InvestigatingWindows - mattit4o/TryHackMeWriteUps GitHub Wiki

Investigating Windows

A https://tryhackme.com Subscriber room

This room is a typical example of what an IT person might be faced with when they come across a server that has been attacked.

The challenge has a few tasks to see if you can locate how and when the compromise has occurred. You connect to the machine using RDP through the TryHackMe website.

Try Hack Me Investigating Windows


Initial recon

When you start the server there does not appear to be anything running initially. However, a popup soon appears saying that the .NET Framework 3.5 could not be installed.

dotnet popup

You can get to the cmd.exe prompt.

command prompt

You can open Windows Explorer. From the recent files you can see there has been some activity in c:\tmp, c:\inetpub\wwwroot and c:\windows\system32\drivers\etc\hosts.

explorer recent files

Tasks

#1 What's the version and year of the Windows machine?

Running "ver" at the cmd prompt reports Microsoft Windows [Version 10.0.14393].

command prompt

Checking Control Panel -> System and Security -> System (or Properties on "This PC") shows the version of the operating system.

windows system

#2 Which user logged in last?

Check the Security event log in Event Viewer. Use a filter to reduce the number of events, for example filter on Event ID 4624 (successful logon). You will see that you are the most recent login, which is not much help.

event manager

#3 When did John log onto the system last? Answer format: MM/DD/YYYY H:MM:SS AM/PM

john logon

The best way to check this is via the cmd prompt, using the net user command. "net user" on its own lists the local users on the server.

net user

"net user John" provides the answer we are looking for (the "Last logon" line).

net user john

#4 What IP does the system connect to when it first starts?

Checking the event logs again does not give this one away; the answer was found in the registry (regedit).

regedit

#5 What two accounts had administrative privileges (other than the Administrator user)? Answer format: username1, username2

This can be checked via Computer Management (Local Users and Groups) or from the cmd prompt with net localgroup.

computer management groups

net user groups

#6 What's the name of the scheduled task that is malicious?

Check Task Scheduler.

task scheduler

#7 What file was the task trying to run daily?

It is shown on the Actions tab of the task.

task run

#8 What port did this file listen locally for?

The port is also shown on the Actions tab of the task.

#9 When did Jenny last logon?

Use "net user jenny" to find the answer.

net user jenny

#10 At what date did the compromise take place? (typo in the question) Answer format: MM/DD/YYYY

Check the event logs for the date of the activity.

event date

#11 At what time did Windows first assign special privileges to a new logon? Answer format: MM/DD/YYYY HH:MM:SS AM/PM

Check the event logs (Event ID 4672, "Special privileges assigned to new logon").

special priv event

#12 What tool was used to get Windows passwords?

Check the text files in the c:\tmp folder; one of them has been renamed. (The file is eventually removed by Windows Defender, so check early.)

recent file

#13 What was the attacker's external control and command server's IP?

Check the hosts file. It is likely that the address they poisoned the entries with is their own.

hosts

#14 What was the extension name of the shell uploaded via the server's website?

Check the files listed under recent files (the upload landed in c:\inetpub\wwwroot).

explorer recent files

#15 What was the last port the attacker opened?

Check the firewall rules (Windows Firewall with Advanced Security). The port is on the Protocols and Ports tab of the rule.

firewall rules

firewall rule port

#16 Check for DNS poisoning, what site was targeted?

Check the hosts file in c:\windows\system32\drivers\etc.

hosts
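The tasks above are all answered by hand through the GUI and cmd. As an added example (not part of the original writeup), the PowerShell triage script below pulls the same artefacts in one pass from an elevated session on the compromised server. It assumes Server 2016 or later (the build 10.0.14393 seen in task 1), and it checks the Run keys as the startup location for task 4, which is an assumption since the writeup only says the answer is in the registry.

```powershell
# Added triage script (not from the original writeup): collects the artefacts
# the tasks walk through. Run in an elevated PowerShell 5.1 session on the
# target; Get-LocalUser and Get-NetFirewallRule need Server 2016 or later.
$ErrorActionPreference = 'SilentlyContinue'

# Task 1: OS version and build (same as "ver" / System properties)
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, InstallDate

# Tasks 3 and 9: last logon per local account (same data as "net user <name>")
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Sort-Object LastLogon -Descending

# Task 5: members of the local Administrators group
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# Task 4: programs started at boot/logon. Assumption: the Run keys are where a
# connection made "when the system first starts" would be configured.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* }

# Tasks 6-8: scheduled tasks outside the Microsoft folder, with their actions
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{ Task = $_.TaskName; State = $_.State; NextRun = $info.NextRunTime
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }
}

# Tasks 10-11: oldest 4624 (logon) and 4672 (special privileges assigned) events.
# The account name sits at a different property index in the two event types.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672 } -Oldest |
    Select-Object -First 20 TimeCreated, Id, @{ n = 'Account'; e = {
        if ($_.Id -eq 4624) { $_.Properties[5].Value } else { $_.Properties[1].Value } } }

# Tasks 13 and 16: hosts file entries that are not comments (poisoned names)
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*\d' }

# Task 15: enabled inbound firewall rules with their protocol and local ports
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action
        Protocol = $pf.Protocol; LocalPort = ($pf.LocalPort -join ',') }
}

# Tasks 12 and 14: files in c:\tmp and the web root, most recently written first
Get-ChildItem 'C:\tmp', 'C:\inetpub\wwwroot' -Recurse -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 20 FullName, LastWriteTime
```

Run it before anything else, since task 12 notes that Windows Defender removes the renamed tool from c:\tmp after a while.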