Forem: Ricardo Santos

TryHackMe | Windows PowerShell | RSCyberTech

Ricardo Santos — Fri, 03 Jan 2025 18:32:37 +0000

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

Platform: TryHackMe

Learning Path: Cyber Security 101

Room: Windows PowerShell

1️⃣ Task 1 - Introduction

no answer needed

2️⃣ Task 2 - What Is PowerShell

What do we call the advanced approach used to develop PowerShell?

Answer ✅

object-oriented

Workflow / Justification / Source / Steps / Reasoning

“… Snover’s solution was to develop an object-oriented approach…”
Mentioned in the section’s text.

3️⃣ Task 3 - PowerShell Basics

How would you retrieve a list of commands that start with the verb `Remove`? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Get-Command -Name Remove*

Workflow / Justification / Source / Steps / Reasoning

“To list all available cmdlets, functions, aliases, and scripts that can be executed in the current PowerShell session, we can use Get-Command. It’s an essential tool for discovering what commands one can use. … or each CommandInfo object retrieved by the cmdlet, some essential information (properties) is displayed on the console. It’s possible to filter the list of commands based on displayed property values. For example, if we want to display only the available commands of type “function”, we can use -CommandType "Function""
Mentioned in the section’s text.
check help page of the Get-Command for more info, like the -name parameter

What cmdlet has its traditional counterpart `echo` as an alias?

Answer ✅

Write-Output

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> get-help *alias*              
Name                              Category  Module                    Synopsis
----                              --------  ------                    --------
Export-Alias                      Cmdlet    Microsoft.PowerShell.U... Exports information about currently defined aliases to a file.
Get-Alias                         Cmdlet    Microsoft.PowerShell.U... Gets the aliases for the current session.
Import-Alias                      Cmdlet    Microsoft.PowerShell.U... Imports an alias list from a file.
New-Alias                         Cmdlet    Microsoft.PowerShell.U... Creates a new alias.
Set-Alias                         Cmdlet    Microsoft.PowerShell.U... Creates or changes an alias for a cmdlet or other command in the current PowerShell session.
about_Aliases                     HelpFile
about_Alias_Provider              HelpFile

PS C:\Users\captain> get-alias -Name echo
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Alias           echo -> Write-Output

What is the command to retrieve some example usage for the cmdlet `New-LocalUser`?

Answer ✅

Get-Help New-LocalUser -examples

Workflow / Justification / Source / Steps / Reasoning

“Another essential cmdlet to keep in our tool belt is Get-Help: it provides detailed information about cmdlets, including usage, parameters, and examples. It’s the go-to cmdlet for learning how to use PowerShell commands.”
Mentioned in the section’s text.

4️⃣ Task 4 - Navigating the File System and Working with Files

What cmdlet can you use instead of the traditional Windows command `type`?

Answer ✅

Get-Content

Workflow / Justification / Source / Steps / Reasoning

“Finally, to read and display the contents of a file, we can use the Get-Content cmdlet, which works similarly to the type command in Command Prompt (or cat in Unix-like systems).”
Present in the text

What PowerShell command would you use to display the content of the "C:\Users" directory? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Get-ChildItem

Workflow / Justification / Source / Steps / Reasoning

”…Get-ChildItem lists the files and directories in a location specified with the -Path parameter. It can be used to explore directories and view their contents…”
Present in the text

How many items are displayed by the command described in the previous question?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> ( Get-ChildItem -Path C:\Users).count
4

5️⃣ Task 5 - Piping, Filtering, and Sorting Data

How would you retrieve the items in the current directory with size greater than 100? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Get-ChildItem | Where-Object -Property Length -gt 100

Workflow / Justification / Source / Steps / Reasoning

Crafted from the examples in the text

6️⃣ Task 6 - System and Network Information

Other than your current user and the default "Administrator" account, what other user is enabled on the target machine?

Answer ✅

p1r4t3

Workflow / Justification / Source / Steps / Reasoning

```
PS C:\Users\captain> Get-LocalUser
Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
captain            True    The beloved captain of this pirate ship.
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
p1r4t3             True    A merry life and a short one.
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.
```

This lad has hidden his account among the others with no regard for our beloved captain! What is the motto he has so bluntly put as his account's description?

Answer ✅

A merry life and a short one.

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> Get-LocalUser
Name               Enabled Description
----               ------- -----------
Administrator      True    Built-in account for administering the computer/domain
captain            True    The beloved captain of this pirate ship.
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
p1r4t3             True    A merry life and a short one.
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scenarios.

Now a small challenge to put it all together. This shady lad that we just found hidden among the local users has his own home folder in the "C:\Users" directory. Can you navigate the filesystem and find the hidden treasure inside this pirate's home?

Answer ✅

THM{p34rlInAsh3ll}

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> cat ..\p1r4t3\hidden-treasure-chest\big-treasure.txt
            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'|  hjw
        "----^----"
FLAG: THM{p34rlInAsh3ll}

7️⃣ Task 7 - Real-Time System Analysis

In the previous task, you found a marvellous treasure carefully hidden in the target machine. What is the hash of the file that contains it?

Answer ✅

71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> get-filehash ..\p1r4t3\hidden-treasure-chest\big-treasure.txt   
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08       C:\Users\p1r4t3\hidden-treasure-chest\big-treasure.txt

What property retrieved by default by `Get-NetTCPConnection` contains information about the process that has started the connection?

Answer ✅

OwningProcess

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> Get-NetTCPConnection | get-member | sort name | where {$_.name -imatch "process"}   
   TypeName: Microsoft.Management.Infrastructure.CimInstance#ROOT/StandardCimv2/MSFT_NetTCPConnection
Name          MemberType Definition
----          ---------- ----------
OwningProcess Property   uint32 OwningProcess {get;}

It's time for another small challenge. Some vital service has been installed on this pirate ship to guarantee that the captain can always navigate safely. But something isn't working as expected, and the captain wonders why. Investigating, they find out the truth, at last: the service has been tampered with! The shady lad from before has modified the service `DisplayName` to reflect his very own motto, the same that he put in his user description. With this information and the PowerShell knowledge you have built so far, can you find the service name?

Answer ✅

p1r4t3-s-compass

Workflow / Justification / Source / Steps / Reasoning

PS C:\Users\captain> Get-Service | sort name | where {$_.DisplayName -imatch "A merry life and a short one"}
Status   Name               DisplayName
------   ----               -----------
Running  p1r4t3-s-compass   A merry life and a short one.

8️⃣ Task 8 - Scripting

What is the syntax to execute the command `Get-Service` on a remote computer named "RoyalFortune"? Assume you don't need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Invoke-Command -ComputerName RoyalFortune -ScriptBlock { Get-Service }

Workflow / Justification / Source / Steps / Reasoning

crafted from the text examples

9️⃣ Task 9 - Conclusion

no answer needed

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

TryHackMe | Windows Command Line | RSCyberTech

Ricardo Santos — Tue, 24 Dec 2024 12:36:11 +0000

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

Platform: TryHackMe

Learning Path: Cyber Security 101

Room: Windows Command Line

1️⃣ Task 1 - Introduction

What is the default command line interpreter in the Windows environment?

Answer ✅

cmd.exe

Justification / Source

“The purpose of this room is to teach you how to use MS Windows Command Prompt cmd.exe, the default command-line interpreter in the Windows environment.”
Mentioned in the section’s text.

Steps

2️⃣ Task 2 - Basic System Information

What is the OS version of the Windows VM?

Answer ✅

10.0.20348.2655

Justification / Source

“Let’s use the ver command to determine the operating system (OS) version.”
Mentioned in the section’s text.

Steps

```
user@WINSRV2022-CORE C:\Users\user>ver

Microsoft Windows [Version 10.0.20348.2655]
```

What is the hostname of the Windows VM?

Answer ✅

WINSRV2022-CORE

Justification / Source

“We can run the systeminfo command to list various information about the system such as OS information, system details, processor and memory.”
Mentioned in the section’s text.

Steps

user@WINSRV2022-CORE C:\Users\user>systeminfo

Host Name:                 WINSRV2022-CORE
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00454-60000-00001-AA763
Original Install Date:     4/23/2024, 7:36:29 PM
System Boot Time:          12/24/2024, 11:11:47 AM
System Manufacturer:       Amazon EC2
System Model:              t3a.micro
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     980 MB
Available Physical Memory: 127 MB
Virtual Memory: Max Size:  1,300 MB
Virtual Memory: Available: 357 MB
Virtual Memory: In Use:    943 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5041948
                           [02]: KB5041160
                           [03]: KB5041590
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.151.7
                                 [02]: fe80::8d9b:8b8f:6409:e143
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

3️⃣ Task 3 - Network Troubleshooting

Which command can we use to look up the server’s physical address (MAC address)?

Answer ✅

ipconfig /all

Justification / Source

“You can also use ipconfig /all for more information about your network configuration.”
Mentioned in the section’s text.

Steps

user@WINSRV2022-CORE C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.compute.internal
                                       eu-west-1.ec2-utilities.amazonaws.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-75-36-8B-3C-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d9b:8b8f:6409:e143%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.151.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 24, 2024 11:12:18 AM
   Lease Expires . . . . . . . . . . : Tuesday, December 24, 2024 12:42:18 PM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 84601211
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-B9-B7-EF-00-0C-29-FF-E5-C8
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

What is the name of the process listening on port 3389?

Answer ✅

TermService

Justification / Source

“The final networking command we will cover in this room is netstat. This command displays current network connections and listening ports. … -a displays all established connections and listening ports -b shows the program associated with each listening port and established connection”
Mentioned in the section’s text.

Steps

user@WINSRV2022-CORE C:\Users\user>netstat -ab   

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:135            WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:47001          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49665          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49666          WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49667          WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49668          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    10.10.151.7:22         ip-10-11-34-174:46794  ESTABLISHED
 [sshd.exe]
  TCP    10.10.151.7:139        WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:22                WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    [::]:135               WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:3389              WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    [::]:5985              WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:47001             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    [::]:49665             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49666             WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49667             WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49668             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:3389           *:*
  TermService
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50180          *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50377          *:*
  Dnscache
 [svchost.exe]
  UDP    10.10.151.7:137        *:*
 Can not obtain ownership information
  UDP    10.10.151.7:138        *:*
 Can not obtain ownership information
  UDP    127.0.0.1:61602        127.0.0.1:61602
  iphlpsvc
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:3389              *:*
  TermService
 [svchost.exe]
  UDP    [::]:4500              *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5353              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50180             *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50377             *:*
  Dnscache
 [svchost.exe]

What is the subnet mask?

Answer ✅

255.255.0.0

Justification / Source

“You can also use ipconfig /all for more information about your network configuration.”
Mentioned in the section’s text.

Steps

user@WINSRV2022-CORE C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.compute.internal
                                       eu-west-1.ec2-utilities.amazonaws.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-75-36-8B-3C-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d9b:8b8f:6409:e143%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.151.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 24, 2024 11:12:18 AM
   Lease Expires . . . . . . . . . . : Tuesday, December 24, 2024 12:42:18 PM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 84601211
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-B9-B7-EF-00-0C-29-FF-E5-C8
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

4️⃣ Task 4 - File and Disk Management

What are the file’s contents in C:\Treasure\Hunt?

Answer ✅

THM{CLI_POWER}

Justification / Source

“You can easily view text files with the command type.”
Mentioned in the section’s text.

Steps

SRV2022-CORE C:\Users\user>type C:\Treasure\Hunt\flag.txt 

THM{CLI_POWER}

5️⃣ Task 5 - Task and Process Management

What command would you use to find the running processes related to notepad.exe?

Answer ✅

tasklist /FI "imagename eq notepad.exe”

Justification / Source

“Let’s say that we want to search for tasks related to sshd.exe, we can do that with the command tasklist /FI "imagename eq sshd.exe". Note that /FI is used to set the filter image name equals sshd.exe.”
Mentioned in the section’s text.

Steps

What command can you use to kill the process with PID 1516?

Answer ✅

taskkill /PID 1516

Justification / Source

“With the process ID (PID) known, we can terminate any task using taskkill /PID target_pid. For example, if we want to kill the process with PID 4567, we would issue the command taskkill /PID 4567.”
Mentioned in the section’s text.

Steps

6️⃣ Task 6 - Conclusion

The command `shutdown /s` can shut down a system. What is the command you can use to restart a system?

Answer ✅

shutdown /r

Justification / Source

Steps

user@WINSRV2022-CORE C:\Users\user>shutdown /?
Usage: shutdown [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

    No args    Display help. This is the same as typing /?.
    /?         Display help. This is the same as not typing any options.
    /i         Display the graphical user interface (GUI).
               This must be the first option.
    /l         Log off. This cannot be used with /m or /d options.
    /s         Shutdown the computer.
    /sg        Shutdown the computer. On the next boot, if Automatic Restart Sign-On
               is enabled, automatically sign in and lock last interactive user.
               After sign in, restart any registered applications.
    /r         Full shutdown and restart the computer.
    /g         Full shutdown and restart the computer. After the system is rebooted,
               if Automatic Restart Sign-On is enabled, automatically sign in and
               lock last interactive user.
               After sign in, restart any registered applications.
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
    /p         Turn off the local computer with no time-out or warning.
               Can be used with /d and /f options.
    /h         Hibernate the local computer.
               Can be used with the /f option.
    /hybrid    Performs a shutdown of the computer and prepares it for fast startup.
               Must be used with /s option.
    /fw        Combine with a shutdown option to cause the next boot to go to the
               firmware user interface.
    /e         Document the reason for an unexpected shutdown of a computer.
    /o         Go to the advanced boot options menu and restart the computer.
               Must be used with /r option.
    /m \\computer Specify the target computer.
    /t xxx     Set the time-out period before shutdown to xxx seconds.
               The valid range is 0-315360000 (10 years), with a default of 30.
               If the timeout period is greater than 0, the /f parameter is
               implied.
    /c "comment" Comment on the reason for the restart or shutdown.
               Maximum of 512 characters allowed.
    /f         Force running applications to close without forewarning users.
               The /f parameter is implied when a value greater than 0 is
               specified for the /t parameter.
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
               p indicates that the restart or shutdown is planned.
               u indicates that the reason is user defined.
               If neither p nor u is specified the restart or shutdown is
               unplanned.
               xx is the major reason number (positive integer less than 256).
               yy is the minor reason number (positive integer less than 65536).
Failed to get retrieve reasons.

What command can you use to abort a scheduled system shutdown?

Answer ✅

shutdown /a

Justification / Source

Steps

user@WINSRV2022-CORE C:\Users\user>shutdown /?
Usage: shutdown [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

    No args    Display help. This is the same as typing /?.
    /?         Display help. This is the same as not typing any options.
    /i         Display the graphical user interface (GUI).
               This must be the first option.
    /l         Log off. This cannot be used with /m or /d options.
    /s         Shutdown the computer.
    /sg        Shutdown the computer. On the next boot, if Automatic Restart Sign-On
               is enabled, automatically sign in and lock last interactive user.
               After sign in, restart any registered applications.
    /r         Full shutdown and restart the computer.
    /g         Full shutdown and restart the computer. After the system is rebooted,
               if Automatic Restart Sign-On is enabled, automatically sign in and
               lock last interactive user.
               After sign in, restart any registered applications.
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
    /p         Turn off the local computer with no time-out or warning.
               Can be used with /d and /f options.
    /h         Hibernate the local computer.
               Can be used with the /f option.
    /hybrid    Performs a shutdown of the computer and prepares it for fast startup.
               Must be used with /s option.
    /fw        Combine with a shutdown option to cause the next boot to go to the
               firmware user interface.
    /e         Document the reason for an unexpected shutdown of a computer.
    /o         Go to the advanced boot options menu and restart the computer.
               Must be used with /r option.
    /m \\computer Specify the target computer.
    /t xxx     Set the time-out period before shutdown to xxx seconds.
               The valid range is 0-315360000 (10 years), with a default of 30.
               If the timeout period is greater than 0, the /f parameter is
               implied.
    /c "comment" Comment on the reason for the restart or shutdown.
               Maximum of 512 characters allowed.
    /f         Force running applications to close without forewarning users.
               The /f parameter is implied when a value greater than 0 is
               specified for the /t parameter.
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
               p indicates that the restart or shutdown is planned.
               u indicates that the reason is user defined.
               If neither p nor u is specified the restart or shutdown is
               unplanned.
               xx is the major reason number (positive integer less than 256).
               yy is the minor reason number (positive integer less than 65536).
Failed to get retrieve reasons.

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

TryHackMe | Search Skills | RSCyberTech

Ricardo Santos — Sat, 02 Nov 2024 22:03:40 +0000

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

Platform: TryHackMe

Learning Path: Cyber Security 101

Room: Search Skills

1️⃣ Task 1 - Introduction

no answer needed

2️⃣ Task 2 - Evaluation of Search Results

What do you call a cryptographic method or product considered bogus or fraudulent?

Answer ✅

Snake oil

Justification / Source

“In cryptography, snake oil is any cryptographic method or product considered to be bogus or fraudulent.”
https://en.wikipedia.org/wiki/Snake_oil_(cryptography)#:~:text=In cryptography%2C snake oil is,in 19th century United States.

Steps

Google search for “cryptographic method or product considered to be bogus or fraudulent”

What is the name of the command replacing `netstat` in Linux systems?

Answer ✅

ss

Justification / Source

“Formally, ss is the **socket statistics* command that replaces netstat .”*
https://www.redhat.com/en/blog/ss-command#:~:text=Formally%2C ss is the socket,commands and their ss replacements.

Steps

Google search for “name of the command replacing netstat in Linux systems”

3️⃣ Task 3 - Search Engines

How would you limit your Google search to PDF files containing the terms cyber warfare report?

Answer ✅

filetype:pdf cyber warfare report

Justification / Source

Information present in the section’s text

Steps

What phrase does the Linux command `ss` stand for?

Answer ✅

socket statistics

Justification / Source

“The ss (socket statistics) command is a powerful tool in Linux used for examining sockets.”
https://www.sans.org/blog/linux-incident-response-using-ss-for-network-analysis/

Steps

Google search for “ss command meaning”

4️⃣ Task 4 - Specialized Search Engines

What is the top country with lighttpd servers?

Answer ✅

United States

Justification / Source

https://www.shodan.io/search?query=httpd

Steps

Searching for httpd on shodan.io
Looking at the top countries section on the left side menu

What does BitDefenderFalx detect the file with the hash `2de70ca737c1f4602517c555ddd54165432cf231ffc0e21fb2e23b9dd14e7fb4` as?

Answer ✅

Android.Riskware.Agent.LHH

Justification / Source

“BitDefenderFalx **Android.Riskware.Agent.LHH”
https://www.virustotal.com/gui/file/2de70ca737c1f4602517c555ddd54165432cf231ffc0e21fb2e23b9dd14e7fb4

Steps

Searching the provided hash in VirusTotal.com
Looking at the BitDefender result

5️⃣ Task 5 - Vulnerabilities and Exploits

What utility does CVE-2024-3094 refer to?

Answer ✅

xz

Justification / Source

“Malicious code was discovered in the upstream tarballs of **xz”
https://nvd.nist.gov/vuln/detail/CVE-2024-3094?ref=thestack.technology

Steps

Google search for “CVE-2024-3094”

6️⃣ Task 6 - Technical Documentation

What does the Linux command `cat` stand for?

Answer ✅

concatenate

Justification / Source

“cat - **concatenate* files and print on the standard output”*
https://linux.die.net/man/1/cat

Steps

Google search for “man cat”

What is the `netstat` parameter in MS Windows that displays the executable associated with each active connection and listening port?

Answer ✅

-b

Justification / Source

- “-b - Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.”

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/netstat

Steps

Google search for “netstat windows”

7️⃣ Task 7 - Social Media

You are hired to evaluate the security of a particular company. What is a popular social media website you would use to learn about the technical background of one of their employees?

Answer ✅

LinkedIn

Justification / Source

Steps

Continuing with the previous scenario, you are trying to find the answer to the secret question, “Which school did you go to as a child?”. What social media website would you consider checking to find the answer to such secret questions?

Answer ✅

Facebook

Justification / Source

Steps

8️⃣ Task 8 - Conclusion

No answer needed

➡️ By @RSCyberTech

Website: RSCyberTech.com
LinkedIn: linkedin.com/in/ricardoams

Forem: Ricardo Santos

TryHackMe | Windows PowerShell | RSCyberTech

1️⃣ Task 1 - Introduction

2️⃣ Task 2 - What Is PowerShell

What do we call the advanced approach used to develop PowerShell?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

3️⃣ Task 3 - PowerShell Basics

How would you retrieve a list of commands that start with the verb Remove? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

What cmdlet has its traditional counterpart echo as an alias?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

What is the command to retrieve some example usage for the cmdlet New-LocalUser?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

4️⃣ Task 4 - Navigating the File System and Working with Files

What cmdlet can you use instead of the traditional Windows command type?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

What PowerShell command would you use to display the content of the "C:\Users" directory? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

How many items are displayed by the command described in the previous question?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

5️⃣ Task 5 - Piping, Filtering, and Sorting Data

How would you retrieve the items in the current directory with size greater than 100? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

6️⃣ Task 6 - System and Network Information

Other than your current user and the default "Administrator" account, what other user is enabled on the target machine?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

This lad has hidden his account among the others with no regard for our beloved captain! What is the motto he has so bluntly put as his account's description?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

Now a small challenge to put it all together. This shady lad that we just found hidden among the local users has his own home folder in the "C:\Users" directory. Can you navigate the filesystem and find the hidden treasure inside this pirate's home?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

7️⃣ Task 7 - Real-Time System Analysis

In the previous task, you found a marvellous treasure carefully hidden in the target machine. What is the hash of the file that contains it?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

What property retrieved by default by Get-NetTCPConnection contains information about the process that has started the connection?

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

8️⃣ Task 8 - Scripting

What is the syntax to execute the command Get-Service on a remote computer named "RoyalFortune"? Assume you don't need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (" or ') in your answer]

Answer ✅

Workflow / Justification / Source / Steps / Reasoning

9️⃣ Task 9 - Conclusion

TryHackMe | Windows Command Line | RSCyberTech

1️⃣ Task 1 - Introduction

What is the default command line interpreter in the Windows environment?

Answer ✅

Justification / Source

Steps

2️⃣ Task 2 - Basic System Information

What is the OS version of the Windows VM?

Answer ✅

Justification / Source

Steps

What is the hostname of the Windows VM?

Answer ✅

Justification / Source

Steps

3️⃣ Task 3 - Network Troubleshooting

Which command can we use to look up the server’s physical address (MAC address)?

Answer ✅

Justification / Source

Steps

What is the name of the process listening on port 3389?

Answer ✅

Justification / Source

Steps

What is the subnet mask?

How would you retrieve a list of commands that start with the verb `Remove`? [for the sake of this question, avoid the use of quotes (" or ') in your answer]

What cmdlet has its traditional counterpart `echo` as an alias?

What is the command to retrieve some example usage for the cmdlet `New-LocalUser`?

What cmdlet can you use instead of the traditional Windows command `type`?

What property retrieved by default by `Get-NetTCPConnection` contains information about the process that has started the connection?

What is the syntax to execute the command `Get-Service` on a remote computer named "RoyalFortune"? Assume you don't need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (" or ') in your answer]

The command `shutdown /s` can shut down a system. What is the command you can use to restart a system?

What is the name of the command replacing `netstat` in Linux systems?

What phrase does the Linux command `ss` stand for?

What does BitDefenderFalx detect the file with the hash `2de70ca737c1f4602517c555ddd54165432cf231ffc0e21fb2e23b9dd14e7fb4` as?

What does the Linux command `cat` stand for?

What is the `netstat` parameter in MS Windows that displays the executable associated with each active connection and listening port?