Writeup: Advent of Cyber 3 Day 13 - AtomicMaya/knowledge-base GitHub Wiki

Advent of Cyber - Day 13

Link: Advent Of Cyber 3 on TryHackMe

Question 1

Complete the username: p.....

Command: net users

Answer: pepper

Question 2

What is the OS version?

Command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Answer: 10.0.17763 N/A Build 17763

Question 3

What backup service did you find running on the system?

Command: wmic service list | Out-File -FilePath dump.txt

Here I am dumping it into a file for convenience's sake, but probably avoid doing this during an engagement.

Answer: IperiusSvc

Question 4

What is the path of the executable for the backup service you have identified?

Answer: C:\Program Files (x86)\Iperius Backup\IperiusService.exe
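The `wmic service list` dump from Question 3 is verbose, so the following added example (not code from the original writeup) parses that Property=Value layout and pulls out running services whose name or binary path mentions "backup", returning the unquoted executable path and the account the service starts as. `DUMP` is a constructed excerpt: only a few of the real Win32_Service properties are shown, and the `StartName` values are made up for illustration.

```python
"""Locate the running backup service in a 'wmic service list' dump.

Added example; not from the original writeup. DUMP below is a CONSTRUCTED
excerpt in the Property=Value layout that 'wmic service list' (FULL format)
prints, one blank-line-separated block per service. Only a handful of the
real Win32_Service properties are included, and the StartName values are
made up for illustration.
"""

DUMP = r"""
Name=Spooler
PathName=C:\Windows\System32\spoolsv.exe
StartMode=Auto
StartName=LocalSystem
State=Running

Name=IperiusSvc
PathName="C:\Program Files (x86)\Iperius Backup\IperiusService.exe"
StartMode=Auto
StartName=LocalSystem
State=Running

Name=OldBackupAgent
PathName="C:\Program Files\Old Backup Agent\agent.exe"
StartMode=Disabled
StartName=LocalSystem
State=Stopped
"""


def parse_wmic_dump(text):
    """Split the dump into one dict per service block (blank line = separator)."""
    services, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                services.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        services.append(current)
    return services


def executable_path(pathname):
    """Strip the quotes wmic prints around paths that contain spaces."""
    return pathname.strip().strip('"')


def find_backup_services(services, keyword="backup", running_only=True):
    """Return services whose Name or PathName mentions the keyword."""
    hits = []
    for svc in services:
        haystack = (svc.get("Name", "") + " " + svc.get("PathName", "")).lower()
        if keyword.lower() not in haystack:
            continue
        if running_only and svc.get("State") != "Running":
            continue
        hits.append({
            "Name": svc.get("Name", ""),
            "Path": executable_path(svc.get("PathName", "")),
            "Account": svc.get("StartName", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_backup_services(parse_wmic_dump(DUMP)):
        print(f'{hit["Name"]}: {hit["Path"]} (runs as {hit["Account"]})')
```

Reading the `Account` column alongside the path is the defender's takeaway: a service that executes user-supplied scripts under a different account than the user who configured the job is the condition that the rest of this writeup exploits.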

Question 5

Run the whoami command on the connection you have received on your attacking machine. What user do you have?

Step 1:

Create evil.bat.

Step 2:

Create the backup job.

Step 3:

Set the destination.

Step 4:

Set up the pre-script.

Step 5:

Start the listener: nc -lvnp 1234

Step 6:

Start the backup as a service.

Step 7:

Profit!

Answer: the-grinch-hack\thegrinch
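The chain in Steps 1 to 7 leaves a clear footprint: the backup service process launches a script interpreter to run the pre-script. The following added example (not part of the original writeup) is detection logic over constructed Sysmon-style process-creation events that flags exactly that, using the `IperiusService.exe` path from Question 4 as the parent. The event lines, the `evil.bat` location and the event field layout are constructed for the example; the `User` value on the flagged line reuses the account from this question's answer.

```python
"""Flag the backup service spawning a script interpreter.

Added example, not part of the original writeup. SAMPLE_EVENTS are
CONSTRUCTED lines in a simplified 'Key=Value|Key=Value' layout whose field
names follow Sysmon Event ID 1 (process creation). The evil.bat path and the
non-flagged lines are made up for illustration.
"""
import re
from dataclasses import dataclass

# Service binary identified in Question 4 of the writeup.
BACKUP_SERVICE_IMAGE = r"C:\Program Files (x86)\Iperius Backup\IperiusService.exe"

# Interpreters a pre-/post-backup script is normally executed through.
SCRIPT_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SAMPLE_EVENTS = [
    # Interactive shell opened by a user: benign.
    r'EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe|User=THM\pepper',
    # The backup service running a batch pre-script: this is what we want to see.
    r'EventID=1|ParentImage=C:\Program Files (x86)\Iperius Backup\IperiusService.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c "C:\Users\pepper\Desktop\evil.bat"|User=the-grinch-hack\thegrinch',
    # Service spawning a console host: not a script interpreter, ignored.
    r'EventID=1|ParentImage=C:\Program Files (x86)\Iperius Backup\IperiusService.exe|Image=C:\Windows\System32\conhost.exe|CommandLine=conhost.exe|User=the-grinch-hack\thegrinch',
    # A network event: wrong event type, ignored.
    r'EventID=3|Image=C:\Windows\System32\cmd.exe|DestinationPort=1234|User=the-grinch-hack\thegrinch',
]


@dataclass
class Finding:
    user: str
    interpreter: str
    script: str
    line_no: int


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse the constructed 'Key=Value' pairs separated by '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_script(cmdline):
    """Pull a .bat/.cmd/.ps1 path out of the command line, if present."""
    m = re.search(r'"?([A-Za-z]:\\[^"]*?\.(?:bat|cmd|ps1))"?', cmdline, re.IGNORECASE)
    return m.group(1) if m else ""


def detect(lines):
    """Return a Finding for every interpreter launched by the backup service."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if ev.get("ParentImage", "").lower() != BACKUP_SERVICE_IMAGE.lower():
            continue
        if basename(ev.get("Image", "")) not in SCRIPT_INTERPRETERS:
            continue
        findings.append(Finding(
            user=ev.get("User", "?"),
            interpreter=basename(ev["Image"]),
            script=extract_script(ev.get("CommandLine", "")),
            line_no=n,
        ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.interpreter} ran {f.script or '<no script>'} as {f.user}")
```

Keying on the parent image rather than on the script name is deliberate: the file in Step 1 can be called anything, but the service binary's path is fixed, and a legitimate backup job that genuinely needs a pre-script will show up here too, which is the point: each hit should be matched against an approved job, and any interpreter running under an account other than the one that created the job is the condition to act on.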

Question 6

What is the content of the flag.txt file?

Answer: THM-736635221

Question 7

The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?

Answer: jazzercize