Investigating Windows
A windows machine has been hacked, its your job to go investigate this windows machine and find clues to what the hacker might have done. TryHackMe Investigating Windows
TryHackMe Room Here :- Click Here
Task 1 Investigating Windows
This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.
Connect to the machine using RDP. The credentials the machine are as follows:
Username: Administrator
Password: letmein123!
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
1) Whats the version and year of the windows machine?
Ans :- Windows Server 2016
2) Which user logged in last?
Ans :- Administrator
3) When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM
Ans :- 03/02/2019 5:48:32 PM
In cmd Prompt :-
net users
net users john
4) What IP does the system connect to when it first starts?
Ans :- 10.34.2.3
when I connected to the THM machine... after 2 minutes from its implementation then he sent a message in command connecting to this IP and this is the address we are looking for.
5) What two accounts had administrative privileges (other than the Administrator user)?
Answer format: username1, username2
Ans :- Jenny, Guest
In cmd Prompt :- net users
6) Whats the name of the scheduled task that is malicous.
Ans :- Clean file system
7) What file was the task trying to run daily?
Ans :- nc.ps1
8) What port did this file listen locally for?
Ans :- 1348
9) When did Jenny last logon?
Ans :- Never
In cmd Prompt :-
net users
net users jenny
10) At what date did the compromise take place?
Answer format: MM/DD/YY
Ans :- 03/02/2019
11) At what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM
Ans :- 03/02/2019 4:04:49 PM
12) What tool was used to get Windows passwords?
Ans :- Mimikatz
13) What was the attackers external control and command servers IP?
Ans :- 76.32.97.132
14) What was the extension name of the shell uploaded via the servers website?
Ans :- .jsp
15) What was the last port the attacker opened?
Ans :- 1337
16) Check for DNS poisoning, what site was targeted?
Ans :- google.com
Disclaimer
This was written for educational purpose and pentest only.
The author will not be responsible for any damage ..!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal ..!
All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)