Hacking with Powershell
TryHackMe – Hacking with Powershell Write-Up
topics: PowerShell
tools: powershell
Background
Powershell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language.
In PowerShell, administrative tasks are performed by cmdlets (pronounced command-lets), which are specialized .NET classes implementing a particular operation. These work by accessing data in different data stores, like the file system or registry, which are made available to PowerShell via providers. Third-party developers can add cmdlets and providers to PowerShell. Cmdlets may be used by scripts and scripts may be packaged into modules.
Basic Commands
Get-Command -Type Cmdlet
- To list all commands
Get-Help <cmdlet>
- equivalent to the man page
Get-Help Get-Command -Examples
- lists usage examples
Get-ChildItem
- equivalent to ls -l
Piping
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion
- gets the Powershell version
File formats
Object Manipulation
The PowerShell prompt uses the same syntax as the scripting language, much as the bash prompt does, but cmdlets pass .NET objects rather than text down the pipeline, so their properties can be filtered and selected directly instead of being parsed out of output.
Filtering Objects
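An added example (not part of the original write-up) of piping objects between cmdlets: inspecting an object's properties with Get-Member, then filtering, selecting, sorting, grouping and exporting without ever parsing text. The 50MB threshold and the $env:TEMP paths are just values chosen for the demonstration.

```powershell
# Added example: object manipulation on the PowerShell pipeline.
# Each stage receives .NET objects, so properties are used directly.

# 1. See what an object exposes before filtering on it
Get-Process | Get-Member -MemberType Property | Select-Object -First 5

# 2. Filter with a script block, pick columns (one computed), sort, limit
Get-Process |
    Where-Object { $_.WorkingSet64 -gt 50MB } |
    Select-Object Name, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
    Sort-Object WorkingSetMB -Descending |
    Select-Object -First 10

# 3. Count and group instead of reading a long list by eye
Get-Service | Group-Object Status | Select-Object Name, Count

# 4. Export the objects themselves, not the rendered table
Get-ChildItem -Path $env:TEMP -File |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $env:TEMP 'temp-files.csv') -NoTypeInformation
```

Where-Object with a script block (`{ $_.Property -op value }`) is the general form of the `-Property ... -Match ...` shorthand used in the tasks below, and is needed as soon as a filter combines more than one property.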
Tasks
1. What is the location of the file "interesting-file.txt"?
Get-ChildItem -Path C:/ -Include interesting-file.txt -Recurse -File
This yields access-denied errors for directories the current user cannot read; suppress them with
Get-ChildItem -Path C: -Include interesting-file.txt -File -Recurse -ErrorAction SilentlyContinue
2. Specify the contents of this file
Get-Content "C:\Program Files\interesting-file.txt.txt"
3. How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?
Get-Command -CommandType Cmdlet | measure
4. Get the MD5 hash of interesting-file.txt
Get-FileHash -Path "C:\Program Files\interesting-file.txt.txt" -Algorithm MD5
5. What is the command to get the current working directory?
Get-Location
6. Does the path "C:\Users\Administrator\Documents\Passwords" Exist(Y/N)?
Test-Path -Path "C:\Users\Administrator\Documents\Passwords"
returns False, so N
7. What command would you use to make a request to a web server?
Invoke-WebRequest
8. Base64 decode the file b64.txt on Windows.
Locate the file:
Get-ChildItem -Path C:/ -Include b64.txt -Recurse -File
Use certutil:
certutil -decode "C:\Users\Administrator\Desktop\b64.txt" file.txt
Read the file:
Get-Content file.txt
Enumerate with Powershell
1. How many users are there on the machine?
Get-LocalUser
2. Which local user does this SID(S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
First find the parameters for Get-LocalUser
(Get-Command Get-LocalUser).Parameters
Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"
3. How many users have their password required values set to False?
Find parameters first
Get-LocalUser | Get-Member
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
4. How many local groups exist?
Get-LocalGroup | measure
5. What command did you use to get the IP address info?
Get-NetIPAddress
6. How many ports are listed as listening?
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
7. What is the remote address of the local port listening on port 445?
Get-NetTCPConnection -LocalPort 445 -State Listen
8. How many patches have been applied?
Get-HotFix | measure
9. When was the patch with ID KB4023834 installed?
Get-Hotfix -Id KB4023834
10. Find the contents of a backup file.
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue
Get-Content "C:\Program Files (x86)\Internet Explorer\passwords.bak.txt"
11. Search for all files containing API_KEY
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY
12. What command do you do to list all the running processes?
Get-Process
13. What is the path of the scheduled task called new-sched-task?
Get-ScheduledTask -TaskName new-sched-task
14. Who is the owner of C:\?
Get-Acl C:\
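The one-liners above each answer a single question; as an added example (not the room's own code) here they are combined into a short enumeration script that produces structured objects, including a join of listening ports to their owning process, which the raw Get-NetTCPConnection output does not show. The Administrators group name and the KB ID are taken from the tasks; everything else is standard cmdlet output.

```powershell
# Added example: local enumeration as structured output.

# Accounts that can log on without a password, and whether they are enabled
$weakAccounts = Get-LocalUser |
    Where-Object { -not $_.PasswordRequired } |
    Select-Object Name, Enabled, LastLogon, SID

# Listening TCP ports joined to the process that owns each socket
$listeners = Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        }
    } |
    Sort-Object LocalPort, LocalAddress

# Members of the local Administrators group, with where each principal comes from
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Patch state: total count, and when one specific KB was installed
$hotfixCount = (Get-HotFix | Measure-Object).Count
$kb = Get-HotFix -Id 'KB4023834' -ErrorAction SilentlyContinue

"Accounts without a required password: $(@($weakAccounts).Count)"
$weakAccounts | Format-Table -AutoSize
"Listening ports:"
$listeners | Format-Table -AutoSize
"Local administrators:"
$admins | Format-Table -AutoSize
"Hotfixes installed: $hotfixCount"
if ($kb) { "KB4023834 installed on $($kb.InstalledOn)" } else { "KB4023834 not present" }
```

Get-NetTCPConnection, Get-LocalUser and Get-LocalGroupMember ship with Windows PowerShell 5.1 on Windows 10 / Server 2016 and later; the `@()` wrapper around `$weakAccounts` keeps `.Count` correct when exactly one account matches.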
Basic Scripting
We are told "The emails folder on the Desktop contains copies of the emails John, Martha and Mary have been sending to each other(and themselves). Answer the following questions with regards to these emails(try not to open the files and use a script to answer the questions)"
We can build the path from an environment variable ($env:USERPROFILE) and use a simple Get-ChildItem command to find the files, then read them from the script rather than opening each one by hand.
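One way to answer questions about the mailbox from a script, as an added example that is not the room's solution. It assumes the emails are plain-text files under the Desktop "emails" folder and carry "From:" and "To:" header lines; both the folder layout and the header format are assumptions made for this example, and the search term is a constructed one.

```powershell
# Added example: summarise a folder of text emails without opening them by hand.
# Assumption: files live under Desktop\emails and contain "From:" / "To:" lines.

$emailDir = Join-Path $env:USERPROFILE 'Desktop\emails'
$emails   = Get-ChildItem -Path $emailDir -File -Recurse -ErrorAction SilentlyContinue

"Email files found: $(@($emails).Count)"

# Pull sender and recipient out of each file with a multiline, case-insensitive regex
$messages = foreach ($file in $emails) {
    $text = Get-Content -Path $file.FullName -Raw
    [pscustomobject]@{
        File  = $file.Name
        From  = if ($text -match '(?im)^From:\s*(.+)$') { $Matches[1].Trim() } else { $null }
        To    = if ($text -match '(?im)^To:\s*(.+)$')   { $Matches[1].Trim() } else { $null }
        Lines = ($text -split "`r?`n").Count
    }
}

# Who sent the most mail, and who wrote to themselves
$messages | Group-Object From | Sort-Object Count -Descending | Select-Object Name, Count
$messages | Where-Object { $_.From -and $_.From -eq $_.To } | Select-Object File, From

# Which file mentions a keyword, with the matching line and its line number
$keyword = 'password'   # constructed search term for the example
$emails | Select-String -Pattern $keyword -SimpleMatch |
    Select-Object Filename, LineNumber, Line
```

Get-Content -Raw returns the whole file as one string, which is what lets the `(?im)` anchored pattern find a header anywhere in the message; without -Raw each line arrives as a separate object and `$Matches` would only reflect the last one tested.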
Intermediate Scripting
Because we are only dealing with ports 130-140, including those two (11 in total), we can use a simple for loop that runs Test-NetConnection against each port on localhost.
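The loop described above, written out as an added example that is not the room's own script. The first part uses Test-NetConnection exactly as the task suggests; the second adds a TcpClient-based helper with a short timeout, because Test-NetConnection can take a couple of seconds per closed port and becomes slow on anything larger than this range. The helper name Test-Port and its 500 ms default are choices made for this example.

```powershell
# Added example: probe TCP ports 130-140 on the local host.

# Part 1: the cmdlet the task points at. -WarningAction SilentlyContinue hides
# the "TCP connect ... failed" warning printed for every closed port.
$results = foreach ($port in 130..140) {
    $t = Test-NetConnection -ComputerName 'localhost' -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
"Open ports: $(($results | Where-Object Open).Port -join ', ')"

# Part 2: a faster check for larger ranges (helper name and timeout are this example's).
function Test-Port {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout: treat as not open (filtered or dropped)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$fast = foreach ($port in 130..140) {
    [pscustomobject]@{ Port = $port; Open = Test-Port -ComputerName 'localhost' -Port $port }
}
$fast | Where-Object Open | Format-Table -AutoSize
```

Both parts report the same set of open ports; the difference is only how long a closed port takes to answer. `$ComputerName` is used for the parameter name because `$Host` is an automatic variable in PowerShell and must not be reused.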
All possible ports are open