TryHackMe | Windows Command Line | RSCyberTech

Published at
12/24/2024
Categories
tryhackme
cybersecurity
windows
cmd
Author
rscybertech

āž”ļø By @RSCyberTech


Platform: TryHackMe

Learning Path: Cyber Security 101

Room: Windows Command Line


1ļøāƒ£ TaskĀ 1 - Introduction

What is the default command line interpreter in the Windows environment?

Answer ✅

  • cmd.exe

Justification / Source

  • “The purpose of this room is to teach you how to use MS Windows Command Prompt cmd.exe, the default command-line interpreter in the Windows environment.”
  • Mentioned in the section’s text.

Steps

  • n/a

2ļøāƒ£ TaskĀ 2 - Basic System Information

What is the OS version of the Windows VM?

Answer ✅

  • 10.0.20348.2655

Justification / Source

  • “Let’s use the ver command to determine the operating system (OS) version.”
  • Mentioned in the section’s text.

Steps

```
user@WINSRV2022-CORE C:\Users\user>ver

Microsoft Windows [Version 10.0.20348.2655]
```

What is the hostname of the Windows VM?

Answer ✅

  • WINSRV2022-CORE

Justification / Source

  • “We can run the systeminfo command to list various information about the system such as OS information, system details, processor and memory.”
  • Mentioned in the section’s text.

Steps

```
user@WINSRV2022-CORE C:\Users\user>systeminfo

Host Name:                 WINSRV2022-CORE
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00454-60000-00001-AA763
Original Install Date:     4/23/2024, 7:36:29 PM
System Boot Time:          12/24/2024, 11:11:47 AM
System Manufacturer:       Amazon EC2
System Model:              t3a.micro
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     980 MB
Available Physical Memory: 127 MB
Virtual Memory: Max Size:  1,300 MB
Virtual Memory: Available: 357 MB
Virtual Memory: In Use:    943 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5041948
                           [02]: KB5041160
                           [03]: KB5041590
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.151.7
                                 [02]: fe80::8d9b:8b8f:6409:e143
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
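Two version strings appear in this task: `ver` prints `10.0.20348.2655`, where the last field is the update build revision that changes with each cumulative update, while `systeminfo` stops at `10.0.20348`. For patch-level triage the `Hotfix(s)` list is the part that matters, and raw `systeminfo` output is what patch-audit tooling typically consumes. The parser below is an added example written for this write-up, not code from the TryHackMe room or the original post: it turns the listing above into a dict, keeps the indented `[NN]:` entries as lists without mixing in the per-NIC sub-items, and pulls out the build string and the KB identifiers. The sample string is the systeminfo output from this page trimmed to the fields used; the English-locale labels are an assumption (a localized Windows prints different ones).

```python
"""Parse `systeminfo` output into a dict and pull out the build and hotfix list.

Added example for this write-up, not code from the TryHackMe room or the original
post. SAMPLE_SYSTEMINFO is the systeminfo output shown on this page, trimmed to the
fields the parser uses, so the code runs offline on any OS. Assumption: the
English-locale labels that systeminfo prints ("Host Name:", "Hotfix(s):", ...).
"""
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 WINSRV2022-CORE
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
OS Configuration:          Standalone Server
System Boot Time:          12/24/2024, 11:11:47 AM
System Type:               x64-based PC
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5041948
                           [02]: KB5041160
                           [03]: KB5041590
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.151.7
                                 [02]: fe80::8d9b:8b8f:6409:e143
"""

# Top-level field: starts in column 0, "Label:" then padding then the value.
# The label is matched lazily so a value containing ':' (a timestamp) stays whole.
_FIELD_RE = re.compile(r"^(?P<label>[^:]+?):\s*(?P<value>.*)$")
# Indented continuation entry: "[01]: KB5041948"
_ITEM_RE = re.compile(r"^(?P<indent>\s+)\[\d+\]:\s*(?P<value>.*)$")
_KB_RE = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text: str) -> dict:
    """Return {label: value}; fields that continue over "[NN]:" lines (Hotfix(s),
    Network Card(s)) become lists of those entries. Only entries at the first
    continuation indent are kept, so the per-NIC sub-items under Network Card(s)
    (Connection Name, IP address(es) ...) are not mixed into the top-level list."""
    info: dict = {}
    current = None          # label the continuation lines belong to
    list_indent: dict = {}  # label -> indent of its first "[NN]:" entry
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = _FIELD_RE.match(line)
            if m:
                current = m.group("label").strip()
                info[current] = m.group("value").strip()
            else:
                current = None
            continue
        m = _ITEM_RE.match(line)
        if not m or current is None:
            continue
        indent = len(m.group("indent"))
        if isinstance(info[current], str):
            # First entry: replace the count line ("3 Hotfix(s) Installed.") with a list
            info[current] = []
            list_indent[current] = indent
        if indent == list_indent[current]:
            info[current].append(m.group("value").strip())
    return info


def os_build(info: dict) -> str:
    """'10.0.20348' from 'OS Version: 10.0.20348 N/A Build 20348'. `ver` additionally
    prints the update build revision (.2655 on this host); systeminfo does not."""
    m = re.match(r"\d+\.\d+\.\d+", info.get("OS Version", ""))
    return m.group(0) if m else ""


def installed_hotfixes(info: dict) -> list:
    """KB identifiers in the order systeminfo listed them; [] when the field is
    absent or reads 'N/A'."""
    entries = info.get("Hotfix(s)", [])
    if isinstance(entries, str):  # e.g. "N/A" when nothing is installed
        entries = [entries]
    return [kb for e in entries for kb in _KB_RE.findall(e)]


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["Host Name"], os_build(parsed), installed_hotfixes(parsed))
```

On a real host, redirect `systeminfo > sysinfo.txt` from the target and feed the file to `parse_systeminfo`; the KB list is then ready for comparison against a patch baseline.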

3ļøāƒ£ TaskĀ 3 - Network Troubleshooting

Which command can we use to look up the server’s physical address (MAC address)?

Answer ✅

  • ipconfig /all

Justification / Source

  • “You can also use ipconfig /all for more information about your network configuration.”
  • Mentioned in the section’s text.

Steps

```
user@WINSRV2022-CORE C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.compute.internal
                                       eu-west-1.ec2-utilities.amazonaws.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-75-36-8B-3C-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d9b:8b8f:6409:e143%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.151.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 24, 2024 11:12:18 AM
   Lease Expires . . . . . . . . . . : Tuesday, December 24, 2024 12:42:18 PM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 84601211
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-B9-B7-EF-00-0C-29-FF-E5-C8
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
```
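The `ipconfig /all` listing answers both this question and the subnet mask question later in the task, and a practitioner usually wants two things derived from it: the network the host actually sits on (address plus mask, as CIDR) and whether the MAC is vendor-assigned or locally administered. `02-75-36-8B-3C-DF` is the latter: the second-lowest bit of the first octet is set, which is normal for cloud and virtual NICs and means an OUI vendor lookup on it tells you nothing. The parser below is an added example written for this write-up, not code from the room or the original post; the sample string is the listing above trimmed to the fields used, and the English-locale labels are an assumption.

```python
"""Parse `ipconfig /all` output and derive the network and MAC facts from it.

Added example for this write-up, not code from the TryHackMe room or the original
post. SAMPLE_IPCONFIG is the listing shown on this page, trimmed to the fields used,
so the code runs offline on any OS. Assumption: English-locale labels.
"""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   DNS Suffix Search List. . . . . . : eu-west-1.compute.internal
                                       eu-west-1.ec2-utilities.amazonaws.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-75-36-8B-3C-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d9b:8b8f:6409:e143%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.151.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# "   Label . . . . : value": fields are indented 1-4 spaces; the label ends at the
# dot leader before the separating colon, so IPv6 values keep their own colons.
# Continuation lines (extra DNS suffixes) are indented far deeper and never match.
_FIELD_RE = re.compile(r"^ {1,4}(?P<label>[^.:]+?)[ .]*:\s*(?P<value>.*)$")
# Address-state suffix ipconfig appends to IP addresses.
_STATE_RE = re.compile(r"\((Preferred|Tentative|Duplicate|Deprecated)\)$")


def parse_ipconfig(text: str) -> dict:
    """Return {section: {label: value}}. Section headers are the unindented lines
    ("Windows IP Configuration", "Ethernet adapter Ethernet:"); fields under them
    are indented. Continuation lines are appended to the preceding field,
    newline-separated."""
    sections: dict = {}
    current = None
    last_label = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip().rstrip(":")
            sections[current] = {}
            last_label = None
            continue
        if current is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            last_label = m.group("label").strip()
            sections[current][last_label] = _STATE_RE.sub("", m.group("value").strip())
        elif last_label is not None:
            sections[current][last_label] += "\n" + line.strip()
    return sections


def ipv4_network(adapter: dict) -> ipaddress.IPv4Network:
    """The network the adapter sits on: 10.10.151.7 with mask 255.255.0.0 is
    10.10.0.0/16. strict=False makes ip_network zero the host bits instead of raising."""
    return ipaddress.ip_network(
        f"{adapter['IPv4 Address']}/{adapter['Subnet Mask']}", strict=False
    )


def gateway_on_link(adapter: dict) -> bool:
    """Sanity check: the default gateway must lie inside the adapter's own network."""
    return ipaddress.ip_address(adapter["Default Gateway"]) in ipv4_network(adapter)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set: the address was
    assigned by software, not burned in under a vendor OUI. Cloud and virtual NICs
    usually look like this (02-xx-...), so an OUI lookup on them is meaningless."""
    first_octet = int(re.split(r"[-:]", mac.strip())[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    eth = parse_ipconfig(SAMPLE_IPCONFIG)["Ethernet adapter Ethernet"]
    print(eth["Physical Address"], ipv4_network(eth), is_locally_administered(eth["Physical Address"]))
```

The `/16` result is also the scope a later host-discovery sweep from this box would cover, which is why the subnet mask question is worth more than a lookup.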

What is the name of the process listening on port 3389?

Answer ✅

  • TermService

Justification / Source

  • “The final networking command we will cover in this room is netstat. This command displays current network connections and listening ports. … -a displays all established connections and listening ports -b shows the program associated with each listening port and established connection”
  • Mentioned in the section’s text.

Steps

```
user@WINSRV2022-CORE C:\Users\user>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:135            WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:47001          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49665          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49666          WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49667          WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49668          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    10.10.151.7:22         ip-10-11-34-174:46794  ESTABLISHED
 [sshd.exe]
  TCP    10.10.151.7:139        WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:22                WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    [::]:135               WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:3389              WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    [::]:5985              WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:47001             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    [::]:49665             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49666             WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49667             WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49668             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:3389           *:*
  TermService
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50180          *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50377          *:*
  Dnscache
 [svchost.exe]
  UDP    10.10.151.7:137        *:*
 Can not obtain ownership information
  UDP    10.10.151.7:138        *:*
 Can not obtain ownership information
  UDP    127.0.0.1:61602        127.0.0.1:61602
  iphlpsvc
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:3389              *:*
  TermService
 [svchost.exe]
  UDP    [::]:4500              *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5353              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50180             *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50377             *:*
  Dnscache
 [svchost.exe]
```
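Several entries above (445, 5985, 47001, the NetBIOS ports 137/138/139, and a few RPC ports) read `Can not obtain ownership information`. `netstat -b` can only attribute sockets whose owning process the calling user may open; from an unelevated prompt, listeners that belong to the System process (SMB on 445, and the HTTP.sys-based WinRM listeners on 5985 and 47001) or to protected services stay unresolved. Any port-to-process map built from this output therefore has gaps that must be flagged rather than silently dropped. The parser below is an added example written for this write-up, not code from the room or the original post: it reads the record format shown above (a connection line, then an optional service-name line and an `[image.exe]` line, or the single unknown-owner line), answers the port 3389 question, and lists the ports that need an elevated re-run. The sample is a subset of the listing above; the English-locale netstat messages are an assumption.

```python
"""Parse `netstat -ab` output into port -> owner records, keeping track of the
sockets whose owner netstat could not resolve.

Added example for this write-up, not code from the TryHackMe room or the original
post. SAMPLE_NETSTAT_AB is a subset of the listing shown on this page, embedded so
the code runs offline. Assumption: English-locale netstat messages.
"""
import re

SAMPLE_NETSTAT_AB = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:135            WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    10.10.151.7:22         ip-10-11-34-174:46794  ESTABLISHED
 [sshd.exe]
  TCP    [::]:3389              WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  UDP    0.0.0.0:3389           *:*
  TermService
 [svchost.exe]
  UDP    10.10.151.7:137        *:*
 Can not obtain ownership information
"""

# Connection line: proto, local endpoint, foreign endpoint and (TCP only) a state.
_CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)
# Owner line printed by -b: the image name in square brackets.
_EXE_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")
UNKNOWN_OWNER = "Can not obtain ownership information"


def split_endpoint(endpoint: str) -> tuple:
    """'0.0.0.0:3389' -> ('0.0.0.0', 3389); '[::]:3389' -> ('::', 3389); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat_ab(text: str) -> list:
    """One dict per connection line. The lines *after* a connection describe its
    owner: an optional service name (printed for svchost-hosted services), then
    "[image.exe]", or the single line UNKNOWN_OWNER when netstat could not
    resolve it (an unelevated prompt gets this for System-owned sockets)."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _CONN_RE.match(line)
        if m:
            addr, port = split_endpoint(m.group("local"))
            current = {
                "proto": m.group("proto"), "local_addr": addr, "local_port": port,
                "remote": m.group("remote"), "state": m.group("state") or "",
                "service": None, "exe": None, "owner_known": True,
            }
            records.append(current)
        elif current is None:
            continue  # "Active Connections" / column header
        elif line.strip() == UNKNOWN_OWNER:
            current["owner_known"] = False
        elif (em := _EXE_RE.match(line)):
            current["exe"] = em.group("exe")
        else:
            current["service"] = line.strip()
    return records


def _is_listener(r: dict) -> bool:
    # UDP has no state; every bound UDP socket is effectively a listener.
    return r["proto"] == "UDP" or r["state"] == "LISTENING"


def owner_of_port(records: list, port: int, proto: str = "TCP"):
    """Service name if netstat printed one (TermService for 3389), else the image
    name, else None when ownership was not available."""
    for r in records:
        if r["proto"] == proto and r["local_port"] == port and _is_listener(r):
            return r["service"] or r["exe"]
    return None


def listening_ports(records: list) -> list:
    """Sorted (proto, port, owner) triples, one per port: IPv4 and IPv6 listeners
    for the same port collapse, and unresolved owners are marked '?' rather than
    dropped so the gaps stay visible in the report."""
    seen = {}
    for r in records:
        if _is_listener(r):
            seen.setdefault((r["proto"], r["local_port"]), r["service"] or r["exe"] or "?")
    return sorted((p, port, o) for (p, port), o in seen.items())


def unresolved_ports(records: list) -> list:
    """(proto, port) of listeners that need an elevated re-run to attribute."""
    return [(r["proto"], r["local_port"]) for r in records
            if _is_listener(r) and not r["owner_known"]]


if __name__ == "__main__":
    recs = parse_netstat_ab(SAMPLE_NETSTAT_AB)
    print(owner_of_port(recs, 3389), listening_ports(recs), unresolved_ports(recs))
```

To close the gaps, re-run from an elevated prompt, or use `netstat -ano` to get the owning PID for every socket and resolve it with `tasklist /SVC /FI "PID eq <pid>"`, which also lists the services hosted inside a shared `svchost.exe`.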

What is the subnet mask?

Answer ✅

  • 255.255.0.0

Justification / Source

  • “You can also use ipconfig /all for more information about your network configuration.”
  • Mentioned in the section’s text.

Steps

  • Same `ipconfig /all` output as for the MAC address question above; the relevant line is:

```
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
```

4ļøāƒ£ TaskĀ 4 - File and Disk Management

What are the file’s contents in C:\Treasure\Hunt?

Answer ✅

  • THM{CLI_POWER}

Justification / Source

  • “You can easily view text files with the command type.”
  • Mentioned in the section’s text.

Steps

```
SRV2022-CORE C:\Users\user>type C:\Treasure\Hunt\flag.txt

THM{CLI_POWER}
```

5ļøāƒ£ TaskĀ 5 - Task and Process Management

What command would you use to find the running processes related to notepad.exe?

Answer ✅

  • tasklist /FI "imagename eq notepad.exe"

Justification / Source

  • “Let’s say that we want to search for tasks related to sshd.exe, we can do that with the command tasklist /FI "imagename eq sshd.exe". Note that /FI is used to set the filter image name equals sshd.exe.”
  • Mentioned in the section’s text.

Steps

  • n/a

What command can you use to kill the process with PID 1516?

Answer ✅

  • taskkill /PID 1516

Justification / Source

  • “With the process ID (PID) known, we can terminate any task using taskkill /PID target_pid. For example, if we want to kill the process with PID 4567, we would issue the command taskkill /PID 4567.”
  • Mentioned in the section’s text.

Steps

  • n/a

6ļøāƒ£ TaskĀ 6 - Conclusion

The command shutdown /s can shut down a system. What is the command you can use to restart a system?

Answer ✅

  • shutdown /r

Justification / Source

  • n/a

Steps

```
user@WINSRV2022-CORE C:\Users\user>shutdown /?
Usage: shutdown [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

    No args    Display help. This is the same as typing /?.
    /?         Display help. This is the same as not typing any options.
    /i         Display the graphical user interface (GUI).
               This must be the first option.
    /l         Log off. This cannot be used with /m or /d options.
    /s         Shutdown the computer.
    /sg        Shutdown the computer. On the next boot, if Automatic Restart Sign-On
               is enabled, automatically sign in and lock last interactive user.
               After sign in, restart any registered applications.
    /r         Full shutdown and restart the computer.
    /g         Full shutdown and restart the computer. After the system is rebooted,
               if Automatic Restart Sign-On is enabled, automatically sign in and
               lock last interactive user.
               After sign in, restart any registered applications.
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
    /p         Turn off the local computer with no time-out or warning.
               Can be used with /d and /f options.
    /h         Hibernate the local computer.
               Can be used with the /f option.
    /hybrid    Performs a shutdown of the computer and prepares it for fast startup.
               Must be used with /s option.
    /fw        Combine with a shutdown option to cause the next boot to go to the
               firmware user interface.
    /e         Document the reason for an unexpected shutdown of a computer.
    /o         Go to the advanced boot options menu and restart the computer.
               Must be used with /r option.
    /m \\computer Specify the target computer.
    /t xxx     Set the time-out period before shutdown to xxx seconds.
               The valid range is 0-315360000 (10 years), with a default of 30.
               If the timeout period is greater than 0, the /f parameter is
               implied.
    /c "comment" Comment on the reason for the restart or shutdown.
               Maximum of 512 characters allowed.
    /f         Force running applications to close without forewarning users.
               The /f parameter is implied when a value greater than 0 is
               specified for the /t parameter.
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
               p indicates that the restart or shutdown is planned.
               u indicates that the reason is user defined.
               If neither p nor u is specified the restart or shutdown is
               unplanned.
               xx is the major reason number (positive integer less than 256).
               yy is the minor reason number (positive integer less than 65536).
Failed to get retrieve reasons.
```

What command can you use to abort a scheduled system shutdown?

Answer ✅

  • shutdown /a

Justification / Source

  • n/a

Steps

  • Same `shutdown /?` output as for the previous question; the relevant lines are:

```
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
```

āž”ļø By @RSCyberTech

cmd Article's
30 articles in total
Favicon
Windows äøŠ VSCode ēš„ C/C++ 延ä¼øęØ”ēµ„處ē†ē·Øē¢¼ēš„問锌
Favicon
TryHackMe | Windows Command Line | RSCyberTech
Favicon
50+ Most Useful CMD Commands to Boost Your Windows Productivity
Favicon
Video: Enable IIS using CMD and PowerShell
Favicon
Video: List All Available Windows Features on Windows 11 using CMD & PowerShell
Favicon
šŸš€ Arch Linux Cheat Sheet: Essential Commands for new Users
Favicon
RIME Input | curl: (6) Could not resolve host: raw.githubusercontent.com
Favicon
Rename Multiple Files in Sequence with Just One Click Using PowerShell in Windows! šŸš€
Favicon
Maximizing IT Service Excellence with ServiceNow CMDB
Favicon
šŸ‘understanding windows Command Line Interface
Favicon
Comandos Avanzados
Favicon
Comandos de Red
Favicon
Comandos de Fecha
Favicon
Comandos para Manipular Archivos y Directorios
Favicon
Tech notes 02 - Most Important Command Line Notes
Favicon
Comandos BƔsicos
Favicon
Bash Scripting Fundamentals
Favicon
Decoding the Linux Command Line: 75 Indispensable Utilities Explained
Favicon
How to restore a Mysql backup with XAMP
Favicon
Remotely Control Raspberry Pi via SSH from External Network
Favicon
SSH Raspberry Pi via Cell Phone
Favicon
Enhancing Internet Speed Through CMD Commands
Favicon
Install Oh-My-Posh On Windows Command Prompt (cmd) Via Clink
Favicon
Important CMD Commands
Favicon
Title: A Beginner's Guide to Command-Line File and Directory Manipulation
Favicon
Mastering Deployments in Kubernetes
Favicon
SetEnv å·„å…·ē؋式
Favicon
My K8s Cheatsheet
Favicon
Membuat Database Melalui CMD Pada Laragon
Favicon
Perbedaan perintah RUN dan CMD di dalam Docker

Featured ones: