Challenges: Investigating Windows (TryHackMe)

Jebitok

In this write-up, I'll be walking through the Investigating Windows room on TryHackMe, a digital forensics-style challenge that simulates analyzing a compromised Windows Server environment. The scenario revolves around connecting to a Windows machine via RDP and digging through logs, scheduled tasks, user sessions, and file activity to trace the attacker's steps.

Through this exercise, we explore core blue team concepts such as logon tracking, privilege analysis, and identifying persistence mechanisms: all skills relevant for both defenders and curious learners diving into Windows forensics.

This challenge is exactly what it says on the tin: a few questions that involve investigating a Windows machine that has previously been compromised.

Connect to the machine using RDP. The credentials for the machine are as follows:

Username: Administrator
Password: letmein123!

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

Answer the questions below

  1. What's the version and year of the Windows machine? Windows Server 2016

    systeminfo

  2. Which user logged in last? Administrator

    quser

    net user Administrator

  3. When did John log onto the system last? 03/02/2019 5:48:32 PM

    Answer format: MM/DD/YYYY H:MM:SS AM/PM

    net user John

  4. What IP does the system connect to when it first starts? 10.34.2.3

  5. What two accounts had administrative privileges (other than the Administrator user)? Guest, Jenny

    Answer format: List them in alphabetical order.

  6. What's the name of the malicious scheduled task? Clean file system

    Get-ScheduledTask | Get-ScheduledTaskInfo

  7. What file was the task trying to run daily? nc.ps1

  8. What port did this file listen on locally? 1348

  9. When did Jenny last logon? Never

    net user Jenny

  10. At what date did the compromise take place? 03/02/2019

    Answer format: MM/DD/YYYY

  11. During the compromise, at what time did Windows first assign special privileges to a new logon? 03/02/2019 4:04:49 PM

    Answer format: MM/DD/YYYY HH:MM:SS AM/PM

  12. What tool was used to get Windows passwords? Mimikatz

  13. What was the IP of the attacker's external command and control server? 76.32.97.132

  14. What was the extension of the shell uploaded via the server's website? .jsp

  15. What was the last port the attacker opened? 1337

  16. Check for DNS poisoning, what site was targeted? google.com
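The one-off commands used for questions 5 to 8 above can be turned into a repeatable triage script. The script below is an added example for this write-up, not part of the room or its answer key; it assumes Windows Server 2016 with PowerShell 5.1 and an elevated session, and the ".ps1 outside \Windows\" rule it uses to flag tasks is a heuristic of mine, not something the room states.

```powershell
# Added triage script for this write-up (not TryHackMe room material).
# Assumes Server 2016 / PowerShell 5.1 and an elevated session; everything
# is read from the live host, nothing is hard-coded to the room's answers.

# 1. Local Administrators group members with enabled state and last logon
#    (covers questions 5 and 9; Get-LocalGroupMember ships with Server 2016).
Write-Host "== Local Administrators group ==" -ForegroundColor Cyan
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $u = $null
    if ($_.ObjectClass -eq 'User') {
        $u = Get-LocalUser -Name ($_.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Member    = $_.Name
        Class     = $_.ObjectClass
        Enabled   = if ($u) { $u.Enabled } else { 'n/a' }
        LastLogon = if ($u -and $u.LastLogon) { $u.LastLogon } else { 'Never' }
    }
} | Sort-Object Member | Format-Table -AutoSize

# 2. Non-Microsoft scheduled tasks with the command they run, whether they
#    have a daily trigger, who they run as and when they last ran (Q6/Q7).
#    Heuristic: powershell loading a .ps1 from outside \Windows\ gets REVIEW.
Write-Host "== Non-Microsoft scheduled tasks ==" -ForegroundColor Cyan
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
$tasks | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        $suspect = ($cmd -match '\.ps1') -and ($cmd -notmatch '\\Windows\\')
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            RunsAs  = $task.Principal.UserId
            Daily   = [bool]($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' })
            Action  = $cmd
            LastRun = $info.LastRunTime
            Flag    = if ($suspect) { 'REVIEW' } else { '' }
        }
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap

# 3. For every .ps1 referenced by a task action, print the lines that look
#    like a listener/port definition (Q8); the port is usually a literal.
$paths = $tasks | ForEach-Object { $_.Actions.Arguments } |
    Select-String -Pattern '[A-Za-z]:\\\S+\.ps1' -AllMatches
foreach ($m in $paths.Matches) {
    if (Test-Path $m.Value) {
        Write-Host "== $($m.Value) ==" -ForegroundColor Cyan
        Get-Content $m.Value | Select-String -Pattern 'Listen|Port|\b\d{4,5}\b'
    }
}
```

Run it from an elevated PowerShell prompt on the target; the REVIEW flag only orders the table, so still read every non-Microsoft task action by hand.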

The Investigating Windows room offers a practical glimpse into the investigative process after a system compromise. From analyzing logon events and scheduled tasks to identifying attacker activity and tools like Mimikatz, this challenge emphasizes the importance of attention to detail and critical thinking.

It serves as a strong reminder that visibility into endpoint activity is crucial for effective threat detection and response. Thanks for reading, and as always, keep exploring, stay safe, and never stop learning! 🧠🔍💻
