PowerShell for Pentesters

Task 1 - Intro

No need to answer!

Task 2 - Manipulating files

What is the MD5 hash value of the file on Walter's desktop?

Task 3 - Downloading files

No need to answer!

Task 4 - System Reconnaissance

What Windows Security Update was installed on 5/15/2019?

Task 5 - Network Reconnaissance

No need to answer!

Task 6 - Using PowerView

One of the accounts has a special description; what is it?

PS C:\users\Walter\Desktop> . .\powerview.ps1
PS C:\users\Walter\Desktop> Get-NetUser | select samaccountname,description

samaccountname description
-------------- -----------
ServerAdmin    Built-in account for administering the computer/domain
Guest          Built-in account for guest access to the computer/domain
Walter
sshd
krbtgt         Key Distribution Center Service Account
l.jupyter
josterman
await
ebake
ssilk          IDF-17828290
usand
dtriberg

How many accounts are disabled?

PS C:\users\Walter\Desktop> Get-NetUser -UACFilter ACCOUNTDISABLE | select samaccountname

samaccountname
--------------
Guest
krbtgt
usand
dtriberg

How many users are in the "domain admins" group?

PS C:\users\Walter\Desktop> Get-NetGroupMember -Identity "Domain Admins"


GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : usand
MemberDistinguishedName : CN=Ursula Sand,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-1119

GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : ssilk
MemberDistinguishedName : CN=Sally Silk,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-1118

GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : ServerAdmin
MemberDistinguishedName : CN=ServerAdmin,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-500

Which users are in the "domain admins" group? (Listed alphabetically, small, comma-separated, using space)

ServerAdmin,ssilk,usand

List shares; what is the name of the "interesting" share?

PS C:\users\Walter\Desktop> Get-NetShare

Name                 Type Remark              ComputerName
----                 ---- ------              ------------
ADMIN$         2147483648 Remote Admin        localhost
C$             2147483648 Default share       localhost
IPC$           2147483651 Remote IPC          localhost
NETLOGON                0 Logon server share  localhost
operationfiles          0                     localhost
SYSVOL                  0 Logon server share  localhost

What is the name of the user-created Group Policy?

PS C:\users\Walter\Desktop> Get-NetGPO
...
usncreated               : 12900
displayname              : Disable WinDef
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
whenchanged              : 5/15/2021 11:21:46 AM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 12909
dscorepropagationdata    : 1/1/1601 12:00:00 AM
name                     : {B3BCB206-765F-437E-9826-7F77743EC6C2}
flags                    : 0
cn                       : {B3BCB206-765F-437E-9826-7F77743EC6C2}
gpcfilesyspath           : \\WATCH.local\SysVol\WATCH.local\Policies\{B3BCB206-765F-437E-9826-7F77743EC6C2}
distinguishedname        : CN={B3BCB206-765F-437E-9826-7F77743EC6C2},CN=Policies,CN=System,DC=WATCH,DC=local
whencreated              : 5/15/2021 11:19:39 AM
versionnumber            : 1
instancetype             : 4
objectguid               : bd95654f-37c3-4003-83d4-da7a893eb989
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=WATCH,DC=local

What are the first names of users whose accounts were disabled? (Sorted alphabetically, small, comma-separated, using space)

PS C:\users\Walter\Desktop> Get-NetUser -UACFilter ACCOUNTDISABLE | select cn

cn
--
Guest
krbtgt
Ursula Sand
Daniel Triberg
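The Task 6 checks rolled into one review report, as an added example that is not part of the room or of PowerView: it cross-references the disabled accounts against Domain Admins membership and separates user-created GPOs and custom description text from the defaults. It assumes powerview.ps1 is already dot-sourced in the session; Get-DomainReviewReport, $stockRemarks and $defaultGpos are names of my own, and the two default GPO names are the standard ones every domain ships with.

```powershell
# Added review script, not part of the room or of PowerView itself.
# Assumes powerview.ps1 has already been dot-sourced in this session.
function Get-DomainReviewReport {
    # 1. The description attribute is readable by every authenticated user, so any
    #    value that is not a stock remark on a built-in account deserves a look.
    $stockRemarks = @(
        'Built-in account for administering the computer/domain',
        'Built-in account for guest access to the computer/domain',
        'Key Distribution Center Service Account'
    )
    $customDesc = Get-NetUser |
        Where-Object { $_.description -and ($stockRemarks -notcontains $_.description) } |
        Select-Object samaccountname, description

    # 2. Disabled accounts, and which of them still sit in Domain Admins
    #    (a stale privileged account is a finding even while it is disabled).
    $disabled     = @(Get-NetUser -UACFilter ACCOUNTDISABLE | Select-Object -ExpandProperty samaccountname)
    $domainAdmins = @(Get-NetGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty MemberName)
    $disabledAdmins = @($domainAdmins | Where-Object { $disabled -contains $_ })

    # 3. Any GPO beyond the two every domain ships with was created by someone.
    $defaultGpos = 'Default Domain Policy', 'Default Domain Controllers Policy'
    $customGpos = Get-NetGPO |
        Where-Object { $defaultGpos -notcontains $_.displayname } |
        Select-Object displayname, whencreated, gpcfilesyspath

    [pscustomobject]@{
        AccountsWithCustomDescription = $customDesc
        DisabledAccounts              = $disabled
        DomainAdmins                  = $domainAdmins
        DisabledButStillDomainAdmin   = $disabledAdmins
        NonDefaultGpos                = $customGpos
    }
}

# Print each section separately; Out-String keeps the tables in order with the headings.
$report = Get-DomainReviewReport
'== Accounts with a custom description =='
$report.AccountsWithCustomDescription | Format-Table -AutoSize | Out-String
"== Disabled accounts ({0}) ==" -f $report.DisabledAccounts.Count
$report.DisabledAccounts
"== Domain Admins ({0}) ==" -f $report.DomainAdmins.Count
$report.DomainAdmins
'== Disabled accounts still in Domain Admins =='
$report.DisabledButStillDomainAdmin
'== GPOs other than the defaults =='
$report.NonDefaultGpos | Format-Table -AutoSize | Out-String
```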
