Investigating Windows - TryHackMe
First we are told to connect over RDP and are given credentials:
Administrator:letmein123!
❯ rdesktop -u Administrator -p 'letmein123!' 10.10.16.33
The password is quoted because an unquoted ! is subject to history expansion in interactive bash/zsh and would otherwise be mangled before rdesktop sees it.
What's the version and year of the Windows machine?
Windows Server 2016
Which user logged in last?
administrator
Because we were the last ones to log in. Had that answer been wrong, we could have checked when the other users last logged on.
When did John log onto the system last?
03/02/2019 5:48:32 PM
What IP does the system connect to when it first starts?
For this question the answer is the IP that was shown to us when we connected to the machine, which was
10.43.2.3
What two accounts had administrative privileges (other than the Administrator user)?
Jenny, Guest
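The last-logon and administrator-membership questions above can be answered from the console instead of clicking through the GUI. The following is an added PowerShell example, not part of the original writeup; it assumes an elevated session on the investigated host and the LocalAccounts module that ships with Windows Server 2016 / PowerShell 5.1.

```powershell
# Added example, not from the original writeup. Assumes an elevated PowerShell
# session on the investigated host (Windows Server 2016 / PowerShell 5.1).

# 1. Last logon for every local account. A blank LastLogon means the account
#    has never logged on (which is the case for Jenny in this room).
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize

# The same detail for one account, including its group memberships, via the legacy tool
net user John

# 2. Who holds local administrative privileges
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 3. Sanity check: Guest should be disabled and should never be an administrator.
$adminNames = (Get-LocalGroupMember -Group 'Administrators').Name   # e.g. HOSTNAME\Guest
$guest      = Get-LocalUser -Name 'Guest'
if ($guest.Enabled -or ($adminNames -match '\\Guest$')) {
    Write-Warning 'Guest is enabled and/or a member of Administrators - investigate.'
}
```

PrincipalSource tells you whether each administrator is a local account or a domain/Microsoft account, which matters when deciding whether an entry like Guest was added by the attacker.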
What's the name of the scheduled task that is malicious?
Clean file system
What file was the task trying to run daily?
nc.ps1
What port did this file listen locally for?
1348
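To find the malicious task, the script it runs and the port that script listens on without opening Task Scheduler, here is an added PowerShell example (not from the original writeup). The task name and script name are the ones the room gives; the location of nc.ps1 is not stated on the page, so the example recovers it from the task's action rather than assuming a path.

```powershell
# Added example, not from the original writeup. Task name is the one from the
# room; the path of nc.ps1 is recovered from the task action, not assumed.

# 1. Every non-Microsoft task with its action, trigger type, principal and run times
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = $_.TaskName
            Path    = $_.TaskPath
            State   = $_.State
            RunAs   = $_.Principal.UserId
            Action  = ($_.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            Trigger = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ', '
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
        }
    } | Format-Table -AutoSize -Wrap

# 2. Full XML definition of the suspicious task (RegistrationInfo carries author
#    and creation date, useful for the compromise timeline)
$task = Get-ScheduledTask -TaskName 'Clean file system'
Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath

# 3. Pull any .ps1 path out of the action and grep it for a listener / port
$scripts = $task.Actions |
    ForEach-Object { "$($_.Execute) $($_.Arguments)" } |
    Select-String -Pattern '[A-Za-z]:\\[^\s"'']+\.ps1' -AllMatches |
    ForEach-Object { $_.Matches.Value }

foreach ($script in $scripts) {
    if (Test-Path $script) {
        "--- $script ---"
        Get-Content $script | Select-String -Pattern 'listen|TcpListener|-l\b|\b\d{3,5}\b'
    } else {
        Write-Warning "Script referenced by the task is missing: $script"
    }
}
```

Filtering out the \Microsoft\ task path removes the hundreds of built-in maintenance tasks; a daily trigger (TaskDailyTrigger) running a script from a user-writable location is the pattern to look for here.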
When did Jenny last logon?
Never
At what date did the compromise take place?
03/02/2019
At what time did Windows first assign special privileges to a new logon?
03/02/2019 4:04:49 PM
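The "special privileges assigned to new logon" question maps to Security event 4672, and the logon session it belongs to is the matching 4624. This added PowerShell example (not from the original writeup) pulls the earliest 4672, joins it to its 4624 by logon ID to show how and from where that privileged session was created, and lists all logons on that day to anchor the compromise timeline. Property indexes are the standard positions in the 4672/4624 event data on Server 2016.

```powershell
# Added example, not from the original writeup. Standard Security log IDs:
# 4672 = special privileges assigned to new logon, 4624 = successful logon.
# Reading the Security log requires an elevated session.

# 1. Earliest 4672 on the box
$first4672 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } |
    Sort-Object TimeCreated |
    Select-Object -First 1

$first4672 | Select-Object TimeCreated,
    @{ n = 'Account';    e = { $_.Properties[1].Value } },   # SubjectUserName
    @{ n = 'LogonId';    e = { $_.Properties[3].Value } },   # SubjectLogonId
    @{ n = 'Privileges'; e = { ($_.Properties[4].Value -split '\s+') -join ' ' } }

# 2. The 4624 that created that session (TargetLogonId == SubjectLogonId of the 4672)
$logonId = $first4672.Properties[3].Value
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.Properties[7].Value -eq $logonId } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            LogonType  = $_.Properties[8].Value    # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            Process    = $_.Properties[17].Value
            SourceIP   = $_.Properties[18].Value   # '-' for local logons
            SourcePort = $_.Properties[19].Value
        }
    } | Format-List

# 3. Every logon and privilege assignment on the day of that first 4672
$day = $first4672.TimeCreated.Date
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672
                                 StartTime = $day; EndTime = $day.AddDays(1) } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { if ($_.Id -eq 4624) { $_.Properties[5].Value } else { $_.Properties[1].Value } } } |
    Format-Table -AutoSize
```

Note that 4672 fires for any logon that receives admin-equivalent privileges, including legitimate ones, so the interesting part is the 4624 join: a LogonType of 10 with a non-local SourceIP is an RDP session from that address, and LogonType 3 with a foreign IP is a network logon (SMB, WinRM, pass-the-hash style access).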
What tool was used to get Windows passwords?
mimikatz
What was the attacker's external command and control server's IP?
76.32.97.132
What was the extension of the shell uploaded via the server's website?
.jsp
What was the last port the attacker opened?
1337
Check for DNS poisoning, what site was targeted?
If we recall, we had already seen in the hosts file (on Windows this is C:\Windows\System32\drivers\etc\hosts, the equivalent of /etc/hosts) that the IP 76.32.97.132 appeared. Checking what came after it, the domain that entry pointed at was google.com.
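Checking for hosts-file poisoning by eye works on a short file, but the check generalizes: parse every entry, treat loopback entries as normal, and flag any name pinned to another address, then compare each pin with a real DNS answer. The following is an added PowerShell example, not part of the original writeup; it assumes the standard hosts path under %SystemRoot% and that Resolve-DnsName can reach a resolver (if it cannot, the entry is reported as unresolvable rather than as poisoned).

```powershell
# Added example, not from the original writeup. Parses the Windows hosts file,
# flags names pinned to non-loopback addresses and compares each pin with a live
# DNS answer. Resolve-DnsName -DnsOnly bypasses the hosts file and the local cache.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# When was the file last modified? Line this up with the compromise date.
Get-Item $hostsPath | Select-Object FullName, LastWriteTime, Length

$entries = Get-Content $hostsPath |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # strip trailing comments
    Where-Object { $_ } |                                # drop blank / comment-only lines
    ForEach-Object {
        $fields = $_ -split '\s+'                        # IP followed by one or more names
        if ($fields.Count -ge 2) {
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                [pscustomobject]@{ IP = $fields[0]; Hostname = $name }
            }
        }
    }

# Loopback entries are the normal content of this file; anything else is a static
# override that redirects the name on this host without touching DNS at all.
$suspicious = $entries | Where-Object { $_.IP -notmatch '^(127\.|::1$|0\.0\.0\.0$)' }

foreach ($e in $suspicious) {
    $dns = Resolve-DnsName -Name $e.Hostname -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Hostname  = $e.Hostname
        HostsFile = $e.IP
        RealDNS   = if ($dns) { $dns -join ', ' } else { '(no answer)' }
        Poisoned  = if ($dns) { -not ($dns -contains $e.IP) } else { 'unresolvable' }
    }
}
```

In this room the output would show google.com pinned to 76.32.97.132, the same address identified earlier as the command and control server, so any process on the box that "talks to Google" is in fact talking to the attacker.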