Hacking with Powershell

TryHackMe Hacking with Powershell Write-Up

topics: PowerShell

  1. Background

  2. Basic Commands

  3. Enumerate with Powershell

  4. Basic Scripting

  5. Intermediate Scripting

tools: powershell

Useful cheatsheets & guides

Background

Powershell is a task automation and configuration management framework from Microsoft, consisting of a command-line shell and associated scripting language.

In PowerShell, administrative tasks are performed by cmdlets (pronounced command-lets), which are specialized .NET classes implementing a particular operation. These work by accessing data in different data stores, like the file system or registry, which are made available to PowerShell via providers. Third-party developers can add cmdlets and providers to PowerShell. Cmdlets may be used by scripts and scripts may be packaged into modules.

Basic Commands

Get-Command -Type Cmdlet - To list all commands

Get-Help <cmdlet> - equivalent to the man page

Get-Help Get-Command -Examples - lists usage examples

Get-ChildItem - equivalent to ls -l

Piping

(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion - gets the PowerShell version

File formats

Object Manipulation

This means that the PowerShell command prompt uses the same syntax as the scripting language itself, much as bash does.

Filtering Objects
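The headings above (object manipulation, filtering, file formats) are the heart of why PowerShell is useful for enumeration: the pipeline carries objects, so you filter on properties instead of parsing text. The following is an added example, not code from the room or this write-up; it uses only standard cmdlets and writes its output files under $env:TEMP.

```powershell
# Added example (not part of the original write-up): manipulating and filtering
# objects in the pipeline, then exporting them. Standard cmdlets only.

# 1. Inspect the object type and its members instead of guessing at column names.
Get-Process | Get-Member -MemberType Property | Select-Object -First 5

# 2. Filter on a property, sort, and pick (or compute) the columns we care about.
$busy = Get-Process |
    Where-Object { $_.WorkingSet64 -gt 100MB } |
    Sort-Object -Property WorkingSet64 -Descending |
    Select-Object -Property Name, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }

$busy | Format-Table -AutoSize

# 3. Group and count rather than eyeballing a long list: which images run more than once?
Get-Process |
    Group-Object -Property Name |
    Where-Object { $_.Count -gt 1 } |
    Sort-Object -Property Count -Descending |
    Select-Object -First 5 -Property Count, Name

# 4. File formats: the same objects serialize to CSV or JSON and can be re-imported
#    as objects, which is how you keep a baseline for later comparison.
$csvPath  = Join-Path $env:TEMP 'busy-processes.csv'
$jsonPath = Join-Path $env:TEMP 'busy-processes.json'

$busy | Export-Csv -Path $csvPath -NoTypeInformation
$busy | ConvertTo-Json -Depth 2 | Out-File -FilePath $jsonPath

# Re-import: properties come back as strings in CSV, so cast before comparing numbers.
Import-Csv -Path $csvPath |
    Where-Object { [double]$_.WorkingSetMB -gt 200 } |
    Select-Object -First 3
```

The calculated property in step 2 (the `@{ Name = ...; Expression = ... }` hashtable) is the idiom for adding a derived column; `Get-Member` in step 1 is the quickest way to learn what a cmdlet's output actually exposes before filtering on it.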

Tasks

  1. What is the location of the file "interesting-file.txt"?

Get-ChildItem -Path C:/ -Include interesting-file.txt -Recurse -File

yields errors for directories we are not allowed to read; suppress them with -ErrorAction SilentlyContinue:

Get-ChildItem -Path C: -Include interesting-file.txt -File -Recurse -ErrorAction SilentlyContinue

2. Specify the contents of this file

Get-Content "C:\Program Files\interesting-file.txt.txt"

3. How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?

Get-Command -CommandType Cmdlet | measure

4. Get the MD5 hash of interesting-file.txt

Get-FileHash -Path "C:\Program Files\interesting-file.txt.txt" -Algorithm MD5

5. What is the command to get the current working directory?

Get-Location

6. Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?

Get-Location has no -Path parameter, so the first attempt (Get-Location -Path "C:\Users\Administrator\Documents\Passwords") errors out whether or not the path exists. The proper check is

Test-Path "C:\Users\Administrator\Documents\Passwords"

which returns False, so N

7. What command would you use to make a request to a web server?

Invoke-WebRequest

8. Base64 decode the file b64.txt on Windows.

  • Locate the file: Get-ChildItem -Path C:/ -Include b64.txt -Recurse -File

  • Use certutil: certutil -decode "C:\Users\Administrator\Desktop\b64.txt" file.txt

  • Read the file: Get-Content file.txt
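Tasks 1, 4 and 8 above are really one small procedure: locate a file without drowning in access-denied errors, hash it, and decode it. The script below is an added example rather than the room's own commands; the file names are the ones the room uses, while the search root, the helper function names and the base64 validation are my own choices. It decodes with .NET instead of certutil, so the decoded bytes never have to be written to disk.

```powershell
# Added example (not from the write-up): locate, hash and base64-decode a file.
# The search root ('C:\') and the function names are assumptions.

function Find-FileByName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Root = 'C:\'
    )
    # -ErrorAction SilentlyContinue hides the access-denied errors from protected folders;
    # -Filter accepts wildcards, e.g. 'interesting-file.txt*'.
    Get-ChildItem -Path $Root -Recurse -File -Filter $Name -ErrorAction SilentlyContinue
}

function Get-Md5 {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-FileHash -Path $Path -Algorithm MD5).Hash
}

function ConvertFrom-Base64File {
    param([Parameter(Mandatory)] [string] $Path)
    # -Raw reads the whole file as one string; Trim() drops a trailing newline.
    $text = (Get-Content -Path $Path -Raw).Trim()
    try {
        $bytes = [Convert]::FromBase64String($text)
    } catch [System.FormatException] {
        # Not base64 at all (wrong file, or binary content); say so instead of
        # returning garbage.
        throw "File '$Path' is not valid base64: $($_.Exception.Message)"
    }
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

$file = Find-FileByName -Name 'interesting-file.txt*' | Select-Object -First 1
if ($file) {
    "Found: $($file.FullName)"
    "MD5:   $(Get-Md5 -Path $file.FullName)"
} else {
    'interesting-file.txt not found under the search root'
}

$b64 = Find-FileByName -Name 'b64.txt' | Select-Object -First 1
if ($b64) {
    'Decoded b64.txt:'
    ConvertFrom-Base64File -Path $b64.FullName
}
```

`[Convert]::FromBase64String` ignores embedded whitespace, so it also handles base64 that was line-wrapped the way certutil writes it; the `FormatException` catch is what distinguishes "this is not base64" from a genuine decode.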

Enumerate with Powershell

  1. How many users are there on the machine?

Get-LocalUser

2. Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?

First find the parameters for Get-LocalUser

(Get-Command Get-LocalUser).Parameters

Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"

3. How many users have their password required values set to False?

Find parameters first

Get-LocalUser | Get-Member

Get-LocalUser | Where-Object -Property PasswordRequired -Match false

4. How many local groups exist?

Get-LocalGroup | measure

5. What command did you use to get the IP address info?

Get-NetIPAddress

6. How many ports are listed as listening?

Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure

7. What is the remote address of the local port listening on port 445?

Get-NetTCPConnection | Where-Object -Property State -Match Listen

8. How many patches have been applied?

Get-HotFix | measure

9. When was the patch with ID KB4023834 installed?

Get-Hotfix -Id KB4023834

10. Find the contents of a backup file.

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

(-Include takes a wildcard pattern; a bare .bak would only match a file literally named ".bak", not passwords.bak.txt.)

Get-Content "C:\Program Files (x86)\Internet Explorer\passwords.bak.txt"

11. Search for all files containing API_KEY

Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY

12. What command do you do to list all the running processes?

Get-Process

13. What is the path of the scheduled task called new-sched-task?

Get-ScheduledTask -TaskName new-sched-task

14. Who is the owner of C:\?

Get-Acl C:\
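The fourteen enumeration commands above are what you would run one at a time in the room; on a real host you want them as one repeatable snapshot you can diff against a known-good baseline. The function below is an added example, not the room's code: the cmdlets are the ones used above, the hotfix ID and task name default to the room's values, and the shape of the summary object is my own.

```powershell
# Added example (not from the write-up): the enumeration tasks above collected into
# one baseline object. Requires the Windows LocalAccounts, NetTCPIP, ScheduledTasks
# cmdlets used in the room. Summary layout is an assumption.

function Get-HostBaseline {
    param(
        [string] $HotFixId = 'KB4023834',      # room's value
        [string] $TaskName = 'new-sched-task'  # room's value
    )

    $users = Get-LocalUser
    # Compare against the boolean rather than the string "false" (task 3).
    $noPasswordRequired = $users | Where-Object { $_.PasswordRequired -eq $false }

    # -State Listen does the filtering server-side instead of via Where-Object (task 6).
    $listening = Get-NetTCPConnection -State Listen
    # Task 7: the row for local port 445, so we can read its RemoteAddress directly.
    $smb = $listening | Where-Object { $_.LocalPort -eq 445 }

    $hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    $task   = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        UserCount           = @($users).Count
        UsersNoPasswordReq  = (@($noPasswordRequired).Name -join ', ')
        LocalGroupCount     = @(Get-LocalGroup).Count
        ListeningPortCount  = @($listening).Count
        Smb445RemoteAddress = (@($smb).RemoteAddress -join ', ')
        HotFixCount         = @(Get-HotFix).Count
        HotFixInstalledOn   = $hotfix.InstalledOn
        ScheduledTaskPath   = $task.TaskPath
        SystemDriveOwner    = (Get-Acl -Path 'C:\').Owner
        CollectedAt         = Get-Date
    }
}

$baseline = Get-HostBaseline
$baseline | Format-List

# Keep a copy to compare against on the next run.
$baseline | Export-Clixml -Path (Join-Path $env:TEMP 'host-baseline.xml')
```

Wrapping results in `@(...)` before taking `.Count` avoids the classic surprise where a single returned object is not an array; `Export-Clixml` preserves the types, so a later `Import-Clixml` can be compared property by property with `Compare-Object`.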

Basic Scripting

We are told "The emails folder on the Desktop contains copies of the emails John, Martha and Mary have been sending to each other (and themselves). Answer the following questions with regards to these emails (try not to open the files and use a script to answer the questions)"

We can use variables and a simple Get-ChildItem piped into Select-String to find and read the file

$path = "C:\Users\Administrator\Desktop\emails\*"
$string_pattern = "password"
$command = Get-ChildItem -Path $path -Recurse | Select-String -Pattern $string_pattern
echo $command
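The three-line script above answers the question but prints the raw match objects. As an added example (not the room's code) the version below turns the same search into a function that reports file, line number and the matching line, and creates three constructed sample emails under $env:TEMP so it can be tried without the room's VM; the room's folder path is shown in the final comment.

```powershell
# Added example (not from the write-up): search a folder of emails for a pattern
# and report where it matched. The sample messages below are constructed; only the
# folder path in the last comment is the room's.

function Find-PatternInFolder {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [Parameter(Mandatory)] [string] $Pattern
    )
    # Select-String is case-insensitive by default and returns one object per hit,
    # so we never open or print whole messages, only the lines that matter.
    Get-ChildItem -Path $Folder -Recurse -File |
        Select-String -Pattern $Pattern |
        Select-Object -Property Filename, LineNumber, Line
}

# Constructed sample data so the function runs anywhere.
$emails = Join-Path $env:TEMP 'emails-demo'
New-Item -ItemType Directory -Path $emails -Force | Out-Null
Set-Content -Path (Join-Path $emails 'john-to-martha.txt') -Value @(
    'From: john@example.test', 'To: martha@example.test', '',
    'Lunch on Friday?'
)
Set-Content -Path (Join-Path $emails 'martha-to-mary.txt') -Value @(
    'From: martha@example.test', 'To: mary@example.test', '',
    'Reminder: the password for the shared folder is in the usual place.'
)
Set-Content -Path (Join-Path $emails 'mary-to-mary.txt') -Value @(
    'From: mary@example.test', 'To: mary@example.test', '',
    'Note to self: rotate the keys next week.'
)

Find-PatternInFolder -Folder $emails -Pattern 'password' | Format-Table -AutoSize

# Against the room's data:
# Find-PatternInFolder -Folder 'C:\Users\Administrator\Desktop\emails' -Pattern 'password'
```

Because `Select-String` emits `MatchInfo` objects, the same function answers follow-up questions (who sent the message, which line) by reading the `Filename` and `Line` properties instead of re-running the search.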

Intermediate Scripting

Because we are only dealing with ports 130-140, including those two (11 in total), we can use a simple for loop over each port and Test-NetConnection to probe it on localhost

for($i=130; $i -le 140; $i++){
    Test-NetConnection localhost -Port $i
}

All possible ports are open
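Test-NetConnection is fine for eleven ports, but it is slow on closed ports and prints a lot. The function below is an added example, not the room's code: it checks the same range with a .NET TcpClient and a short timeout and returns plain objects you can filter. Host, range and timeout are parameters whose defaults are the room's values.

```powershell
# Added example (not from the write-up): check a port range on a host with a
# connect timeout, returning one object per port. Defaults are the room's
# (localhost, 130-140); the timeout value is an assumption.

function Test-PortRange {
    param(
        [string] $ComputerName = 'localhost',
        [int]    $StartPort    = 130,
        [int]    $EndPort      = 140,
        [int]    $TimeoutMs    = 500
    )
    foreach ($port in $StartPort..$EndPort) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($ComputerName, $port, $null, $null)
            # WaitOne returns $false if nothing happened within the timeout.
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $open = $true
            }
        } catch {
            $open = $false                   # refused / unreachable
        } finally {
            $client.Close()
        }
        [PSCustomObject]@{ ComputerName = $ComputerName; Port = $port; Open = $open }
    }
}

$results = Test-PortRange
$results | Format-Table -AutoSize

$openPorts = ($results | Where-Object { $_.Open }).Port
"Open ports: $($openPorts -join ', ')"
```

If you would rather stay with the cmdlet, `Test-NetConnection localhost -Port $i -InformationLevel Quiet -WarningAction SilentlyContinue` in the original loop returns just `$true`/`$false` per port; the TcpClient version above is mainly useful when the range is larger or the host is remote and closed ports would otherwise wait out the full TCP timeout.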
