Blue Teaming | PowershELlF to the rescue
This level is based on TryHackMe Advent of Cyber 2 [2020] Day 20. Let's begin.

Story
Someone is mischievous at The Best Festival Company. The contents within the stockings have been removed. A clue was left in one of the stockings that hints that the contents have been hidden within Elfstation1. McEager moves quickly and attempts to RDP into the machine. Yikes! He is unable to log in.
Luckily, he has been learning PowerShell, and he can remote into the workstation using PowerShell over SSH.
Task
Use the PowerShell console to navigate throughout the endpoint to find the hidden contents to reveal what was hidden in the stockings.
Preparation
username: mceager
password: r0ckStar!
IP: <youripmachine>
Let's begin
First, we have to connect to the machine over SSH as mceager.
ssh -l mceager 10.10.229.91
After successfully connecting over SSH as mceager, we can open PowerShell over SSH to proceed with the next steps.

Q1) Search for the first hidden elf file within the Documents folder. Read the contents of this file. What does Elf 1 want?
First, we need to change our current directory to /Documents/. We can use either Set-Location or cd Documents (yup, we can use familiar terminal commands in PowerShell).

Since we want to search for hidden files, we can use the -Hidden flag of Get-ChildItem (ls).

Answer: 2 front teeth
Q2) Search on the desktop for a hidden folder that contains the file for Elf 2. Read the contents of this file. What is the name of that movie that Elf 2 wants?
In the previous question, we learned that we can find hidden items using the -Hidden flag. Additionally, we can use the -Directory (or -Dir) flag to filter and display only folders.
First, change the current directory to Desktop using either Set-Location or cd Desktop. Once we locate the hidden folder for Elf 2, we can simply open the folder to view its contents and read the file inside.

Answer: Scrooged
Q3) Search the Windows directory for a hidden folder that contains files for Elf 3. What is the name of the hidden folder? (This command will take a while)
Now, we move our current directory to /Windows/ with the command cd /Windows/.
To search for specific items, we can combine flags like this: -Hidden -Dir -Filter "*3*". This searches for hidden directories with names containing the number 3.

If we use the ls command on its own, it only displays items one level deep within the /Windows/ directory. To search recursively through all subdirectories, we can use the -Recurse flag. This flag retrieves items from the specified location and all its child items.

However, when using -Recurse, we might encounter numerous error messages. To suppress these errors, we can add the -ErrorAction SilentlyContinue flag.

Tadaaaaaaa

Answer: 3lfthr3e
Q4) How many words does the first file contain?
After navigating to the 3lfthr3e folder, we find it contains two hidden files. To determine the answer to the question, we can use the Measure-Object -Word command to analyze the content of these files.

Answer: 9999
Q5) What 2 words are at index 551 and 6991 in the first file?
Here, we can gather a clue that will help us answer question #5.


Answer: red ryder
Q6) This is only half the answer. Search in the 2nd file for the phrase from the previous question to get the full answer. What does Elf 3 want? (use spaces when submitting the answer)
To search for specific patterns within files, we can use the Select-String command with the -Pattern flag. For example:
Select-String <file> -Pattern 'keyword'

Answer: redryderbbgun
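
The flags from Q1 to Q6 combined into one runnable PowerShell script, as an added example that is not part of the original write-up. It builds a constructed sandbox under $env:TEMP (folder names, file names and words are invented, not the room's), and the whitespace split used for the index lookup is an assumption about how the words are stored.

```powershell
# Constructed sandbox; folder names, file names and words are invented for this demo.
$root = Join-Path $env:TEMP 'hidden-demo'
Remove-Item $root -Recurse -Force -ErrorAction SilentlyContinue
$dir = New-Item -ItemType Directory -Path (Join-Path $root 'sub\f0ld3r') -Force
$f1 = Join-Path $dir.FullName '1.txt'
$f2 = Join-Path $dir.FullName '2.txt'

$words = 1..20 | ForEach-Object { "w$_" }
$words[5] = 'alpha'; $words[12] = 'beta'
Set-Content -Path $f1 -Value ($words -join ' ')
Set-Content -Path $f2 -Value 'x', 'alphabetagamma', 'y'

# Hide both files and the folder, keeping their other attribute bits.
$hidden = [IO.FileAttributes]::Hidden
foreach ($item in @(Get-Item $f1, $f2) + $dir) {
    $item.Attributes = $item.Attributes -bor $hidden
}

# A plain recursive listing skips hidden items.
Get-ChildItem $root -Recurse | Select-Object FullName

# Q3 pattern: hidden directories with a 3 in the name, searched recursively.
# -ErrorAction SilentlyContinue hides access-denied noise on real system folders.
$found = Get-ChildItem $root -Hidden -Directory -Recurse -Filter '*3*' -ErrorAction SilentlyContinue
$found.FullName

# Q1/Q2 pattern: list only the hidden files inside that folder.
Get-ChildItem $found.FullName -Hidden -File | Select-Object Name, Length

# Q4 pattern: count the words in the first file.
(Get-Content $f1 | Measure-Object -Word).Words

# Q5 pattern (assumption: words are whitespace-separated; indexes are zero-based).
$w = -split (Get-Content $f1 -Raw)
$phrase = $w[5] + $w[12]

# Q6 pattern: search the second file for the combined phrase.
Select-String -Path $f2 -Pattern $phrase | Select-Object LineNumber, Line

Remove-Item $root -Recurse -Force   # clean up the sandbox
```

The same hidden-attribute sweep is useful during triage of a Windows endpoint, since files and folders marked hidden do not appear in a default listing.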
Thank you for reading this until the end! This write-up serves as my personal journal while working through this room, documenting my journey, challenges, and learnings along the way. I hope it can also be a helpful resource for others exploring similar paths.