Hacking with PowerShell

March 16, 2024

Task 1: Objectives

Task 2: What is Poweshell?

Task 3: Basic Powershell Commands

Get-Help Get-Command -Examples

Get-Command New-*

Get-Command | Get-Member -MemberType Method

Get-ChildItem | Select-Object -Property Mode, Name
ls

Get-Service | Where-Object -Property Status -eq Stopped

Get-ChildItem | Sort-Object

Answers for the questions

Get-ChildItem -Path "C:\Program Files" -Filter "*.txt" -Recurse -File

ls
more interesting-file.txt.txt

(Get-Command -CommandType Cmdlet).Count

Get-FileHash -Path interesting-file.txt.txt -Algorithm MD5

Get-Location
pwd

cd C:\Users\Administrator\Documents\Passwords

Invoke-WebRequest -Uri "http://10.9.193.229:8000/python-shell.txt"

more b64.txt
$base64EncodedData = Get-Content -Path b64.txt -Raw

$decodedData = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64EncodedData))

$decodedData

Task 4: Enumeration

For the first question

Get-LocalUser

For the second question

wmic useraccount get name,sid

For the third question

# Get a list of local users
$localUsers = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'"

# Iterate through each user
foreach ($user in $localUsers) {
    $username = $user.Name
    $passwordRequired = $user.PasswordRequired

    Write-Output "User: $username - Password Required: $passwordRequired"
}

For the fourth question

Get-LocalGroup
(Get-LocalGroup).Count

For the fifth question

Get-NetIPAddress

For the sixth question

Get-NetTcpConnection
(Get-NetTcpConnection).Count

For the seventh question

get-hotfix
(get-hotfix).Count

For the tenth question

Get-ChildItem -Path "C:\" -Filter "*.bak*" -Recurse
cd C:\'Program Files (x86)'\'Internet Explorer'
more passwords.bak.txt

For the elevent question

# Specify the directory to search in
$directoryPath = "C:Users"

# Recursively search for files containing "API_KEY"
$files = Get-ChildItem -Path $directoryPath -Recurse -File | Select-String -Pattern "API_KEY" -List

# Display the files containing "API_KEY"
if ($files) {
    Write-Output "Files containing 'API_KEY':"
    $files.Path
} else {
    Write-Output "No files containing 'API_KEY' found in $directoryPath."
}

For the twelveth question

get-process

For the fourteenth question

$directoryPath = "C:\"
$owner = (Get-ACL -Path $directoryPath).Owner
Write-Output "Owner of $directoryPath is: $owner"

Task 5: Basic Scripting Challenge

cd C:\Users\Administrator\Desktop\emails\martha
ls
get-content -Path Doc3M.txt

cd C:\Users\Administrator\Desktop\emails\mary
ls
more .\Doc2Mary.txt

Task 6: Intermediate Scripting

$ErrorActionPreference -eq "SilentlyContinue"
$Target -eq "localhost"
$LowEnd = 130
$HighEnd = 140
$X = 0

Do
{
$CurrentPort = $LowEnd + $X
if((Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).PingSucceeded -or (Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).TcpTestSucceeded)
{$CurrentPort | Out-File .\OpenPorts.txt -Append}
$X = $X + 1
}
While($CurrentPort -lt 140)

(Get-Content .\OpenPorts.txt).Count