TryHackMe - Investigating Windows

TRYHACKME

4/17/2024, 4 min read


Here we are going to investigate a Microsoft Windows computer that has previously been compromised. Let's see if we can find out what the attacker has done.

What's the version and year of the Windows machine?

Started up the target machine, which is a Windows computer. Let's open up PowerShell and type in winver to get the Windows version. The dialog shows that we are on Windows Server 2016, version 1607. Let's submit "Windows Server 2016" as the answer - Correct!

Which user logged in last?

Here we'll type the following into PowerShell to display the last logon time recorded for each local account.

Get-LocalUser | Select-Object Name, LastLogon

This shows that Administrator is the last logged-in user (that's us!). Let's type "Administrator" as the answer - Correct.

When did John log into the system last?

From the output of the same PowerShell command we can see that old Johnny boy last logged in on 03/02/2019 5:48:32 PM. Let's pop that in as the answer - Perfect.

What IP does the system connect to when it first starts?

OK, so this one is a bit of an odd question, but let's see what we can find out. Let's start with what the computer runs at startup by going to the registry (it's what I know off the top of my head). Browsing to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run we can see an entry named "UpdateSvc" that runs an executable p.exe from C:\TMP, with an argument containing the IP address 10.34.2.3. An autorun launching a binary out of C:\TMP is a classic persistence sign on its own. Let's enter that IP as the answer - That is the one.

What two accounts had administrative privileges (other than the Administrator user)?

Get-LocalGroupMember -Group "Administrators" shows that both Guest and Jenny are members of the local Administrators group. Guest being an administrator is never legitimate, so that alone is a red flag. "Guest, Jenny" doesn't work for the answer, so let's try "Jenny, Guest" - there we go!

Whats the name of the scheduled task that is malicious?

A quick look in Task Scheduler and we can see a task named GameOver. Let's try that - nope. It seems to be running every 5 minutes (a black console window keeps popping up), but its output file C:\TMP\o.txt doesn't exist, so it's either a red herring, the file has been taken or deleted, or it is simply a task the attacker couldn't get working properly.

There is another one named "Clean file system" which starts a PowerShell script, C:\TMP\nc.ps1. Let's try putting that in as the answer - that is the one.

What file was the task trying to run daily?

As we discovered above, it was trying to run the PowerShell script nc.ps1. That is the answer.

What port did this file listen on locally?

The port is passed as an argument in the scheduled task's action string, and from that we can see port 1348 is the answer here.
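Clicking through every task in the GUI misses the details that matter here (the full action string with its arguments, the trigger schedule, and who the task runs as). This added example, written for this writeup and not taken from the room, flattens every scheduled task into one row per action so you can grep for things like C:\TMP, powershell.exe, or a port number. The filter pattern at the end is my own heuristic.

```powershell
# Added example: one row per scheduled-task action, with trigger type,
# principal, last/next run and the full command line.
$rows = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    # Trigger CIM class names look like MSFT_TaskDailyTrigger; trim to "Daily"
    $triggers = ($task.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
    }) -join ','
    foreach ($action in $task.Actions) {
        # Exec actions carry Execute/Arguments; COM-handler actions have neither
        $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
        [pscustomobject]@{
            TaskName = $task.TaskName
            Path     = $task.TaskPath
            State    = $task.State
            RunAs    = $task.Principal.UserId
            Triggers = $triggers
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
            Command  = $cmd
        }
    }
}

# Heuristic filter (my assumption): script hosts or temp-directory paths
$rows | Where-Object { $_.Command -match '(?i)powershell|cmd\.exe|wscript|cscript|\\tmp\\|\\temp\\' } |
    Format-Table -AutoSize -Wrap
```

On this machine the filtered output contains both GameOver (every 5 minutes, writing to C:\TMP\o.txt) and "Clean file system" with its Daily trigger and the nc.ps1 command line, where the 1348 port argument is visible without opening the task properties.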

When did Jenny last logon?

When we listed all users' last logons, Jenny didn't actually have a timestamp, so the account doesn't look like it has ever logged in interactively. Let's try "never" as an answer - yes, that is correct!
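The three account questions above (last logged-in user, John's last logon, Jenny's never-populated LastLogon) and the Administrators question all come from the same two cmdlets. This added example, written for this writeup rather than copied from the room, joins them into a single table: every local account, whether it is enabled, whether it sits in the Administrators group, and its last logon, with a blank LastLogon rendered as "never" and sorted to the bottom. The group-name stripping assumes the COMPUTER\User format that Get-LocalGroupMember returns for local accounts.

```powershell
# Added example: local accounts with admin membership and last logon.
# Strip the "COMPUTER\" prefix so names match Get-LocalUser output.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name -replace '^.*\\', '' }

Get-LocalUser |
    Select-Object Name, Enabled,
        @{ n = 'IsAdmin';   e = { $admins -contains $_.Name } },
        @{ n = 'LastLogon'; e = { if ($_.LastLogon) { $_.LastLogon } else { 'never' } } } |
    Sort-Object { if ($_.LastLogon -is [datetime]) { $_.LastLogon } else { [datetime]::MinValue } } -Descending |
    Format-Table -AutoSize
```

One caveat: Get-LocalUser reads the LastLogon value from the local SAM, which only covers local accounts and is not a forensic record. If you need the authoritative logon history, pull Security event 4624 (and 4625 for failures) from the event log and correlate by account name and logon type.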

At what date did the compromise take place?

For this answer we just need a date rather than a full timestamp. Looking at the creation dates of the files under C:\TMP (the attacker's staging directory), the compromise appears to have taken place on 3/2/2019. Let's enter 03/02/2019 as the answer - that works.

During the compromise, at what time did Windows first assign special privileges to a new logon?

So we filter the Security log for event ID 4672, "Special privileges assigned to new logon", as this is the event we are looking for. We know the compromise took place on 03/02/2019. The hint tells us the time will end in :49 PM, so the first 4672 on that date ending in :49 PM is 03/02/2019 04:04:49 PM. Bear in mind that 4672 fires for every privileged logon, including the Administrator session we are using right now, which is why it has to be narrowed to the compromise date.
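Scrolling Event Viewer for the right 4672 is tedious, and the date filter in the GUI is easy to get wrong. This added example (written for this writeup, not part of the room) does the last two steps together: it takes the earliest file creation time in the staging directory as the candidate compromise day, then asks Get-WinEvent for the 4672 events on that day, oldest first, and shows the account each one belongs to. The C:\TMP path is the one found on this box; the property indexes used for the account name are the documented field order of event 4672.

```powershell
# Added example: derive the compromise day from the staging directory,
# then list that day's 4672 events in chronological order.
$staging = 'C:\TMP'
$files = Get-ChildItem -Path $staging -File -Force |
    Sort-Object CreationTime |
    Select-Object Name, CreationTime, LastWriteTime
$files | Format-Table -AutoSize

# Earliest creation time in the staging dir = candidate compromise day
$day = ($files | Select-Object -First 1).CreationTime.Date

# Get-WinEvent returns newest first, so sort ascending explicitly
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $day
    EndTime   = $day.AddDays(1)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# 4672 fields: [0]=SubjectUserSid [1]=SubjectUserName [2]=SubjectDomainName
#              [3]=SubjectLogonId [4]=PrivilegeList
$events | Select-Object TimeCreated,
    @{ n = 'Account'; e = { $_.Properties[1].Value } },
    @{ n = 'Domain';  e = { $_.Properties[2].Value } },
    @{ n = 'LogonId'; e = { $_.Properties[3].Value } } |
    Format-Table -AutoSize
```

The first row is the answer to this question. The LogonId column is handy for the next step in a real investigation: it matches the logon ID in the corresponding 4624, which tells you the logon type (interactive, network, RDP) and the source address.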

What tool was used to get Windows passwords?

Checked the output txt files in the C:\TMP directory. The first one is d.txt, which looks like a directory listing. Next is mim-out.txt - this one definitely has passwords in it, and the header shows it was produced by mimikatz, which is well known for extracting credentials from LSASS. That is the answer!

What was the attacker's external command and control server's IP?

Let's check out the hosts file to see if anything has been added there that shouldn't be. Oh look, there are two entries for google that point to the public IPv4 address 76.32.97.132. You wouldn't normally need static entries for Google (especially a single IP), so let's pop that into the answer - yep, that's it.

What was the extension name of the shell uploaded via the servers website?

So if it's talking about this server being a web server, it will more than likely be using IIS. Let's browse to C:\inetpub\wwwroot, the default path where an IIS web server stores its content. Here we find a couple of .jsp files and one .gif. IIS does not execute JSP on its own (it needs a Java servlet engine behind it), so what we have is evidence of what was uploaded rather than proof the shell ran, but let's first try entering .jsp as this is the interesting content - that is the one.
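Rather than eyeballing the web root, it helps to list every script-type file under it with its creation time and a quick check for the strings a web shell typically contains. This added example is written for this writeup and is not from the room; the extension list and the indicator regex are my own choices and will need tuning for a real site.

```powershell
# Added example: find script files in the IIS web root and flag ones whose
# contents look like a command-execution shell.
$webroot = 'C:\inetpub\wwwroot'
# Server-side script extensions (my list); .jsp should never be in a plain IIS root
$scriptExt = '.jsp', '.jspx', '.php', '.asp', '.aspx', '.ashx', '.asmx', '.cshtml'
# Strings commonly seen in web shells (my heuristic, not exhaustive)
$indicators = 'Runtime\.getRuntime|ProcessBuilder|cmd\.exe|/bin/sh|eval\(|WScript\.Shell|Process\.Start'

Get-ChildItem -Path $webroot -Recurse -File -Force |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        [pscustomobject]@{
            File            = $_.FullName
            Ext             = $_.Extension
            Created         = $_.CreationTime
            Modified        = $_.LastWriteTime
            Bytes           = $_.Length
            ShellIndicators = [bool](Select-String -Path $_.FullName -Pattern $indicators -Quiet)
        }
    } |
    Sort-Object Created |
    Format-Table -AutoSize
```

Cross-check the Created column against the compromise date found earlier; a script file that appeared on 03/02/2019 in a web root that otherwise predates it is the upload you are looking for, and the IIS access logs under C:\inetpub\logs\LogFiles will show the requests that hit it.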

What was the last port the attacker opened?

Check out the hint and we see "Firewall". Let's open up the firewall rules and see what the last entry is. There is a rule named "Allow outside connections for development" which allows any remote port to connect to local port 1337. Boom, that's it.
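The firewall MMC shows rule names but hides the port and address scope behind the properties dialog, and the rule object itself carries no creation timestamp, so "last" cannot be read off the rule alone. This added example (written for this writeup, not from the room) lists every enabled inbound allow rule with its ports, remote scope and program, drops the built-in rules that belong to a DisplayGroup, and then queries the firewall's own operational log for rule-added events, which do carry a time. The DisplayGroup heuristic is my assumption; built-in rules normally have one and hand-made rules normally do not.

```powershell
# Added example: enabled inbound allow rules with their port/address filters.
$custom = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Group      = $_.DisplayGroup
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemotePort = ($port.RemotePort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
            Program    = $app.Program
        }
    } |
    # Heuristic (my assumption): rules without a DisplayGroup were added by hand
    Where-Object { -not $_.Group }

$custom | Format-Table -AutoSize

# Rule-added events (ID 2004) in the firewall operational log give the time
# a rule was created, which the rule object itself does not record.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

On this box the first table shows "Allow outside connections for development" on local port 1337 with any remote address, and the 2004 events, if the log has not been cleared, put a timestamp on when each custom rule appeared.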

Check for DNS poisoning, what site was targeted?

google.com - we already know this from the hosts file entries, which map Google's name to the attacker's 76.32.97.132 rather than to Google. Because Windows consults the hosts file before it queries DNS, this is a simple way to hijack name resolution on a single machine without touching a DNS server.
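The C2 and DNS-poisoning questions both come down to reading the hosts file carefully, which is harder than it sounds once comments and multi-name lines are involved. This added example (written for this writeup, not from the room) parses the file into one row per hostname, ignores comments, and marks any mapping that is not a loopback or unspecified address as suspect. The "suspect" rule is my assumption: on a normal Windows host the file contains only comments and possibly localhost entries.

```powershell
# Added example: parse the hosts file into hostname/IP rows and flag
# non-loopback mappings, which on a server are almost always tampering.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |   # strip comments
    Where-Object { $_ } |                            # drop blank lines
    ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Count -lt 2) { return }           # malformed line, skip
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Host    = $name
                IP      = $ip
                # Loopback / unspecified / link-local are normal; anything else is not
                Suspect = [bool]($ip -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)')
            }
        }
    } |
    Format-Table -AutoSize
```

Here it produces two Suspect rows for the google names pointing at 76.32.97.132, which answers both questions. If the box has network access, Resolve-DnsName with the -NoHostsFile switch shows what the name really resolves to so you can confirm the discrepancy, and ipconfig /displaydns shows whether the poisoned answer has already been cached by the resolver.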