
Hacking with PowerShell

October 19, 2024

Learn the basics of Powershell and Powershell Scripting

Type: Easy
Link: https://tryhackme.com/r/room/powershell


Task 1 - Objectives

Before completing this room, you should be aware of some fundamentals. For example, the differences between CMD, PS and some syntax. This room will cover the following:
  • What is Powershell
  • Basic Powershell commands
  • Windows enumeration skills
  • Powershell scripting

You can control the machine in your browser or RDP into the instance with the following credentials.


1.1 - Read the above and deploy the machine!

No answer needed

Task 2 - What is Powershell?

Powershell is the Windows Scripting Language and shell environment built using the .NET framework.

This also allows Powershell to execute .NET functions directly from its shell. Most Powershell commands, called cmdlets, are written in .NET. Unlike other scripting languages and shell environments, the output of these cmdlets is an object rather than text - making Powershell somewhat object-oriented.

This also means that running cmdlets allows you to perform actions on the output object (which makes it convenient to pass output from one cmdlet to another). The normal format of a cmdlet is represented using Verb-Noun; for example, the cmdlet to list commands is called Get-Command.

Common verbs to use include:
  • Get
  • Start
  • Stop
  • Read
  • Write
  • New
  • Out

To get the complete list of approved verbs, visit the following link.

Approved Verbs for PowerShell Commands

2.1 - What is the command to get a new object?

Get-New


Task 3 - Basic Powershell Commands

Now that we've understood how cmdlets work - let's explore how to use them! The main thing to remember here is that Get-Command and Get-Help are your best friends!

Using Get-Help

Get-Help displays information about a cmdlet. To get help with a particular command, run the following:

Get-Help Command-Name

You can also understand how exactly to use the command by passing in the -Examples flag. This would return output like the following:

Running the Get-Help cmdlet to explain a command
Get-Help Get-Command -Examples

Using Get-Command

Get-Command gets all the cmdlets installed on the current computer. The great thing about this cmdlet is that it allows for pattern matching like the following:

Get-Command Verb-* or Get-Command *-Noun

Running Get-Command New-* to view all the cmdlets for the verb new displays the following:

Using the Get-Command to list all cmdlets installed

Get-Command New-*


Object Manipulation

In the previous task, we saw how the output of every cmdlet is an object. If we want to manipulate the output, we need to figure out a few things:

  • passing the output to other cmdlets
  • using specific object cmdlets to extract information

The pipeline (|) is used to pass output from one cmdlet to another. A major difference compared to other shells is that Powershell passes an object to the next cmdlet instead of passing text or a string to the command after the pipe. Like every object in object-oriented frameworks, an object will contain methods and properties.

You can think of methods as functions that can be applied to output from the cmdlet, and you can think of properties as variables in the output from a cmdlet. To view these details, pass the output of a cmdlet to the Get-Member cmdlet:

Verb-Noun | Get-Member

An example of running this to view the members for Get-Command is:

Using pipe (|) to pass output from one cmdlet to another
Get-Command | Get-Member -MemberType Method


Creating Objects from Previous cmdlets

One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the Select-Object cmdlet.

Here's an example of listing the directories and just selecting the mode and the name:

Listing the directories and filtering via mode and name
Get-ChildItem | Select-Object -Property Mode, Name


You can also use the following flags to select particular information:

  • -First - gets the first x objects
  • -Last - gets the last x objects
  • -Unique - shows only the unique objects
  • -Skip - skips the first x objects



Filtering Objects

When retrieving output objects, you may want to select objects that match a very specific value. You can do this using the Where-Object to filter based on the value of properties.

The general format for using this cmdlet is:

Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}

The second version uses the $_ variable, which refers to each object passed to the Where-Object cmdlet in turn.
Powershell is quite sensitive, so don't put quotes around the command!

Where -operator is one of the following operators:

  • -Contains: if any item in the property value is an exact match for the specified value
  • -EQ: if the property value is the same as the specified value
  • -GT: if the property value is greater than the specified value


For a full list of operators, access the following link.

Where-Object

Here's an example of checking for stopped services:

Demonstrating the use of operators only to show stopped services
Get-Service | Where-Object -Property Status -eq Stopped


Sort-Object

When a cmdlet outputs a lot of information, you may need to sort it to extract the information more efficiently. You do this by piping the output of a cmdlet to the Sort-Object cmdlet.
The format of the command would be:

Verb-Noun | Sort-Object

Using the Sort-Object cmdlet to sort piped information
Get-ChildItem | Sort-Object

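The cmdlets from this task work best when chained. The following is an added example, not part of the original room, that combines Where-Object, Select-Object, Sort-Object and Get-Member in one pipeline; the C:\Users path is an assumption:

```powershell
# Added example (not from the original room): chaining the cmdlets from this task.

# 1. Services configured to start automatically that are not currently running.
#    The script-block form of Where-Object is needed as soon as more than one
#    property is tested.
Get-Service |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Select-Object -Property Name, Status, StartType |
    Sort-Object -Property Name

# 2. The ten most recently modified files under a directory, newest first.
#    C:\Users is an assumed starting point; -File drops directories, and
#    -ErrorAction SilentlyContinue hides access-denied noise on a large tree.
Get-ChildItem -Path C:\Users -File -Recurse -ErrorAction SilentlyContinue |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First 10 -Property FullName, Length, LastWriteTime

# 3. Find out which properties an object has before filtering or sorting on them.
Get-Service | Get-Member -MemberType Property
```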

Now that you've understood how Powershell works let's try some commands to apply this knowledge!

3.1 - What is the location of the file "interesting-file.txt"?

C:\Program Files


3.2 - Specify the contents of this file.

notsointerestingcontent


3.3 - How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?

6638


3.4 - Get the MD5 hash of interesting-file.txt.

49A586A2A9456226F8A1B4CEC6FAB329


3.5 - What is the command to get the current working directory?

Get-Location


3.6 - Does the path "C:\Users\Administrator\Documents\Passwords" Exist (Y/N)?

N

if (Test-Path -Path "C:\Users\Administrator\Documents\Passwords") { Write-Host "Path exists!" } else { Write-Host "Path does NOT exist!!!" }


3.7 - What command would you use to make a request to a web server?

Invoke-WebRequest

3.8 - Base64 decode the file b64.txt on Windows.
ihopeyoudidthisonwindows

Task 4 - Enumeration

The first step when you have gained initial access to any machine would be to enumerate.
We'll be enumerating the following: users, basic networking information, file permissions, registry permissions, scheduled and running tasks, and insecure files.
Your task will be to answer the following questions to enumerate the machine using Powershell commands!

4.1 - How many users are there on the machine?

5

Get-LocalUser


4.2 - Which local user does this SID(S-1-5-21-1394777289-3961777894-1791813945-501) belong to?

Guest

Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"


4.3 - How many users have their password required values set to False?

4


4.4 - How many local groups exist?

24


4.5 - What command did you use to get the IP address info?

Get-NetIPAddress


4.6 - How many ports are listed as listening?

20

Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure

4.7 - What is the remote address of the local port listening on port 445?

::

Get-NetTCPConnection | Where-Object -Property State -Match Listen

4.8 - How many patches have been applied?

20

Get-Hotfix | measure

4.9 - When was the patch with ID KB4023834 installed?

6/15/2017 12:00:00 AM

Get-Hotfix -Id KB4023834

4.10 - Find the contents of a backup file.

backpassflag

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue
Get-Content "C:\Program Files (x86)\Internet Explorer\passwords.bak.txt"

4.11 - Search for all files containing API_KEY.

fakekey123

Get-ChildItem -Path C:\Users -File -Recurse -ErrorAction SilentlyContinue | Select-String "API_KEY"

4.12 - What command do you use to list all the running processes?

Get-Process

4.13 - What is the path of the scheduled task called new-sched-task?

/

Get-ScheduledTask -TaskName new-sched-task

4.14 - Who is the owner of the C:\ ?

NT SERVICE\TrustedInstaller

Get-Acl C:/
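The questions in this task are answered one command at a time. As an added example that is not part of the original room, the function below gathers the same information (accounts without a required password, listening ports, hotfixes, backup files) into a single object that can be saved or compared across hosts; it also joins each listening port to its owning process, which the one-liners above do not do. The function name and the C:\ search root are assumptions.

```powershell
# Added example (not from the original room): a reusable baseline of the items
# enumerated in this task, returned as objects rather than printed text.
function Get-HostBaseline {
    # Enabled local accounts that do not require a password: a weak-configuration finding.
    $weakUsers = Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -Property Name, SID

    # Listening TCP ports joined to the process that owns them.
    $listeners = Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $procName
            }
        } |
        Sort-Object -Property LocalPort

    # Backup-style files anywhere on the system drive (*.bak* also matches
    # names such as passwords.bak.txt).
    $backups = Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -Property FullName, Length, LastWriteTime

    # One result object; each property is itself a collection of objects.
    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        UsersNoPassword = $weakUsers
        ListeningPorts  = $listeners
        HotfixCount     = (Get-HotFix | Measure-Object).Count
        BackupFiles     = $backups
    }
}

$baseline = Get-HostBaseline
"Host: $($baseline.ComputerName), hotfixes installed: $($baseline.HotfixCount)"
$baseline.UsersNoPassword | Format-Table -AutoSize
$baseline.ListeningPorts  | Format-Table -AutoSize
$baseline.BackupFiles     | Format-Table -AutoSize
```

Pipe the result through Export-Clixml or ConvertTo-Json to keep a snapshot that a later run can be compared against.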

Task 5 - Basic Scripting Challenge

Now that we have run Powershell commands, let's try to write and run a script to do more complex and powerful actions.
For this task, we'll use Powershell ISE (the Powershell text editor). Let's use a particular scenario to show an example of this script. Given a list of port numbers, we want to use this list to see if the local port is listening. Open the listening-ports.ps1 script on the Desktop using Powershell ISE. Powershell scripts usually have the .ps1 file extension.

```powershell
$system_ports = Get-NetTCPConnection -State Listen
$text_port = Get-Content -Path C:\Users\Administrator\Desktop\ports.txt
foreach($port in $text_port){
    if($port -in $system_ports.LocalPort){
        echo $port
    }
}
```


On the first line, we want to get a list of all the ports on the system that are listening. We do this using the Get-NetTCPConnection cmdlet. We are then saving the output of this cmdlet into a variable. The convention to create variables is used as:

> $variable_name = value

In the following line, we want to read a list of ports from the file. We do this using the Get-Content cmdlet. Again, we store this output in the variables. The simplest next step is to iterate through all the ports in the file to see if the ports are listening. To iterate through the ports in the file, we use the following:

> foreach($new_var in $existing_var){}

This particular code block is used to loop through a set of objects. Once we have each individual port, we want to check if this port occurs in the listening local ports. Instead of doing another for loop, we just use an if statement with the -in operator to check if the port exists in the LocalPort property of any object. A full list of if statement comparison operators can be found here. To run the script, call the script path using Powershell or click the green button on Powershell ISE:

Now that we've seen what a basic script looks like - it's time to write one of your own. The emails folder on the Desktop contains copies of the emails John, Martha, and Mary have been sending to each other(and themselves). Answer the following questions with regard to these emails (try not to open the files and use a script to answer the questions).

Scripting may be a bit difficult, but here is a good resource to use:

5.1 - What file contains the password?

Doc3M

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -File -Recurse -ErrorAction SilentlyContinue | Select-String "password"

5.2 - What is the password??

johnisalegend99

5.3 - Which file contains an HTTPS link?

Doc2Mary

Get-ChildItem -Path C:\Users\Administrator\Desktop\emails -File -Recurse -ErrorAction SilentlyContinue | Select-String "HTTPS"
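The questions above were answered with separate Select-String one-liners. As an added example that is not part of the original room, the script below applies the same idea from the listening-ports script (variables, foreach, objects) to search a folder once for several patterns and report the file, line number and matched text for each hit. The folder path and the two patterns are assumptions.

```powershell
# Added example (not from the original room): search the email folder for
# several patterns at once and return one object per hit.
$EmailDir = 'C:\Users\Administrator\Desktop\emails'   # assumed location

$Patterns = @{
    Password  = 'password'                  # Select-String is case-insensitive by default
    HttpsLink = 'https://[^\s"''<>]+'       # an https URL up to the next delimiter
}

$findings = foreach ($file in Get-ChildItem -Path $EmailDir -File -Recurse -ErrorAction SilentlyContinue) {
    foreach ($name in $Patterns.Keys) {
        # Select-String returns one MatchInfo per matching line, carrying the
        # file name, the line number and the exact text the regex matched.
        Select-String -Path $file.FullName -Pattern $Patterns[$name] |
            ForEach-Object {
                [pscustomobject]@{
                    Rule    = $name
                    File    = $_.Filename
                    Line    = $_.LineNumber
                    Matched = $_.Matches[0].Value
                    Text    = $_.Line.Trim()
                }
            }
    }
}

# All hits, grouped by rule and file.
$findings | Sort-Object -Property Rule, File | Format-Table -AutoSize

# Just the file names for one rule, which is what questions 5.1 and 5.3 ask for.
$findings | Where-Object Rule -eq 'HttpsLink' | Select-Object -ExpandProperty File -Unique
```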

Task 6 - Intermediate Scripting


Now that you've learnt a little bit about how scripting works - let's try something a bit more interesting. Sometimes we may not have utilities like Nmap and Python available, and we are forced to write scripts to do very rudimentary tasks.

Why don't you try writing a simple port scanner using Powershell? Here's the general approach to use:

  • Determine the IP ranges to scan (in this case it will be localhost); you can provide the input in any way you want
  • Determine the port ranges to scan
  • Determine the type of scan to run (in this case it will be a simple TCP connect scan)

6.1 - How many open ports did you find between 130 and 140(inclusive of those two)?

Doc2Mary

```powershell
$ErrorActionPreference = "SilentlyContinue"
$Target  = "localhost"
$LowEnd  = 130
$HighEnd = 140
$X = 0

Do {
    $CurrentPort = $LowEnd + $X
    # Only a successful TCP connect marks the port open. PingSucceeded is not
    # port-specific, so using it would report every port as open on a host that
    # answers ICMP.
    $result = Test-NetConnection -ComputerName $Target -Port $CurrentPort -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        $CurrentPort | Out-File .\OpenPorts.txt -Append
    }
    $X = $X + 1
} While ($CurrentPort -lt $HighEnd)

(Get-Content .\OpenPorts.txt).Count
```


...
