Investigating Windows
@ Animesh Roy | Tuesday, May 25, 2021 | 2 minutes read | Update at Tuesday, May 25, 2021

Investigating Windows

A windows machine has been hacked, its your job to go investigate this windows machine and find clues to what the hacker might have done.


Task 01: Investigating Windows


Flg 2

looking into eventviewer log for EventID 4624. Ref: read

Flag 3

open CMD -> type net user John look for Last Logon

Flag 4

while booting up we see the IP in CMD

Flag 5

CMD: net localgroup administrators

FLag 6

open task scheduler and look for names that sticks out.


dig more with clean file system

FLag 8


FLag 9

FLag 10

check the file create date of Flag7

FLag 11

looking 10 min (before-after for any special logon)
PS: use Get-EventLog Date Range with XPath Filter

FLag 12

GameOver is another Task Scheduled. opon investigation / running it like an Idiot you’ll see the banner that tells you the Name of the tool. mim.exe


this machine doesnot have SYSMON, and took me 40 min to figure out where to look, long story short there is is hardcoded to that’s suspicious.

FLag 14

Default web dir in Windows is c:\inetpub\wwwroot found the file backddoors there (jsp is the ans.)

FLag 15

Rookie 0x1337 Hax0r mistake of using port 1337 PS: in Windows port can be open/close manually using Windosws built in firewall rules.

FLag 16

Ans is from Flag-13, hardcoded known domain name.

© 2010 - 2024 Classroom

Reading Stuffs

Social Links