# Hacking with Powershell

This room can be found [here](https://tryhackme.com/room/powershell). It covers: what Powershell is, how it works, basic Powershell commands, Windows enumeration with Powershell, and Powershell scripting.

Machine credentials:

* Username: Administrator
* Password: BHN2UVw0Q

## Task 2

This also allows Powershell to execute .NET functions directly from its shell. Most Powershell commands, called *cmdlets*, are written in .NET.

Unlike other scripting languages and shell environments, the output of these *cmdlets* is objects, making Powershell somewhat object oriented. This also means that running cmdlets allows us to perform actions on the output object, which makes it convenient to pass output from one *cmdlet* to another. The normal format of a *cmdlet* is **Verb-Noun**.

Common verbs to use include:

* Get
* Start
* Stop
* Read
* Write
* New
* Out

A full list of approved verbs is [here](https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/approved-verbs-for-windows-powershell-commands?view=powershell-7).

### Question 1: What is the command to get help about a particular cmdlet(without any parameters)?

`Get-help`

## Task 3

`Get-Command` and `Get-Help` are our best friends!

#### Using Get-Help

Get-Help displays information about a *cmdlet.* To get help about a particular command, run `Get-Help Command-Name`

We can also understand how exactly to use the command by passing in the `-examples` flag.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fi0kR3U1QybjwwgH5DyQg%2Fimage.png?alt=media\&token=64e983d9-ed0b-47c3-859d-1ed34ae8ac92)

#### Using Get-Command

Get-Command lists all the *cmdlets* installed on the current computer. This *cmdlet* allows for pattern matching such as `Get-Command Verb-*` or `Get-Command *-Noun`.

Running `Get-Command New-*` to view all the *cmdlets* for the verb New displays:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FcntdDTHxXF9P8uTPqCs6%2Fimage.png?alt=media\&token=352c9ff3-a1a5-4fdb-99e2-4b118fca3e92)

#### Object Manipulation

If we want to actually manipulate the output, we need to figure out a few things:

* passing output to other *cmdlets*
* using specific object *cmdlets* to extract information

The pipe (`|`) is used to pass output from one *cmdlet* to another. A major difference compared to other shells is that instead of passing text or a string to the command after the pipe, Powershell passes an object to the next cmdlet. Like every object in object oriented frameworks, an object will contain methods and properties.

We can think of methods as functions that can be applied to output from the *cmdlet*, and we can think of properties as variables in the output from a cmdlet. To view these details, pass the output of a *cmdlet* to the Get-Member *cmdlet*: `Verb-Noun | Get-Member`

An example of running this to view the members for Get-Command is:

`Get-Command | Get-Member -MemberType Method`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F2ssRoIyNejSHYlXUNpl8%2Fimage.png?alt=media\&token=39c1e9b3-54e5-4e43-b9cd-7d0696ad028c)

#### Creating Objects From Previous *cmdlets*

One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the `Select-Object` *cmdlet*.

An example of listing the directories and just selecting the mode and the name:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FQc5OfHZcuyD633cmUL4s%2Fimage.png?alt=media\&token=37d640cd-ce57-4931-988b-b71930149bd6)

We can also use the following parameters to select particular information:

* `-First` - gets the first x objects
* `-Last` - gets the last x objects
* `-Unique` - shows only the unique objects
* `-Skip` - skips x objects

#### Filtering Objects

When retrieving output objects, we *may* want to select objects that match a very specific value. We can do this using the `Where-Object` *cmdlet* to filter based on the value of properties.

The general format of this *cmdlet* is:

`Verb-Noun | Where-Object -Property PropertyName -operator Value`

`Verb-Noun | Where-Object {$_.PropertyName -operator Value}`

The second version uses the `$_` automatic variable, which refers to the current object as Where-Object iterates through every object passed to it.

**Powershell is sensitive to this, so make sure we don't put quotes around the command.**

Where `-operator` is one of the following operators:

* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value

A full list of operators can be found [here](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6).

An example of checking the stopped processes:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7dFGqwQGLoFc8maTsZEj%2Fimage.png?alt=media\&token=bd23a725-7e91-4778-912b-b14838ed2b56)

#### Sort-Object

When a *cmdlet* outputs a lot of information, we may need to sort it to extract the information more efficiently. We do this by pipelining the output of a *cmdlet* to the `Sort-Object` *cmdlet*.

The format of the command would be:

`Verb-Noun | Sort-Object`

An example of sorting the list of directories:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FRrTBIviWchL2bAC3DE5s%2Fimage.png?alt=media\&token=bf3ee3ac-f232-48d6-a830-2eb7fd4d3bd1)
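The following is an added example, not part of the TryHackMe room, that runs the whole object-manipulation pipeline described above (Get-Member, Where-Object in both forms, Sort-Object, Select-Object with its -First/-Unique/-Skip parameters, and Measure-Object) over a constructed list of objects, so it behaves the same on any machine. The object shape (Name, State, Port) and the values are made up for the demonstration.

```powershell
# Constructed sample data: five service-like objects (not real system output)
$services = @(
    [PSCustomObject]@{ Name = 'web';    State = 'Running'; Port = 443  }
    [PSCustomObject]@{ Name = 'smb';    State = 'Running'; Port = 445  }
    [PSCustomObject]@{ Name = 'ftp';    State = 'Stopped'; Port = 21   }
    [PSCustomObject]@{ Name = 'rdp';    State = 'Running'; Port = 3389 }
    [PSCustomObject]@{ Name = 'telnet'; State = 'Stopped'; Port = 23   }
)

# What travels down the pipe is an object: list its properties, not its text
$services | Get-Member -MemberType Property

# Filtering: the parameter form and the script-block form are equivalent.
# Note the unquoted value Stopped and the unquoted $_ expression, as the text says.
$services | Where-Object -Property State -EQ Stopped
$services | Where-Object { $_.Port -GT 1024 }

# Sort on a property, then build a new object holding only two properties
# of the top two results
$services | Sort-Object -Property Port -Descending |
    Select-Object -Property Name, Port -First 2

# -Unique de-duplicates on the selected properties; -Skip drops the leading objects
$services | Select-Object -Property State -Unique
$services | Sort-Object -Property Name | Select-Object -Skip 3

# Counting: Measure-Object (alias: measure) returns an object whose Count
# property is what the later questions in this room read off
($services | Where-Object -Property State -EQ Running | Measure-Object).Count
```

Because every stage passes objects, the `Port` comparison in the script block is numeric (3389 sorts after 445), which is exactly what a text-based shell pipeline would get wrong.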

### Question 1: What is the location of the file "interesting-file.txt"

`C:\Program Files` - Running `Get-ChildItem -Path C:\ -Recurse -File interesting*.txt -ErrorAction SilentlyContinue` will give us our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FaIyW3b6Veik1pmH38dIL%2Fimage.png?alt=media\&token=2795d8a6-1811-44b9-b761-efd0ddd3088f)

### Question 2: Specify the contents of this file

`notsointerestingcontent` - Running `Get-Content 'C:\Program Files\interesting-file.txt.txt'` will give us our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FI4741BasosUDOU1p9ESq%2Fimage.png?alt=media\&token=d6f0db1c-a42d-4502-be67-2e353a0dbdab)

### Question 3: How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?

`6638` - Running `Get-Command -CommandType Cmdlet | measure` will give us our answer. `measure` is an alias for `Measure-Object`, which calculates the numeric properties of objects, and the characters, words, and lines in string objects such as text files. It is helpful when parsing or searching through larger amounts of information.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FM30wal7YV4rLOOchVnPA%2Fimage.png?alt=media\&token=28b05220-4409-40d1-af3c-dfa4383adbb0)

### Question 4: Get the MD5 hash of interesting-file.txt

`49A586A2A9456226F8A1B4CEC6FAB329` - Running `Get-FileHash 'C:\Program Files\interesting-file.txt.txt' -Algorithm MD5` will give us our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FPZCI3MfZ8uIyEVUUg4sr%2Fimage.png?alt=media\&token=e59a07f6-e61a-4e60-b234-7b0030c4f1d9)

### Question 5: What is the command to get the current working directory?

`Get-Location`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FZ8VcxhkdXFjEnijZDI0r%2Fimage.png?alt=media\&token=21a46cb9-d47d-4c17-84b1-d2a7def6d392)

### Question 6: Does the path "C:\Users\Administrator\Documents\Passwords" Exist(Y/N)?

`N` - Running `Test-Path -Path 'C:\Users\Administrator\Documents\Passwords'` will give us our answer (it returns `False`).

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F50wMUBhOvHcQ3VgJPxBn%2Fimage.png?alt=media\&token=e026546a-2dd8-4181-9690-dc04fd590fd0)

### Question 7: What command would you use to make a request to a web server?

`Invoke-WebRequest`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FWdcI6k0DaidLdGfPGUnk%2Fimage.png?alt=media\&token=b6510ce0-2043-44a5-b6c8-9b5926d1f035)

### Question 8: Base64 decode the file b64.txt on Windows

`ihopeyoudidthisonwindows` - Find the file first: `Get-ChildItem -Path C:\ -Recurse -File b64.txt -ErrorAction SilentlyContinue`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FfG0HLKJkH1WZSpiRyoOP%2Fimage.png?alt=media\&token=a35b8ca3-317e-4912-94e5-e2ece19d4bed)

Now we can decode the base64 and output to a file, then get the contents of the new file. `certutil -decode` writes its output relative to the current directory, so we give the output file a full path as well.

`certutil -decode 'C:\Users\Administrator\Desktop\b64.txt' 'C:\Users\Administrator\Desktop\decoded.txt'`

`Get-Content 'C:\Users\Administrator\Desktop\decoded.txt'`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FwR0iZvUM8hhawjr29xl6%2Fimage.png?alt=media\&token=dfb1639d-28c0-4425-95b4-1835a8ee65ea)
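An added example, not from the room, that does the same decode in pure Powershell through .NET instead of shelling out to certutil. It reads the file, tolerates the line breaks that base64 files usually contain, and reports a clear error when the content is not base64 at all. The file path is the room's; the function and parameter names are my own.

```powershell
function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)] [string] $InputPath
    )
    if (-not (Test-Path -Path $InputPath -PathType Leaf)) {
        throw "File not found: $InputPath"
    }
    # Read the whole file as a single string and strip all whitespace/newlines:
    # certutil tolerates them but [Convert]::FromBase64String does not.
    $raw = (Get-Content -Path $InputPath -Raw) -replace '\s', ''
    try {
        $bytes = [Convert]::FromBase64String($raw)
    } catch [FormatException] {
        throw "Content of $InputPath is not valid base64"
    }
    # Interpret the decoded bytes as UTF-8 text. A binary payload will still
    # come back as (unreadable) text, so inspect $bytes directly in that case.
    [Text.Encoding]::UTF8.GetString($bytes)
}

# Same file the room has us find with Get-ChildItem
ConvertFrom-Base64File -InputPath 'C:\Users\Administrator\Desktop\b64.txt'
```

Unlike the certutil approach nothing is written to disk, so there is no decoded.txt left behind to clean up.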

## Task 4

The first step when you have gained initial access to any machine would be to enumerate. We'll be enumerating the following:

* users
* basic networking information
* file permissions
* registry permissions
* scheduled and running tasks
* insecure files

Your task will be to answer the following questions to enumerate the machine using Powershell commands!

### Question 1: How many users are there on the machine?

`5` - Running `Get-LocalUser` will give us our answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FYPe5D7c5rarSyic6zeOg%2Fimage.png?alt=media\&token=0e4892cb-37bb-4a2f-83b4-ee65f5f80f76)

### Question 2: Which local user does this SID(S-1-5-21-1394777289-3961777894-1791813945-501) belong to?

`Guest` - Running `Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"` gives us our answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7qZY2sPraeh0Rux1qWKN%2Fimage.png?alt=media\&token=adbe22c4-677b-4871-978b-8234b05e7519)

### Question 3: How many users have their password required values set to False?

`4` - Run `Get-LocalUser | Where-Object -Property PasswordRequired -Match false` to find the answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F64rxHDEFZkUElH9bbBSQ%2Fimage.png?alt=media\&token=446e4365-900e-4abd-a9ec-bd63288e55b7)

### Question 4: How many local groups exist?

`24` - Run `Get-LocalGroup | Measure` to find the answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FIcgbqpo6r916VvmqOxF5%2Fimage.png?alt=media\&token=4fa46791-0451-4ad2-913f-94802f0698ef)

### Question 5: What command did you use to get the IP address info?

`Get-NetIPAddress`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fp4pQl8zKl3vbjf7jHJVd%2Fimage.png?alt=media\&token=49c996b5-d1d1-4a9c-8eb3-aff2a3e2d38f)

### Question 6: How many ports are listed as listening?

`20` - Run `Get-NetTCPConnection | Where-Object -Property State -Match Listen | Measure` to find our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FfkKP3HmhWOBpsm7PGaMw%2Fimage.png?alt=media\&token=7700dc55-111e-4fe8-abf0-ae3270c22e0e)

### Question 7: What is the remote address of the local port listening on port 445?

`::` - Running `Get-NetTCPConnection | Where-Object -Property State -Match Listen | findstr "445"` will show us our answer.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FuSLnBoJHK8nlqkCIZnZG%2Fimage.png?alt=media\&token=b35d6cc8-e208-438a-8f9f-86bb01ef96a1)

### Question 8: How many patches have been applied?

`20` - Run `Get-Hotfix` and count OR `Get-Hotfix | Measure`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FumcXqHunQJtRPBS152KF%2Fimage.png?alt=media\&token=beb52ba3-35e4-492b-88fa-3df8e9a8f43a)

### Question 9: When was the patch with ID KB4023834 installed?

`6/15/2017 12:00:00 AM` - In the above screenshot we can find the answer, BUT we can always run `Get-Hotfix | findstr "KB4023834"` OR `Get-Hotfix -Id KB4023834`

### Question 10: Find the contents of a backup file.

`backpassflag` - First we find the backup file `Get-ChildItem -Path C:\ -include *.bak* -File -Recurse -ErrorAction SilentlyContinue`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FeebVlLhVDmXFy5t3syGg%2Fimage.png?alt=media\&token=53ce46a0-8a99-4567-9098-4e4e34c61556)

Now we get the contents of that file `Get-Content 'C:\Program Files (x86)\Internet Explorer\passwords.bak.txt'`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F6umhQcZDqaFoXV3wS6sF%2Fimage.png?alt=media\&token=7d540515-bac5-481d-b82e-141e69857e6b)

### Question 11: Search for all files containing API_KEY

`fakekey123` - We can run `Get-ChildItem C:\* -Recurse | Select-String -Pattern API_KEY` to find the answer. After a while we see an error code.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FT0XrpoTbf2LKscJzSfkp%2Fimage.png?alt=media\&token=cf3da386-8305-49a9-b456-00af8c6fd810)

### Question 12: What command do you do to list all the running processes?

`Get-Process`

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FUnbY3YaOvFXf146e7KTN%2Fimage.png?alt=media\&token=06afa253-46d3-4b6b-8afa-7560a72c63c5)

### Question 13: What is the path of the scheduled task called new-sched-task?

`/` - We can run `Get-ScheduledTask -TaskName new-sched-task` and obtain our answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FgXmQmtSTglRKulugwmv1%2Fimage.png?alt=media\&token=1597e5ed-1d42-4d61-a4ae-f38f3a64ad14)

### Question 14: Who is the owner of C:\?

`NT SERVICE\TrustedInstaller` - Running `Get-Acl c:/` will show us the owner.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F3oVWOZtDuMsLcNOYfOq9%2Fimage.png?alt=media\&token=e3d2b06b-0f6e-4f26-a02f-cde237c83242)
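As an added example that is not part of the room, the user, network, patch, scheduled-task and ACL checks from Task 4 gathered into one function that returns a single object. The point is the defensive use of the same cmdlets: capture the object on a known-good build, serialise it, and diff it against a host under investigation. The cmdlets are the ones the room uses; the function name, its parameter and the property names of the result are my own.

```powershell
function Get-HostBaseline {
    param(
        # Optional KB identifiers to look up individually (the room's KB4023834 is one)
        [string[]] $HotfixIds = @()
    )

    $users  = Get-LocalUser
    $listen = Get-NetTCPConnection -State Listen

    [PSCustomObject]@{
        # Question 1/3: how many accounts, and which ones can log on without a password
        UserCount       = ($users | Measure-Object).Count
        NoPasswordUsers = $users | Where-Object { -not $_.PasswordRequired } |
                              Select-Object -ExpandProperty Name
        EnabledUsers    = $users | Where-Object Enabled | Select-Object -ExpandProperty Name
        # Question 4
        LocalGroupCount = (Get-LocalGroup | Measure-Object).Count
        # Question 6/7: one row per listening port, with the owning process id
        ListeningPorts  = $listen | Sort-Object -Property LocalPort -Unique |
                              Select-Object LocalAddress, LocalPort, OwningProcess
        # Question 8/9
        HotfixCount     = (Get-HotFix | Measure-Object).Count
        RequestedHotfix = $HotfixIds | ForEach-Object {
                              Get-HotFix -Id $_ -ErrorAction SilentlyContinue |
                                  Select-Object HotFixID, InstalledOn
                          }
        # Question 13: every task that is not disabled, with its path
        ScheduledTasks  = Get-ScheduledTask | Where-Object State -NE Disabled |
                              Select-Object TaskPath, TaskName, State
        # Question 14
        SystemDriveOwner = (Get-Acl -Path "$env:SystemDrive\").Owner
    }
}

$baseline = Get-HostBaseline -HotfixIds 'KB4023834'
$baseline | Format-List

# Persist for later comparison (Compare-Object against a stored copy)
$baseline | ConvertTo-Json -Depth 3 | Set-Content -Path .\baseline.json
```

The `-State Listen` parameter of Get-NetTCPConnection does the filtering the room does with `Where-Object -Property State -Match Listen`, and `Get-HotFix -Id` replaces the `findstr` pipe, which only matched on text.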

## Task 5

We'll be using PowerShell ISE (which is the Powershell text editor). To show an example of a script, let's use a particular scenario. Given a list of port numbers, we want to use this list to see if each local port is listening. Open the listening-ports.ps1 script on the Desktop using Powershell ISE. Powershell scripts usually have the *.ps1* file extension.

```powershell
$system_ports = Get-NetTCPConnection -State Listen
$text_port = Get-Content -Path C:\Users\Administrator\Desktop\ports.txt
foreach($port in $text_port){
    if($port -in $system_ports.LocalPort){
        echo $port
    }
}
```

On the first line, we want to get a list of all the ports on the system that are listening. We do this using the Get-NetTCPConnection *cmdlet*. We are then saving the output of this *cmdlet* into a variable. Variables are created with the form:

```powershell
$variable_name = value
```

On the next line, we want to read a list of ports from the file. We do this using the Get-Content *cmdlet*. Again, we store this output in a variable. The simplest next step is to iterate through all the ports in the file to see if the ports are listening. To iterate through the ports in the file, we use the following:

```powershell
foreach($new_var in $existing_var){}
```

This particular code block is used to loop through a set of objects. Once we have each individual port, we want to check if this port occurs in the listening local ports. Instead of doing another for loop, we just use an if statement with the `-in` operator to check if the port exists in the LocalPort property of any object. A full list of if statement comparison operators can be found [here](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators?view=powershell-6). To run the script, just call the script path using Powershell or click the green button in Powershell ISE:

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FcN0Ix7LRzmzHDEPzUjeS%2Fimage.png?alt=media\&token=6693d1b4-e57e-4cb0-a970-e4fece404e11)
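An added example, not the room's listening-ports.ps1, showing the same idea with the checks a script that runs unattended needs: it verifies the port list exists, ignores blank and comment lines, casts the file's strings to integers before comparing, and reports which process owns each listening port instead of only echoing the number. The ports.txt path is the room's; the parameter and variable names are my own.

```powershell
param(
    [string] $PortsFile = 'C:\Users\Administrator\Desktop\ports.txt'
)

if (-not (Test-Path -Path $PortsFile -PathType Leaf)) {
    Write-Error "Port list not found: $PortsFile"
    exit 1
}

# Filter on the cmdlet side: only sockets in the Listen state
$listening = Get-NetTCPConnection -State Listen

# Read the file once; drop empty lines and '#' comments; cast to [int] so that
# the string "445" from the file compares equal to the integer 445 on the object
$wanted = Get-Content -Path $PortsFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { [int] $_ }

foreach ($port in $wanted) {
    $match = @($listening | Where-Object -Property LocalPort -EQ $port)
    if ($match.Count -gt 0) {
        # A port may be bound on several addresses (0.0.0.0 and ::); the owner is the same
        $proc = Get-Process -Id $match[0].OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{ Port = $port; Listening = $true;  Process = $proc.ProcessName }
    } else {
        [PSCustomObject]@{ Port = $port; Listening = $false; Process = $null }
    }
}
```

Emitting objects rather than `echo $port` means the result can be piped straight into `Where-Object`, `Sort-Object` or `Export-Csv`, the same way the built-in cmdlets in Task 3 are used.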

Now that we've seen what a basic script looks like, it's time to write one of your own. The emails folder on the Desktop contains copies of the emails John, Martha and Mary have been sending to each other (and themselves). Answer the following questions with regards to these emails (try not to open the files, and use a script to answer the questions).

Scripting can be a bit difficult, but [here](https://learnxinyminutes.com/docs/powershell/) is a good resource to use.

### Question 1: What file contains the password?

`Doc3m` - We can write a script that stores the search path and the pattern in variables, runs the `Get-ChildItem` / `Select-String` pipeline over them, and prints the result.

```powershell
$path = "C:\Users\Administrator\Desktop\emails*"
$string_pattern = "password"
$command = Get-ChildItem -Path $path -Recurse | Select-String -Pattern $string_pattern
echo $command
```

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FUExqNh2JCy5nzKvIdWy5%2Fimage.png?alt=media\&token=1cc6142f-2101-4fc7-b743-6e5ab02e11bb)

### Question 2: What is the password?

`johnisaleggend99` - The output of the script we wrote above contains this answer as well.

### Question 3: What file contains an HTTPS link?

`Doc2Mary` - We can edit our script above and change the pattern from `password` to `https://`

```powershell
$path = "C:\Users\Administrator\Desktop\emails*"
$string_pattern = "https://"
$command = Get-ChildItem -Path $path -Recurse | Select-String -Pattern $string_pattern
echo $command
```

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7prKnYVvGIO9b5mLjifP%2Fimage.png?alt=media\&token=4e727595-59f2-4741-b6ed-c4adf142ca42)
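An added example, not part of the room, that turns the three Task 5 searches (and the Task 4 API_KEY search, which hit an error part-way through a recursive scan) into one reusable function. It accepts several patterns at once, reports file, line number and matched pattern as objects, and keeps going past unreadable files and directories instead of stopping on the first error. The emails folder path is the room's; the function and parameter names are my own.

```powershell
function Find-StringInFiles {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Pattern,
        [string] $Include = '*'
    )
    # -File skips directories (Select-String cannot read those) and
    # -ErrorAction SilentlyContinue skips paths we are not allowed to open
    Get-ChildItem -Path $Path -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern |
        ForEach-Object {
            [PSCustomObject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern     # which of the supplied patterns matched
                Text    = $_.Line.Trim()
            }
        }
}

# Questions 1-3 of Task 5 in a single pass over the emails folder
$hits = Find-StringInFiles -Path 'C:\Users\Administrator\Desktop\emails\*' -Pattern 'password', 'https://'
$hits | Format-Table -AutoSize

# Group by pattern to answer "which file contains X" directly
$hits | Group-Object -Property Pattern | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group.File | Select-Object -Unique) -join ', ')
}
```

Because the result is a list of objects, narrowing it further is just another `Where-Object` stage, for example `$hits | Where-Object Pattern -EQ 'https://'`.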


