TryHackMe: Advent of Cyber - Day 13 - They Lost The Plan!

This is a write-up for the Day 13 - They Lost The Plan! challenge in the Advent of Cyber room on TryHackMe. Some tasks may have been omitted as they do not require an answer.


Complete the username: p…..

Open the Command Prompt and type net users

Answer: pepper

What is the OS version?

Run systeminfo

Answer: 10.0.17763 N/A Build 17763

What backup service did you find running on the system?

Run wmic service list | findstr "Backup"

Answer: IperiusSvc

What is the path of the executable for the backup service you have identified?

Answer: C:\Program Files (x86)\Iperius Backup\IperiusService.exe

Run the whoami command on the connection you have received on your attacking machine. What user do you have?

Answer: the-grinch-hack\thegrinch

What is the content of the flag.txt file?

Run cd C:\Users\thegrinch\Documents

Run type flag.txt

Answer: THM-736635221

The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?

Run type Schedule.txt

Answer: jazzercize

Recap

In this task we learnt:

  • How to conduct Windows Privilege Escalation
