Hacking with Powershell
This room can be found here. It covers: what Powershell is, how it works, basic Powershell commands, Windows enumeration with Powershell, and Powershell scripting.
Machine credentials:
Username: Administrator
Password: BHN2UVw0Q
Task 2
This also allows Powershell to execute .NET functions directly from its shell. Most Powershell commands, called cmdlets, are written in .NET.
Unlike other scripting languages and shell environments, these cmdlets output objects rather than text, making Powershell somewhat object oriented. This also means that running cmdlets allows us to perform actions on the output object, which makes it convenient to pass output from one cmdlet to another. The normal format of a cmdlet name is Verb-Noun.
Common verbs to use include:
Get
Start
Stop
Read
Write
New
Out
A full list of approved verbs is here.
Question 1: What is the command to get help about a particular cmdlet (without any parameters)?
Get-help
Task 3
Get-Command and Get-Help are our best friends!
Using Get-Help
Get-Help displays information about a cmdlet. To get help about a particular command, run Get-Help Command-Name
We can also see exactly how to use the command by passing in the -examples flag.
Using Get-Command
Get-Command gets all the cmdlets installed on the current computer. This cmdlet allows for pattern matching such as Get-Command Verb-* or Get-Command *-Noun
Running Get-Command New-* to view all the cmdlets for the verb New displays:
Object Manipulation
If we want to actually manipulate the output, we need to figure out a few things:
passing output to other cmdlets
using specific object cmdlets to extract information
The Pipe ( | ) is used to pass output from one cmdlet to another. A major difference compared to other shells is that instead of passing text or a string to the command after the pipe, Powershell passes an object to the next cmdlet. Like every object in object oriented frameworks, an object will contain methods and properties.
We can think of methods as functions that can be applied to output from the cmdlet, and we can think of properties as variables in the output from a cmdlet. To view these details, pass the output of a cmdlet to the Get-Member cmdlet: Verb-Noun | Get-Member
An example of running this to view the members for Get-Command is:
Get-Command | Get-Member -MemberType Method
Creating Objects From Previous cmdlets
One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the Select-Object cmdlet.
An example of listing the directories and just selecting the mode and the name:
We can also use the following flags to select particular information:
-First - gets the first x objects
-Last - gets the last x objects
-Unique - shows only the unique objects
-Skip - skips the first x objects
Filtering Objects
When retrieving output objects, we may want to select objects that match a very specific value. We can do this using the Where-Object cmdlet to filter based on the value of properties.
The general format of using this cmdlet is:
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
The second version uses the $_ automatic variable, which refers to the current object as Where-Object iterates through every object passed to it.
Powershell is sensitive here, so make sure we don't put quotes around the command.
Where -operator is one of the following operators:
-Contains: if any item in the property value is an exact match for the specified value
-EQ: if the property value is the same as the specified value
-GT: if the property value is greater than the specified value
A full list of operators can be found here.
An example of checking the stopped processes:
Sort Object
When a cmdlet outputs a lot of information, we may need to sort it to extract the information more efficiently. We do this by pipelining the output of a cmdlet to the Sort-Object cmdlet.
The format of the command would be
Verb-Noun | Sort-Object
An example of sorting the list of directories:
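The object manipulation cmdlets above (Get-Member, Select-Object, Where-Object in both syntaxes, Sort-Object) combined in one pipeline, as an added example that is not part of the room. It uses Get-Service and the Windows directory so it runs on any Windows host; the stopped-automatic-service check is an assumption about what is worth looking at, not something the room asks for.

```powershell
# Added example, not from the room: object manipulation on real cmdlet output.

# 1. Discover what a Get-Service object carries before filtering on it
Get-Service | Get-Member -MemberType Property | Select-Object -First 5 -Property Name, Definition

# 2. Filter with the -Property syntax: services that are stopped
Get-Service | Where-Object -Property Status -EQ Stopped | Select-Object -First 3 -Property Name, Status

# 3. Same filter with the script-block syntax; $_ is the object being tested.
#    A second condition is added: stopped services that are set to start
#    automatically, which deserve a second look when triaging a host.
$stoppedAuto = Get-Service |
    Where-Object { $_.Status -eq 'Stopped' -and $_.StartType -eq 'Automatic' } |
    Sort-Object -Property DisplayName |
    Select-Object -Property Name, DisplayName, Status, StartType

$stoppedAuto | Format-Table -AutoSize
"$($stoppedAuto.Count) automatic services are currently stopped"

# 4. Sort-Object on a directory listing: newest files first, then only
#    Mode, Name and LastWriteTime, skipping the first entry
Get-ChildItem -Path $env:SystemRoot -File |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Skip 1 -First 5 -Property Mode, Name, LastWriteTime

# 5. -Unique: the distinct file extensions present in the same directory
Get-ChildItem -Path $env:SystemRoot -File |
    Select-Object -ExpandProperty Extension -Unique
```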
Question 1: What is the location of the file "interesting-file.txt"
C:\Program Files
- Running Get-ChildItem -Path C:\ -Recurse -File interesting*.txt -ErrorAction SilentlyContinue will give us our answer.
Question 2: Specify the contents of this file
notsointerestingcontent
- Running Get-Content 'C:\Program Files\interesting-File.txt.txt' will give us our answer.
Question 3: How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?
6638
- Running Get-Command -CommandType Cmdlet | measure will give us our answer. Measure (an alias of Measure-Object) calculates the numeric properties of objects, and the characters, words, and lines in string objects, such as text files. Helpful when parsing or searching through larger amounts of information.
Question 4: Get the MD5 hash of interesting-file.txt
49A586A2A9456226F8A1B4CEC6FAB329
- Running Get-FileHash 'C:\Program Files\interesting-file.txt.txt' -Algorithm MD5 will give us our answer.
Question 5: What is the command to get the current working directory?
Get-Location
Question 6: Does the path "C:\Users\Administrator\Documents\Passwords" exist (Y/N)?
N
- Running Test-Path -Path 'C:\Users\Administrator\Documents\Passwords' will give us our answer (it returns False; Get-Location has no -Path parameter, so Test-Path is the cmdlet to use here).
Question 7: What command would you use to make a request to a web server?
Invoke-WebRequest
Question 8: Base64 decode the file b64.txt on Windows
ihopeyoudidthisonwindows
- Find the file first: Get-ChildItem -Path C:\ -Recurse -File b64.txt -ErrorAction SilentlyContinue
Now we can decode the base64 and output to a file, then get the contents of the new file:
certutil -decode 'C:\Users\Administrator\Desktop\b64.txt' decoded.txt
Get-Content 'C:\Users\Administrator\Desktop\decoded.txt'
Task 4
The first step when you have gained initial access to any machine would be to enumerate. We'll be enumerating the following:
users
basic networking information
file permissions
registry permissions
scheduled and running tasks
insecure files
Your task will be to answer the following questions to enumerate the machine using Powershell commands!
Question 1: How many users are there on the machine?
5
- Running Get-LocalUser will give us our answer.
Question 2: Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
Guest
- Running Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501" gives us our answer.
Question 3: How many users have their password required values set to False?
4
- Run Get-LocalUser | Where-Object -Property PasswordRequired -Match false to find the answer.
Question 4: How many local groups exist?
24
- Run Get-LocalGroup | Measure to find the answer.
Question 5: What command did you use to get the IP address info?
Get-NetIPAddress
Question 6: How many ports are listed as listening?
20
- Run Get-NetTCPConnection | Where-Object -Property State -Match Listen | Measure to find our answer.
Question 7: What is the remote address of the local port listening on port 445?
::
- Running Get-NetTCPConnection | Where-Object -Property State -Match Listen | findstr "445" will show us our answer.
Question 8: How many patches have been applied?
20
- Run Get-Hotfix and count, OR Get-Hotfix | Measure
Question 9: When was the patch with ID KB4023834 installed?
6/15/2017 12:00:00 AM
- In the above screenshot we can find the answer, BUT we can always run Get-Hotfix | findstr "KB4023834" OR Get-Hotfix -Id KB4023834
Question 10: Find the contents of a backup file.
backpassflag
- First we find the backup file: Get-ChildItem -Path C:\ -include *.bak* -File -Recurse -ErrorAction SilentlyContinue
Now we get the contents of that file: Get-Content 'C:\Program Files (x86)\Internet Explorer\passwords.bak.txt'
Question 11: Search for all files containing API_KEY
fakekey123
- We can run Get-ChildItem C:* -Recurse | Select-String -pattern API_KEY to find the answer. After a while we see an error code.
Question 12: What command do you do to list all the running processes?
Get-Process
Question 13: What is the path of the scheduled task called new-sched-task?
/
- We can run Get-ScheduledTask -TaskName new-sched-task and obtain our answer.
Question 14: Who is the owner of C:\?
NT SERVICE\TrustedInstaller
- Running Get-Acl c:/ will show us the owner.
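The individual enumeration commands from this task gathered into one function, as an added example that is not part of the room. The function name Get-HostEnumeration, the choice of Program Files as the place to look for backup and credential files, and the "non-Microsoft scheduled task" filter are assumptions of this example, not something the room specifies.

```powershell
# Added example, not the room's code: collect the Task 4 enumeration items
# into one object that can be piped to Format-List, Export-Clixml or ConvertTo-Json.
function Get-HostEnumeration {
    # Local accounts, and the subset whose PasswordRequired is False
    $users = Get-LocalUser | Select-Object -Property Name, Enabled, PasswordRequired, SID
    $noPassword = $users | Where-Object { -not $_.PasswordRequired }

    # Listening TCP ports, sorted, with the owning process id
    $listening = Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort |
        Select-Object -Property LocalAddress, LocalPort, OwningProcess

    # Installed patches, newest first
    $hotfixes = Get-HotFix |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -Property HotFixID, Description, InstalledOn

    # Scheduled tasks outside the \Microsoft\ path (assumed filter for non-built-in tasks)
    $tasks = Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object -Property TaskName, TaskPath, State

    # Files whose names suggest backups or stored credentials (assumed search locations)
    $suspectFiles = Get-ChildItem -Path 'C:\Program Files', 'C:\Program Files (x86)' `
            -Recurse -File -Include '*.bak*', '*pass*' -ErrorAction SilentlyContinue |
        Select-Object -Property FullName, Length, LastWriteTime

    [PSCustomObject]@{
        Users              = $users
        UsersNoPassword    = $noPassword
        LocalGroupCount    = (Get-LocalGroup | Measure-Object).Count
        ListeningPorts     = $listening
        ListeningPortCount = ($listening | Measure-Object).Count
        Hotfixes           = $hotfixes
        NonMicrosoftTasks  = $tasks
        SuspectFiles       = $suspectFiles
        SystemDriveOwner   = (Get-Acl -Path 'C:\').Owner
        SoftwareKeyOwner   = (Get-Acl -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue).Owner
    }
}

$report = Get-HostEnumeration
$report | Format-List
```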
Task 5
We'll be using PowerShell ISE (which is the Powershell text editor). To show an example of a script, let's use a particular scenario. Given a list of port numbers, we want to use this list to see if the local port is listening. Open the listening-ports.ps1 script on the Desktop using Powershell ISE. Powershell scripts usually have the .ps1 file extension.
On the first line, we want to get a list of all the ports on the system that are listening. We do this using the Get-NetTCPConnection cmdlet. We then save the output of this cmdlet into a variable. The convention for creating variables is:
On the next line, we want to read a list of ports from the file. We do this using the Get-Content cmdlet. Again, we store this output in a variable. The simplest next step is to iterate through all the ports in the file to see if the ports are listening. To iterate through the ports in the file, we use the following:
This particular code block is used to loop through a set of objects. Once we have each individual port, we want to check if this port occurs in the listening local ports. Instead of doing another for loop, we just use an if statement with the -in operator to check if the port exists in the LocalPort property of any object. A full list of if statement comparison operators can be found here. To run the script, just call the script path using Powershell or click the green button on Powershell ISE:
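A script that follows the steps just described, written here as an added example rather than the room's own listening-ports.ps1. It assumes a text file with one port number per line (path given via the -PortFile parameter, defaulting to ports.txt on the Desktop); the variable names and the extra lookup of the owning process are this example's own choices.

```powershell
# Added example, not the room's listening-ports.ps1: check each port listed
# in a text file against the TCP ports the host is currently listening on.
param(
    # Assumed input: one port number per line
    [string]$PortFile = "$env:USERPROFILE\Desktop\ports.txt"
)

# Variables are created with a $ prefix; this one holds the listening connections
$system_ports = Get-NetTCPConnection -State Listen

# Read the candidate ports from the file, ignoring blank lines
$text_ports = Get-Content -Path $PortFile | Where-Object { $_.Trim() -ne '' }

foreach ($port in $text_ports) {
    # Cast to int so the -in comparison is numeric rather than string-based
    $port = [int]$port

    # -in tests membership of $port in the collection of LocalPort values
    if ($port -in $system_ports.LocalPort) {
        # Also report which process owns the listening socket
        $owner = ($system_ports | Where-Object { $_.LocalPort -eq $port } |
                  Select-Object -First 1).OwningProcess
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        Write-Output "$port is listening (PID $owner, $($proc.ProcessName))"
    } else {
        Write-Output "$port is not listening"
    }
}
```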
Now that we've seen what a basic script looks like, it's time to write one of your own. The emails folder on the Desktop contains copies of the emails John, Martha and Mary have been sending to each other (and themselves). Answer the following questions with regard to these emails (try not to open the files and use a script to answer the questions).
Scripting can be a bit difficult, but here is a good resource to use.
Question 1: What file contains the password?
Doc3m
- So we can essentially make a script that will run powershell commands from a file by storing them into variables and calling them throughout the script.
Question 2: What is the password?
johnisaleggend99
- From the script/command we wrote above, it has our answer as well.
Question 3: What file contains an HTTPS link?
Doc2Mary
- We can edit our script above and change the string from password to https://
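One way to write the script the three questions above call for, as an added example that is not the room's solution: a single function that searches every file under a folder for a pattern and returns file name, line number and matching line as objects, so changing the pattern from password to https:// is a one-argument change. The function name Find-TextInFiles and the default folder path (the Desktop emails folder) are assumptions of this example.

```powershell
# Added example, not the room's code: search a folder of files for a pattern
# and return structured results instead of opening each file by hand.
function Find-TextInFiles {
    param(
        # Assumed location of the emails folder described in the task
        [string]$Path = "$env:USERPROFILE\Desktop\emails",
        [Parameter(Mandatory)][string]$Pattern
    )
    # Select-String treats -Pattern as a case-insensitive regex by default
    Get-ChildItem -Path $Path -Recurse -File |
        Select-String -Pattern $Pattern |
        Select-Object -Property @{ Name = 'File'; Expression = { $_.Filename } },
                                LineNumber,
                                @{ Name = 'Text'; Expression = { $_.Line.Trim() } }
}

# Questions 1 and 2: which file mentions a password, and the line that holds it
Find-TextInFiles -Pattern 'password'

# Question 3: which file contains an HTTPS link
Find-TextInFiles -Pattern 'https://'

# Only the distinct file names, when several lines in one file match
Find-TextInFiles -Pattern 'https://' | Select-Object -ExpandProperty File -Unique
```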