Investigating Windows TryHackMe Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “Investigating Windows”.
Room link: https://tryhackme.com/room/investigatingwindows
Note: this room is available only to TryHackMe premium members.
This challenge is exactly what it says on the tin: a handful of questions about investigating a Windows machine that has previously been compromised.
Connect to the machine using RDP. The credentials for the machine are as follows:
Question 1. What's the version and year of the Windows machine?
Answer: Windows Server 2016
Question 2. Which user logged in last?
Question 3. When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM
Answer: 03/02/2019 5:48:32 PM
Question 4. What IP does the system connect to when it first starts?
Question 5. What two accounts had administrative privileges (other than the Administrator user)?
Answer format: username1, username2
Open the Run dialog with Win+R and type lusrmgr.msc, then check the members of the Administrators group.
Answer: Jenny, Guest
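The same check from PowerShell, as an added example that is not part of the original writeup: it lists the members of the local Administrators group with each account's enabled state and last logon (so a disabled built-in such as Guest stands out), and then pulls Security event 4732 (member added to a security-enabled local group) to date when each account was added. The function names are mine; the script assumes it runs on the investigated Windows Server 2016 host with an elevated session.

```powershell
# Added example (not from the original writeup): enumerate the local Administrators
# group from PowerShell instead of the lusrmgr.msc GUI, showing each account's
# enabled state and last logon, then cross-check with the Security log.

function Get-LocalAdminReport {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Administrators'
    )

    $users = Get-LocalUser
    Get-LocalGroupMember -Group $GroupName | ForEach-Object {
        $member = $_
        # Local group members can be local users, domain principals, or groups;
        # only local users have Enabled/LastLogon available via Get-LocalUser.
        $local = $users | Where-Object { $_.SID -eq $member.SID }
        [pscustomobject]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass
            PrincipalSource = $member.PrincipalSource
            SID             = $member.SID.Value
            Enabled         = if ($local) { $local.Enabled } else { $null }
            LastLogon       = if ($local) { $local.LastLogon } else { $null }
            # RID 500 is the built-in Administrator, RID 501 the built-in Guest.
            IsBuiltIn       = ($member.SID.Value -match '-50[01]$')
        }
    }
}

# Event 4732 is written when an account is added to a security-enabled local group;
# it dates the change, which the group listing alone cannot.
function Get-LocalGroupAdditions {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Group     = $d['TargetUserName']
                MemberSid = $d['MemberSid']
                AddedBy   = $d['SubjectUserName']
            }
        }
}

Get-LocalAdminReport | Format-Table -AutoSize
Get-LocalGroupAdditions | Sort-Object Time | Format-Table -AutoSize
```

A Guest account that is enabled and sits in Administrators is itself a finding, which is why the report carries the Enabled column rather than just names.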
Question 6. What's the name of the scheduled task that is malicious?
Answer: Clean file system
Question 7. What file was the task trying to run daily?
Question 8. What port did this file listen locally for?
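Added example (not part of the original writeup) covering questions 4, 6, 7 and 8: list every scheduled task with the program and arguments it actually runs and the type of trigger, apply a triage filter for tasks that run script hosts or live outside the Windows directory, enumerate the Run/RunOnce autostart keys that fire at boot or logon, and map the TCP ports currently listening back to the owning process image. A task named "Clean file system" is judged by its action, not its name. The function names and the triage regexes are mine; the script assumes an elevated PowerShell session on the investigated host.

```powershell
# Added example (not from the original writeup): scheduled-task actions and triggers,
# autostart registry keys, and listening ports mapped to processes.

function Get-TaskActionReport {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only Exec actions carry Execute/Arguments; COM handler actions do not.
            if (-not $action.Execute) { continue }
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
                # Trigger CIM classes are e.g. MSFT_TaskDailyTrigger, MSFT_TaskBootTrigger.
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
            }
        }
    }
}

# Triage filter, not proof of malice: payloads outside the Windows directory,
# script hosts, or arguments that look like encoded/downloaded PowerShell.
function Get-SuspiciousTasks {
    Get-TaskActionReport | Where-Object {
        $_.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)\\' -or
        $_.Execute -match '(powershell|cmd|wscript|cscript|mshta)(\.exe)?$' -or
        $_.Arguments -match '(-enc|-e |FromBase64String|DownloadString|IEX)'
    }
}

# Autoruns that fire at boot/logon: the usual place to find what the box contacts
# as soon as it starts.
function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties Get-ItemProperty adds.
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Listening TCP sockets joined to the owning process, to confirm what a task's
# payload binds to if it is running right now.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort
}

Get-TaskActionReport | Format-Table TaskName, Execute, Arguments, Triggers, LastRun -AutoSize
Get-SuspiciousTasks | Format-List
Get-RunKeyEntries | Format-Table -AutoSize
Get-ListeningPorts | Format-Table -AutoSize
```

If the task's payload is a script, open the file at the Execute/Arguments path and read the port it binds rather than relying on the live socket list, since the task may not be running at the time of the investigation.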
Question 9. When did Jenny last logon?
Question 10. At what date did the compromise take place?
Answer format: MM/DD/YY
Question 11. At what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM
Answer: 03/02/2019 4:04:49 PM
Question 12. What tool was used to get Windows passwords?
Question 13. What was the attacker's external command and control server's IP?
Question 14. What was the extension of the shell uploaded via the server's website?
Question 15. What was the last port the attacker opened?
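Added example (not part of the original writeup) for questions 2, 3, 9, 10, 11 and 15, which are all answered from the Security event log: one pass over events 4624 (successful logon), 4672 (special privileges assigned to new logon), 4720 (user account created) and 4946 (Windows Firewall exception rule added) gives the last interactive logon per user, the first privileged logon by a non-system account, and the account-creation and firewall-rule events that bracket the compromise window. The function names and the logon-type filter are mine; the script assumes an elevated session on the investigated host, since reading the Security log requires it.

```powershell
# Added example (not from the original writeup): a logon/privilege timeline from the
# Security log. Event IDs are the documented Windows security auditing IDs:
#   4624 successful logon, 4672 special privileges assigned to new logon,
#   4720 user account created, 4946 Windows Firewall exception rule added.
$Ids = 4624, 4672, 4720, 4946

# Flatten an event's EventData into a PSObject keyed by the XML Data names.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = [ordered]@{ Time = $Event.TimeCreated; Id = $Event.Id }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}

function Get-SecurityTimeline {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Ids } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-EventData $_ } | Sort-Object Time
}

# Last interactive (2), RemoteInteractive/RDP (10) or CachedInteractive (11) logon per
# account. Type 3 network logons and machine accounts (names ending in $) are noise here.
function Get-LastLogonPerUser {
    param($Timeline)
    $Timeline |
        Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '2', '10', '11' -and $_.TargetUserName -notmatch '\$$' } |
        Group-Object TargetUserName | ForEach-Object {
            $last = $_.Group | Sort-Object Time | Select-Object -Last 1
            [pscustomobject]@{
                User      = $_.Name
                LastLogon = $last.Time
                LogonType = $last.LogonType
                SourceIp  = $last.IpAddress
            }
        } | Sort-Object LastLogon -Descending
}

# 4672 fires constantly for SYSTEM; the first one for a real account is the one that
# marks when an attacker-controlled logon first held admin-equivalent privileges.
function Get-FirstSpecialPrivilegeLogon {
    param($Timeline)
    $Timeline |
        Where-Object { $_.Id -eq 4672 -and $_.SubjectUserName -notin 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE' -and $_.SubjectUserName -notmatch '\$$' } |
        Select-Object -First 1 Time, SubjectUserName, SubjectDomainName, PrivilegeList
}

# Account creations (4720) and firewall rule additions (4946) in time order.
function Get-CompromiseMarkers {
    param($Timeline)
    $Timeline | Where-Object { $_.Id -in 4720, 4946 } |
        Select-Object Time, Id, SubjectUserName, TargetUserName, RuleName
}

# The live firewall rule set still shows which inbound ports are open; compare with
# the rule names 4946 reported.
function Get-OpenInboundPorts {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    }
}

$tl = Get-SecurityTimeline
Get-LastLogonPerUser $tl | Format-Table -AutoSize
Get-FirstSpecialPrivilegeLogon $tl | Format-List
Get-CompromiseMarkers $tl | Format-Table -AutoSize
Get-OpenInboundPorts | Sort-Object Rule | Format-Table -AutoSize
```

The timestamps come out in the local time zone of the session; convert with `.ToUniversalTime()` if the room's answer format or other evidence is in UTC.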
Question 16. Check for DNS poisoning, what site was targeted?
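Added example (not part of the original writeup): local "DNS poisoning" on a Windows host shows up as a static override in the hosts file or as a tampered resolver cache entry. The script parses the hosts file rather than eyeballing it, so a poisoned line hidden behind comments or blank lines is not missed, reports the file's last write time, and dumps the A records in the DNS client cache for comparison. The function names and the list of "normal" loopback mappings are mine; the script assumes it runs on the investigated host.

```powershell
# Added example (not from the original writeup): parse the hosts file for
# non-loopback overrides and show the resolver cache.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntries {
    param([string]$Path = $HostsPath)
    $lineNo = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()      # drop comments, full-line or trailing
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }        # malformed line: IP with no name
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Line       = $lineNo
                IP         = $ip
                Hostname   = $name
                # Loopback and broadcast mappings are normal; any other real-looking
                # domain pointed at an arbitrary address is a finding.
                Suspicious = ($ip -notin '127.0.0.1', '::1', '255.255.255.255' -and
                              $name -notin 'localhost', 'localhost.localdomain', 'broadcasthost')
            }
        }
    }
}

function Get-PoisonedHosts {
    Get-HostsEntries | Where-Object Suspicious
}

# The file's modification time helps place the change on the compromise timeline.
"hosts last written: $((Get-Item $HostsPath).LastWriteTime)"
Get-PoisonedHosts | Format-Table -AutoSize

# Cached A records; an entry whose Data disagrees with public DNS for that name
# points at cache poisoning rather than a hosts-file override.
Get-DnsClientCache -Type A -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize
```

The hosts file is consulted before any DNS query, so an entry there redirects every process on the box regardless of which resolver is configured, which is why it is the first place to look.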
Thank you for taking the time to read my walkthrough.