
TryHackMe – Windows Investigating CTF



In this room we do not perform any attack: the machine has already been compromised by an attacker. Our job is to investigate this Windows machine and find the traces of what the attacker did (accounts, persistence, tooling, network indicators).

Info about the machine:

Connect to the machine using RDP. The credentials of the machine are as follows:

Username: Administrator

Password: letmein123!

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

Question 1: What is the version and year of the windows machine?

Solution: Right-click "This PC" and choose "Properties". The System window shows the Windows edition (Windows Server 2016), which gives both the version and the year.

Answer -- Windows Server 2016

Question 2: Which user logged in last?

Solution: Step 1: Open Windows PowerShell and run:

Get-LocalUser | Select-Object Name, LastLogon

This lists every local account with the time it last logged on. The account with the most recent LastLogon value is the one that logged in last. (The original text wrote the cmdlet as "Get-Local user" with a "Last login" column; the real names are Get-LocalUser and LastLogon.)

Answer -- Administrator.

Question 3: When did John log onto the system last?

(Answer format: MM/DD/YYYY H:MM:SS AM/PM)

Solution: Same command as the previous question; read the LastLogon value on the row for John and write it in the requested format.

Answer -- 03/02/2019 05:48:32 PM

Question 4: What IP does the system connect to when it first starts?

Solution: As soon as you log on, a cmd window opens automatically and its output shows the IP address the system connects to. If you miss it, restart the machine and watch the window on the next logon. (The window opening by itself is a persistence artifact in its own right: something in an autostart location is launching it.)

Answer -- 10.34.2.3
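The cmd window at logon is only the symptom; the artifact worth recording is whatever launches it. The following PowerShell is an added example, not part of the original writeup: it walks the usual autostart locations (the Winlogon Userinit value, the Run/RunOnce keys and the Startup folders), follows any script file the commands reference, and pulls IPv4 addresses out of what it finds. The registry paths and folders are the standard ones; that the boot-time connection on this machine is started from one of them is an assumption.

```powershell
# Added example (not from the original writeup): enumerate autostart locations
# and pull IPv4 addresses out of the commands they launch. Registry paths and
# folders are the standard ones; that the boot-time connection is launched from
# one of them is an assumption.
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

function New-Finding([string]$Source, [string]$Name, [string]$Command, [string]$Text) {
    # Follow any script path mentioned in the command so IPs inside it are seen too.
    foreach ($m in [regex]::Matches($Command, '[A-Za-z]:\\[^\s"]+?\.(?:bat|cmd|ps1|vbs|js)\b')) {
        if (Test-Path -LiteralPath $m.Value -PathType Leaf) {
            $Text += "`n" + (Get-Content -LiteralPath $m.Value -Raw)
        }
    }
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        IPs     = ([regex]::Matches($Text, $ipv4) | ForEach-Object { $_.Value } | Sort-Object -Unique) -join ','
    }
}

$findings = @()

# Winlogon Userinit: anything appended after userinit.exe runs at every logon.
$winlogon = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Winlogon'
$findings += New-Finding 'Winlogon' 'Userinit' $winlogon.Userinit $winlogon.Userinit

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider ...
        $findings += New-Finding $key $p.Name ([string]$p.Value) ([string]$p.Value)
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $target = $f.FullName
        $text   = ''
        if ($f.Extension -eq '.lnk') {
            # Resolve the shortcut so the real target and its arguments are visible.
            $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName)
            $target = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
            $text   = $target
        } elseif ($f.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.js') {
            $text = Get-Content -Path $f.FullName -Raw
        }
        $findings += New-Finding $dir $f.Name $target $text
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

A non-empty IPs column on a Run value or startup script is the answer to this question with its launch mechanism attached, which is what belongs in the incident timeline. The default Userinit value is "C:\Windows\system32\userinit.exe," and nothing else; any addition after the comma is worth a close look.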

Question 5: What two accounts had administrative privileges (other than the Administrator user)?

(Answer format: username1, username2)

Solution: Step 1: Open Computer Management and expand "Local Users and Groups".

Step 2: Click "Groups".

Step 3: Double-click the "Administrators" group to see its members.

Besides the built-in Administrator there are two other members. Note that Guest is never a member of Administrators on a default install; finding it there is itself strong evidence of tampering.

Answer -- Jerry, Guest
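The same check from PowerShell, as an added example that is not part of the original writeup: it lists the direct members of the local Administrators group and classifies them. Built-in accounts are matched by their well-known RID (500 for Administrator, 501 for Guest) rather than by name, because both can be renamed. Get-LocalGroupMember does not expand nested groups, so a domain group listed here needs a separate check.

```powershell
# Added example (not from the original writeup): list direct members of the
# local Administrators group and classify them. Built-in accounts are matched
# by RID (500 = Administrator, 501 = Guest) rather than by name, since both
# can be renamed. Nested groups are not expanded.
function Get-LocalAdminReview {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $sid = [string]$m.SID
        $enabled = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            try { $enabled = (Get-LocalUser -SID $m.SID -ErrorAction Stop).Enabled } catch { }
        }
        if     ($sid -like 'S-1-5-21-*-500') { $note = 'built-in Administrator (expected)' }
        elseif ($sid -like 'S-1-5-21-*-501') { $note = 'built-in Guest: should never be an admin' }
        elseif ($m.ObjectClass -eq 'Group')  { $note = 'group: expand membership separately' }
        else                                 { $note = 'review: not built-in' }
        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Enabled         = $enabled
            SID             = $sid
            Note            = $note
        }
    }
}

$review = Get-LocalAdminReview
$review | Format-Table -AutoSize
# The room's answer is the members that are not the built-in Administrator:
($review | Where-Object { $_.SID -notlike 'S-1-5-21-*-500' } |
    ForEach-Object { ($_.Name -split '\\')[-1] }) -join ', '
```

Matching on the RID rather than the name also catches the case where an attacker renames the real Administrator and creates a decoy account called "Administrator" that is not RID 500.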

Question 6: What's the name of the scheduled task that is malicious?

Solution: Step 1: Open Task Scheduler and select the Task Scheduler Library.

Step 2: Go through the tasks one by one and look at the Actions tab of each. One task, "Clean file system", has an action that does not match its innocent-sounding name.

Answer -- Clean file system

Question 7: What file was the task trying to run daily?

Solution: Step 1: Open Task Scheduler and select the Task Scheduler Library.

Step 2: Select the "Clean file system" task. Its Triggers tab shows a daily trigger, and its Actions tab shows the file it runs: a PowerShell script named nc.ps1.

Answer -- nc.ps1

Question 8: What port did this file listen locally for?

Solution: Step 1: Open Task Scheduler and select the Task Scheduler Library.

Step 2: Open the "Clean file system" task again and look at the Actions tab. The arguments passed to nc.ps1 end with the port number the script listens on locally.

Answer -- 1348

Question 9: When did Jenny last logon?

Solution: Step 1: Open Windows PowerShell (or a command prompt) and run:

net user jenny

The output includes a "Last logon" line for the account Jenny. (The original text wrote the command as "net users jenny" and referred to Jerry; the command is net user and the account in question is Jenny.)

Answer -- Never
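Questions 2, 3 and 9 all read the same piece of data: the last-logon time stored for each local account. The following PowerShell is an added example, not part of the original writeup. It lists every local account with its last logon, renders a null LastLogon as "Never" (which is what `net user` prints for an account that has never authenticated) and sorts most recent first, so "who logged in last" and "when did John last log on" drop out of one listing. The output format string matches the room's answer format and is an assumption.

```powershell
# Added example (not from the original writeup): local accounts with their last
# logon, null rendered as "Never", most recent first. The format string
# matches the room's answer format and is an assumption.
function Get-LocalLogonSummary {
    param([string]$Format = 'MM/dd/yyyy hh:mm:ss tt')
    $rows = foreach ($u in Get-LocalUser) {
        $last = $u.LastLogon
        if ($null -eq $last) { $shown = 'Never'; $sortKey = [datetime]::MinValue }
        else                 { $shown = $last.ToString($Format); $sortKey = $last }
        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            LastLogon       = $shown
            PasswordLastSet = $u.PasswordLastSet
            Description     = $u.Description
            SortKey         = $sortKey
        }
    }
    $rows | Sort-Object SortKey -Descending |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description
}

$summary = @(Get-LocalLogonSummary)
$summary | Format-Table -AutoSize
"Most recent logon: {0}" -f $summary[0].Name
foreach ($who in 'John', 'Jenny') {
    $row = $summary | Where-Object Name -eq $who
    if ($row) { "{0} last logged on: {1}" -f $who, $row.LastLogon }
}
```

LastLogon here comes from the local SAM and only reflects logons to this host. For a timeline it should be cross-checked against Security log Event ID 4624 (successful logon), which also records the logon type and source address that the SAM value does not keep.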

Question 10: At what date did the compromise take place?

(Answer format: MM/DD/YYYY)

Solution: Step 1: Open Task Scheduler and select the Task Scheduler Library.

Step 2: Look at the Created column for the malicious "Clean file system" task: it was registered on the day of the compromise. This matches John's last logon from Question 3, which falls on the same date.

Answer -- 03/02/2019
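Questions 6, 7, 8 and 10 are all answered by reading scheduled tasks. The following PowerShell is an added example, not part of the original writeup: it dumps every task with its command line, trigger types, registration date and last run, and flags tasks whose action runs a script interpreter, a script file, or carries a port-like argument. The port regex assumes a netcat-style "-p <port>" or "-l <port>" argument and the interpreter list is an assumption; extend both for other tooling.

```powershell
# Added example (not from the original writeup): every scheduled task with its
# command line, trigger types, registration date and last run, flagged when the
# action runs an interpreter, a script file, or a port-like argument. The port
# regex and interpreter list are assumptions.
function Get-ScheduledTaskReview {
    $portPattern  = '(?:-p|-l|--port)\s+(\d{1,5})\b'
    $interpreters = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta',
                    'rundll32', 'regsvr32', 'certutil', 'bitsadmin'
    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo
        $triggers = ($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
        }) -join ','
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler / e-mail actions have no Execute
            $cmdline = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $exe     = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute).ToLower()
            $port    = $null
            if ($cmdline -match $portPattern) { $port = [int]$Matches[1] }
            $flags = @()
            if ($exe -in $interpreters)                         { $flags += 'interpreter' }
            if ($cmdline -match '\.(ps1|vbs|bat|cmd|hta|js)\b') { $flags += 'script' }
            if ($port)                                          { $flags += "port:$port" }
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                Author     = $task.Author
                Registered = $task.Date   # <Date> from the task XML: set at registration, attacker-controllable
                Triggers   = $triggers
                LastRun    = $info.LastRunTime
                Command    = $cmdline
                Flags      = ($flags -join ',')
            }
        }
    }
}

# Built-in tasks under \Microsoft\ also use these interpreters; exclude them on a
# first pass, but remember that attackers can register tasks there too.
Get-ScheduledTaskReview |
    Where-Object { $_.Flags -and $_.TaskPath -notlike '\Microsoft\*' } |
    Sort-Object Registered |
    Format-List TaskName, TaskPath, Author, Registered, Triggers, LastRun, Command, Flags
```

The Registered value is the same date Task Scheduler shows in its Created column. It is written by whoever registers the task, so treat it as an attacker-supplied claim and corroborate it with the Microsoft-Windows-TaskScheduler/Operational log (Event ID 106, task registered) or with the file-system timestamps of C:\Windows\System32\Tasks\<TaskName>.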

Question 11: At what time did Windows first assign special privileges to a new logon?

(Answer format: MM/DD/YYYY HH:MM:SS AM/PM)

Solution: Step 1: Open Event Viewer and go to Windows Logs > Security.

Step 2: Filter the log on Event ID 4672 ("Special privileges assigned to new logon"). The room's hint gives the time in the form 00:00:49 AM/PM, i.e. the seconds are 49; work through the 4672 events on the day of the compromise (03/02/2019) until you find the earliest one that matches.

Answer -- 03/02/2019 04:04:49 PM
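The Event Viewer filter from PowerShell, as an added example that is not part of the original writeup. It returns the earliest Security event 4672 on a given day. SYSTEM and the two service accounts receive 4672 at every boot, so by default they are skipped and the first 4672 for a real user account is reported; -Oldest makes Get-WinEvent return events in chronological order. The day and the output format are assumptions matching the room.

```powershell
# Added example (not from the original writeup): earliest Security event 4672
# ("Special privileges assigned to new logon") on a given day, skipping SYSTEM
# and the service accounts unless -IncludeSystem is given. Day and format are
# assumptions matching the room.
function Get-FirstSpecialLogon {
    param(
        [datetime]$Day = (Get-Date '2019-03-02'),
        [string]$Format = 'MM/dd/yyyy hh:mm:ss tt',
        [switch]$IncludeSystem
    )
    $skip = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    $filter = @{ LogName = 'Security'; Id = 4672; StartTime = $Day.Date; EndTime = $Day.Date.AddDays(1) }
    $ev = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $IncludeSystem -or (([string]$_.Properties[0].Value) -notin $skip) } |
        Select-Object -First 1
    if (-not $ev) { return $null }
    # 4672 event data order: SubjectUserSid, SubjectUserName, SubjectDomainName,
    # SubjectLogonId, PrivilegeList
    [pscustomobject]@{
        Time       = $ev.TimeCreated.ToString($Format)
        Account    = '{0}\{1}' -f $ev.Properties[2].Value, $ev.Properties[1].Value
        LogonId    = '0x{0:X}' -f [uint64]$ev.Properties[3].Value
        Privileges = (([string]$ev.Properties[4].Value) -split '\s+' | Where-Object { $_ }) -join ', '
    }
}

Get-FirstSpecialLogon
```

The LogonId is the pivot value: the matching 4624 event with the same logon ID gives the logon type and, for network logons, the source IP, which is how an attacker's interactive session is tied to its origin.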

Question 12: What tool was used to get Windows passwords?

Solution: Step 1: Open the C: drive, then the TEMP folder. It contains a file named "mim-out"; open it with Notepad. Its contents are the output of the tool, and the tool's name appears in the banner at the top.

Answer -- mimikatz

Question 13: What were the attacker's external control and command server's IP?

Solution: Step 1: Open the C: drive and navigate to C:\Windows\System32\drivers\etc.

Step 2: Open the "hosts" file in Notepad. Besides the default comment lines there is an extra entry mapping a hostname to an external IP address; that address is the attacker's command and control server.

Answer -- 76.32.97.132

Question 14: What was the extension name of the shell uploaded via the server's website?

Solution: Step 1: Open the C: drive, then the inetpub folder, then the "wwwroot" folder (the IIS web root lives at C:\inetpub\wwwroot, not under the Windows folder). Among the site files there is a shell script file whose extension does not belong on this site.

Answer -- .jsp
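Questions 12 and 14 are both file-system hunts. The following PowerShell is an added example, not part of the original writeup: the first function searches text files under a scratch directory for strings that credential-dumping tools leave in their output, and the second lists files under the IIS web root with server-side script or binary extensions, oldest first. The paths, the marker list and the extension list are assumptions.

```powershell
# Added example (not from the original writeup): two file-system checks.
# Paths, the marker list and the extension list are assumptions.
function Find-CredentialDumpOutput {
    param([string]$Root = 'C:\TEMP')
    # Strings typical of credential-dump output; extend for other tools.
    $markers = 'mimikatz', 'sekurlsa', 'lsadump', 'wdigest', 'kerberos::',
               'Password :', 'NTLM     :', 'procdump', 'lsass'
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 10MB } |
        Select-String -Pattern $markers -SimpleMatch -List |
        Select-Object Path, LineNumber, Line
}

function Find-WebRootScripts {
    param([string]$WebRoot = 'C:\inetpub\wwwroot')
    $scriptExt = '.asp', '.aspx', '.ashx', '.asmx', '.jsp', '.jspx', '.php',
                 '.exe', '.dll', '.ps1', '.bat', '.cmd'
    Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension.ToLower() -in $scriptExt } |
        Sort-Object CreationTime |
        Select-Object FullName, Extension, Length, CreationTime, LastWriteTime
}

Find-CredentialDumpOutput | Format-Table -AutoSize -Wrap
Find-WebRootScripts | Format-Table -AutoSize
```

The extension on disk is what the room asks for; whether IIS would actually execute a given file depends on the site's handler mappings. Either way, the file's CreationTime is the value to add to the timeline next to the task registration date and the 4672 logon.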

Question 15: What was the last port the attacker opened?

Solution: Step 1: Open "Windows Firewall with Advanced Security" (click the Start menu and type windows firewall).

Step 2: Click "Inbound Rules". There is a rule named "Allow outside connection"; select it and scroll to the right to the Local Port column (or open the rule and look at the Protocols and Ports tab) to see the port it opens.

Answer -- 1337
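The firewall check from PowerShell, as an added example that is not part of the original writeup. Firewall rules carry no creation timestamp, so "last opened" cannot be read from the rule itself; the first function lists enabled inbound allow rules with their ports and remote-address scope, and the second pulls Security-log events that record rule additions (Event ID 4946, written only when the "Audit MPSSVC Rule-Level Policy Change" subcategory is enabled) so that additions can be ordered in time. The 4946 field order used below is taken from the event template and is an assumption to verify against a sample event.

```powershell
# Added example (not from the original writeup): inbound allow rules with their
# ports, plus Security-log rule-addition events (4946) to order them in time.
# The 4946 field order is an assumption to verify against a sample event.
function Get-InboundAllowRules {
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Profile       = $rule.Profile
            Protocol      = $pf.Protocol
            LocalPort     = (@($pf.LocalPort) -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')
        }
    }
}

function Get-FirewallRuleAdditions {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4946 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4946 event data order: ProfileChanged, RuleId, RuleName
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Profile  = $e.Properties[0].Value
            RuleName = $e.Properties[2].Value
        }
    }
}

# Rules without a DisplayGroup were not installed by a Windows feature; start there.
Get-InboundAllowRules | Where-Object { -not $_.Group } | Format-Table -AutoSize
Get-FirewallRuleAdditions | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If 4946 events are absent, the audit subcategory was not enabled and the ordering has to come from elsewhere (for example the LastWriteTime of the FirewallRules registry key under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy, which only dates the most recent change to any rule).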


Question 16: Check for DNS poisoning, what site was targeted?

Solution: Step 1: Open the C: drive and navigate to C:\Windows\System32\drivers\etc, as in Question 13.

Step 2: Open the "hosts" file in Notepad. The extra entry maps a well-known site to the attacker's IP address: the hosts file is consulted before DNS, so every request for that name on this machine is silently redirected to the attacker.

Answer -- google.com
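Questions 13 and 16 both come from the hosts file. The following PowerShell is an added example, not part of the original writeup: it parses the file, skipping comments and blank lines, and flags every entry that points a name at a non-loopback address, distinguishing redirected well-known domains (DNS poisoning) from other overrides (candidate C2 or staging names). The path is the standard one; the list of well-known domains is an assumption.

```powershell
# Added example (not from the original writeup): parse the hosts file and flag
# entries that point a name at a non-loopback address. Each non-comment line is
# "<address> <name> [alias ...]". The well-known-domain list is an assumption.
function Get-HostsOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $local     = '127.0.0.1', '::1', '0.0.0.0'
    $wellKnown = 'google.com', 'microsoft.com', 'windowsupdate.com', 'bing.com', 'live.com'
    $lineNo = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()   # strip trailing comments
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $addr = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $isLocal = $addr -in $local
            $isKnown = $wellKnown | Where-Object { $name -eq $_ -or $name -like "*.$_" }
            if ($isLocal)     { $note = 'loopback/blackhole (default or sinkhole)' }
            elseif ($isKnown) { $note = 'well-known domain redirected: DNS poisoning' }
            else              { $note = 'non-loopback override: possible C2 / staging name' }
            [pscustomobject]@{
                Line     = $lineNo
                Address  = $addr
                Hostname = $name
                Note     = $note
            }
        }
    }
}

$entries = Get-HostsOverrides
$entries | Format-Table -AutoSize
# Distinct non-loopback addresses are the candidates for the attacker's infrastructure.
$entries | Where-Object { $_.Note -notlike 'loopback*' } | Select-Object -ExpandProperty Address -Unique
```

A default Windows hosts file contains only comment lines, so any active entry is a change somebody made. Because the file is read before any DNS query, a redirected well-known domain is also a convenient way to make a victim's browser or update client talk to the attacker's server while the address bar still shows the expected name.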

This completes the TryHackMe Windows Investigating room.

Author Bio

Abhishek Sharma

Cybersecurity Intern
