Advent of Cyber 3 (2021): Day 23 Write-up PowershELlF Magic [TryHackMe]

Atharva Shirude
Published in rootissh
Dec 25, 2021

Hey Guys! We are back with Day 23 of the “Advent of Cyber” event by TryHackMe. If you haven’t solved the Day 1 challenge, click here.

This time we have a Blue Teaming challenge named “PowershELlF Magic”.

Learning Objectives:

  • Analyze Windows event logs to understand actions performed in an attack.
  • Recover key artifacts in unencrypted web communications.
  • Utilize PowerShell scripting to recover a deleted artifact.

1. What command was executed as Elf McNealy to add a new user to the machine?

Answer: Invoke-Nightmare

2. What user executed the PowerShell file to send the password.txt file from the administrator’s desktop to a remote server?

Answer: adm1n

3. What was the IP address of the remote server? What was the port used for the remote connection? (format: IP,Port)

Answer: 10.10.148.96,4321

4. What was the encryption key used to encrypt the contents of the text file sent to the remote server?

Answer: j3pn50vkw21hhurbqmxjlpmo9doiukyb

5. What application was used to delete the password.txt file?

Answer: sdelete.exe

6. What is the date and timestamp the logs show that password.txt was deleted? (format: MM/DD/YYYY H:MM:SS PM)

Answer: 11/11/2021 7:29:27 PM

7. What were the contents of the deleted password.txt file?

Edit the Decrypter.ps1 file, adding the encryption key we recovered earlier and the encrypted value, then run it.

We get the encrypted value here.

Answer: Mission Control: letitsnowletitsnowletitsnow

Thank you for reading! See you tomorrow!!

Please clap👏 if you like what we are doing and drop your thoughts and love❤️ in the comment section.

Do Follow us on our LinkedIn: https://www.linkedin.com/company/rootissh

Stay Tuned for more Writeups of this event as well others!
