Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and we are looking at TryHackMe's Advent of Cyber, and this is day 20. It's called "PowershELlf to the Rescue"; I think they nudged the word "elf" into the middle of "PowerShell", so that's nice and fun. But I am logged in on the TryHackMe website, I'm connected to their VPN, and I am ready to tackle this task. So without further ado, let's dive in, and I'll read through here just to get a little background for us.

It says someone is mischievous at the Best Festival Company. The contents within the stockings have been removed; a clue was left in one of the stockings that hints the contents have been hidden within Elf Station 1. McEager moves quickly and attempts to RDP into the machine, but yikes, he's unable to log in. Luckily, he's been learning PowerShell, and he can remote into the workstation using PowerShell over SSH. So our task is to use the PowerShell console to navigate through the endpoint to find the hidden contents, to reveal what was hidden in the stockings.
Okay, so we will be using SSH to connect into this remote machine, and the command to run to connect to the remote machine will be ssh, and then you can use -l to specify the username, which we can see is mceager, and the IP address of the machine here. So mine has been deployed at 10.10.150.130, but again, as usual, your IP address will be different. The password that we'll supply is rock star, with a zero (leet-speak) for the o, a capital S for star, and an exclamation point trailing at the end. So I will go ahead and copy the syntax to SSH with that user over there, and I have a little terminal up and ready that I can use. I'll paste this in, and I have already accepted it, although you might be prompted with the "hey, are you sure you want to connect to this host?" You can type in the letters yes for yes, and then you should be prompted for the password. Now we know the password is rock star with that zero for leet-speak, capital S for star, and an exclamation point at the end. Now, when I enter that password, I should be logged in.

Note, however, once you log in you'll see this prompt, and that is cmd.exe. That is going to end up being the original Windows console, but we need to manually launch PowerShell. So we'll need to type in the command powershell. Let's do that. I will type in powershell. It'll take just a second, and PowerShell is a little notorious for being slow, especially over this connection, so we should maybe give it some time. But you should see that our prompt has changed to include a PS for PowerShell here. Now when we type in our commands, you can see they're highlighted, usually in yellow; anything that we might be typing in the command line is going to have some nice syntax highlighting. So kudos to PowerShell for that. Now let's go see what we are up against. We want to navigate to the Documents folder. Okay, so I guess that we can just do that.
They're using the Set-Location Documents syntax. PowerShell is kind of inherently verbose, in that it has lengthy, long verb-noun syntax for its commands, or cmdlets as PowerShell calls them. There are aliases, or kind of shorthand nicknames, that you can use, because on a Linux terminal or on a Windows command prompt, cmd.exe, you might be more familiar with typing cd to change directory. You can just as easily do that. Set-Location is the full-length verbose verb-noun cmdlet, but the alias, or the shorthand nickname, the convenience function, is simply cd. So we could use either, and I'll explore or discuss a little bit more of those as we read on. But if we were to go ahead and Set-Location over to Documents, you should see our prompt changes, and now we have Documents present. We're using a relative path when we do that. So if I were to cd to the parent directory up there, and if I were to Get-ChildItem, and PowerShell thankfully does not care about case, so my weird lowercase i and capital T there would be all right. Get-ChildItems will tell us everything, oh, excuse me, Get-ChildItem, not plural, and you can see that PowerShell will give us this big bloody red error when we have something wrong, but Get-ChildItem should display everything here. And we can see that Downloads, Documents, Desktop... Documents is in there as a relative file location we can move into, so let's go ahead and do that, Set-Location or cd into Documents. There we go.
And as I mentioned before, PowerShell is not case sensitive, so I could do set-location .. over here and PowerShell will know to do that, totally fine. Good, good. To get back into Documents with that cd shorthand syntax... I'll hit Control-L on my keyboard to clear the screen, and now let's go back to keep reading the task.

Here's a little bit of explanation and background on what PowerShell is. It says the official explanation of PowerShell is: PowerShell is a cross-platform task automation and configuration management framework, consisting of a command-line shell and scripting language. Unlike most shells, which accept and return text, like you would expect in the Linux command line when you pipe one command into another, PowerShell is going to differ from that. PowerShell is built on top of the .NET Common Language Runtime, or CLR, and accepts and returns .NET objects. This fundamental change brings entirely new tools and methods for automation.

So, what you're used to, if you're working the Linux command line, when you're running your cat command and you pipe it to head, or you use grep or tail or sed or awk, you're funneling text through the standard output stream or the standard error stream or the standard input stream. But that is just raw plain text, all the letters and printable characters that display out on your terminal. When you're working in PowerShell, that turns it on its head and it's completely different. It changes the game, because it's not just text that's being funneled through, but .NET objects.
So if we put on our programmer hats, that means, okay, abstract objects, or a thing with properties and methods and things that it can do and run, but information relative to that, and you can funnel each of those through the PowerShell pipeline. That's the gimmick and gotcha with PowerShell. PowerShell has grown in popularity the last few years among defenders and especially attackers, because PowerShell is typically, always, just about going to be forever on the Windows desktop or the Windows server. It's native. Now, knowing PowerShell is a necessary skill. If you have only heard of PowerShell but never dabbled with it, fret not, today you will.

Recall from the definition above that PowerShell is a command-line shell. We must enter commands in the command prompt to instruct PowerShell on what we want it to do for us. PowerShell commands are known as cmdlets, and that's an interesting spelling, right, c-m-d-l-e-t-s, "cmdlets", that's the way it is, and that is what PowerShell calls sort of its syntax, but again the verb-noun presentation, and they're called cmdlets rather than commands like in the Linux or cmd.exe world. To list the contents of the current directory we're in, we can use the Get-ChildItem cmdlet. There are various other options we can use with this cmdlet to enhance its capabilities further. Now, this goes through and kind of bullet-points all the other parameters or arguments you could use with the Get-ChildItem cmdlet, and we could zoom in on these more if we'd like to, and that can all be explained to us with Get-Help and then passing in the cmdlet that we would like to use. That will give a ton of information, oftentimes including examples, and you can see all the different parameters or arguments that that cmdlet might take. So I think I have some old videos actually, and I need to actually continue that series on PowerShell, so if you're interested you can go check those out on my channel. But let's look at some
of these arguments. -Path will specify a path to one or more locations, and you can use wildcards, or the asterisk, right, a little glob or a wildcard, to match any string. -File or -Directory: you can get a list of files if you're using the -File parameter; to get a list of directories, use the -Directory parameter. You can also use the -Recurse parameter with the -File and/or -Directory parameters, so you're only focusing on files or you're only focusing on directories when you're trying to list them all out. You don't care about the other, just what you specify. -Filter specifies a filter to qualify the -Path parameter. -Recurse will get the items in the specified location and in all child items of the locations. So that means it'll, like, burrow down and dig through all of the different subdirectories or subfolders. So while we might be in our user elf McEager's location, he has his Desktop and his Documents and his Downloads and his Favorites and all the other folders in his directory. If we were to use -Recurse, it will spiral through all of those subfolders and directories. -Recurse can be hefty, but very powerful. -Hidden will only get hidden items, and that might be useful for us, because we're going to end up looking for things that were trying to be hid or obfuscated or slid under the radar, right there. They're trying to be masked and not immediately displayed. They're wanting to camouflage or blend in, so -Hidden might be very, very useful for us. Another option here, -ErrorAction SilentlyContinue, specifies what action to take if the command encounters an error. Note that the -ErrorAction parameter, or that argument, is what allows you to specify what action is being taken, right; SilentlyContinue is an example of one of those actions. There are others that you can supply for this -ErrorAction parameter or argument. So SilentlyContinue just means totally ignore the errors.
I don't care, just keep cruising through. But we could have it do something else if we wanted to with that -ErrorAction option. For example, if you wanted to view all of the hidden files in the current directory you're in, you can issue the following command: Get-ChildItem -File, again only viewing files, that are -Hidden, and ignore errors, so the -ErrorAction should be SilentlyContinue.

Another useful cmdlet is Get-Content. This will allow you to read the contents of a file. Again, PowerShell is verbose. This verb-noun syntax might very well match what you know in your mind as the cat command on Linux or the type command in old-school Windows cmd.exe. Get-Content is the full cmdlet, but those cat commands and type commands are aliases, so you can still use them within PowerShell if you wanted to. We could dive into a whole Get-Alias or Set-Alias syntax all throughout PowerShell, or you could go do that kind of as an extra exercise for the reader. But okay, you can run the command as follows: Get-Content -Path and then the file name that you want to read out. Right, that's a relative path here. -Path is kind of inherently default, so if you don't specify -Path, it knows the argument following this cmdlet will be what you want to read out, so that works.

You can run numerous operations with the Get-Content cmdlet to give you more information about a particular file you're inspecting, like how many words are in the file and the exact position of a particular string, etc. We can combine that by using that PowerShell pipeline, where we're carrying whole .NET objects through to another cmdlet. To get the number of words contained within a file, you can use Get-Content and pipe the results into the Measure-Object cmdlet. You can run the command as follows: Get-Content,
excuse me, -Path, piped to Measure-Object, and then -Word will display all that. Very cool. To get the exact position of a string within a file, you can use the following command: Get-Content -Path file.txt, and then you can specify an index. So the index is going to end up taking the output of this cmdlet, and that's why it's kind of noted here in these parentheses, because now we're going to do a little bit more .NET or programmer stuff with it, and we will index it with these square braces at a specific number, and that you'd find out here. The index is the numerical value that is the location of the string within the file. Since indexes start at zero, you typically need to subtract one from the original value to extract the string at the current position. However, this is not necessary for this exercise. So that's one way to do it, where you wrap your cmdlet in parentheses and then index it with square braces. I'm going to end up using the Select-String notion, because we also encourage that later on.

So to change directories, we use Set-Location, or cd, just as we saw. The last command that is needed to solve this room is Select-String, and the shorthand alias for that is just select, where you don't have to type in the -String. I know this is a water hose, I know I'm just throwing stuff at you, but we'll get to see it in just a second. We'll dive into the command line and do it for real. This command will search a particular file for a pattern you define within the command run. An example execution of this command is Select-String with the -Path and -Pattern to find a specific thing, and notice they're using that asterisk, or the star, the wildcard, to glob information. And of course, as I mentioned, you can always use Get-Help to learn more about a specific command, and I'd recommend doing that, even just as you go through each of these, just to see what else it can do and how else you could use PowerShell to your advantage.
So that's cool. All right, search for the first hidden elf file within the Documents folder. Read the contents of this file. What does elf 1 want? Hmm, well, let's take a look. We are currently in the Documents folder, and we knew that we could run Get-ChildItem, and we could specify -File to only get files, and we could specify -Hidden to only get hidden files. Right, so I'll hit enter on this. Ooh, and I see an e1f1, seemingly a 1 for our l here, e1f1.txt, and you can see in the mode description over here there's an h indicator, and that means that it is a hidden file. If you were to run something like ls or dir, again, because those are aliases, they will work, and you can still just as easily pass in those arguments; PowerShell will know. But if we were to run ls, dir, or Get-ChildItem without that, you will see an elf1.txt with a regular l, but notice the length here is different, 22 versus 35, and that mode, it is not hidden. That's actually a neat little troll, right? So I could Get-Content on elf1.txt with the l, but it's a little red herring: "hey, nothing to see here." Now, notice I used Get-Content, but again, we could just as easily use cat or type, because they are PowerShell aliases. So now let's go ahead and cat out that e1f1 with a 1, and that we know is the hidden file that we want. So I'll go ahead and cat e1f1.txt, and the answer here is "I want my two front teeth." All I want is my two front teeth. So I'll go ahead and copy that and I'll paste that in here, and I'll submit this, and that is the correct answer. So cool, that's all that we needed to do for that one.

Next, we need to search on the Desktop for a hidden folder that contains the file for elf 2, and then read the contents of that file. Okay, so we're currently in Documents, right?
So I'll clear my screen, I'm going to hit Control-L on my keyboard, or just cls typed in as a command, and I'll use cd .., remember that's an alias for Set-Location, to climb us out of the Documents directory. And then, just so we get good practice with it, I will Set-Location to the Desktop, if I can type. You can of course tab-complete, right? So if you start typing something and you know that there's only a certain amount of folders or locations that begin with that syntax, you can just hit tab twice on your keyboard and it will automatically fill out the rest for you. Now again, I'll ls. Nothing currently on the Desktop, but if I ls -Hidden, oh, I can see there is an elf2wo, and that's a directory, right? So if I were to run the exact same command, ls -Hidden, but also note -Directory, it would be able to find just that, excluding that desktop.ini file. So let's cd into that directory. Let's Get-ChildItem, or ls, or dir, and now you can see there is one .txt file here that we want to know the contents of, so let's simply go ahead and cat that file out, gc, or excuse me, Get-Content. Maybe, I don't know if this is getting confusing, where I'm throwing aliases in left and right, but I want you to know that PowerShell can act just exactly like, or very, very similar to at least, what you type in via commands, like what you're used to if you're used to Linux, if you use the Windows command prompt. You can use those commands and it will behave. But the pipeline, and what you do when you end up piping cmdlets into one another, that is functionally very, very different. Anyway, our answer here is "I want the movie Scrooge," so Scrooge is the answer. Let's go ahead and submit that. Also correct. And now, search the Windows directory for a hidden folder that contains files for elf 3. Now I didn't exactly interpret this immediately.
Well, I went to C:\Windows and then I tried to look around in here, but I couldn't find anything worthwhile. So I went into C:\Windows\System32, and that is, from what I understand, what they're referring to, but C:\Windows\System32 has all of the, like, inherent necessary files for your Windows operating system. So there's a lot in here; you can see that command obviously was running for a long time. So we need to smartly look for what we're finding here. We need to smartly look for a hidden folder that contains files for elf 3. What is the name of that hidden folder? Okay, so let's go ahead and ls or dir or Get-ChildItem, and remember, we could simply filter for what we're looking for, right? So -Filter could be kind of only returning things that match a given criteria, or match a correct string constraint, right? So I will define that with these string indicators, right, the double quotes or the single quotes, and then I could use those asterisks to note the wildcards before or after the number 3. So I want you to match anything that includes the number 3 somewhere, and I can run that. And now there's a lot of stuff, but we know we can zoom in on that even more, right? We're looking for a folder that is hidden. So let's take that same exact cmdlet and let's use -Hidden and let's use -Directory. Now when I run this, we only have one result, and that's much easier to work through here, and it's called 3lf. So we can cd into that, change directory, or Set-Location, and submit 3lf as the answer. There we go. And that is what the hint would have suggested for us here: use -Filter with that notion there. How many words does this first file contain? Oh, do we have multiple files in here? Looks like dir, ls, Get-ChildItem does not show anything, so we must need to specify -Hidden, because maybe there are hidden files here. There we go. I see a 1.txt and a 2.txt.
So let's Get-Content on 1.txt, and there is a lot of output there. But we need to know how many words are in this file, right? So I will clear the screen and I'll pipe, I'll use that PowerShell pipeline to pass in the .NET object that Get-Content is returning, I'll pipe that to Measure-Object, just as we read about earlier. And now Measure-Object, supplying it with all of this information, without any arguments or parameters afterwards, gives me a count of 9999. Let's use that -Word parameter that we knew was a thing from reading, and that tells us, okay, 9999. So that must be the answer, 9999. Submit that. Perfect.

And what two words are at index 551 and 6991 in the first file? Well, let's try to use that syntax that they suggested, right? Let's use Get-Content 1.txt and wrap that command within parentheses, so we'll have an opening parenthesis at the start and a closing parenthesis there, and then we can use the square braces with a specific index. So in this case 551 is what we want to see first. Okay, and that word is red. But I would also like to get 6991. That also retrieves it. Cool, red ryder are the words that it needs, and you could do this kind of one by one if you'd like to. The other way we could do this, what I had kind of hinted towards earlier, is using Get-Content and then select, or pipe it to Select-String, as we know select is the alias to it, and then you can specify -Index, and you can say I want index 551. Oh, sorry, that might just be select, then, I think, yeah, I'm... excuse me, select is a shorthand or an alias for Select-Object rather than Select-String, forgive me. There we go. And we could of course use 6991 as another argument in that as well, if we would like. So 551 and 6991 will retrieve the string red ryder, and that is Select-Object as the command that I'm using there. We
could use the alias and we can specify just select, but you get the exact same result, right, because you're running the exact same command. Regardless, we know that red ryder is our answer here, so let's type that in. Submit that, and this is only half the answer. Search in the second file for the phrase from the previous question to get the full answer. What does elf 3 want? Okay, so now we're going to work with this second text file. So Get-Content 2.txt, and there's a lot here, and we want to... what, search in the second file for the phrase from the previous question to get the right answer. So we need to look for red ryder in this whole big file here. So now we can end up using Select-String with a specific pattern, and that was the syntax that they showcased. So is it just Red Ryder, with the capital letters? Does that hit anything? I'm not using the asterisks right now, but I think that would just mean strictly, specifically, one instance. Let's... I'm not getting a hit, right? So let's use the asterisks here. See if that finds anything. Oh, "*red ryder*" is not a valid regular expression. Should I be using regular expressions, with like a .* and .*? And do the spaces matter in that? What does that hint say? Okay, red ryder should all be lowercase. So maybe we don't need to end up using those. Let's clear the screen and let's use red ryder, all lowercase, just taking the hint, just trying to understand a little bit more of what TryHackMe wants. Are they using the asterisks in that? Did I misread that? No, I did not. Red ryder bb gun. All right, that must be the answer. Let's go ahead and submit that, but it needs spaces, so red ryder bb gun. Submit. All right, there we go. We did it.

So that was some live learning, right? That was some good activity using PowerShell and getting an understanding for all that we can do with it. But this was kind of simple.
Hey, navigating around the file system, reading files, doing some good stuff, but that is absolutely necessary while you learn PowerShell, right? You're going to be doing this on a Windows host. You're going to be doing this on Windows, so you've got to be able to bump around that file system, understand what all the files are there and what they contain, etc. So this is absolutely necessary, and then you can use that as a springboard or jumping-off point to learn even more PowerShell. But this was a lot of fun, I think. It's always nice to be able to take a look at system or hidden files, exactly because, yeah, that's where the adversary is going to hide, right? Or at least some might try to. So using and knowing a lot of these parameters is very, very good to do. And of course, take a look at Get-Help, like always, just be reading, just understand a little bit of the documentation, the man pages, right, RTFM. So you can of course just pass in an alias for that too. So if I were to use Get-Help, excuse me, on ls, you can see that's defining the Get-ChildItem cmdlet, and the aliases there are going to explain a little bit more here. Get-Help will also include some remarks, which is really great, because it tells you, like, hey, it can't find more information on this, so you could use Update-Help to get more information, or you could end up, I think, passing, like, -Full, is that the right parameter, where it might give you some example, like example use cases, more in-depth information regarding the parameters. You could actually get help on the Get-Help command, and that's kind of meta, but very, very cool and very, very fun. So explore, use PowerShell, understand a little bit about it, and keep digging around, keep trying things to tinker with. But this has been a long video, much longer than it needed to be, so thank you guys so much for watching. I hope you had fun with this one, I hope you're going to use a little bit more PowerShell, and I hope you're going to keep cruising to
finish up TryHackMe's Advent of Cyber, but I'll see you in the next video, everyone. I love you. Take care.
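An added PowerShell example, not from the video or from the TryHackMe room: it builds a constructed stocking-hunt layout in a temp folder and then runs the same cmdlets the walkthrough uses (Get-ChildItem -Hidden, Measure-Object -Word, indexing the output of Get-Content, Select-String), including the regex caveat behind the "*red ryder* is not a valid regular expression" error. Every folder name, file name and file body below is made up for the demo (they are not the room's files), and the script assumes Windows PowerShell 5.1 or later on a file system that supports the Hidden attribute.

```powershell
# Added demo, not from the video or the TryHackMe room. Builds a constructed
# folder layout under %TEMP%, then walks it with the cmdlets from the room.
# Every name and file body here is invented for the demo.
$root = Join-Path $env:TEMP ("elf-demo-" + [guid]::NewGuid().ToString('N'))
$docs = New-Item -ItemType Directory -Path (Join-Path $root 'Documents')
$sys  = New-Item -ItemType Directory -Path (Join-Path $root 'Windows\System32')

# A visible decoy next to a hidden real file (the elf1.txt vs e1f1.txt trick).
Set-Content -Path (Join-Path $docs 'decoy.txt') -Value 'Hey, nothing to see here'
$real = Join-Path $docs 'real.txt'
Set-Content -Path $real -Value 'I want my two front teeth'
(Get-Item $real).Attributes = (Get-Item $real).Attributes -bor [IO.FileAttributes]::Hidden

# A hidden folder whose name contains a 3, holding a long one-line file
# plus a short multi-line file to search.
$hid = New-Item -ItemType Directory -Path (Join-Path $sys 'demo3dir')
$hid.Attributes = $hid.Attributes -bor [IO.FileAttributes]::Hidden
$words = @('snow', 'sleigh', 'tinsel', 'cocoa') * 100   # 400 filler words
$words[300] = 'red'; $words[301] = 'ryder'              # the two target words
Set-Content -Path (Join-Path $hid '1.txt') -Value ($words -join ' ')
Set-Content -Path (Join-Path $hid '2.txt') -Value @(
    'Dear Santa,',
    'All I want is a red ryder bb gun.',
    'Thanks, Elf 3')

# 1. Hidden files only. SilentlyContinue swallows the access-denied errors
#    that litter the output when this is run against a real system tree.
Get-ChildItem -Path $docs -File -Hidden -ErrorAction SilentlyContinue

# 2. Hidden directories whose name contains a 3, searched recursively.
Get-ChildItem -Path (Join-Path $root 'Windows') -Directory -Hidden -Recurse `
    -Filter '*3*' -ErrorAction SilentlyContinue

# 3. Word count. Without -Word, Measure-Object counts the objects in the
#    pipeline, which for Get-Content means lines, not words.
Get-Content -Path (Join-Path $hid '1.txt') | Measure-Object -Word

# 4. Indexing. (Get-Content file)[n] picks line n, so it only yields a word
#    when the file has one word per line. For a file with many words per
#    line, split into words first. Indices are zero-based.
$allWords = (Get-Content -Path (Join-Path $hid '1.txt')) -split '\s+'
$allWords[300, 301]                                      # red ryder

# 5. Searching. -Pattern is a .NET regular expression, which is why '*red*'
#    fails: a leading '*' has nothing to repeat. Use -SimpleMatch for a
#    literal, or a real regex such as 'red\s+ryder'. Matching is
#    case-insensitive unless -CaseSensitive is given.
Select-String -Path (Join-Path $hid '2.txt') -Pattern 'red ryder' -SimpleMatch
Select-String -Path (Join-Path $hid '2.txt') -Pattern 'red\s+ryder'
Select-String -Path (Join-Path $hid '2.txt') -Pattern 'Red Ryder' -CaseSensitive  # no hit: file is lowercase

Remove-Item -Path $root -Recurse -Force
```

Run it from any PowerShell prompt; it creates and removes its own temp tree. The -SimpleMatch line is the reliable way to look for a literal phrase, since characters such as `*`, `.` and `(` change meaning once -Pattern is treated as a regex.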