Investigating Windows Tryhackme Writeup

By Shamsher Khan. This is a writeup of the TryHackMe room “Investigating Windows”.

Room link: https://tryhackme.com/room/investigatingwindows
Note: This room is for premium members only (users who purchased a THM premium membership).

This challenge is exactly what it says on the tin: a series of questions about investigating a Windows machine that has previously been compromised.

Connect to the machine using RDP. The credentials for the machine are as follows:

Username: Administrator
Password: letmein123!

Question 1. What's the version and year of the Windows machine?

Answer: Windows server 2016

Question 2. Which user logged in last?

Answer: administrator

Question 3. When did John log onto the system last?

Answer format: MM/DD/YYYY H:MM:SS AM/PM

Answer: 03/02/2019 5:48:32 PM

Question 4. What IP does the system connect to when it first starts?

Answer: 10.34.2.3

Question 5. What two accounts had administrative privileges (other than the Administrator user)?

Answer format: username1, username2

Open the Run dialog using Ctrl+R and type lusrmgr.msc.

Answer: Jenny, Guest

Question 6. What's the name of the scheduled task that is malicious?

Answer: Clean file system

Question 7. What file was the task trying to run daily?

Answer: nc.ps1

Question 8. What port did this file listen on locally?

Answer: 1348

Question 9. When did Jenny last log on?

Answer: never

Question 10. At what date did the compromise take place?

Answer format: MM/DD/YY

Answer: 03/02/2019

Question 11. At what time did Windows first assign special privileges to a new logon?

Answer format: MM/DD/YYYY HH:MM:SS AM/PM

Answer: 03/02/2019 4:04:49 PM

Question 12. What tool was used to get Windows passwords?

Answer: Mimikatz

Question 13. What was the attacker's external command and control server's IP?

Answer: 76.32.97.132

Question 14. What was the extension name of the shell uploaded via the server's website?

Answer: .jsp

Question 15. What was the last port the attacker opened?

Answer: 1337

Question 16. Check for DNS poisoning, what site was targeted?

Answer: google.com
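Added example, not part of the room or of this writeup: a read-only PowerShell triage script that pulls the same kinds of artifacts the questions above cover from a local host (OS version, account last-logon times, local admins, scheduled task actions, listening ports, startup Run keys, event 4672, hosts-file overrides). It assumes PowerShell 5.1 on Windows Server 2016 and an elevated session; the pattern used to flag script-based task actions is my own choice, not something the room prescribes.

```powershell
# Added triage script (not from the room or the author). Read-only: it only
# queries the host. Assumes PowerShell 5.1 on Windows Server 2016, run elevated.

# Q1: OS version and build
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

# Q2/Q3/Q9: local accounts and when each last logged on (LastLogon is empty if never)
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Sort-Object LastLogon -Descending

# Q5: members of the local Administrators group
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

# Q6/Q7: every scheduled task action; the filter (an assumption) keeps script-style actions
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    foreach ($a in $_.Actions) {
        [pscustomobject]@{
            Task      = $_.TaskName
            Path      = $_.TaskPath
            Execute   = $a.Execute
            Arguments = $a.Arguments
            LastRun   = $info.LastRunTime
        }
    }
} | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'powershell|cmd|wscript|cscript|\.ps1|\.bat' }

# Q8/Q15: ports currently listening and the owning process
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort

# Q4: programs configured to run at startup via the HKLM Run keys
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (Test-Path $k) { Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* }
}

# Q11: Security event 4672 (special privileges assigned to new logon), oldest first
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Select-Object -First 5 TimeCreated, Id, Message

# Q16: hosts file entries (lines starting with an address), the usual place for local DNS poisoning
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*\d' }
```

Run each section on its own if you want to compare its output with the answer for that question; the script writes nothing to the host.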

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs, stay tuned.

Thank you for taking the time to read my walkthrough. If you found it helpful, please share it with others who have similar interests. Feedback is always welcome!