TryHackMe | Windows Command Line | RSCyberTech
➡️ By @RSCyberTech
- Website: RSCyberTech.com
- LinkedIn: linkedin.com/in/ricardoams
1️⃣ Task 1 — Introduction
What is the default command line interpreter in the Windows environment?
Answer ✅
cmd.exe
Justification / Source
- “The purpose of this room is to teach you how to use MS Windows Command Prompt `cmd.exe`, the default command-line interpreter in the Windows environment.” - Mentioned in the section’s text.
Steps
- n/a
2️⃣ Task 2 — Basic System Information
What is the OS version of the Windows VM?
Answer ✅
10.0.20348.2655
Justification / Source
- “Let’s use the `ver` command to determine the operating system (OS) version.” - Mentioned in the section’s text.
Steps
```
user@WINSRV2022-CORE C:\Users\user>ver
Microsoft Windows [Version 10.0.20348.2655]
```
What is the hostname of the Windows VM?
Answer ✅
WINSRV2022-CORE
Justification / Source
- “We can run the `systeminfo` command to list various information about the system such as OS information, system details, processor and memory.” - Mentioned in the section’s text.
Steps
```
user@WINSRV2022-CORE C:\Users\user>systeminfo
Host Name: WINSRV2022-CORE
OS Name: Microsoft Windows Server 2022 Datacenter
OS Version: 10.0.20348 N/A Build 20348
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00454-60000-00001-AA763
Original Install Date: 4/23/2024, 7:36:29 PM
System Boot Time: 12/24/2024, 11:11:47 AM
System Manufacturer: Amazon EC2
System Model: t3a.micro
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
    [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version: Amazon EC2 1.0, 10/16/2017
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 980 MB
Available Physical Memory: 127 MB
Virtual Memory: Max Size: 1,300 MB
Virtual Memory: Available: 357 MB
Virtual Memory: In Use: 943 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
    [01]: KB5041948
    [02]: KB5041160
    [03]: KB5041590
Network Card(s): 1 NIC(s) Installed.
    [01]: Amazon Elastic Network Adapter
          Connection Name: Ethernet
          DHCP Enabled: Yes
          DHCP Server: 10.10.0.1
          IP address(es)
          [01]: 10.10.151.7
          [02]: fe80::8d9b:8b8f:6409:e143
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
3️⃣ Task 3 — Network Troubleshooting
Which command can we use to look up the server’s physical address (MAC address)?
Answer ✅
ipconfig /all
Justification / Source
- “You can also use `ipconfig /all` for more information about your network configuration.” - Mentioned in the section’s text.
Steps
```
user@WINSRV2022-CORE C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : eu-west-1.compute.internal
                                       eu-west-1.ec2-utilities.amazonaws.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-75-36-8B-3C-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8d9b:8b8f:6409:e143%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.151.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Tuesday, December 24, 2024 11:12:18 AM
   Lease Expires . . . . . . . . . . : Tuesday, December 24, 2024 12:42:18 PM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 84601211
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-B9-B7-EF-00-0C-29-FF-E5-C8
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
```
What is the name of the process listening on port 3389?
Answer ✅
TermService
Justification / Source
- “The final networking command we will cover in this room is `netstat`. This command displays current network connections and listening ports. … `-a` displays all established connections and listening ports; `-b` shows the program associated with each listening port and established connection” - Mentioned in the section’s text.
Steps
```
user@WINSRV2022-CORE C:\Users\user>netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:135            WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:47001          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49664          WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    0.0.0.0:49665          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49666          WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49667          WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49668          WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    10.10.151.7:22         ip-10-11-34-174:46794  ESTABLISHED
 [sshd.exe]
  TCP    10.10.151.7:139        WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:22                WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    [::]:135               WINSRV2022-CORE:0      LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:3389              WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  TCP    [::]:5985              WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:47001             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49664             WINSRV2022-CORE:0      LISTENING
 [lsass.exe]
  TCP    [::]:49665             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    [::]:49666             WINSRV2022-CORE:0      LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49667             WINSRV2022-CORE:0      LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49668             WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
  UDP    0.0.0.0:500            *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:3389           *:*
  TermService
 [svchost.exe]
  UDP    0.0.0.0:4500           *:*
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50180          *:*
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:50377          *:*
  Dnscache
 [svchost.exe]
  UDP    10.10.151.7:137        *:*
 Can not obtain ownership information
  UDP    10.10.151.7:138        *:*
 Can not obtain ownership information
  UDP    127.0.0.1:61602        127.0.0.1:61602
  iphlpsvc
 [svchost.exe]
  UDP    [::]:123               *:*
  W32Time
 [svchost.exe]
  UDP    [::]:500               *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:3389              *:*
  TermService
 [svchost.exe]
  UDP    [::]:4500              *:*
  IKEEXT
 [svchost.exe]
  UDP    [::]:5353              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:5355              *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50180             *:*
  Dnscache
 [svchost.exe]
  UDP    [::]:50377             *:*
  Dnscache
 [svchost.exe]
```
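Reading `netstat -ab` by eye works for one question, but a defender auditing a host wants the same answer for every port at once. The following Python helper is an added example (not from the original write-up or the TryHackMe room): it parses output of the shape shown above, where `-b` prints the owning image in brackets on the line after each socket, optionally preceded by the svchost-hosted service name, or prints "Can not obtain ownership information" when `netstat` lacks rights, and builds an inventory of sockets bound on every interface. `SAMPLE` is constructed from the rows above.

```python
# Added example for this write-up (hypothetical helper, not from the TryHackMe room): build a
# listening-port inventory from `netstat -ab` output. SAMPLE is constructed from the output above.
import re
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")  # proto, local, foreign, state (TCP only)

SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             WINSRV2022-CORE:0      LISTENING
 [sshd.exe]
  TCP    0.0.0.0:445            WINSRV2022-CORE:0      LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           WINSRV2022-CORE:0      LISTENING
  TermService
 [svchost.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
"""

def parse_netstat_ab(text):
    """One dict per socket; the -b lines below a row name its service and/or image."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            rows.append(dict(zip(("proto", "local", "foreign", "state"), m.groups()), service=None, image=None))
            continue
        note = line.strip()
        if not rows or not note:  # header lines and blanks carry no ownership info
            continue
        if note.startswith("[") and note.endswith("]"):
            rows[-1]["image"] = note[1:-1]  # e.g. [svchost.exe]
        elif note.startswith("Can not obtain ownership"):
            rows[-1]["image"] = "<unknown>"  # netstat lacked rights for this socket
        else:
            rows[-1]["service"] = note  # svchost-hosted service name, e.g. TermService
    return rows

def listening_ports(rows):
    """Map 'port/proto' -> owner for sockets bound on every interface (0.0.0.0 or [::])."""
    inventory = {}
    for r in rows:
        listener = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*:*")
        host, _, port = r["local"].rpartition(":")
        if not listener or host not in ("0.0.0.0", "[::]"):
            continue
        image = r["image"] or "<unknown>"
        inventory.setdefault(f"{port}/{r['proto']}", f"{r['service']} ({image})" if r["service"] else image)
    return inventory
```

Sockets reported as `<unknown>` are the ones to re-run `netstat -ab` on from an elevated prompt, since `-b` only resolves ownership for processes the caller can inspect.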
What is the subnet mask?
Answer ✅
255.255.0.0
Justification / Source
- “You can also use `ipconfig /all` for more information about your network configuration.” - Mentioned in the section’s text.
Steps
Same `ipconfig /all` output as shown for the MAC address question above; the relevant line is:
```
user@WINSRV2022-CORE C:\Users\user>ipconfig /all
   ...
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   ...
```
4️⃣ Task 4 — File and Disk Management
What are the file’s contents in C:\Treasure\Hunt?
Answer ✅
THM{CLI_POWER}
Justification / Source
- “You can easily view text files with the command `type`.” - Mentioned in the section’s text.
Steps
```
SRV2022-CORE C:\Users\user>type C:\Treasure\Hunt\flag.txt
THM{CLI_POWER}
```
5️⃣ Task 5 — Task and Process Management
What command would you use to find the running processes related to notepad.exe?
Answer ✅
tasklist /FI "imagename eq notepad.exe"
Justification / Source
- “Let’s say that we want to search for tasks related to `sshd.exe`, we can do that with the command `tasklist /FI "imagename eq sshd.exe"`. Note that `/FI` is used to set the filter image name equals `sshd.exe`.” - Mentioned in the section’s text.
Steps
- n/a
What command can you use to kill the process with PID 1516?
Answer ✅
taskkill /PID 1516
Justification / Source
- “With the process ID (PID) known, we can terminate any task using `taskkill /PID target_pid`. For example, if we want to kill the process with PID `4567`, we would issue the command `taskkill /PID 4567`.” - Mentioned in the section’s text.
Steps
- n/a
6️⃣ Task 6 — Conclusion
The command `shutdown /s` can shut down a system. What is the command you can use to restart a system?
Answer ✅
shutdown /r
Justification / Source
- n/a
Steps
```
user@WINSRV2022-CORE C:\Users\user>shutdown /?
Usage: shutdown [/i | /l | /s | /sg | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
    [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

    No args    Display help. This is the same as typing /?.
    /?         Display help. This is the same as not typing any options.
    /i         Display the graphical user interface (GUI).
               This must be the first option.
    /l         Log off. This cannot be used with /m or /d options.
    /s         Shutdown the computer.
    /sg        Shutdown the computer. On the next boot, if Automatic Restart Sign-On
               is enabled, automatically sign in and lock last interactive user.
               After sign in, restart any registered applications.
    /r         Full shutdown and restart the computer.
    /g         Full shutdown and restart the computer. After the system is rebooted,
               if Automatic Restart Sign-On is enabled, automatically sign in and
               lock last interactive user.
               After sign in, restart any registered applications.
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
    /p         Turn off the local computer with no time-out or warning.
               Can be used with /d and /f options.
    /h         Hibernate the local computer.
               Can be used with the /f option.
    /hybrid    Performs a shutdown of the computer and prepares it for fast startup.
               Must be used with /s option.
    /fw        Combine with a shutdown option to cause the next boot to go to the
               firmware user interface.
    /e         Document the reason for an unexpected shutdown of a computer.
    /o         Go to the advanced boot options menu and restart the computer.
               Must be used with /r option.
    /m \\computer Specify the target computer.
    /t xxx     Set the time-out period before shutdown to xxx seconds.
               The valid range is 0-315360000 (10 years), with a default of 30.
               If the timeout period is greater than 0, the /f parameter is
               implied.
    /c "comment" Comment on the reason for the restart or shutdown.
               Maximum of 512 characters allowed.
    /f         Force running applications to close without forewarning users.
               The /f parameter is implied when a value greater than 0 is
               specified for the /t parameter.
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
               p indicates that the restart or shutdown is planned.
               u indicates that the reason is user defined.
               If neither p nor u is specified the restart or shutdown is
               unplanned.
               xx is the major reason number (positive integer less than 256).
               yy is the minor reason number (positive integer less than 65536).
Failed to get retrieve reasons.
```
What command can you use to abort a scheduled system shutdown?
Answer ✅
shutdown /a
Justification / Source
- n/a
Steps
Same `shutdown /?` help output as shown for the previous question; the relevant lines are:
```
user@WINSRV2022-CORE C:\Users\user>shutdown /?
    ...
    /a         Abort a system shutdown.
               This can only be used during the time-out period.
               Combine with /fw to clear any pending boots to firmware.
    ...
```