We covered the basics of PowerShell, the Windows scripting language and shell, for penetration testers: basic commands, the object-based pipeline, enumerating targets, and the challenge that is part of the TryHackMe Hacking with Powershell room.


Introduction to Powershell

PowerShell is the Windows scripting language and shell environment built on the .NET framework.

Because it is built on .NET, PowerShell can call .NET classes and methods directly from its shell. Most PowerShell commands, called cmdlets, are themselves written in .NET. Unlike other scripting languages and shell environments, the output of these cmdlets is objects rather than text, which makes PowerShell object-oriented in practice.

This also means that you can act on the object a cmdlet returns, which makes it convenient to pass the output of one cmdlet to another. Cmdlet names follow a Verb-Noun format; for example, the cmdlet that lists the available commands is called Get-Command.

Common verbs to use include:

  • Get
  • Start
  • Stop
  • Read
  • Write
  • New
  • Out

To get the complete list of approved verbs, run Get-Verb or see the approved-verbs list in Microsoft's PowerShell documentation.

Using Get-Help

Get-Help displays information about a cmdlet: its syntax, parameters and usage examples. To get help with a particular command, run the following:

Get-Help Command-Name

Object-Oriented Nature of PowerShell

PowerShell treats everything as an object, and each object has properties (attributes) and methods (functions).

For example, the Get-Command cmdlet returns objects with properties such as Name, Version and Source. The video emphasizes understanding the properties and methods of the objects a cmdlet returns, because those are what you filter on and manipulate.
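The three points above (Verb-Noun naming and Get-Command, reading help with Get-Help, and inspecting the object a cmdlet returns instead of its printed text) in one session. This is an added example, not code from the page or the video; it assumes only a Windows PowerShell 5.1 or PowerShell 7 session, and the path string is a constructed sample value.

```powershell
# Added example: discovering cmdlets, reading help, and working with objects.

# Verb-Noun naming: Get-Verb lists the approved verbs; Get-Command can search by verb and noun.
Get-Verb | Select-Object -First 5 -Property Verb, Group
Get-Command -Verb Get -Noun *Item*          # Get-ChildItem, Get-Item, Get-ItemProperty, ...

# Get-Help: the bare form shows the syntax; -Examples and -Parameter narrow it down.
Get-Help Get-ChildItem
Get-Help Get-ChildItem -Examples
Get-Help Get-ChildItem -Parameter Recurse

# The output is an object, not text. Get-Member lists its properties and methods.
$cmd = Get-Command Get-ChildItem
$cmd.GetType().FullName                     # System.Management.Automation.CmdletInfo
$cmd | Get-Member -MemberType Property | Select-Object -Property Name, Definition

# Properties are read with dot notation, so nothing has to be parsed out of text.
$cmd.Name
$cmd.Source                                 # the module the cmdlet comes from
$cmd.Version

# Even a plain string is a .NET object whose methods you can call directly.
$path = 'C:\Users\Administrator\Documents\Passwords'   # constructed sample value
$path.Split('\')[-1]                        # last path component: Passwords
$path.ToUpper().StartsWith('C:\USERS')      # True

# Once an object is flattened to text (Out-String), its properties are gone,
# which is why filtering is done on objects before any formatting cmdlet runs.
($cmd | Out-String).GetType().Name          # String
```

If Get-Help only prints a short stub, the local help files have not been downloaded yet; run Update-Help once from an elevated prompt.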

Pipelines in PowerShell

PowerShell allows the output of one command to be piped to another cmdlet for further processing. Two cmdlets appear in almost every pipeline:

  • Where-Object: filters objects based on property values; inside its script block the object currently flowing through the pipe is available as $_.
  • Select-Object: selects specific properties from the output, or a subset of the objects themselves (for example the first N).

Examples of PowerShell Filtering

The video shows examples of filtering command output:

  • Using Get-Command | Select-Object -Property Name to display only the names of the available commands.
  • Using Where-Object to filter cmdlets by a property such as Source, for example keeping only the cmdlets that come from the NetSecurity module.
  • Listing the services on the machine with Get-Service, filtering them by Status (Running or Stopped), and getting information about specific services with Where-Object.

Enumerating Files and Directories

The Get-ChildItem cmdlet lists the files and directories in a path (the current directory if none is given); with -Recurse it descends into every subdirectory.

The instructor demonstrates how to search for a specific file (e.g., interesting-file.txt) across the file system by starting at the root of the drive, recursing, and filtering the results by name.

PowerShell Commands Discussed

  • Get-Help: retrieves help for cmdlets.
  • Get-Command: lists all available commands (cmdlets, functions and aliases) and their properties.
  • Select-Object: selects specific properties from the output (e.g., the names of cmdlets).
  • Where-Object: filters objects based on property values (e.g., filtering services by status).
  • Get-Service: lists the services on the machine with their status (Running or Stopped).
  • Get-ChildItem: lists files and directories in the specified path.

Practical Example

The video demonstrates how to search for a file named interesting-file.txt with Get-ChildItem, piping the output to Where-Object to filter on the file's Name. The search starts at the root of the drive (C:\) and recurses through every directory; directories the current user cannot read produce access-denied errors, which can be suppressed with -ErrorAction SilentlyContinue so they do not drown out the hit.
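The search described here and in the Enumerating Files and Directories section, as an added example (not the page's or the video's code), extended with the content search and the hashing a practitioner usually wants next. It assumes a Windows host; the file name interesting-file.txt is the one the room asks about, while the search roots and the backup extension list are assumptions.

```powershell
# Added example: locating a file by name, reading and hashing it, and searching contents.

$target = 'interesting-file.txt'   # the file the room asks about

# Name filter applied in the pipeline, as in the video. -Recurse walks every subdirectory,
# -File skips directories, -Force includes hidden and system items, and
# -ErrorAction SilentlyContinue drops the access-denied errors from protected directories.
$hit = Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $target }
$hit | Select-Object -Property FullName, Length, LastWriteTime

# -Filter performs the same match inside the file-system provider, which is much faster
# on a large disk because non-matching entries never reach the pipeline.
$hit = Get-ChildItem -Path C:\ -Recurse -File -Force -Filter $target -ErrorAction SilentlyContinue

if ($hit) {
    Get-Content -Path $hit.FullName                         # file contents
    Get-FileHash -Path $hit.FullName -Algorithm MD5 |       # MD5 (the default is SHA256)
        Select-Object -Property Hash, Path
}

# Search contents rather than names: every file under C:\Users that mentions API_KEY.
Get-ChildItem -Path C:\Users -Recurse -File -ErrorAction SilentlyContinue |
    Select-String -Pattern 'API_KEY' -ErrorAction SilentlyContinue |
    Select-Object -Property Path, LineNumber, Line

# Files by extension, e.g. anything that looks like a backup copy (assumed extension list).
Get-ChildItem -Path C:\ -Recurse -File -Include *.bak, *.old, *.backup -ErrorAction SilentlyContinue |
    Select-Object -Property FullName
```

Select-String is case-insensitive by default and will happily match inside binary files, so narrow the Get-ChildItem with -Include *.txt, *.ini, *.config or similar when the tree is large.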

Room Answers

  • What is the command to get a new object?
  • What is the location of the file “interesting-file.txt”?
  • Specify the contents of this file.
  • How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?
  • Get the MD5 hash of interesting-file.txt.
  • What is the command to get the current working directory?
  • Does the path “C:\Users\Administrator\Documents\Passwords” exist (Y/N)?
  • What command would you use to make a request to a web server?
  • Base64 decode the file b64.txt on Windows.
  • How many users are there on the machine?
  • Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
  • How many users have their password required values set to False?
  • How many local groups exist?
  • What command did you use to get the IP address info?
  • How many ports are listed as listening?
  • What is the remote address of the local port listening on port 445?
  • How many patches have been applied?
  • When was the patch with ID KB4023834 installed?
  • Find the contents of a backup file.
  • Search for all files containing API_KEY.
  • What command do you use to list all the running processes?
  • What is the path of the scheduled task called new-sched-task?
  • Who is the owner of C:\?
  • What file contains the password?
  • What is the password?
  • What file contains an HTTPS link?
  • How many open ports did you find between 130 and 140 (inclusive of those two)?
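The questions above all come down to local enumeration with built-in cmdlets. What follows is an added example, not the room's answer key: it runs the relevant cmdlets against whatever host it is executed on, so the output is that host's, not the room's. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the LocalAccounts, NetTCPIP and ScheduledTasks modules present; the URL in $uri and the sample b64.txt written to %TEMP% are constructed placeholders, and the SID is the one quoted in the question.

```powershell
# Added example: local enumeration with built-in cmdlets (output depends on the host).

# --- Paths and files ---
Get-Location                                                   # current working directory
Test-Path -Path 'C:\Users\Administrator\Documents\Passwords'   # True or False
(Get-Acl -Path C:\).Owner                                      # owner of the drive root

# --- Web requests and encoding ---
# Invoke-WebRequest fetches a URL. $uri is a placeholder, not a host from the room.
$uri = 'http://10.10.10.10/'
try { (Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 5).StatusCode }
catch { $_.Exception.Message }

# Base64-decode a file. A constructed b64.txt is written first so the snippet runs as-is.
Set-Content -Path "$env:TEMP\b64.txt" -Value 'SGVsbG8gZnJvbSBQb3dlclNoZWxs'
$b64 = (Get-Content -Path "$env:TEMP\b64.txt" -Raw).Trim()
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))

# --- Local accounts ---
(Get-LocalUser).Count                                          # number of local users
Get-LocalUser |                                                # SID lookup (SID from the question)
    Where-Object { $_.SID.Value -eq 'S-1-5-21-1394777289-3961777894-1791813945-501' } |
    Select-Object -Property Name, Enabled
Get-LocalUser | Where-Object { -not $_.PasswordRequired } | Select-Object -Property Name
(Get-LocalGroup).Count                                         # number of local groups

# --- Network configuration ---
Get-NetIPAddress | Select-Object -Property InterfaceAlias, IPAddress, AddressFamily
$listening = Get-NetTCPConnection -State Listen
$listening.Count                                               # listening ports
$listening | Where-Object { $_.LocalPort -eq 445 } |
    Select-Object -Property LocalAddress, LocalPort, RemoteAddress

# --- Patches, processes, scheduled tasks ---
(Get-HotFix).Count
Get-HotFix -Id KB4023834 -ErrorAction SilentlyContinue | Select-Object -Property HotFixID, InstalledOn
Get-Process | Select-Object -Property Id, ProcessName, Path | Sort-Object -Property ProcessName
Get-ScheduledTask -TaskName 'new-sched-task' -ErrorAction SilentlyContinue |
    Select-Object -Property TaskName, TaskPath, State

# --- TCP connect scan of the local host with a per-port timeout ---
function Test-TcpPort {
    param([string]$ComputerName = 'localhost', [int]$Port, [int]$TimeoutMs = 300)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait bounds the attempt; a refused connection throws and counts as closed.
        $null = $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)
        return $client.Connected
    } catch { return $false } finally { $client.Dispose() }
}
$open = @(130..140 | Where-Object { Test-TcpPort -Port $_ })
"Open ports between 130 and 140: $($open -join ', ') (count: $($open.Count))"
```

-UseBasicParsing avoids the Internet Explorer dependency in Windows PowerShell 5.1 and is ignored in PowerShell 7. The scan targets the local host only; point -ComputerName at another machine only where you are authorised to test it.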

 

Video Walkthrough | TryHackMe Hacking with Powershell P1

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
