# Investigating Windows

![](/files/-MdF4hXjvkipyIrxyT1k)

Let's connect to the machine over RDP using `remmina`.

![](/files/-MdF5HlIwQKoTwaZF7Pq)

![](/files/-MdF5TvS1VO-fCOnGg7h)

We are logged in. Let's go to `Windows > This PC > (Right Click) Properties` to see the system details.

![](/files/-MdF5v2ne4dCM3eZisWY)

![](/files/-MdF60cJjFbo9EaWurpa)

![](/files/-MdF6693DUG3TO0bFwgR)

The last user to log on was `Administrator`, the account we just used for the RDP session.

![](/files/-MdIshnjDFjeciJiDJCr)

Let's check when the user `John` last logged on to the machine.

![](/files/-MdIsvTvuD-yRnzS7JaK)

![](/files/-MdItWlx_30oLCjqqTGS)

Next, let's find the IP address the system connects to when it first starts. Programs that run at boot are listed under the Run key, so open `Start > Regedit` and browse to *`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`*. Let's look at the `UpdateSvc` entry.

![](/files/-MdIvJa70Oewi_Gi5YnD)

We have the IP address.

![](/files/-MdIvQ_6o0LNbHejpyGm)
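The same Run-key check can be done from an elevated PowerShell prompt instead of Regedit. The block below is an added example, not code from the original writeup: it walks the usual Run/RunOnce keys in both hives, prints every autostart command, and pulls out any IPv4 address found either in the command itself or inside a script the command points at (the `UpdateSvc` case above). The key list and the script extensions it opens are assumptions to tune, not something the page specifies.

```powershell
# Added example: enumerate autostart entries in the Run/RunOnce keys and extract
# any IPv4 addresses from the command or from a script the command references.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ipv4Pattern   = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
# assumed set of script types worth opening when an autostart entry points at one
$scriptPattern = '[A-Za-z]:\\[^"\s]+\.(?:ps1|bat|cmd|vbs|js)'
$psNoise       = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            # Get-ItemProperty adds provider bookkeeping properties; skip them
            if ($psNoise -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            $ips = @([regex]::Matches($command, $ipv4Pattern) | ForEach-Object { $_.Value })
            # if the command points at a script, grep the script body as well
            foreach ($m in [regex]::Matches($command, $scriptPattern)) {
                $scriptPath = $m.Value
                if (Test-Path -LiteralPath $scriptPath) {
                    $body = Get-Content -LiteralPath $scriptPath -Raw
                    $ips += @([regex]::Matches($body, $ipv4Pattern) | ForEach-Object { $_.Value })
                }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $command
                IPs     = (($ips | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

Get-AutostartEntries | Format-List
```

The Run keys are only one of many autostart locations (services, scheduled tasks, WMI subscriptions, Winlogon and Explorer shell extensions are others), so treat an empty result as "nothing in Run", not "nothing persists".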

To see which other users have administrative privileges on the system, we can go to *`Start > User Accounts > Manage Accounts`*.

![](/files/-MdIwWTNQBIQ5PuVdV25)

The other account with administrative privileges is `Guest`.

![](/files/-MdIw_cALPGHeOhim1IT)
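The two account questions above (when `John` last logged on, and which accounts besides `Administrator` are administrators) can be answered together from PowerShell. This is an added example rather than the writeup's own steps; it relies on the `LocalAccounts` module cmdlets shipped with Windows 10 / Server 2016 and later, and the account names it filters on are taken from this room.

```powershell
# Added example: local accounts with last logon, enabled state and whether they
# are members of the local Administrators group.
function Get-LocalAccountReport {
    # Get-LocalGroupMember returns names like MACHINE\Guest; keep only the account part
    $adminNames = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            LastLogon = $_.LastLogon          # $null when the account has never logged on
            IsAdmin   = ($adminNames -contains $_.Name)
        }
    } | Sort-Object LastLogon -Descending
}

$report = Get-LocalAccountReport
$report | Format-Table -AutoSize

# the two checks the walkthrough makes by clicking through the GUI
$report | Where-Object Name -eq 'John' | Select-Object Name, LastLogon
$report | Where-Object { $_.IsAdmin -and $_.Name -ne 'Administrator' } | Select-Object Name, Enabled
```

`LastLogon` here comes from the local SAM, so it reflects logons processed by this machine; on older hosts without the module, `net user John` prints the same "Last logon" value. An enabled `Guest` account sitting in `Administrators` is a finding on its own, regardless of whether it ever logged on.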

Now let's find the name of the malicious scheduled task. Go to *`Start > Task Scheduler > Task Scheduler Library`*.

![](/files/-MdIyKudXUNOcRV_Vip0)

Looking through the tasks, `Clean file system` is the malicious one. Despite the housekeeping name, it is triggered to repeat every few minutes and, as the Actions tab below shows, it runs a script out of `C:\TMP` rather than anything that cleans the file system.

![](/files/-MdIyUOlde7fxH1v0RDH)

![](/files/-MdIyaTNo_z5rsd8bdeY)

The file the task runs can be found in the Actions tab.

![](/files/-MdIzIpVGYcbxXuTwwZF)

![](/files/-MdIzN8UmPtRwovLl0Mk)
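Clicking through every task's Actions tab does not scale, so here is an added example (not from the original writeup) that does the same triage from PowerShell: it dumps each task's action, flags tasks that execute out of user-writable directories or invoke a script interpreter, and pulls the registration date out of the task XML, which is the "Created" value the GUI shows in the General tab. The directory and interpreter lists are assumptions chosen for this box (`C:\TMP` is where this room's script lives); tune them for your own estate.

```powershell
# Added example: list scheduled task actions, flagging tasks that run from
# user-writable paths or invoke a script interpreter, with registration date
# and last/next run time. Path and interpreter lists are assumptions.
$suspiciousPaths = @('C:\TMP\', 'C:\Temp\', 'C:\Windows\Temp\', 'C:\Users\', 'C:\ProgramData\')
$interpreters    = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32')

function Get-SuspiciousTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        $xml  = [xml]($task | Export-ScheduledTask)
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute      # empty for non-Exec actions (COM handler, email)
            $arguments = [string]$action.Arguments
            $flags = @()
            foreach ($p in $suspiciousPaths) {
                if ($exe -like "$p*" -or $arguments -like "*$p*") { $flags += "path:$p" }
            }
            if ($exe) {
                # strip quotes and expand %SystemRoot%-style variables before taking the basename
                $exeClean = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
                $base = [IO.Path]::GetFileNameWithoutExtension($exeClean).ToLower()
                if ($interpreters -contains $base) { $flags += "interpreter:$base" }
            }
            if ($flags.Count -eq 0) { continue }
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = $task.State
                Registered = $xml.Task.RegistrationInfo.Date   # $null if the author never set it
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                Execute    = $exe
                Arguments  = $arguments
                Flags      = ($flags -join '; ')
            }
        }
    }
}

Get-SuspiciousTasks | Format-List
```

`Get-ScheduledTaskInfo` only knows the last run, not the first. If you need the first execution of a task, the `Microsoft-Windows-TaskScheduler/Operational` log records it (event 106 when the task was registered, 100 each time it starts) provided task history was enabled; otherwise the `Registered` date above is the closest evidence of when it was planted.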

Let's look at this script: `Start > This PC > Local Disk > TMP > nc`.

![](/files/-MdIzoM3mxa_7d2FJIL2)

It is not well formatted in Notepad, so let's open it in something that displays it properly: right-click the script and choose Edit, which opens it in `Windows PowerShell ISE`.

![](/files/-MdJ-CQe2hoxMkOoezU9)

The port the script listens on is given in its arguments, the same value we saw earlier in the task's Actions tab.

![](/files/-MdJ-fpD4n6blmPSmjjF)

![](/files/-MdJ-kv-KYC5FTdHqkoN)

Next, let's check when the user `Jenny` last logged in.

![](/files/-MdJ-wXcksv9dG7ru_je)

![](/files/-MdJ01dtElePWpLTMthm)

The compromise took place when the Game Over script was first run, so let's see when that was.

![](/files/-MdJ0Wx-5PV1OQJyxhQ2)

![](/files/-MdJ0alSJiioSya078fX)

For the next questions we need the Security log: go to `Event Viewer > Windows Logs > Security > Filter Current Log`, filter on event ID `4624` (a successful account logon), then click the `Date and Time` column header so the earliest entries are at the top.

![](/files/-MdJ1yge0kTY1dpSdK06)

Now I did not know which one it was, so I looked at the hint, which said that it ended with `:49 PM`, so let's look for it. And I found it.

![](/files/-MdJ444j09CgV9-P_Wzs)

![](/files/-MdJ4Dxwzos25-VREz29)
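Scrolling a filtered Event Viewer view works for a lab-sized log; on a real host you want the 4624 events as objects you can sort and filter. The block below is an added example, not part of the original writeup: it reads 4624 events oldest-first, parses the event XML into the fields an analyst cares about (account, logon type, source address, process), and drops the computer-account and service-account noise that makes the raw view hard to read. The logon-type set it keeps is an assumption about what counts as a human logon.

```powershell
# Added example: successful logons (4624) from the Security log as objects,
# oldest first, without machine/service noise. Needs an elevated prompt.
function Get-InteractiveLogons {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -Oldest -MaxEvents $MaxEvents |
        ForEach-Object {
            # the EventData section is a list of <Data Name="...">value</Data> nodes
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = [int]$d.LogonType   # 2 interactive, 3 network, 7 unlock, 10 RDP, 11 cached
                SourceIP  = $d.IpAddress
                Process   = $d.ProcessName
            }
        } |
        Where-Object {
            $_.User -notlike '*$' -and                 # computer accounts end in $
            $_.LogonType -in 2, 3, 7, 10, 11 -and      # assumed "human" logon types
            $_.User -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|ANONYMOUS LOGON)$'
        } |
        Sort-Object Time
}

$logons = Get-InteractiveLogons
$logons | Format-Table -AutoSize
$logons | Select-Object -First 1    # earliest successful logon that is not service noise
```

The hint in this room narrows the timestamp to a `:49` minute, which becomes a one-liner on the parsed objects: `$logons | Where-Object { $_.Time.Minute -eq 49 }`. For an RDP session specifically, look for `LogonType` 10 with a non-local `SourceIP`.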

We saw `Mimikatz` in the Task Scheduler earlier, so that is the tool that was used to get Windows passwords.

![](/files/-MdJ4p1GSml3SeaVslMm)

We can find the external command and control server IP address of the attacker by looking at the hosts file on the machine, at `C:\Windows\System32\drivers\etc\hosts`. Looking at the file, there are two interesting site names that have been pinned to an IP address that does not belong to them.

![](/files/-MdJ6RyCW4OKtq_IemTu)

![](/files/-MdJ6X48pmBQlctCi99O)
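The hosts file is small enough to read by eye here, but a parser is worth having because comments, tabs and several hostnames on one line hide entries from a quick `findstr`. This is an added example, not from the original writeup; it parses the file the way the resolver does (first token is the address, the rest are names, `#` starts a comment) and flags every entry that is neither loopback nor a local name, which is exactly the pattern behind the DNS-poisoning question later on this page. The list of "local" names it ignores is an assumption.

```powershell
# Added example: parse the hosts file and flag entries that pin a public name
# to an address. Flags real hostname/IP pairs, not just lines containing an IP.
function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()       # drop comments, including trailing ones
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }         # address with no names: nothing to resolve
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $isLoopback  = $ip -in '127.0.0.1', '::1'
            # assumed set of names that legitimately live in a hosts file
            $isLocalName = $name -in 'localhost', 'localhost.localdomain' -or $name -like '*.local'
            [pscustomobject]@{
                IP         = $ip
                Hostname   = $name
                Suspicious = (-not $isLoopback -and -not $isLocalName)
            }
        }
    }
}

$entries = Get-HostsEntries
$entries | Format-Table -AutoSize
$entries | Where-Object Suspicious | Select-Object Hostname, IP   # the poisoned names and the C2 address
```

Two names mapped to the same non-public address, as on this machine, gives you both answers at once: the hostnames are the poisoning targets and the shared address is where the attacker wants that traffic to go. Because hosts-file entries bypass DNS, this will not show up in DNS server logs; endpoint file-integrity monitoring on this path is the detection.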

To find the extension of the shell uploaded through the server's website, go to *`Local Disk > inetpub > wwwroot`*.

![](/files/-MdJ75OZJvoXJTEGADrz)

The extension is `.jsp`

![](/files/-MdJ7AceZFjiUA8og4Cc)

To find the last port the attacker opened, go to `Windows Firewall > Inbound Rules`.

![](/files/-MdJ84iqPnIn-fEMFan6)

Let's look at the properties of the selected rule: the port the attacker used last is likely still in it, since they changed the port and never changed it back.

![](/files/-MdJ8MgryzpAv9IjNzPW)

Looks like we found the port.

![](/files/-MdJ8Qna0ogp2Se_qrV6)
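The last three findings on this page (the listener port in the `nc` script, the web shell in `wwwroot`, and the firewall rule the attacker left behind) are all network-exposure questions, so here they are as one added example, not code from the original writeup. It lists server-side script files under the IIS web root newest first, enumerates enabled inbound allow rules with the ports they open, and maps every listening TCP port to the process and command line behind it, so a `powershell ... -l -p <port>` listener shows up next to the rule that lets it in. The web-root path and the script-extension list are assumptions.

```powershell
# Added example: three checks for the web-facing side of the host.
$webRoot   = 'C:\inetpub\wwwroot'                                  # assumed IIS root
$scriptExt = '.jsp', '.asp', '.aspx', '.php', '.ashx', '.asmx', '.cfm', '.war'

# 1) server-side script files in the web root, newest first: a web shell is usually
#    the odd file out by extension and by timestamp
function Get-WebShellCandidates {
    param([string]$Root = $webRoot)
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# 2) enabled inbound allow rules and the local ports they open
function Get-OpenInboundPorts {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $app  = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Profile   = $rule.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')   # string or string[] depending on the rule
                Program   = $app.Program
            }
        } |
        Where-Object { $_.LocalPort -ne 'Any' } |
        Sort-Object Name
}

# 3) what is actually listening, with the owning process and its command line
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $procId = $_.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $cim    = Get-CimInstance Win32_Process -Filter "ProcessId = $procId"
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $procId
            Process      = $proc.ProcessName
            CommandLine  = $cim.CommandLine
        }
    } | Sort-Object LocalPort
}

Get-WebShellCandidates | Format-Table -AutoSize
Get-OpenInboundPorts   | Format-Table -AutoSize
Get-ListeningPorts     | Format-Table -AutoSize
```

Windows Firewall does not store a creation time on rules, so "the last port the attacker opened" has to come from the rule that is still there, as the walkthrough does, or from the Security log: event 4946 ("a rule was added") and 4947 ("a rule was modified") record the rule name and time, but only if "Audit MPSSVC Rule-Level Policy Change" auditing was enabled before the change.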

The site that was targeted for DNS poisoning was `google.com`, as we saw earlier in the hosts file.

![](/files/-MdJ7Ree0TdD4IEFaEco)

![](/files/-MdJ8Wl4nxdIPR7yQFw8)

