PowerShell for Pentesters

Task 1 - Intro

No need to answer!

Task 2 - Manipulating files

What is the MD5 hash value of the file on Walter's desktop?

Task 3 - Downloading files

No need to answer!

Task 4 - System Reconnaissance

What Windows Security Update was installed on 5/15/2019?

Task 5 - Network Reconnaissance

No need to answer!

Task 6 - Using PowerView

One of the accounts has a special description; what is it?

PS C:\users\Walter\Desktop> . .\powerview.ps1
PS C:\users\Walter\Desktop> Get-NetUser | select samaccountname,description

samaccountname description
-------------- -----------
ServerAdmin    Built-in account for administering the computer/domain
Guest          Built-in account for guest access to the computer/domain
Walter
sshd
krbtgt         Key Distribution Center Service Account
l.jupyter
josterman
await
ebake
ssilk          IDF-17828290
usand
dtriberg

How many accounts are disabled?

PS C:\users\Walter\Desktop> Get-NetUser -UACFilter ACCOUNTDISABLE | select samaccountname

samaccountname
--------------
Guest
krbtgt
usand
dtriberg

How many users are in the "domain admins" group?

PS C:\users\Walter\Desktop> Get-NetGroupMember -Identity "Domain Admins"


GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : usand
MemberDistinguishedName : CN=Ursula Sand,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-1119

GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : ssilk
MemberDistinguishedName : CN=Sally Silk,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-1118

GroupDomain             : WATCH.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,OU=Groups,DC=WATCH,DC=local
MemberDomain            : WATCH.local
MemberName              : ServerAdmin
MemberDistinguishedName : CN=ServerAdmin,CN=Users,DC=WATCH,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-1966530601-3185510712-10604624-500

Which users are in the "domain admins" group? (Listed alphabetically, small, comma-separated, using space)

ServerAdmin,ssilk,usand

List shares; what is the name of the "interesting" share?

PS C:\users\Walter\Desktop> Get-NetShare

Name                 Type Remark              ComputerName
----                 ---- ------              ------------
ADMIN$         2147483648 Remote Admin        localhost
C$             2147483648 Default share       localhost
IPC$           2147483651 Remote IPC          localhost
NETLOGON                0 Logon server share  localhost
operationfiles          0                     localhost
SYSVOL                  0 Logon server share  localhost

What is the name of the user-created Group Policy?

PS C:\users\Walter\Desktop> Get-NetGPO
...
usncreated               : 12900
displayname              : Disable WinDef
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
whenchanged              : 5/15/2021 11:21:46 AM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 12909
dscorepropagationdata    : 1/1/1601 12:00:00 AM
name                     : {B3BCB206-765F-437E-9826-7F77743EC6C2}
flags                    : 0
cn                       : {B3BCB206-765F-437E-9826-7F77743EC6C2}
gpcfilesyspath           : \\WATCH.local\SysVol\WATCH.local\Policies\{B3BCB206-765F-437E-9826-7F77743EC6C2}
distinguishedname        : CN={B3BCB206-765F-437E-9826-7F77743EC6C2},CN=Policies,CN=System,DC=WATCH,DC=local
whencreated              : 5/15/2021 11:19:39 AM
versionnumber            : 1
instancetype             : 4
objectguid               : bd95654f-37c3-4003-83d4-da7a893eb989
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=WATCH,DC=local

What are the first names of users' whose accounts were disabled? (Sorted alphabetically, small, comma-separated, using space)

PS C:\users\Walter\Desktop> Get-NetUser -UACFilter ACCOUNTDISABLE | select cn

cn
--
Guest
krbtgt
Ursula Sand
Daniel Triberg

PreviousNet Sec Challenge (Nmap, Netcat, FTP)NextCorp

Last updated 3 years ago

hashtagTask 1 - Intro

hashtagTask 2 - Manipulating files

hashtagTask 3 - Downloading files

hashtagTask 4 - System Reconnaissance

hashtagTask 5 - Network Reconnaissance

hashtagTask 6 - Using PowerView

Task 1 - Intro

Task 2 - Manipulating files

Task 3 - Downloading files

Task 4 - System Reconnaissance

Task 5 - Network Reconnaissance

Task 6 - Using PowerView