-
Notifications
You must be signed in to change notification settings - Fork 0
/
Hacking with Powershell
218 lines (167 loc) · 6.25 KB
/
Hacking with Powershell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
#Task 2 What is Powershell?
- What is the command to get help about a particular cmdlet(without any parameters)?
Get-Help
#Task 3 Basic Powershell Commands
- What is the location of the file "interesting-file.txt"
hint: Get-ChildItem -Path C:\ -Include *interesting-file.txt* -File -Recurse -ErrorAction SilentlyContinue
c:\program files\
- Specify the contents of this file
Get-Content 'C:\Program Files\interesting-file.txt.txt'
notsointerestingcontent
- How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?
hint: get-command -CommandType cmdlet | measure
6638
- Get the MD5 hash of interesting-file.txt
hint: Get-FileHash -path "C:\Program Files\interesting-file.txt.txt" -Algorithm md5
49A586A2A9456226F8A1B4CEC6FAB329
- What is the command to get the current working directory?
get-location
- Does the path "C:\Users\Administrator\Documents\Passwords" Exist(Y/N)?
hint: get-location -path "C:\Users\Administrator\Documents\Passwords"
N
- What command would you use to make a request to a web server?
hint:
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.1&viewFallbackFrom=powershell-6
Invoke-WebRequest
- Base64 decode the file b64.txt on Windows.
hint: get-childitem -path c:\ -include b64.txt -Recurse -File -ErrorAction SilentlyContinue
C:\Users\Administrator\Desktop\b64.txt
certutil -decode C:\Users\Administrator\Desktop\b64.txt out.txt
get-content out.txt
or more out.txt
ihopeyoudidthisonwindows
#Task 4 Enumeration
How many users are there on the machine?
hint:get-localuser
5
- Which local user does this SID(S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
hint: (Get-Command Get-LocalUser).Parameters
Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"
Guest
- How many users have their password required values set to False?
hint: Get-LocalUser | Where-Object -Property PasswordRequired -Match false
4
- How many local groups exist?
hint: get-localgroup | measure
24
- What command did you use to get the IP address info?
hint: find comand get-command | where-object -property name -like "*ip*" | where-object -property name -like "*address*"
get-netipaddress
- How many ports are listed as listening?
hint: get-nettcpconnection|where-object state -match listen|measure
20
What is the remote address of the local port listening on port 445?
hint: get-nettcpconnection|where-object state -match listen
::
- How many patches have been applied?
hint: get-hotfix|measure
20
- When was the patch with ID KB4023834 installed?
Get-HotFix|Where-Object -Property HotfixID -Match "KB4023834"
6/15/2017 12:00:00 AM
- Find the contents of a backup file.
hint: Get-ChildItem -Path c:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue
C:\Program Files (x86)\Internet Explorer
or Get-ChildItem -Path c:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue|get-content
backpassflag
- Search for all files containing API_KEY
hint: get-childitem -file -recurse -force -erroraction silentlycontinue -path c:\ | select-string -pattern API_KEY | select path
c:\users\public\music\config.xml
get-content c:\users\public\music\config.xml
fakekey123
or Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY
fakekey123
- What command do you do to list all the running processes?
hint: get-command | where-object -property name -like “*get*” | where-object -property name -like “*process*”
get-process
- What is the path of the scheduled task called new-sched-task?
hint: get-schedule -taskname new-sched-task
or get-scheduledtask | where-object -property TaskName -like “*new-sched-task*”
\
- Who is the owner of the C:\
hint: get-acl c:\
NT SERVICE\TrustedInstaller
#Task 5 Basic Scripting Challenge
- What file contains the password?
hint:
cd c:\users\administrator\Desktop
Get-ChildItem -path .\emails\ -Recurse | Select-String -Pattern password
or open powershell ISE
####
$path = "C:\Users\Administrator\Desktop\emails\*"
$string_pattern = "password"
$command = Get-childitem -Path $path -Recurse | Select-String -Pattern $String_pattern
echo $command
####
save file to pass.ps1
.\pass.ps1
Doc3M
- What is the password?
johnisalegend99
- What files contains an HTTPS link?
hint: Get-ChildItem -path .\emails\ -Recurse | Select-String -Pattern https
or open powershell ise
###
####
$path = "C:\Users\Administrator\Desktop\emails\*"
$string_pattern = "https"
$command = Get-childitem -Path $path -Recurse | Select-String -Pattern $String_pattern
echo $command
####
####
save file to https.ps1
.\https.ps1
doc2mary
OR to answer 2 question above
write script:
####
$emails = "C:\users\Administrator\Desktop\emails\*"
$word_search1 = "password"
$word_search2 = "https"
$find_password = get-childitem -recurse $emails | select-string -pattern $word_search1
$find_https_link = get-childitem -recurse $emails | select-string -pattern $word_search2
echo ""
echo "Instances of 'Password'"
echo ""
echo $find_password
echo ""
echo "Instances of 'Https'"
echo ""
echo $find_https_link
echo ""
echo "Done!"
###
save 2question.ps1
.\2question.ps1
#Task 6 Intermediate Scripting
- How many open ports did you find between 130 and 140(inclusive of those two)?
####
$localhost = "127.0.0.1"
$Start_Port = "130"
$End_Port = "140"
$ErrorActionPreference= ‘silentlycontinue’
Foreach($port in $Start_Port..$End_Port){
If(Test-Connection –BufferSize 32 –Count 1 –quiet –ComputerName "localhost")
{ $socket = new-object System.Net.Sockets.TcpClient($localhost,$port)
If($socket.Connected) { “Port $port open!” } else
{ “Port $port not open!” }
}
}
####
save portscan.ps1
.\portscan.ps1
OR
###
for($i=130; $i -le 140; $i++){
Test-NetConnection localhost -Port $i
}
###
save pscan.ps1
.\pscan.ps1
11
https://tryhackme.com/room/powershell
https://github.com/edoardottt/tryhackme-ctf/tree/main/Hacking-with-Powershell <-- all ok
https://cd6629.gitbook.io/ctfwriteups/converting-metasploit-modules-to-python/hacking-with-powershell-wlk <-- all ok
https://deskel.github.io/posts/thm/hacking-with-powershell
https://saihatnetsec.blogspot.com/2021/04/tryhackme-hacking-with-powershell.html
https://guidedhacking.com/threads/tryhackme-alfred-walkthrough-offensive-pentesting-path.17581/?__cf_chl_jschl_tk__=pmd_0a6f636408f31a54ac82749d9591fec10f35b46f-1626940823-0-gqNtZGzNAmKjcnBszQYO