Windows PowerShell | TryHackMe
Discover the “Power” in PowerShell and learn the basics.
Task 1 Introduction
Ahoy there! If you’re here, you’ve either heard whispers of the marvels of PowerShell and want to discover more, or you’ve sailed over from the first room of the Command Line module — Windows Command Line. Either way, you’re about to embark on a journey to discover the marvels of this powerful shell, learning how to use it to uncover the secrets of any Windows system. Avast, then — on board!
Learning Objectives
This is the second room in the Command Line module. It is an introductory room to PowerShell, the second — only historically — command-line utility built for the Windows operating system.
- Learn what PowerShell is and its capabilities.
- Understand the basic structure of PowerShell’s language.
- Learn and run some basic PowerShell commands.
- Understand PowerShell’s many applications in the cyber security industry.
Room Prerequisites
Before approaching this room, it’s recommended that you have understood the concepts in the Windows and AD Fundamentals module and the Windows Command Line room.
Task 2 What Is PowerShell
From the official Microsoft page: “PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.”
PowerShell is a cross-platform task automation tool combining a command-line shell, scripting language, and configuration management framework. It’s object-oriented (handles complex data types) and built on the .NET framework, unlike text-based CMD, which only processes plain text. Initially created for Windows, it now supports macOS and Linux.
Key Comparison: PowerShell deals with objects (with properties and methods), while CMD deals with plain text.
CMD vs PowerShell:
- CMD is text-based (like dir, echo).
- PowerShell returns objects (e.g., Get-ChildItem, Write-Output).
What do we call the advanced approach used to develop PowerShell?
object-oriented
Task 3 PowerShell Basics
Launching PowerShell
PowerShell can be launched in several ways, depending on your needs and environment. If you are working on a Windows system from the graphical interface (GUI), these are some of the possible ways to launch it:
- Start Menu: Type powershell in the Windows Start Menu search bar, then click on Windows PowerShell or PowerShell from the results.
- Run Dialog: Press Win + R to open the Run dialog, type powershell, and hit Enter.
- File Explorer: Navigate to any folder, then type powershell in the address bar, and press Enter. This opens PowerShell in that specific directory.
- Task Manager: Open the Task Manager, go to File > Run new task, type powershell, and press Enter.
Alternatively, PowerShell can be launched from a Command Prompt (cmd.exe) by typing powershell and pressing Enter.
In our case, where we only have access to the target VM’s Command Prompt, this is the method we’ll use.
After PowerShell has launched, we’re presented with a PS (which stands for PowerShell) prompt in the current working directory.
Basic Syntax: Verb-Noun
As previously mentioned, PowerShell commands are known as cmdlets (pronounced command-lets). They are much more powerful than the traditional Windows commands and allow for more advanced data manipulation.
Cmdlets follow a consistent Verb-Noun naming convention. This structure makes it easy to understand what each cmdlet does. The Verb describes the action, and the Noun specifies the object on which the action is performed. For example:
- Get-Content: Retrieves (gets) the content of a file and displays it in the console.
- Set-Location: Changes (sets) the current working directory.
Basic Cmdlets
To list all available cmdlets, functions, aliases, and scripts that can be executed in the current PowerShell session, we can use Get-Command. It’s an essential tool for discovering what commands one can use.
For each CommandInfo object retrieved by the cmdlet, some essential information (properties) is displayed on the console. It’s possible to filter the list of commands based on displayed property values. For example, if we want to display only the available commands of type “function”, we can use -CommandType "Function", as shown below:
We will learn more efficient ways to filter output from cmdlets in the upcoming tasks.
Another essential cmdlet to keep in our tool belt is Get-Help: it provides detailed information about cmdlets, including usage, parameters, and examples. It’s the go-to cmdlet for learning how to use PowerShell commands.
As shown in the results above, Get-Help informs us that we can retrieve other useful information about a cmdlet by appending some options to the basic syntax. For example, by appending -examples to the command displayed above, we will be shown a list of common ways in which the chosen cmdlet can be used.
To make the transition easier for IT professionals, PowerShell includes aliases — which are shortcuts or alternative names for cmdlets — for many traditional Windows commands. Indispensable for users already familiar with other command-line tools, Get-Alias lists all aliases available. For example, dir is an alias for Get-ChildItem, and cd is an alias for Set-Location.
Where to Find and Download Cmdlets
Another powerful feature of PowerShell is the possibility of extending its functionality by downloading additional cmdlets from online repositories.
NOTE: Please note that the cmdlets listed in this section require a working internet connection to query online repositories. The attached machine doesn’t have access to the internet, therefore these commands won’t work in this environment.
To search for modules (collections of cmdlets) in online repositories like the PowerShell Gallery, we can use Find-Module. Sometimes, if we don’t know the exact name of the module, it can be useful to search for modules with a similar name. We can achieve this by filtering the Name property and appending a wildcard (*) to the module’s partial name, using the following standard PowerShell syntax: Cmdlet -Property "pattern*".
PS C:\Users\captain> Find-Module -Name "PowerShell*"
Version Name Repository Description
------- ---- ---------- -----------
0.4.7 powershell-yaml PSGallery Powershell module for serializing and deserializing YAML
2.2.5 PowerShellGet PSGallery PowerShell module with commands for discovering, installing, updating and publishing the PowerShell artifacts like Modules, DSC Resources, Role Capabilities and Scripts.
1.0.80.0 PowerShell.Module.InvokeWinGet PSGallery Module to Invoke WinGet and parse the output in PSOjects
0.17.0 PowerShellForGitHub PSGallery PowerShell wrapper for GitHub API
Once identified, the modules can be downloaded and installed from the repository with Install-Module, making the new cmdlets contained in the module available for use.
PS C:\Users\captain> Install-Module -Name "PowerShellGet"
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"):
With these essential tools in our belt, we can now start exploring PowerShell’s capabilities.
How would you retrieve a list of commands that start with the verb Remove? [for the sake of this question, avoid the use of quotes (" or ') in your answer]
Get-Command -Name Remove
What cmdlet has its traditional counterpart echo as an alias?
Write-Output
What is the command to retrieve some example usage for the cmdlet New-LocalUser?
Get-Help New-LocalUser -Examples
Task 4 Navigating the File System and Working with Files
What cmdlet can you use instead of the traditional Windows command type?
Get-Content
What PowerShell command would you use to display the content of the “C:\Users” directory? [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]
Get-ChildItem -Path C:\Users
How many items are displayed by the command described in the previous question?
4
Task 5 Piping, Filtering, and Sorting Data
Piping is a technique used in command-line environments that allows the output of one command to be used as the input for another. This creates a sequence of operations where the data flows from one command to the next. Represented by the | symbol, piping is widely used in the Windows CLI, as introduced earlier in this module, as well as in Unix-based shells.
In PowerShell, piping is even more powerful because it passes objects rather than just text. These objects carry not only the data but also the properties and methods that describe and interact with the data.
For example, if you want to get a list of files in a directory and then sort them by size, you could use the following command in PowerShell:
How would you retrieve the items in the current directory with size greater than 100? [for the sake of this question, avoid the use of quotes (“ or ‘) in your answer]
Get-ChildItem | Where-Object -Property Length -gt 100
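Because every stage of a PowerShell pipeline receives objects, the same file listing can be filtered, sorted, projected or aggregated without parsing any text. The pipelines below are an added example, not code from the room; the starting directory C:\Users is an assumption.

```powershell
# Added example (not from the TryHackMe room). Three pipelines over the same
# System.IO.FileInfo objects produced by Get-ChildItem.
$Path = 'C:\Users'   # assumed starting directory

# 1. Filter, sort, project: files larger than 100 bytes, largest first,
#    showing only the three properties we care about.
Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 100 } |
    Sort-Object -Property Length -Descending |
    Select-Object -First 10 -Property FullName, Length, LastWriteTime

# 2. Aggregate instead of list: file count and total size in bytes under $Path.
Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Measure-Object -Property Length -Sum |
    Select-Object -Property Count, Sum

# 3. Group: files modified in the last 24 hours, counted by extension.
#    A quick triage view when looking for recently written files.
Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Group-Object -Property Extension |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count
```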
Task 6 System and Network Information
PowerShell was created to address a growing need for a powerful automation and management tool to help system administrators and IT professionals. As such, it offers a range of cmdlets that allow the retrieval of detailed information about system configuration and network settings.
The Get-ComputerInfo cmdlet retrieves comprehensive system information, including operating system information, hardware specifications, BIOS details, and more. It provides a snapshot of the entire system configuration in a single command. Its traditional counterpart systeminfo retrieves only a small set of the same details.
Essential for managing user accounts and understanding the machine’s security configuration, Get-LocalUser lists all the local user accounts on the system. The default output displays, for each user, the username, account status, and description.
Similar to the traditional ipconfig command, the following two cmdlets can be used to retrieve detailed information about the system’s network configuration.
Get-NetIPConfiguration provides detailed information about the network interfaces on the system, including IP addresses, DNS servers, and gateway configurations.
In case we need specific details about the IP addresses assigned to the network interfaces, the Get-NetIPAddress cmdlet will show details for all IP addresses configured on the system, including those that are not currently active.
These cmdlets give IT professionals the ability to quickly access crucial system and network information directly from the command line, making it easier to monitor and manage both local and remote machines.
Other than your current user and the default “Administrator” account, what other user is enabled on the target machine?
This lad has hidden his account among the others with no regard for our beloved captain! What is the motto he has so bluntly put as his account’s description?
Now a small challenge to put it all together. This shady lad that we just found hidden among the local users has his own home folder in the “C:\Users” directory.
Can you navigate the filesystem and find the hidden treasure inside this pirate’s home?
Set-Location C:\Users\p1r4t3
Get-ChildItem
Set-Location hidden-treasure-chest
Get-Content big-treasure.txt
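The account and network cmdlets from this task are easier to review when their objects are filtered and reshaped rather than read from the default table. The script below is an added example, not part of the room; the only excluded account names are the ones the task itself mentions (the current user and the built-in Administrator).

```powershell
# Added example (not from the TryHackMe room). Reviews local accounts and
# per-interface IPv4 settings with Get-LocalUser and Get-NetIPConfiguration.
$Current = $env:USERNAME

# Enabled local accounts other than the current user and the built-in
# Administrator: unexpected entries here deserve a closer look.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.Name -notin @('Administrator', $Current) } |
    Select-Object -Property Name, Description, LastLogon, PasswordLastSet

# Every account, enabled or not, that carries a non-empty description:
# descriptions are a common place for leftover notes.
Get-LocalUser |
    Where-Object { $_.Description } |
    Select-Object -Property Name, Enabled, Description

# IPv4 address, gateway and DNS servers per interface, built from the
# Get-NetIPConfiguration objects rather than from parsed ipconfig text.
Get-NetIPConfiguration |
    ForEach-Object {
        [PSCustomObject]@{
            Interface  = $_.InterfaceAlias
            IPv4       = ($_.IPv4Address.IPAddress -join ', ')
            Gateway    = $_.IPv4DefaultGateway.NextHop
            DnsServers = ($_.DNSServer.ServerAddresses -join ', ')
        }
    } |
    Format-Table -AutoSize
```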
Task 7 Real-Time System Analysis
To gather more advanced system information, especially concerning dynamic aspects like running processes, services, and active network connections, we can leverage a set of cmdlets that go beyond static machine details.
Get-Process provides a detailed view of all currently running processes, including CPU and memory usage, making it a powerful tool for monitoring and troubleshooting.
Similarly, Get-Service allows the retrieval of information about the status of services on the machine, such as which services are running, stopped, or paused. It is used extensively in troubleshooting by system administrators, but also by forensics analysts hunting for anomalous services installed on the system.
To monitor active network connections, Get-NetTCPConnection displays current TCP connections, giving insights into both local and remote endpoints. This cmdlet is particularly handy during an incident response or malware analysis task, as it can uncover hidden backdoors or established connections towards an attacker-controlled server.
Additionally, we are going to mention Get-FileHash as a useful cmdlet for generating file hashes, which is particularly valuable in incident response, threat hunting, and malware analysis, as it helps verify file integrity and detect potential tampering.
In the previous task, you found a marvellous treasure carefully hidden in the target machine. What is the hash of the file that contains it?
71FC5EC11C2497A32F8F08E61399687D90ABE6E204D2964DF589543A613F3E08
What property retrieved by default by Get-NetTCPConnection contains information about the process that has started the connection?
It’s time for another small challenge. Some vital service has been installed on this pirate ship to guarantee that the captain can always navigate safely. But something isn’t working as expected, and the captain wonders why. Investigating, they find out the truth, at last: the service has been tampered with! The shady lad from before has modified the service DisplayName to reflect his very own motto, the same that he put in his user description. With this information and the PowerShell knowledge you have built so far, can you find the service name?
Get-Service | Where-Object { $_.DisplayName -like "*$motto*" } | Select-Object Name, DisplayName
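Get-NetTCPConnection, Get-Process and Get-FileHash become a single triage view once they are joined on the OwningProcess property. The function below is an added example, not code from the room; the function name Get-ConnectionOwnerReport is an assumption, and reading the image path of every process requires an elevated session.

```powershell
# Added example (not from the TryHackMe room). Joins each TCP connection to
# its owning process and hashes the process image with Get-FileHash, so the
# SHA256 column can be checked against known-good values.
function Get-ConnectionOwnerReport {
    param([string]$State = 'Established')

    # Index processes by PID once instead of calling Get-Process per connection.
    $ProcById = @{}
    Get-Process | ForEach-Object { $ProcById[$_.Id] = $_ }
    $HashCache = @{}   # hash each executable only once

    Get-NetTCPConnection -State $State |
        ForEach-Object {
            # OwningProcess is a uint32; cast so it matches the int keys above.
            $proc = $ProcById[[int]$_.OwningProcess]
            $path = $proc.Path        # $null if the process has exited or is protected
            $hash = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                if (-not $HashCache.ContainsKey($path)) {
                    $HashCache[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
                $hash = $HashCache[$path]
            }
            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ImagePath     = $path
                SHA256        = $hash
            }
        }
}

# Established connections grouped by peer, so repeated remote endpoints stand out.
Get-ConnectionOwnerReport |
    Sort-Object -Property RemoteAddress, RemotePort |
    Format-Table -AutoSize
```

Connections whose ImagePath or SHA256 is empty belong to processes that exited before the report ran or that the current session cannot inspect.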
Task 8 Scripting
Scripting is the process of writing and executing a series of commands contained in a text file, known as a script, to automate tasks that one would generally perform manually in a shell, like PowerShell.
Simply speaking, scripting is like giving a computer a to-do list, where each line in the script is a task that the computer will carry out automatically. This saves time, reduces the chance of errors, and allows you to perform tasks that are too complex or tedious to do manually. As you learn more about shells and scripting, you’ll discover that scripts can be powerful tools for managing systems, processing data, and much more.
Learning scripting with PowerShell goes beyond the scope of this room. Nonetheless, we must understand that its power makes it a crucial skill across all cyber security roles.
- For blue team professionals such as incident responders, malware analysts, and threat hunters, PowerShell scripts can automate many different tasks, including log analysis, detecting anomalies, and extracting indicators of compromise (IOCs). These scripts can also be used to reverse-engineer malicious code (malware) or automate the scanning of systems for signs of intrusion.
- For the red team, including penetration testers and ethical hackers, PowerShell scripts can automate tasks like system enumeration, executing remote commands, and crafting obfuscated scripts to bypass defences. Its deep integration with all types of systems makes it a powerful tool for simulating attacks and testing systems’ resilience against real-world threats.
- Staying in the context of cyber security, system administrators benefit from PowerShell scripting for automating integrity checks, managing system configurations, and securing networks, especially in remote or large-scale environments. PowerShell scripts can be designed to enforce security policies, monitor systems health, and respond automatically to security incidents, thus enhancing the overall security posture.
Whether used defensively or offensively, PowerShell scripting is an essential capability in the cyber security toolkit.
Before concluding this task about scripting, we can’t go without mentioning the Invoke-Command cmdlet.
Invoke-Command is essential for executing commands on remote systems, making it fundamental for system administrators, security engineers and penetration testers. Invoke-Command enables efficient remote management and—combining it with scripting—automation of tasks across multiple machines. It can also be used to execute payloads or commands on target systems during an engagement by penetration testers—or attackers alike.
Let us discover some example usage for this powerful cmdlet by consulting the Get-Help "examples" page:
The first two examples provided by the Get-Help "examples" page and reported above are enough to grasp the simplicity and power of the Invoke-Command cmdlet.
The first example shows how the cmdlet can be very easily combined with any custom script to automate tasks on remote computers.
The second example demonstrates that we don’t need to know how to script to benefit from the power of Invoke-Command. In fact, by appending the -ScriptBlock { ... } parameter to the cmdlet's syntax, we can execute any command (or sequence of commands) on the remote computer. The result would be the same as if we were typing the commands in a local PowerShell session on the remote computer itself.
What is the syntax to execute the command Get-Service on a remote computer named "RoyalFortune"? Assume you don't need to provide credentials to establish the connection. [for the sake of this question, avoid the use of quotes (" or ') in your answer]
Invoke-Command -ComputerName RoyalFortune -ScriptBlock { Get-Service }
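The single-computer form above scales to many computers because Invoke-Command returns objects stamped with the computer they came from. The script below is an added example, not code from the room: it checks a list of services on several hosts and reports the ones that are not running. The computer names, the service list and the use of -ArgumentList to pass the list into the script block are assumptions of this example; each target needs WinRM enabled and an account allowed to connect.

```powershell
# Added example (not from the TryHackMe room). Runs one script block on
# several remote computers and filters the returned objects locally.
$Computers = @('RoyalFortune', 'QueenAnnesRevenge')   # assumed host names
$Watched   = @('WinRM', 'Windows Defender Service', 'Windows Update')

$Results = Invoke-Command -ComputerName $Computers -ScriptBlock {
    param($Names)
    # This block runs on the remote computer; $Names arrives via -ArgumentList.
    Get-Service |
        Where-Object { $_.DisplayName -in $Names -or $_.Name -in $Names } |
        Select-Object -Property Name, DisplayName, Status, StartType
} -ArgumentList (, $Watched) -ErrorAction SilentlyContinue -ErrorVariable ConnErrors
# (, $Watched) wraps the array so it reaches the block as one parameter.

# The remoting layer adds PSComputerName to every returned object.
$Results |
    Where-Object { $_.Status -ne 'Running' } |
    Sort-Object -Property PSComputerName, Name |
    Format-Table -Property PSComputerName, Name, DisplayName, Status, StartType -AutoSize

# Computers that could not be reached: the error's TargetObject is the host name.
if ($ConnErrors) {
    Write-Warning ("Unreachable: " + (($ConnErrors.TargetObject | Sort-Object -Unique) -join ', '))
}
```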