# THM - PowerShell
Windows scripting language built on the .NET framework.
The .NET framework allows PowerShell to call .NET functions directly from its shell.
PowerShell commands, or cmdlets, are written in .NET.
The output of these cmdlets is objects rather than plain text, so PowerShell works in an object-oriented way.
The format of a cmdlet name is Verb-Noun.
For example, the command that lists commands is Get-Command (verb-noun).
Common Verbs:
- Get
- Start
- Stop
- Read
- Write
- New
- Out
Approved Verbs for Powershell commands (by Microsoft) - https://docs.microsoft.com/en-us/powershell/scripting/developer/cmdlet/approved-verbs-for-windows-powershell-commands?view=powershell-7

Powershell.exe - https://ss64.com/ps/powershell.html

## Basic PowerShell Commands
`Get-Help Command-Name` displays information about a cmdlet.
`Get-Help Command-Name -Examples` shows examples of exactly how to use the command.
Wildcards such as `Verb-*` or `*-Noun` can be passed to `Get-Command` to find commands by verb or by noun.
`|` (the pipe) passes the output objects of one cmdlet to the next cmdlet.
Every object has methods and properties; you can list them for a command's output with something like `Verb-Noun | Get-Member`.
`Get-Member -MemberType Method` restricts the listing to methods; `-MemberType Property` does the same for properties.
`Select-Object` pulls chosen properties from the output of a cmdlet and creates a new object holding only those.
`Where-Object` filters the output objects: `Verb-Noun | Where-Object -Property PropertyName -operator Value`, where `-operator` is e.g. `-Contains` (any item in the property value is an exact match for the specified value), `-eq` (the property value is the same as the specified value), or `-gt` (the property value is greater than the specified value).
Full list of operators - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6
`Sort-Object` can be used to sort the output when a cmdlet returns a lot of information.
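As an added example (not part of the THM room), one pipeline that combines the cmdlets above to inventory the machine's listening TCP ports together with the owning process; `Get-ListeningPortInventory` and its `-MinPort` parameter are names chosen here, and the block assumes the NetTCPIP module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example: inventory listening TCP ports with their owning process.
# Assumes Get-NetTCPConnection (NetTCPIP module) is available.
function Get-ListeningPortInventory {
    param(
        # Only report ports at or above this number (assumption: 0 = everything)
        [Int32]$MinPort = 0
    )

    # Build a PID -> process name lookup once instead of calling
    # Get-Process for every connection in the pipeline.
    $procById = @{}
    Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Listen |
        # Where-Object filters objects on a property, as in the notes above
        Where-Object { $_.LocalPort -ge $MinPort } |
        # Select-Object builds a new object; the calculated property pulls in
        # data that the NetTCPConnection object itself does not carry
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'ProcessName'; Expression = { $procById[[int]$_.OwningProcess] } } |
        # Sort-Object orders the rows so the listing is readable
        Sort-Object LocalPort, LocalAddress
}

# Usage: full listing, then only non-privileged ports, then a row count.
Get-ListeningPortInventory | Format-Table -AutoSize
Get-ListeningPortInventory -MinPort 1024
(Get-ListeningPortInventory | Measure-Object).Count
# Get-Member shows the properties of the new object the function emits
Get-ListeningPortInventory | Get-Member -MemberType Property
```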



```powershell
# What is the location of the file "interesting-file.txt"?
# Recurse from C:\ and match on the file name; -Force includes hidden items.
Get-ChildItem -Path C:\ -Include interesting-file.txt* -Force -Recurse -ErrorAction SilentlyContinue
# seems to be the way to go because I can get an item by path.
# Specify the contents of this file (the path contains a space, so it is quoted)
Get-Content -Path "C:\Program Files\interesting-file.txt.txt"
# How many cmdlets are installed on the system (only cmdlets, not functions and aliases)?
Get-Command | Where-Object -Property CommandType -eq Cmdlet | Measure-Object
# explanation is that Get-Command will list all commands as rows of objects,
# then Where-Object will select only the Cmdlet types based on the property that lists these,
# and Measure-Object counts the objects that are left (the Count field)

# Get the MD5 hash of the interesting-file.txt
Get-Command *hash*
Get-FileHash -Path "C:\Program Files\interesting-file.txt.txt" -Algorithm MD5

# What is the command to get the current working directory?
Get-Location

# What command would you use to make a request to a web server?
Get-Command *url* # showed an Alias for curl -> Invoke-WebRequest
Invoke-WebRequest

# Base64 decode the file b64.txt on Windows
# google search showed that [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($a))
$a = Get-Content .\b64.txt -Raw   # -Raw returns one string instead of an array of lines
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($a))
```



## Enumeration
Users, basic networking information, file permissions, registry permissions, scheduled and running tasks, insecure files.
```powershell
# How many users are there on the machine?
# Interesting but not confirmed: Get-IAMUsers, Get-CONNUserList
Get-LocalUser -Name * # dumps local users with Name, Enabled, and Description

# Which local user does this SID (S-1-5-21-1394777289-3961777894-1791813945-501) belong to?
Get-LocalUser -SID S-1-5-21-1394777289-3961777894-1791813945-501

# How many users have their password required values set to False?
Get-LocalUser | Get-Member   # shows the PasswordRequired property
Get-LocalUser * | Select-Object -Property Name, *passwordrequired*
# Because Get-LocalUser brings the User object from Microsoft

# How many local groups exist?
Get-LocalGroup -Name *

# What command did you use to get the IP address info?
Get-NetIPAddress

# How many ports are listed as listening?
Get-NetTCPConnection -State Listen

# What is the remote address of the local port listening on port 445?
Get-NetTCPConnection -State Listen -LocalPort 445

# How many patches have been applied?
Get-WindowsUpdateLog # apparently not patches
Get-HotFix

# When was the patch with ID KB4023834 installed?
Get-HotFix | Where-Object -Property HotFixID -eq KB4023834

# Find the contents of a backup file
# I did lots of searches for *backup* but found out it was *.bak* since it was a backup file
Get-ChildItem -Path C:\ -Include *.bak* -Force -Recurse -ErrorAction SilentlyContinue
Get-Content "C:\Program Files (x86)\Internet Explorer\passwords.bak.txt"
# Search for all files containing API_KEY
Get-ChildItem -Path C:\Users\ -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern 'API_KEY' -SimpleMatch -CaseSensitive -ErrorAction SilentlyContinue

# What command do you do to list all the running processes?
Get-Process

# What is the path of the scheduled task called new-sched-task?
# The Actions property holds the executable path (Execute) and arguments
(Get-ScheduledTask -TaskName new-sched-task).Actions

# What is the owner of C:\?
Get-Acl C:\
```


## Basic Scripting Challenge
Script files end with .ps1.
```powershell
# variables
$variable_name = "value"
# iterate through the lines of a file (or any other collection)
foreach ($new_var in $existing_var) {
    # do something with $new_var
}
```
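An added example of a complete .ps1 script using the variable and foreach forms above (my own illustration, not the room's challenge script): it reads account names from a text file, one per line, and reports which exist locally and which have PasswordRequired set to False. The file name `users.txt`, the script name `Check-LocalUsers.ps1` and the `-UserListPath` parameter are assumptions.

```powershell
# Added example. Save as Check-LocalUsers.ps1 and run:
#   .\Check-LocalUsers.ps1 -UserListPath .\users.txt
# Assumption: users.txt holds one account name per line (constructed input).
param(
    [Parameter(Mandatory = $true)]
    [String]$UserListPath
)

if (-not (Test-Path -Path $UserListPath)) {
    Write-Error "User list not found: $UserListPath"
    exit 1
}

# Variable holding the file contents; Get-Content yields one string per line
$wanted = Get-Content -Path $UserListPath | Where-Object { $_.Trim() -ne '' }

# Lookup of the accounts that actually exist on this machine (name -> object)
$local = @{}
foreach ($u in Get-LocalUser) { $local[$u.Name.ToLower()] = $u }

$missing = 0
$noPasswordRequired = 0

# Iterate through the file, one name per loop, using the foreach form above
foreach ($name in $wanted) {
    $key = $name.Trim().ToLower()
    if (-not $local.ContainsKey($key)) {
        Write-Output "MISSING   $name"
        $missing++
        continue
    }
    $acct = $local[$key]
    if (-not $acct.PasswordRequired) {
        Write-Output "NOPASSREQ $name (Enabled=$($acct.Enabled))"
        $noPasswordRequired++
    } else {
        Write-Output "OK        $name (Enabled=$($acct.Enabled))"
    }
}

Write-Output ""
Write-Output "Checked $($wanted.Count) names: $missing missing, $noPasswordRequired without a required password"
```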



## Intermediate Scripting
Simple port scanner:
- Determine the IP ranges to scan; you can provide the input in any way you want
- Determine the port ranges to scan
- Determine the type of scan to run

`Test-Connection` (PowerShell 7) takes `-TargetName <IPv4 address or computer name>` and `-TcpPort <Integer>`.
```powershell
param([String]$target, [Int32]$portstart, [Int32]$portstop)
if ($portstop -lt $portstart) {
    Write-Error "portstop must not be less than portstart"
    exit 1
}
# $port_Range = $portstop - $portstart
# walk every port from portstart to portstop inclusive, using a separate
# loop variable so the original arguments are left untouched
for ($port = $portstart; $port -le $portstop; $port++) {
    Test-Connection -TargetName $target -TcpPort $port
}
```

