Windows Command Line [ CyberSecurity 101 Learning Path ] TryHackMe Writeup | Detailed Walkthrough | Beginner Friendly

Sunny Singh Verma [ SuNnY ]
Published in System Weakness
7 min read · Oct 25, 2024

Windows Command Line is part of the newly updated Cyber Security 101 learning path on TryHackMe.

Let’s Start !

Task 1 : Introduction

It’s advised to read this module for a better understanding.
We are asked to start the Machine and the AttackBox for a better experience.

THM’s AttackBox opens in a split window ( You can also expand )

Once both our AttackBox and VM are initialized properly ,
Let’s move to the Question of this room

Credentials for the VM → username : user , password : Tryhackme123!

To log in, let’s use SSH → ssh username@ip-address and then input the password

ssh user@10.10.200.3 ( Note : your IP address will be different from this )

and then input the password → Tryhackme123!


Task 1 : Question : What is the default command line interpreter in the Windows environment?

The default command-line interpreter in the Windows environment is Command Prompt, also known as cmd.exe. It’s a legacy shell that allows users to execute a wide range of commands and scripts in the Windows operating system.

With that out of the way, let’s move to the next Task →

Task 2 : Basic System Information

Task 2 — Question 1 : What is the OS version of the Windows VM?

The ver command in cmd.exe displays the version of the Windows operating system currently running. It’s a quick way to check the OS version without needing detailed system information.

Microsoft Windows [Version 10.0.20348.2655]

Since we are asked just the OS version

The Answer is : 10.0.20348.2655

Task 2 Question 2 : What is the hostname of the Windows VM?

To check the hostname of a Linux VM, we can use the command hostname.
To check the hostname of a Windows VM, we can simply use the command →
systeminfo

WINSRV2022-CORE

Answer : WINSRV2022-CORE

Task 2 is now successfully completed !

Task 3 — Question 1 : Which command can we use to look up the server’s physical address (MAC address)?

The command ipconfig /all displays detailed network configuration information, including the MAC address (physical address).

Answer : ipconfig /all

Task 3 Question 2 : What is the name of the process listening on port 3389?

netstat -abon shows all active connections and listening ports along with the associated programs and process IDs.

The question asks us to find the name of the process listening on port 3389

Answer is : TermService
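
Going one step further than the room's answer, as an added example that is not part of the original writeup: a small cmd batch script that resolves a listening TCP port to its PID with netstat -ano, then lists the image and hosted services for that PID with tasklist /SVC. The file name portowner.cmd and the variable names are hypothetical; the default port 3389 is the one from the question above.

```batch
@echo off
rem Added example (not from the room): resolve a listening TCP port to its
rem owning PID, then to the image and services behind that PID.
rem Usage: portowner.cmd [port]   (portowner.cmd is a hypothetical file name)
setlocal EnableDelayedExpansion
set "PORT=%~1"
if not defined PORT set "PORT=3389"
set "SEEN= "

rem netstat -ano columns: Proto, Local Address, Foreign Address, State, PID.
rem Matching ":PORT " plus LISTENING keeps listeners only and skips outbound
rem connections to the same port number on other hosts (UDP has no state).
for /f "tokens=2,5" %%A in ('netstat -ano ^| findstr /R /C:":%PORT% .*LISTENING"') do (
    rem IPv4 and IPv6 listeners usually share one PID; report each PID once.
    if "!SEEN: %%B =!"=="!SEEN!" (
        set "SEEN=!SEEN!%%B "
        echo Port %PORT% is bound on %%A by PID %%B
        rem /SVC lists the services hosted in the process, which is how a
        rem generic svchost.exe entry resolves to a service name.
        tasklist /SVC /FI "PID eq %%B"
    )
)

if "%SEEN%"==" " (
    echo No TCP listener found on port %PORT%
    exit /b 1
)
exit /b 0
```

The -b option of netstat -abon needs an elevated prompt, while netstat -ano followed by tasklist /SVC gives the same port-to-service mapping from a standard one.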

Task 3 Question 3 : What is the IP address of your gateway?

We can use the command → ipconfig /all which shows our IP address, subnet mask, and default gateway.

ipconfig /all 
Default Gateway is : 10.10.0.1

The Answer is : 10.10.0.1

Task 3 is now Complete !

Task 4 : File and Disk Management

Task 4 Question : What are the file’s contents in C:\Treasure\Hunt?

Let’s first check the directory we are currently working in by using the command cd. In Windows, running cd with no arguments prints the current directory path, just like pwd does in Linux.

We are currently working on this directory →

C:\Users\user

Question asks us to check the contents of this directory →

C:\Treasure\Hunt

Few Commands that are useful in cmd →

cd      To change directory
dir     To list the contents of the directory ( ls in linux )
type    To display the contents of the file ( cat in linux )

Let’s use cd to change directory to \Treasure\Hunt and list the contents of the directory by the command → dir

After Changing the Directory to \Treasure\Hunt and checking the contents , we found a text file flag.txt , let’s check the contents by using the command type to display the text .

Contents of the file flag.txt →

THM{CLI_POWER}

Task 4 Done !

Task 5 : Task and Process Management

Task 5 — Question 1 : What command would you use to find the running processes related to notepad.exe?

The command tasklist displays all currently running processes, including their names, process IDs (PIDs), session names, session numbers, and memory usage.

Here we can see Image Name , PID , Session Name , Session and Mem Usage

We are going to use the command tasklist /FI "imagename eq notepad.exe" for this question, as it displays a filtered list of running processes specifically related to notepad.exe.

Here’s a breakdown:

  • tasklist: This command lists all currently running processes on the system, including details like process names, process IDs (PIDs), memory usage, and session information.
  • /FI: This option applies a filter to the tasklist output, limiting the results based on specified criteria.
  • "imagename eq notepad.exe": This is the filter criteria for /FI, where:
      • imagename refers to the name of the process (or executable) you want to filter by.
      • eq means "equals," specifying that only processes matching the exact name notepad.exe should be displayed.

Answer to this Question : tasklist /FI "imagename eq notepad.exe"

tasklist /FI "imagename eq notepad.exe"

Task 5 — Question 2 : What command can you use to kill the process with PID 1516?

The command taskkill /PID "number" is used in Windows Command Prompt to terminate a specific running process by its Process ID (PID). Here’s a quick breakdown:

  • taskkill: This command ends tasks or processes on Windows.
  • /PID: This option specifies that you are targeting a process by its Process ID.
  • number: This is the specific PID of the process you want to terminate, and it is usually 4 digits long.

Answer for this Question : taskkill /PID 1516

Task 5 is now Complete !

Task 6 : Conclusion

Task 6 — Question 1 : The command shutdown /s can shut down a system. What is the command you can use to restart a system?

The command shutdown /r can be used to restart the system, just as the command shutdown /s can shut it down.

The /r option in the shutdown command specifies a system restart.
This is useful for rebooting the system from the command line.

Answer to This Question : shutdown /r

shutdown /r

Task 6 Question 2 : What command can you use to abort a scheduled system shutdown?

Similarly, the command shutdown /a can be used to abort a system shutdown.

The /a option aborts any scheduled shutdown that is pending, allowing you to cancel a shutdown or restart that has been previously scheduled.

Answer to this Question : shutdown /a

shutdown /a 

Our last Task , Task 6 is now completed !

Congratulations ! We have solved the room together !

Hope you have enjoyed solving this room as much as I did.

If you want to get the latest TryHackMe writeups delivered, go ahead and follow me on Medium and also hit the notify via email button.

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want, I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

If you enjoyed this article, you can add a clap to let me know, and if you loved it you can click the clap icon up to 50 times, which will make my day 🤗
You can also follow me on Medium to get more articles about CTFs and Cybersecurity in the near future, but don’t forget to hit that email notification icon right next to the follow button.

Thank you !
SuNnY
