Investigating Windows - TryHackMe

Investigating Windows - TryHackMe

·

4 min read

A windows machine has been hacked, its your job to go investigate this windows machine and find clues to what the hacker might have done.

tryhackme.com/room/investigatingwindows

Key

Questions will be Titled with Q:

Answers will be titled with A:

Example:

Q: What is your name?

A: Josh

Let's get into it

The first question we are presented with is:

Q: What's the version and year of the windows machine?

Opening up CMD and running systeminfo we are presented with a wall of information but we are interested in "OS name"

image.png

A: windows server 2016

Q: Which user logged in last?

running whoami we can see who we are and as we are currently logged in, we are the last logged-in user.

image.png

A: administrator

But what if we are analyzing an offline system? This is where event viewer comes into play. there are two event logs we will want to filter for:

Event ID 4624: An account was successfully logged in
Event ID 4672: Special privileges assigned to new logon

These events will be stored inside of Windows logs -> Security

image.png

After navigating to the correct logs we will want to filter for the above-discussed event IDs:

image.png

Filter by the date and time and then investigate the contents of the event.

image.png

Moving on

Q: When did John log onto the system last?

executing net user user in cmd we can see information about our specific user

image.png

A: 03/02/2019 5:48:32 PM

(change format add 0's into the date)

Q: What IP does the system connect to when it first starts?

We can investigate the registry and look at things such as "run" and "run once" on 64bit systems, there are two different locations one for 64bit binaries and 32bit binaries. For this challenge, it was located in the 32bit start up

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> Run
C:\TMP\p.exe -s \\10.34.2.3 'net user' > C:\TMP\o2.txt

image.png

or we could query start up with wmic

wmic startup list full

image.png

A: 10.34.2.3

Q: What two accounts had administrative privileges (other than the Administrator user)?

Executing net localgroup administrators in cmd will query our local administrator accounts

image.png

A: jenny, guest

Q: What's the name of the scheduled task that is malicous.

Opening up the windows task scheduler and looking at the actions we can get an idea of what programs/scripts are being executed and investigate them further for malicious activity

image.png

seeing Netcat PowerShell script is not normal in most environments, we can open the script to confirm this.

A: Clean file system

Q: What file was the task trying to run daily?

Referencing the above question we can see in the actions it is attempting to execute nc.ps1

A: nc.ps1

Q: What port did this file listen locally for?

Remaining in the schedule task section we can see that the PowerShell script is executed with -l for listening on the port:

image.png

A: 1348

Q: When did Jenny last logon?

Same as our earlier question we use:

net user Jenny

image.png

A: never

Q: At what date did the compromise take place?

on the C: drive there is a TMP directory where the threat actor has stored all their tools/scripts/output too. This folder was created on:

A: 03/02/2019

Q: At what time did Windows first assign special privileges to a new logon?

Earlier we used event viewer to filter for two Event IDs we will do this process again but this time we will only filter for 4672 which is the special logon.

image.png

Use the hint for this question as there are earlier logs than this.

A: 03/02/2019 4:04:49 PM

Q: What tool was used to get Windows passwords?

going to C:/TMP there is a log file related to mimikatz. My pre-existing knowledge of mimikatz made this one pretty straightforward forward or you could of read the output files.

image.png

A: mimikatz

Q: When looking at explorer.exe there was recent access to hosts

image.png

Investigating the host file all the other IPs are local IPs besides the entries for google.com

image.png

A: 76.32.97.132

Q: Investigating the C: drive I saw inetpup -> wwwroot which indicates the web server files will be here:

image.png

A: .jsp

Q: What was the last port the attacker opened?

Checking our firewall rules the first and most recent entry

image.png

A:1337

Q: Check for DNS poisoning, what site was targeted?

Checking our host files like in our previous question we can see an unusual IP which is not related to the regular google DNS

image.png

A: google.com