Windows Powershell - Try Hack Me writeup

Task 1 - Introduction

Q1. Raise the anchor, hoist the sails—it's time to set sail!

No Answer Needed

Task 2 - What Is PowerShell

Q1. What do we call the advanced approach used to develop PowerShell?

Answer 👉 object-oriented

Task 3 - PowerShell Basics

Q1. How would you retrieve a list of commands that start with the verb Remove? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

  • Use the Get-Command cmdlet to list all available commands.
  • Pass the -Name parameter with the wildcard pattern Remove* so only matching commands are returned.

Answer 👉 Get-Command -Name Remove*


Q2. What cmdlet has its traditional counterpart echo as an alias?

Answer 👉 Write-Output


Q3. What is the command to retrieve some example usage for the cmdlet New-LocalUser?

  • Use the Get-Help cmdlet to read the help for another cmdlet.
  • Add the -Examples parameter to show only the usage examples for that cmdlet.

Answer 👉 Get-Help New-LocalUser -examples

Task 4 - Navigating the File System and Working with Files

Q1. What cmdlet can you use instead of the traditional Windows command type?

  • In the traditional Windows command line, type prints the contents of a file. The PowerShell cmdlet that does the same is Get-Content.

Answer 👉 Get-Content


Q2. What PowerShell command would you use to display the content of the "C:\Users" directory? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

  • To list the contents of a directory, use the Get-ChildItem cmdlet.
  • To list a specific directory, pass it with the -Path parameter. By default -Path is the current directory (.\).

Answer 👉 Get-ChildItem -Path C:\Users


Q3. How many items are displayed by the command described in the previous question?

  • Read the .Count property of the result, or pipe the output to the Measure-Object cmdlet.
  • (Get-ChildItem -Path C:\Users).count
  • Get-ChildItem -Path C:\Users | Measure-Object

Answer 👉 4

Task 5 - Piping, Filtering, and Sorting Data

Q1. How would you retrieve the items in the current directory with size greater than 100? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Let's build the command step by step from the question.

  • Start with the Get-ChildItem cmdlet to list all child items of the current directory.
  • Pipe the output to the Where-Object cmdlet for filtering.
  • Select the property to filter on: -Property Length (file size in bytes).
  • Give the condition that must be met: -gt 100 (greater than 100).

Answer 👉 Get-ChildItem | Where-Object -Property Length -gt 100

Task 6 - System and Network Information

Q1. Other than your current user and the default "Administrator" account, what other user is enabled on the target machine?

  • First get the local user objects, then pipe the output to the Where-Object cmdlet.
  • Keep only the objects whose Enabled property is set to true.
Get-LocalUser | Where-Object {$_.Enabled -eq $True}
(screenshot: account name and description)

Answer 👉 p1r4t3


Q2. This lad has hidden his account among the others with no regard for our beloved captain! What is the motto he has so bluntly put as his account's description?

Answer 👉 A merry life and a short one.


Q3. Now a small challenge to put it all together. This shady lad that we just found hidden among the local users has his own home folder in the "C:\Users" directory. Can you navigate the filesystem and find the hidden treasure inside this pirate's home?

  • First search the C:\Users directory recursively for the treasure file (-ErrorAction SilentlyContinue suppresses access-denied errors from other users' folders).
  • Once you have the file, pipe it to the Get-Content cmdlet to read it.
Get-ChildItem "*treasure*" -Recurse -ErrorAction SilentlyContinue -Path C:\Users -File | Get-Content
(screenshot: flag)

Answer 👉 THM{p34rlInAsh3ll}

Task 7 - Real-Time System Analysis

Q1. In the previous task, you found a marvellous treasure carefully hidden in the target machine. What is the hash of the file that contains it?

  • Change to the directory containing the file you found.
  • Use the Get-FileHash cmdlet to compute the hash of the file (SHA256 by default).
(screenshot: file hash using Get-FileHash cmdlet)

Answer 👉 71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08


Q2. What property retrieved by default by Get-NetTCPConnection contains information about the process that has started the connection?

Answer 👉 OwningProcess


Q3. With this information and the PowerShell knowledge you have built so far, can you find the service name?

Use the Get-Service cmdlet to list all services, then pipe the result to findstr to match the motto word "merry" given in the question.

Get-Service | findstr.exe "merry"
(screenshot: service info)

Answer 👉 p1r4t3-s-compass
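As an added example that is not part of the original writeup, the script below puts Tasks 6 and 7 together in one pass: it lists enabled non-default accounts with their descriptions, hashes any "treasure" file under their home folders, and joins Get-NetTCPConnection's OwningProcess to the process and service tables. The built-in account names and the C:\Users layout are assumptions about the room's target VM.

```powershell
# Added example (not from the TryHackMe room). Run on the target VM.
$builtIn = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', $env:USERNAME)

# Task 6 Q1/Q2: enabled local accounts other than the built-ins and ourselves,
# including the Description field the hidden account used for its motto
$suspects = Get-LocalUser |
    Where-Object { $_.Enabled -and ($builtIn -notcontains $_.Name) } |
    Select-Object Name, Description
$suspects | Format-Table -AutoSize

# Task 6 Q3 + Task 7 Q1: look inside each suspect's home folder and hash every
# file whose name contains "treasure" (SilentlyContinue skips unreadable folders)
foreach ($user in $suspects) {
    $homeDir = Join-Path 'C:\Users' $user.Name
    Get-ChildItem -Path $homeDir -Filter '*treasure*' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [PSCustomObject]@{
                Path    = $_.FullName
                SHA256  = $hash.Hash
                Content = (Get-Content -Path $_.FullName -Raw).Trim()
            }
        }
}

# Task 7 Q2/Q3: OwningProcess is only a PID, so join it to Get-Process and to
# Win32_Service to show which process and which service (if any) own each socket
$services = Get-CimInstance -ClassName Win32_Service
Get-NetTCPConnection -State Listen, Established |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $svc  = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
        [PSCustomObject]@{
            Local   = "$($conn.LocalAddress):$($conn.LocalPort)"
            Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            State   = $conn.State
            PID     = $conn.OwningProcess
            Process = $proc.ProcessName
            Service = ($svc.Name -join ', ')
        }
    } | Sort-Object PID | Format-Table -AutoSize
```

The Service column is the PowerShell-native equivalent of the Get-Service | findstr step above: it answers "which service owns this connection" directly from the PID instead of searching display names.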

Task 8 - Scripting

Q1. What is the syntax to execute the command Get-Service on a remote computer named "RoyalFortune"? Assume you don't need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer 👉 Invoke-Command -ComputerName RoyalFortune -ScriptBlock { Get-Service }

Task 9 - Conclusion

Q1. I'm ready to go on to the next adventure!

No Answer Needed