Investigating Windows


Last updated 3 years ago

Let's connect to the machine over RDP using Remmina.

We are logged in. Let's go to This PC > (right-click) Properties, which shows the Windows edition and version.

We were the last ones to log in, as the user Administrator.

Let's check when the user John last logged on to the machine.

Next, let's find the IP address the system connects to when it first starts. Programs that run automatically at logon are registered under the Run key, so open Start > regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look at the UpdateSvc entry: its value is the command line that runs at every logon.

We have the IP address.

To see which other users have administrative privileges on the system, go to Start > User Accounts > Manage Accounts (the same information is the membership of the local Administrators group).

The other user is Guest.
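The three checks above (last logon per account, local administrators, autorun entries) can be pulled in one pass from an elevated PowerShell prompt. This is an added example, not part of the original writeup; it assumes Windows 10 / Server 2016 or later so that the LocalAccounts cmdlets exist, and the set of Run keys it reads is my choice of the usual autorun locations.

```powershell
# Added triage script (not from the original writeup): accounts, admin group and autoruns.
# Assumes Windows 10 / Server 2016+ (Get-LocalUser / Get-LocalGroupMember). Run elevated.

# 1. Local accounts with their last logon. LastLogon is blank for accounts that never logged on.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize

# 2. Members of the local Administrators group (Guest being listed here is the finding above).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Autorun entries. Each value's data is a command line run at logon, so a hard-coded
#    IP address in here (the UpdateSvc entry) is the "phones home at boot" answer.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Metadata properties Get-ItemProperty adds to every result; they are not registry values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        $cmd = [string]$p.Value
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            IPs     = ([regex]::Matches($cmd, $ipv4) | ForEach-Object { $_.Value }) -join ','
        }
    }
}
$autoruns | Format-Table -AutoSize

# Only the entries that embed an IP literal: a logon script with a remote address is the suspect.
$autoruns | Where-Object { $_.IPs } | Format-List
```

Reading the Run key values rather than clicking through regedit also catches the WOW6432Node and per-user keys, which the GUI walk above skips.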

Now let's find the name of the malicious scheduled task: Start > Task Scheduler > Task Scheduler Library.

Looking through the tasks, Clean file system is the malicious one: it runs every few minutes and clears data.

The file the task runs daily is shown on the task's Actions tab.

Let's look at that script: Start > This PC > Local Disk > TMP > nc.

It does not look well formatted in Notepad, so let's open it with something that renders it more readably: right-click the script and choose Edit, which opens it in Windows PowerShell ISE.

The port the script listens on is visible in its source.
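Instead of opening each task in the GUI, the task inventory, the action behind each task, and the script it points at can be enumerated from PowerShell. This is an added example, not part of the original writeup: the "suspicious" heuristics (interpreter or LOLBin as the action, or a script under a temp-style path such as the writeup's C:\TMP) are my assumptions, and the script is only read with Get-Content, never executed.

```powershell
# Added example (not from the original writeup): scheduled tasks, their actions, and a
# read-only look at the script a flagged task runs. Run from an elevated prompt.

$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            TaskName  = $task.TaskName
            TaskPath  = $task.TaskPath
            State     = $task.State
            Author    = $task.Author
            RunAs     = $task.Principal.UserId
            Execute   = $action.Execute
            Arguments = $action.Arguments
            # Trigger class names: DailyTrigger, TimeTrigger, LogonTrigger, ...
            Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun   = $info.LastRunTime
            NextRun   = $info.NextRunTime
        }
    }
}

# Heuristics (my assumption): an interpreter/LOLBin as the action, or anything launched
# from a user-writable temp-style directory. "Clean file system" and the nc task match both.
$suspicious = $tasks | Where-Object {
    $cmdline = $_.Execute + ' ' + $_.Arguments
    $cmdline -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.ps1\b|\.vbs\b|\.bat\b' -or
    $cmdline -match '(?i)[a-z]:\\(tmp|temp|windows\\temp|programdata|users\\[^\\]+\\appdata)\\'
}
$suspicious | Format-List

# Extract script paths from the flagged actions and read them. Get-Content only reads the
# file; it never runs it, which matters when the script is a listener or a wiper.
$scriptPaths = $suspicious |
    ForEach-Object { [regex]::Matches(($_.Execute + ' ' + $_.Arguments), '(?i)[a-z]:\\[^\s"'']+\.(?:ps1|bat|vbs|cmd)') } |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique

foreach ($path in $scriptPaths) {
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }
    $item = Get-Item $path
    "== $path  (created $($item.CreationTime), modified $($item.LastWriteTime))"
    # Lines that set up a socket or name a port are where the listening port is declared.
    Get-Content $path |
        Select-String -Pattern 'TcpListener|Listen|Socket|\s-l\b|port|\b\d{4,5}\b' |
        ForEach-Object { '  {0,4}: {1}' -f $_.LineNumber, $_.Line.Trim() }
}
```

The file timestamps printed alongside each script are worth noting: a creation time that matches the task's registration time ties the two artefacts together in the timeline.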

Next, let's check when the user Jenny last logged in.

The compromise took place when the Game Over script was run, so let's find when it was first run.

For the next questions, open Event Viewer > Windows Logs > Security > Filter Current Log and filter on Event ID 4624 (a successful logon), then click the Date and Time column header so the earliest entries are on top.

Now I did not know which one it was, so I looked at the hint, which said that it ended with :49 PM, so let's look for it. And I found it.

We saw earlier that one of the scheduled tasks was running Mimikatz, so that is the tool used to get Windows passwords.
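The timeline questions (who logged in last, when John and Jenny last logged on, when the malicious task first ran) can be answered from the event logs without scrolling Event Viewer. This is an added example, not part of the original writeup. It parses the XML of Security event 4624 rather than relying on positional fields, and dates a task's first run from the Task Scheduler operational log (event 106 = task registered, 100 = task started), which only holds data if task history was enabled on the host; the task name passed in is taken from the writeup and is assumed to match the registered name.

```powershell
# Added example (not from the original writeup): logon timeline from Security 4624 events
# and first-run time of a scheduled task from the Task Scheduler operational log. Run elevated.

function Get-LogonEvents {
    param([datetime]$Since = [datetime]::MinValue)
    $filter = @{ LogName = 'Security'; Id = 4624 }
    if ($Since -gt [datetime]::MinValue) { $filter['StartTime'] = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the EventData by name; positional Properties[] indexes differ between OS builds.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            LogonType = [int]$d['LogonType']   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            SourceIP  = $d['IpAddress']
            Process   = $d['ProcessName']
        }
    }
}

$logons = Get-LogonEvents

# Drop computer accounts and service identities; keep the logon types a person generates.
$human = $logons | Where-Object {
    $_.LogonType -in 2, 3, 10 -and
    $_.User -notmatch '\$$' -and
    $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE'
}

# First and last logon per account plus where they came from: answers "who logged in last"
# and "when did John / Jenny last log on" in one table.
$human | Group-Object User | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        User    = $_.Name
        First   = $sorted[0].Time
        Last    = $sorted[-1].Time
        Count   = $_.Count
        Sources = ($sorted.SourceIP | Sort-Object -Unique) -join ','
    }
} | Sort-Object Last -Descending | Format-Table -AutoSize

# Remote logons only, oldest first: the earliest non-local source is the intruder's first foothold.
$human | Where-Object { $_.SourceIP -notin '-', '127.0.0.1', '::1' } |
    Sort-Object Time | Format-Table Time, User, LogonType, SourceIP -AutoSize

# First run of a named task. Task history is off by default on servers, so this can be empty.
function Get-TaskFirstRun {
    param([string]$TaskName)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106, 100 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($TaskName) } |
        Sort-Object TimeCreated |
        Select-Object -First 1 TimeCreated, Id, Message
}
Get-TaskFirstRun -TaskName 'Game Over'   # name as written in the writeup; assumed to be the registered task name
```

Filtering on logon type matters here: service and network-share logons also produce 4624, so an unfiltered list sorted by time puts machine noise, not the attacker, at the top.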

We can find the attacker's external command-and-control server IP by looking at the hosts file at C:\Windows\System32\drivers\etc\hosts. Two interesting entries map well-known sites to the same unusual IP address.

To find the extension of the shell uploaded through the server's website, go to Local Disk > inetpub > wwwroot.

The extension is .jsp. Note that IIS does not execute JSP on its own, so the file's presence proves the upload; whether the shell ever ran depends on a servlet engine being installed behind IIS.
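Both of the last two checks (the hosts file and the web root) are file-system reads that are easier to do programmatically. This is an added example, not part of the original writeup; the paths are the ones named above, and the list of server-side script extensions treated as web-shell candidates is my assumption about what should not appear on a static IIS site.

```powershell
# Added example (not from the original writeup): hosts-file overrides and web-shell hunt. Run elevated.

# 1. hosts file. Any non-comment line is an override the resolver honours before it asks DNS,
#    so a public name mapped here is a local hijack rather than a poisoned DNS record.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$overrides = Get-Content $hostsPath | Where-Object { $_ -notmatch '^\s*(#|$)' } | ForEach-Object {
    $fields = ($_ -replace '#.*$', '').Trim() -split '\s+'
    if ($fields.Count -lt 2) { return }          # malformed line: skip it
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        [pscustomobject]@{ IP = $fields[0]; Host = $name }
    }
}
$overrides | Format-Table -AutoSize

# Group by IP: several public names pointed at one non-loopback address is the pattern in the
# writeup (google.com redirected to the attacker's address).
$overrides |
    Where-Object { $_.IP -notin '127.0.0.1', '::1' } |
    Group-Object IP |
    Select-Object @{ n = 'IP'; e = { $_.Name } }, Count, @{ n = 'Hosts'; e = { $_.Group.Host -join ',' } } |
    Format-Table -AutoSize

# 2. Web root. Server-side script extensions are what a web shell needs; sorting by creation
#    time puts the newest upload last. Extension list is an assumption for a static IIS site.
$webroot   = 'C:\inetpub\wwwroot'
$scriptExt = '.asp', '.aspx', '.ashx', '.asmx', '.php', '.jsp', '.jspx', '.cfm'
Get-ChildItem -Path $webroot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $scriptExt } |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# Anything else that does not belong on a static site (binaries, scripts, archives) is worth a look too.
Get-ChildItem -Path $webroot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.ps1', '.bat', '.zip', '.rar' } |
    Select-Object FullName, CreationTime, LastWriteTime
```

Comparing the web shell's creation time with the 4624 timeline from the Security log is how the upload gets placed relative to the first logon by the attacker.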

To find the last port the attacker opened, go to Windows Firewall with Advanced Security > Inbound Rules.

Let's look at the properties of the suspicious rule: the attacker may have changed the port on an existing rule and not changed it back, so the rule's local port shows which port they used last.

Looks like we found the port.
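Clicking through each rule's properties does not scale, and the GUI gives no timestamp for when a rule was added or edited. The added example below (not part of the original writeup) lists inbound allow rules with their ports, separates hand-made rules from the built-in groups, reads the firewall's own operational log for rule changes, and cross-checks which opened ports actually have a listener. It assumes the firewall operational log has not rolled over; that log is enabled by default but small, so older entries can be gone.

```powershell
# Added example (not from the original writeup): inbound firewall rules, their ports,
# the rule-change history, and what is listening on the opened ports. Run elevated.

# 1. Inbound allow rules with their port and program filters. Built-in rules carry a
#    DisplayGroup ("Remote Desktop", "File and Printer Sharing", ...); a rule with no group was
#    created by hand (netsh / New-NetFirewallRule / the MMC), which is how a listener port gets opened.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Group     = $_.DisplayGroup
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Program   = $app.Program
    }
}

# Hand-made rules that open specific ports: the candidate list for "the last port the attacker opened".
$rules |
    Where-Object { -not $_.Group -and $_.LocalPort -ne 'Any' } |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. Rule change history. The "Windows Firewall With Advanced Security/Firewall" log records
#    2004 (rule added), 2005 (rule modified) and 2006 (rule deleted) with the rule name and ports
#    in the message, so the newest 2004/2005 entry shows the last port change even if the
#    rule was later edited back to its original value.
$fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2004, 2005, 2006 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 3. Cross-check: is anything listening right now on the ports those hand-made rules opened?
$opened = $rules |
    Where-Object { -not $_.Group -and $_.LocalPort -match '^\d+$' } |
    ForEach-Object { [int]$_.LocalPort }
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $opened } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

A port that is open in the firewall but has no listener, or a listener owned by powershell.exe running out of C:\TMP, is the kind of mismatch that confirms the rule was the attacker's rather than an administrator's.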

The site targeted for DNS poisoning was google.com, as we saw earlier in the hosts file. Strictly this is a hosts-file hijack rather than DNS poisoning: the resolver consults the hosts file before querying DNS, so no DNS server was ever touched, but the effect for the user is the same.