Basics of Powershell For Pentesters - TryHackMe Hacking with Powershell P1

Captions
What's going on, and welcome back. In today's video we're going to go over a very unique room on TryHackMe. The room name is Hacking with PowerShell. This room is part of the Offensive Security pathway, and we're going to split the walkthrough into two parts. The first part will walk you through from task two all the way to task four, so we're going to start with the basics, basic stuff with PowerShell, and then we're going to step to enumeration. In the next video we're going to do the scripting challenge and intermediate scripting, of course all for the purpose of pentesting.

Of course, you will be required to connect to the machine with RDP. This gives a name and this is a password. How do you connect after you deploy the machine? Let me show you in the command line. Here the command is sudo rdesktop -u administrator and the IP address. It may throw an error at first because it's configured to not allow connections; there's a setting you have to change. Go to Control Panel (this is on the remote host), configure the system, and uncheck this box: "Allow connections only from computers running Remote Desktop with Network Level Authentication". If you leave this checked, which is the default setting that comes when you deploy the machine, you're not going to be able to connect from rdesktop on the command line. After you uncheck this box, you'll be able to connect. Of course, you can ask me: how do we uncheck this box if we can't connect? You can do that from the machine: start the AttackBox, and when it comes live, uncheck it and then connect with your remote desktop.

Okay, so let's get started and understand the basics of PowerShell. PowerShell is a Windows scripting language built with the .NET framework. It's composed mainly of cmdlets. So basically a PowerShell command, or a PowerShell cmdlet, consists of a verb and a noun. That's the basic structure for a PowerShell cmdlet. All of the cmdlets you'll see are this way: verb and noun. That's the formula. For example, Get is a verb, and a noun is Help, so this is a cmdlet that will retrieve help. If you enter it you can see details about this command. As you can see here I have a description, "Displays help about Windows PowerShell cmdlets and concepts", a long description, and you can see here Update-Help, and this is the way you use the command. So basically we use Get-Help and put the cmdlet name that you would like to get information about. So Get-Help is used to retrieve information about cmdlets. For example, I heard about the command Get-Command and I want more info about it, so I will just type Get-Help and say that the cmdlet I want more details about is Get-Command: give me details about this. This is the output of the command. Here it's saying that Get-Command is a cmdlet that retrieves all of the commands installed on the computer that you can use with PowerShell.

Now, if we don't get what it's saying here, we can supply -Examples to give us examples of how we use the cmdlet. For example, let's go up; this is too much to handle. Here's example one: get cmdlets, functions and aliases. If we type this we will retrieve a list of all of the cmdlets, functions and aliases in PowerShell on this computer that we can use. So basically this is the first and foremost command in PowerShell; let's try it. Also, if you go down you can see all of the examples you can use with this, Get-AppLockerPolicy for example. So Get-Command is the command that you would use to display all of the available cmdlets on the computer. Let's say we want to retrieve the list of the commands, or the cmdlets, on this computer: we would use Get-Command. Type Get-Command and see, these are all of the cmdlets that we can use. This is too much to handle, right? We can't just read through all of these in one go; that's why we're going to talk about the pipeline later.

An important thing to understand here, guys, is that the output of every cmdlet is called an object. That's why we say PowerShell is object-oriented. It can be object-oriented, but it is still a scripting language. Basically the output is an object; it's not a string, not text, not a number, it is an object. And like any other object, the object has two attributes: the first one is the properties and the second is the methods. You can think of a method as a function: what is the function of this cmdlet? So we look for the methods, and the properties are the name, the mode, the status. For example, the cmdlet written here, New-EMC job template, is an object. I know it's a cmdlet, but basically PowerShell reads this as an object, so this one has properties and has methods.

So how do we understand more about objects? Let's clear here and sort this output. That's why we introduce the concept of the pipeline here: I want the output of the first cmdlet to be piped to another cmdlet for manipulation and sorting, much like Linux when you filter using grep. You do the same here with PowerShell. So you want to manipulate the objects; basically to do that we have two cmdlets we can use. The first one is Where-Object. Here we specify an output from the first command (I'm going to lay down the examples later); with this one we specify that we want an object with a specific value, a specific property value, a specific function value, so we use Where-Object. Now, if we don't have specifics about the objects and we just want to retrieve, let's say, properties of the object, we use Select-Object. I'm going to give examples here to make this picture clear.

So for example I use Get-Command and then one pipe, and here say Select-Object. Now when I say Select-Object, I want the output of Get-Command; it takes it from here and pipes it to Select-Object, so Select-Object is the cmdlet that would give you the properties of the object. For example, I want to find the names of the commands, only the names, so I would type -Property and say Name. I want to display only the names of the Get-Command output, and you retrieve a list of only the names of the commands. Let's see the output: only the names.

Now you might ask me, how do we know the properties of the output of this command? Previously we just typed Get-Command and retrieved the list of all the commands. Now every object has properties, and I'm going to tell you how the properties look. For example, this is the name; the name is a property. Here is the version. I don't know why it's not scrolling up correctly here. Let's type Get-Command and, for example, say we want to get only the New commands, so say New: everything that has New in it. I just want the output to be manageable so I can explain how the properties work. These are the cmdlets that have the "New" string in them, as we specified in the filter. See here we have the CommandType, the Name, Version, Source; these are the properties. So based on understanding the properties of these objects we can then manipulate them and filter them. For example, let's say I want to display the cmdlets whose source is, let's say, NetSecurity. NetSecurity is the source of the cmdlets. I want to display all of the cmdlets I can use whose source is NetSecurity. So we would use Select-Object: say Get-Command | Select-Object -Property Source. Let's see. Actually I made a mistake: here we display the sources. So here we are filtering based on the property; I want to list the cmdlets' properties only. Now if I want to pin down the filtering based on specific values of the properties, I would use Where-Object. So here comes the use of Where-Object: say Get-Command | Where-Object. I want only the functions, the cmdlets, whose property Source is equal to NetSecurity. So I'll use Where-Object -Property, specify the property, the property is Source, and here I would say -eq. You can use -eq, you can use -contains, or you can use -gt, just for numbers I guess. In my example I will choose -eq NetSecurity: get me the commands where the source is NetSecurity. See here, all of the returned cmdlets and functions have NetSecurity as their source.

For example, let's dive into how to display the current services on the computer: Get-Service. This will display the services. Let's understand the properties of this: here we have the DisplayName, the Name and the Status. Now we want to see the services that are stopped or running. You should take note of the available statuses: you have Stopped, you have Running. That's what we have, and here's the Name and the DisplayName. Let's say for example you want to get more info about a specific service but you don't really remember the name. For example, you might not know that there's a service called... what is the service here? I want to pick the installer; as you can see, the Windows Modules Installer. So I want to see the status of the service without displaying all of the services and without remembering the full name. Here comes Where-Object to the rescue. Let's go up... not that one, come on. You see, the connection is very unstable; I need to count to 100 before just clicking on the scroll. So Name, as you can see, I would manipulate the property Name. Go down and say Get-Service | Where-Object -Property Name -contains, say, Trusted. Nope. How come? -contains Trusted. All right, let's try Installer again. No luck. Let me try -eq. Yes, we don't get this. Let me tell you why: -eq returns the same as the specified value, so we don't have here a service that's named only "Installer", and -contains returns an exact match for this one. But I could understand the difference here: why didn't -contains return the Trusted one, as I'm saying -contains Trusted? So only "Trusted" here is enough for this to be listed? Okay.

Let's say you want to see the running services only, so you would manipulate the Status here: instead of Name we would select the property to be Status and -eq Running. So here we see the running services, as you can see.

Now we can also use another cmdlet, which is for listing the current directories and files: Get-ChildItem. Let's display the files and the directories here. Enough of that; let's take an example and answer the question. What do we have here? "What is the location of the file interesting-file.txt?" They're saying that we have a file called interesting-file and we want to find the location of it. How do we do this? We can use Where-Object, for example with Get-ChildItem. Get-ChildItem, as I said, displays the directories in the current directory, so it lists all of that in the Administrator directory. Now if I want to look for a file not in this directory I would need to specify a path. In my example I don't know where the file called interesting-file.txt is, so I don't know the path I'm supposed to look in. So I would say -Path and specify the path to be the C drive: look for everything. It works much like the way find works. So here if I hit enter, look what's going to happen: now it displayed the directories in the C folder. Now if I use Where-Object here and say, for example, I want to see the interesting file I'm looking for, still I'm not going to get any result, because Where-Object looks only in the current directory, which is C, and here there's no interesting file. So I need something that narrows the results more. Here I would use -Include. -Include, as you can see, takes the thing I'm looking for between two stars, and say interesting-file, that's what I'm looking for, and what I'm looking for is a file, so specify the type of it: -File. And hit enter. Nothing returned. So you can get help by visiting the cmdlet page; all we can do is Get-Help Get-ChildItem. Let's do that, and here there are examples. Let's see the use of this. Example two: Get-ChildItem -System -File -Recurse. This command gets file system files in the current directory and its subdirectories. As you can see, the switch -System looks for system files, and -File means that we're looking for files. Example three, -Attributes, actually no, I'm not looking for that. Here's one: this command gets read-write files in C:\test. Okay, so it is -Include, actually, as we're looking for: Get-ChildItem with -Include, -Recurse and -Force, and this command gets all of the text files in the current directory and its subdirectories. So our command is correct. What's actually missing here: we have to cancel this and say -Recurse. So now it's going to look for the interesting file, everything that ends with interesting-file.txt, in the C directory. And we have an error. Okay, but we're not finished yet; we're missing -Recurse, meaning that it looks in the subdirectories as well, and the type of thing it's looking for is a file. This is going to happen here. So we haven't found anything. Now let me put the star back; maybe it's confused about this. Enter. Oh, found it. So basically the directory is C:\Program Files. Okay, no need to carry on; this is the directory. Let's take it and put it here. Or it's saying "or", and that's correct.

"Specify the contents of the file." Let's see the content of this file. To get the content of this file we still use the cmdlet dedicated for that purpose, Get-Content, and take the path and paste that. And the file name is interesting-file.txt. You see, that's why the first try didn't work: as you can see here, we were saying it ends only with interesting-file.txt and it didn't find it. I put the other star, and we're saying no matter what comes after .txt, just find it, and here it is. So double quotes, that's it, get the contents. What do we have? Object not found. Yes, I guess we have a typo here. Enter. Let's remove this. Okay, that's the content of that, but it's saying "not so interesting content". Okay.

Then: "How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?" We were talking about using Get-Command, and we can use Where-Object to display only the cmdlets. Let's see how we can use this. Basically we can type Get-Command (I don't know what's up with this second Caps Lock), so here say Where-Object. Get-Command has, as I remember, Name and Parameter, something like Parameter. Let me get the help here, but I don't want to rewrite the command again. Objects, parameter name, object properties, no, not this. We have the CommandType here. Okay, so here Where-Object -Property, the property is CommandType, -eq Cmdlet. So here we're getting all of the commands that are only cmdlets. Okay, that's helpful to get all of this, but you want to get the number saying how many cmdlets. Waiting for this to finish typing, Ctrl+C. Okay, so we get back to the same command and here use the pipeline to manipulate the object more and say Measure-Object. This would give the count, so we have all of this, right, piped a bit more to Measure-Object to get the number. All right, correct.

Now: "Get the MD5 hash of interesting-file.txt." To get the MD5 hash is very straightforward: Get-FileHash. Now specify the path; I don't want to type all this, let me copy it from somewhere. Next we specify the algorithm, so the algorithm here is MD5 as requested, and this is the MD5 hash. Okay.

"What is the command to get the current working directory?" In Linux we would type pwd; in PowerShell type Get-Location. Now the command is Get-Location. "Does the path C:\Users\Administrator\Documents\Passwords exist? Yes or no?" To know, let's take the path first. We use Get-Location; if you receive an error then there would be no path like that. Come on, show me. Oh no: "A parameter cannot be found that matches parameter name 'Path'". So it means that it doesn't exist, so I would say nope.

"What command would you use to make a request to a web server?" Invoke-WebRequest, right; I know it from the walkthrough's requests page. "Base64 decode the file b64.txt on Windows." Let's look for the file first; see where this file is: Get-FileHash, Get-Command, Get-Content, Get-ChildItem. Say here b64. Let's find where it is: b64.txt. So it is on the Desktop. Okay, let's get the content of this file. I'm going to use Get-Content, so here replace this Program Files, or take this path, and the file name is b64.txt. Let's see what the content is. There we have an error: Documents, no, it's Desktop, so I correct this. Again we have an error; I have to correct so much. So this is the content of the b64 file. So it's asking here to base64 decode: you want to decode this, hmm. Basically we use the decode... we would use something, even if there's a PowerShell cmdlet, something like that. Let's see how we can do this. Honestly I'm not sure. "PowerShell base64 decode", Microsoft, nothing official about this. All right, let's see other guys' experience. No, no, well, actually this is helpful but not for a file; I want to use something for the file. The answers were about decoding and encoding a string, but here we don't have a string, we have a string of base64 inside a file. This is also not helpful. Okay, "decoding base64 with PowerShell": whether that's working when it was fired, which is also possible. As you can see, we store the file in a variable, get its content and store it in that variable, and use the PowerShell native decoding, FromBase64String, then complete with Out-File -Encoding to out.html. Fine. All right, this is also very possible; let's do it. So basically what we did here: we define the variable $file equal to the file path, which is this one. Let's check that; yes, right, enter. Now I have another variable which is the data; the data is the content of this file, which we have displayed here. We take this command and put it here. Here they use the file, so instead of typing the full path we just type $file; we reference the file value. Now let's take this; what we have to modify here is the out file: the out file will be decoded-b64.txt. So Get-ChildItem, we have the file. Let's get its content: decoded... it doesn't exist. Notice that decoded-b64... interesting. Actually I think it is not in C:, it is in Administrator. So we have, yeah, that's right, so we'll move this. This is garbage, this is the flag, and this is the flag. Okay, so let's take the flag and get back here. Okay, correct.

Now, this is the basics of PowerShell. Of course this is not a comprehensive or exhaustive tutorial; this is a briefing. But now we know the formula, the syntax; you can just make your way through by researching and finding more and practicing yourself.

Now let's get down to enumeration. So we have the questions we have to answer. Now this is for pentesting, of course. "How many users are there on the machine?" Well, this is very easy: you can get the users by using Get-LocalUser. You see one, two, three, four, five: five users. Of course this is native enumeration with PowerShell; we're not using any script to do that like PowerView or PowerShell Empire; you're just doing that with your knowledge of PowerShell.

"Which local user does this SID belong to?" Also this is very easy. Let me copy the SID. Basically we use Get-LocalUser to get the users. Now we have a property here called SID, and inside of this property we specify the SID we're looking for: as you can see, Guest. So type here: Guest.

"How many users have their password required value set to false?" Okay, let's find out. So we use Get-LocalUser again, and here we have Where-Object; the property is PasswordRequired and the value will be False. That's... no, wrong property. PasswordRequired -match False, Where-Object, Get-LocalUser... "A parameter cannot be found that matches parameter name 'property'". Again, type -Property... oh, these are the accounts that have PasswordRequired set to False: one, two, three, four. Four, I guess. Correct.

"How many local groups exist?" Here we're asking how many, so we can use Measure-Object. List the groups: Get-LocalGroup. Now we listed the groups, right? Too many. Now to get the number, like we did when determining the number of cmdlets, we say Measure-Object: 24. Oh, too many.

"What command would you use to get the IP address information?" It's like saying ifconfig or ipconfig; we use Get-NetIPAddress. Anyone who is into this will know this, I guess. Get-NetIPAddress, right.

"How many ports are listed as listening?" It's like we're saying netstat -anlp, right? Here we're looking for ports that are listening, so if we say Get-Net... no, no, okay, that's Get-NetTCPConnection. We display the ports and their status; let's do that first. As I said earlier, all of the output in PowerShell is considered an object; an object has properties, so here we're looking for the State property; we want this to be Listen. So we get back here and say Where-Object -Property State -eq Listen, then Measure-Object: how many do we have? 20. Let's try this.

"What is the remote address of the local port listening on port 445?" So there is an open port 445 and you want to find the remote address. Well, this is this one, but here they are asking how do you do that with the command, right? So here we get back to this Get-NetTCPConnection | Where-Object; the property here is the same, State -eq Listen. Here they're not asking about... let me get back. What is the remote address of the local port listening on port 445? So the local port will be 445. So this one will be: the property is LocalPort -eq 445; of course no Measure-Object, and this is the remote address.

"How many patches have been applied?" That's like when you scan a Windows machine, or you have a Windows machine with limited access on the machine, and you get the system info and give the system info to Windows Exploit Suggester, I guess; so it's scanning for patches. Also PowerView and PowerShell Empire do this; there is a command to look for the patches and hotfixes, but you can do that manually with PowerShell: Get-HotFix. Let's see them first. You can see the patches that have been applied; these are the updates and the patches, as you can see, and the date, InstalledOn and InstalledBy, the user, the ID, Description, the Source. Here we're asking for the number, so we pipe to Measure-Object. We were talking about 12320. "When was the patch with this ID installed?" Here we're looking for details about this patch, so we're going to use the same command but here say Where-Object -Property HotFixID -eq this one. So this is the date, and this is the one. Okay, correct.

"Find the contents of a backup file." So we're looking here for a .bak file. Use this as before when finding interesting-file.txt. Let's get back and find the Get-ChildItem; no, not this one, yeah, similar to this one. So here we define the path, -Include, and here instead of that we say .bak, indicating a backup file, then -Recurse, and find me a backup file. Oh, this is the one: passwords.bak.txt. Now get its content. After I determine the path here, Get-Content... remove this one, take this... oh, come on, again, one more time, I'm hopeless at this. Okay, let me put it in one last time: Program Files (x86), Internet Explorer, and the file name is passwords.bak.txt, and lastly backpass flag.

"Search for all files containing API_KEY." So I'm going to search here for all files and look at their contents: what is the content of these files, and extract the API key from it. So I want to find here how it's going to look. For this one we're going to use Get-ChildItem again, -Path C:\, and here it is .txt, or no specific extension, so I'm not going to specify the extension, and here we're going to pipe this to Select-String, and the argument for this is -Pattern; the pattern we're looking for is API_KEY. Show us the files: nothing, hmm. What if I typed a star here? Okay, let's cancel the path and see how it's going to look with a star. It seems like we have nothing for this, or I guess I forgot something. Let's keep the path and specify -Recurse to look for the subdirectories as well. Okay, while this is running we're not going to wait; we're going to proceed to the next one till this finishes.

The next one is: "What command do you use to list all the running processes?" Well, this is also easy: Get-Process.

"What is the path of the scheduled task called new-sched-task?" So here I'm sure you're going to have to use Where-Object, but first we're going to list the scheduled tasks and understand the properties. So Get-ScheduledTask. The scheduled tasks are these; the properties are State, TaskName, TaskPath. So we're going to play with TaskName: Get-ScheduledTask | Where-Object -Property... the property name is new... no, here -eq and here the task name, right, it was TaskName, the property name, sorry, TaskName. That's right; now the command is correct. Let's copy it. Wrong. What's it asking? What's the path of the scheduled task? The path is this.

"Who is the owner of C:?" So we're talking about access control lists or something like that, so use Get-Acl C:. The owner is NT SERVICE\TrustedInstaller. You might see that these commands are easy, but when you have a case, like a testing scenario or an engagement, applying these commands has never been easy, actually. So what are we doing now? We're waiting for this one. So what happened? I'm still waiting. Okay, Ctrl+C. Seems like we received something. "Search for all files containing API_KEY." Well, now what am I supposed to put as the answer? I don't know. It's like finding the API key value. What's that? API_KEY equals fake key? Let's try that. Okay, 123. So yes, we are supposed to find the value of this, so this is the value. So that was for the basics and enumeration; next we're going to take the PowerShell basic scripting challenge and intermediate scripting. I hope this was helpful, and see you in the next video.
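The object-pipeline patterns the video walks through (filtering with Where-Object, counting with Measure-Object, locating a file with -Include and -Recurse, hashing, base64 decoding, and host enumeration) collected into one script. This is an added example, not code from the video or the TryHackMe room; the scratch directory under $env:TEMP and the sample files it creates are constructed, and Get-LocalUser, Get-NetTCPConnection and Get-HotFix assume Windows PowerShell 5.1 on a Windows host.

```powershell
# Constructed scratch directory so the file-hunting steps run anywhere.
$scratch = Join-Path $env:TEMP 'psbasics-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Constructed sample inputs: a base64 file like the room's b64.txt and a
# text file carrying a placeholder API key (not a real secret).
$b64Path = Join-Path $scratch 'b64.txt'
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('not so interesting content')) |
    Out-File -FilePath $b64Path -Encoding ascii
Set-Content -Path (Join-Path $scratch 'config.txt') -Value 'API_KEY=<placeholder-value>'

# 1. Verb-Noun cmdlets only (no functions or aliases), then count them.
$cmdletCount = (Get-Command | Where-Object -Property CommandType -eq Cmdlet |
    Measure-Object).Count
"Cmdlets installed: $cmdletCount"

# 2. Locate a file by partial name without knowing its directory. -Include
#    only applies together with -Recurse (or a wildcard in -Path), which is
#    what made the first attempts in the video return nothing.
$found = Get-ChildItem -Path $scratch -Include '*b64*' -File -Recurse
"Found: $($found.FullName)"

# 3. Hash the file (MD5 as the room asks; Get-FileHash defaults to SHA256).
$hash = Get-FileHash -Path $found.FullName -Algorithm MD5
"MD5: $($hash.Hash)"

# 4. Decode the base64 content with the .NET API and write it beside it.
$data    = Get-Content -Path $found.FullName -Raw
$decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($data.Trim()))
$decoded | Out-File -FilePath (Join-Path $scratch 'decoded-b64.txt') -Encoding utf8
"Decoded: $decoded"

# 5. Listening TCP ports, and whatever is bound to 445 (SMB).
$listening = Get-NetTCPConnection -State Listen
"Listening ports: $(($listening | Measure-Object).Count)"
$listening | Where-Object -Property LocalPort -eq 445 |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State

# 6. Local accounts that do not require a password, and the hotfix count.
Get-LocalUser | Where-Object -Property PasswordRequired -eq $false |
    Select-Object Name, Enabled, SID
"Hotfixes: $((Get-HotFix | Measure-Object).Count)"

# 7. grep-style search for the key name across text files; Select-String
#    reports the file, line number and matching line for each hit.
Get-ChildItem -Path $scratch -Include '*.txt' -File -Recurse |
    Select-String -Pattern 'API_KEY' |
    Select-Object Path, LineNumber, Line
```

Point step 7 at C:\ with -Recurse to reproduce the room's search; expect it to take a while and to emit access-denied errors for directories the current user cannot read, which -ErrorAction SilentlyContinue on Get-ChildItem suppresses.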
Info
Channel: Motasem Hamdan
Views: 20,351
Keywords: powershell, oscp, tryhackme
Id: 2pvERj9GtgI
Length: 62min 14sec (3734 seconds)
Published: Thu Jan 07 2021