➡️ go through @RSCyberTech
Platform: TryHackMe
Learning path: Cybersecurity 101
Room: Windows PowerShell
What do we call the higher-level approach that was taken to develop PowerShell?
Answer✅
Workflow/rationale/source/steps/reasoning
- “…Snover’s solution was to develop an object-oriented approach…” - mentioned in the text of this section.
How would you retrieve the list of commands whose name starts with the verb Remove? [for the sake of this question, avoid the use of quotes (” or ‘) in your answer]
Answer✅
Get-Command -Name Remove*
Workflow/rationale/source/steps/reasoning
- “To list all available cmdlets, functions, aliases, and scripts that can be executed in the current PowerShell session, we can use `Get-Command`. It is an important tool for discovering which instructions are available. … For every CommandInfo object the cmdlet retrieves, some basic information (properties) is displayed on the console. The command list can be filtered based on the displayed property values. For example, if we only want to display available instructions of type “function”, we can use `-CommandType "Function"`” - mentioned in the text of this section.
- Check the help page of `Get-Command` for more information, e.g. on the `-Name` parameter.
Which cmdlet has the traditional command echo as an alias?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> get-help *alias*

Name                  Category  Module                    Synopsis
----                  --------  ------                    --------
Export-Alias          Cmdlet    Microsoft.PowerShell.U... Exports information about currently defined aliases to a file.
Get-Alias             Cmdlet    Microsoft.PowerShell.U... Gets the aliases for the current session.
Import-Alias          Cmdlet    Microsoft.PowerShell.U... Imports an alias list from a file.
New-Alias             Cmdlet    Microsoft.PowerShell.U... Creates a new alias.
Set-Alias             Cmdlet    Microsoft.PowerShell.U... Creates or changes an alias for a cmdlet or other command in the current PowerShell session.
about_Aliases         HelpFile
about_Alias_Provider  HelpFile

PS C:\Users\captain> get-alias -Name echo

CommandType     Name                    Version    Source
-----------     ----                    -------    ------
Alias           echo -> Write-Output
```
What is the command to retrieve some usage examples for the cmdlet New-LocalUser?
Answer✅
Get-Help New-LocalUser -examples
Workflow/rationale/source/steps/reasoning
- “Another important cmdlet in our tool belt is `Get-Help`: it provides detailed information about the cmdlet, including usage, parameters, and examples. It’s the cmdlet of choice for learning how to use PowerShell commands.” - mentioned in the text of this section.
Which cmdlet can you use to replace the traditional Windows command type?
Answer✅
Workflow/rationale/source/steps/reasoning
- “Finally, to read and display the contents of the file, we can use the `Get-Content` cmdlet, which works the same as the `type` command in Command Prompt (or `cat` in Unix-like systems)”. - present in text
What PowerShell command would you use to display the contents of the “C:\Users” directory? [for the sake of this question, avoid the use of quotes (” or ‘) in your answer]
Answer✅
Workflow/rationale/source/steps/reasoning
- ”…`Get-ChildItem`: lists files and directories in the location specified via the `-Path` parameter. It can be used to explore directories and view their contents…” - present in text
How many items does the command described in the previous question display?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> ( Get-ChildItem -Path C:\Users).count
4
```
How would you retrieve the items in the current directory whose size is greater than 100? [for the sake of this question, avoid the use of quotes (” or ‘) in your answer]
Answer✅
Get-ChildItem | Where-Object -Property Length -gt 100
Workflow/rationale/source/steps/reasoning
- Built from the examples in the text
In addition to the current user and the default Administrator account, what other users are enabled on the target computer?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> Get-LocalUser

Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
captain            True    The beloved captain of this pirate ship.
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
p1r4t3             True    A merry life and a short one.
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.
```
This guy hid his account among others, with no regard for our beloved Captain! What is his motto that he expresses so bluntly in his account description?
Answer✅
A merry life and a short one.
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> Get-LocalUser

Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
captain            True    The beloved captain of this pirate ship.
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
p1r4t3             True    A merry life and a short one.
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.
```
Now putting all this together is a bit of a challenge. The suspicious guy we just discovered hiding in Local Users has his own home folder in the “C:\Users” directory. Can you browse the file system and find the hidden treasures in this pirate’s house?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> cat ..\p1r4t3\hidden-treasure-chest\big-treasure.txt
___
.-"; ! ;"-.
.'! : | : !`.
/\ ! : ! : ! /\
/\ | ! :|: ! | /\
( \ \ ; :!: ; / / )
( `. \ | !:|:! | / .' )
(`. \ \ \!:|:!/ / / .')
\ `.`.\ |!|! |/,'.' /
`._`.\\\!!!// .'_.'
`.`.\\|//.'.'
|`._`n'_.'| hjw
"----^----"
FLAG: THM{p34rlInAsh3ll}
```
In the last mission, you discovered a wonderful treasure carefully hidden in the target machine. What is the hash of the file containing it?
Answer✅
71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> get-filehash ..\p1r4t3\hidden-treasure-chest\big-treasure.txt

Algorithm Hash                                                             Path
--------- ----                                                             ----
SHA256    71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08 C:\Users\p1r4t3\hidden-treasure-chest\big-treasure.txt
```
Which of the attributes retrieved by default by Get-NetTCPConnection contains information about the process that initiated the connection?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> Get-NetTCPConnection | get-member | sort name | where {$_.name -imatch "process"}

   TypeName: Microsoft.Management.Infrastructure.CimInstance#ROOT/StandardCimv2/MSFT_NetTCPConnection

Name          MemberType Definition
----          ---------- ----------
OwningProcess Property   uint32 OwningProcess {get;}
```
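The OwningProcess attribute is only a PID. As an added example (not part of the room or the write-up), the function below joins each connection to the matching Get-Process entry so the listing shows the process name and image path behind every socket; it assumes a local session, ideally elevated, since the paths of other users' processes are hidden otherwise.

```powershell
# Added example: resolve Get-NetTCPConnection.OwningProcess to a process name/path.
function Get-TcpConnectionOwner {
    [CmdletBinding()]
    param(
        # Optional filter on connection state, e.g. Established or Listen.
        [string]$State
    )
    # Build a PID -> process lookup once instead of calling Get-Process per row.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $conns = Get-NetTCPConnection
    if ($State) { $conns = $conns | Where-Object State -eq $State }

    foreach ($c in $conns) {
        # OwningProcess is a uint32; cast so it matches the int keys from Get-Process.
        $p = $procs[[int]$c.OwningProcess]
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        $path = if ($p) { $p.Path } else { $null }   # $null when access is denied
        [pscustomobject]@{
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State
            PID           = $c.OwningProcess
            Process       = $name
            Path          = $path
        }
    }
}

# Example call: established connections, grouped by remote peer.
Get-TcpConnectionOwner -State Established | Sort-Object RemoteAddress | Format-Table -AutoSize
```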
Time for another little challenge. This pirate ship has some important services installed to ensure that the captain can always sail safely. But something doesn’t go as expected, and the captain wants to know why. After investigation, they finally found out the truth: the service had been tampered with! The previous shady guy modified the service’s DisplayName to reflect his own motto, which is the same motto he has in his user description. With this information and your current knowledge of PowerShell, can you find the service name?
Answer✅
Workflow/rationale/source/steps/reasoning
```
PS C:\Users\captain> Get-Service | sort name | where {$_.DisplayName -imatch "A merry life and a short one"}

Status  Name             DisplayName
------  ----             -----------
Running p1r4t3-s-compass A merry life and a short one.
```
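The manual steps above (read the account description, then grep service DisplayNames for it) generalise to every enabled local account. The function below is an added example, not code from the room, and assumes the Get-LocalUser and Get-Service cmdlets are available in the session; the excluded account names are a hypothetical default.

```powershell
# Added example: flag services whose DisplayName repeats the description of an
# enabled local account, the tampering pattern the challenge describes.
function Find-ServiceByUserDescription {
    [CmdletBinding()]
    param(
        # Accounts treated as expected and skipped (hypothetical default).
        [string[]]$ExcludeUser = @('Administrator', 'captain')
    )
    $services = Get-Service

    Get-LocalUser |
        Where-Object { $_.Enabled -and $_.Name -notin $ExcludeUser -and $_.Description } |
        ForEach-Object {
            $user = $_
            # Escape the description so regex metacharacters in it match literally;
            # drop a trailing period so "motto." still matches "motto".
            $pattern = [regex]::Escape($user.Description.TrimEnd('.'))
            $services |
                Where-Object { $_.DisplayName -imatch $pattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        User        = $user.Name
                        Description = $user.Description
                        Service     = $_.Name
                        DisplayName = $_.DisplayName
                        Status      = $_.Status
                    }
                }
        }
}

Find-ServiceByUserDescription | Format-Table -AutoSize
```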
What is the syntax for executing the Get-Service cmdlet on a remote computer named “RoyalFortune”? It is assumed that you do not need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (” or ‘) in your answer]
Answer✅
Invoke-Command -ComputerName RoyalFortune -ScriptBlock { Get-Service }
Workflow/rationale/source/steps/reasoning
- Built from the examples in the text