Skip to main content

67 posts tagged with "cybersecurity"

View All Tags

Windows PowerShell

Shubham
Cybersecurity Enthusiast

Introduction

okay let me go through it straight forward

PowerShell is basically Windows' upgraded command-line.
it replaces old cmd with something way more powerful because it works with objects instead of plain text.

lame language definition:
it's cmd but on steroids — lets you automate, manage system stuff, and chain commands easily

formal definition:
PowerShell is a task-based command-line shell and scripting language built on .NET, designed for system automation and configuration management.


Cmdlets (Commands)

PowerShell doesn't use traditional commands like ls, cat, etc.
it uses cmdlets which follow the pattern:
Verb-Noun

lame language definition:
cmdlets are special built-in functions that perform small, focused actions

formal definition:
cmdlets are lightweight .NET-based commands used within PowerShell for performing administrative tasks.

some basic cmdlets:

Get-Command
lists all available commands

Get-Help
shows documentation for any cmdlet

Get-Alias
shows shortcut names for commands

these three are your starting trio.


just like linux, you move around directories and view things.
but names are different in powershell.

Set-Location → change directory
Get-ChildItem → list files/folders
New-Item → create a file/folder
Remove-Item → delete things
Copy-Item / Move-Item → copy / move files

lame language definition:
same file operations as linux/mac, only the cmd names are different

formal definition:
PowerShell uses provider-based access to systems like filesystem, registry, etc., allowing cmdlets to interact with them as structured objects.


Piping & Filtering (MOST important)

this is where powershell becomes overpowered compared to cmd.

you pass objects, not text.
this means downstream commands can read properties directly.

example concepts:

Where-Object → filter
Select-Object → pick properties
Sort-Object → sort results

lame language definition:
you're not messing with strings. you're passing real data with fields like Name, Id, Path, etc.

formal definition:
PowerShell pipelines transfer .NET objects between cmdlets, enabling structured querying, transformation, and automation.


Managing Processes & Services

PowerShell is a system admin tool at heart.
so it gives full access to OS-level components:

Get-Process → list running processes
Stop-Process → kill a process
Get-Service → list services
Start-Service / Stop-Service → control services

lame language definition:
you can inspect or control what is running on the machine using simple commands

formal definition:
PowerShell exposes OS process and service management through object-based cmdlets, allowing precise control and automation.


System & Network Information

powershell can show system details cleanly:

  • network config
  • environment variables
  • event logs
  • hardware info
  • registry

some common areas:

Get-NetIPConfiguration
Test-Connection (like ping but object-based)
Get-EventLog


Why PowerShell is Important in Cybersecurity

attackers love powershell
admins love powershell
everyone basically uses it

because:

  • it’s preinstalled on all windows systems
  • lets you automate enumeration
  • can access registry, services, files, processes
  • can download payloads, run scripts, and move laterally
  • allows powerful recon without extra tools

lame language definition:
if you know powershell, you can control a windows machine like a pro

formal definition:
PowerShell is widely adopted in offensive and defensive security due to its deep system access, scripting capabilities, and ubiquity across Windows environments.


Conclusion

all powershell concepts boil down to this:

instead of text, you're working with objects — which makes system automation, enumeration, and control extremely powerful.

if you understand cmdlets, pipelines, filtering, and basic system commands,
you already understand the core of PowerShell.

`

Windows and Active Directory Fundamentals

Shubham
Cybersecurity Enthusiast

Windows Architecture

okay let me go through it straight forward

windows internally is divided into system components like kernel, services, processes, registry, users, permissions etc.
understanding these is important because almost all attacks or security issues come from misconfigured services, weak permissions, or exposed shares.

lame language definition:
windows is layers of background programs + settings + user accounts working together

formal definition:
Windows OS is a multitasking operating system built on the NT architecture, consisting of the kernel, system services, user mode processes, the registry database, and a security subsystem enforcing authentication and authorization.


Users, Groups & Permissions

windows security fundamentally relies on accounts and groups.

your machine has:

  • local accounts → users on the device
  • groups → collections of users (Admin, Users, Guests etc.)
  • privileges → what they can or cannot do

lame language definition:
groups decide your power level in the system

formal definition:
Windows uses discretionary access control (DAC) where access tokens containing SIDs (security identifiers) determine permissions on resources.

important ones:

Administrators → full control
Users → standard, limited
SYSTEM → highest privilege (more than admin)


File System & NTFS Permissions

NTFS is the default file system.
it supports ACLs (access control lists) — which define exactly who can read, write, execute something.

permissions include:

  • FullControl
  • Modify
  • ReadExecute
  • Write
  • Read

lame language definition:
every file/folder has a list of “allowed people” and “what they can do”

formal definition:
NTFS implements per-object discretionary access control using ACEs linked to user or group SIDs, enabling granular file system security.


The Registry

registry = the huge configuration database for windows.
everything from installed programs to startup items to system policies lives here.

important hives:

  • HKEY_LOCAL_MACHINE (HKLM) → system-wide settings
  • HKEY_CURRENT_USER (HKCU) → settings for the logged-in user

lame language definition:
registry is windows’ brain storing all configuration

formal definition:
the Windows Registry is a hierarchical database storing system, user, and application configuration accessed via registry APIs.

attackers often abuse registry for persistence.


Windows Services & Processes

services = background programs
processes = running programs

you’ll often check them during enumeration.

useful concepts:

  • services can run as SYSTEM
  • misconfigured services can be escalated
  • startup type: auto, manual, disabled
  • process tree shows parent-child relationships

lame language definition:
services are programs that run even when no one is logged in

formal definition:
Windows services are long-running executables managed by the Service Control Manager (SCM), often running with elevated privileges.


Event Viewer (Logs)

windows logs everything meaningful: logons, errors, privilege changes, network events, etc.
important logs for security:

  • Security
  • System
  • Application

lame language definition:
event viewer is where you spy on what happened on the system

formal definition:
event logs are structured records generated by system components, applications, and security subsystems stored using the Windows Event Log API.


Networking (Windows Context)

important tools:

  • ipconfig → interface info
  • netstat → active connections
  • net commands → users, shares, groups
  • ping, tracert, nslookup → basic diagnostics

common enum areas:

  • open shares
  • firewall rules
  • RDP status
  • running services over ports

Windows Shares (SMB)

SMB allows sharing folders/printers across network.
enumeration often reveals misconfigured shares.

share types:

  • C$, ADMIN$, IPC$ → administrative
  • custom shares → may expose sensitive files

lame language definition:
SMB is like “network folders” that anyone on LAN can access if allowed

formal definition:
Server Message Block (SMB) is a network file-sharing protocol enabling access to files and services over TCP/IP.


PowerShell (Quick Summary)

PowerShell is the backbone of Windows automation and recon.

important ideas:

  • everything is an object
  • pipelines pass objects
  • cmdlets follow Verb-Noun pattern
  • easy access to registry, services, WMI, CIM, processes

you've already covered this in detail in the previous writeup.


Active Directory (AD)

What is Active Directory

AD is basically identity + permission management for large networks (like companies) using Windows machines.

lame language definition:
AD is a system that controls “who you are” and “what you can do” inside a company network

formal definition:
Active Directory is a directory service built on LDAP and Kerberos, providing centralized authentication, authorization, and policy management within Windows domains.


Domain, OU, Users, Groups

in AD, machines and users belong to a domain (example: corp.local).

objects inside AD are organized into:

  • Users
  • Groups
  • Computers
  • Organizational Units (OUs)

lame language definition:
domain = company network
OU = folders to organize users/computers

formal definition:
OUs are containers in AD enabling hierarchical organization and targeted Group Policy application.


Domain Controllers (DC)

domain controller = server that runs AD services.

it handles:

  • login authentication (Kerberos)
  • directory lookups (LDAP)
  • group policies

lame language definition:
DC is the boss server that decides if you can log in or not

formal definition:
a Domain Controller is a Windows server hosting AD DS, responsible for authentication, authorization, and domain policy enforcement.


Kerberos (Authentication)

Kerberos is default authentication in AD.

flow (very simplified):

  1. user requests a TGT
  2. DC verifies identity
  3. DC issues a TGT
  4. user uses TGT to access services

lame language definition:
kerberos gives you a “ticket” proving who you are

formal definition:
Kerberos is a network authentication protocol using symmetric cryptography and ticket-based identity validation.


Group Policy (GPO)

GPOs apply settings to many users/computers at once:

  • password policies
  • software restrictions
  • login scripts
  • firewall rules
  • drive mappings

lame language definition:
admins use GPOs so they don’t have to configure 500 computers manually

formal definition:
Group Policy is a centralized configuration management feature applying domain-level policies via AD.


AD Enumeration (Security Context)

attackers and defenders both enumerate AD for:

  • user lists
  • group memberships
  • misconfigured permissions
  • service accounts
  • SPNs (for kerberoasting)
  • unconstrained delegation
  • password policy weaknesses

tools commonly used:

  • net commands
  • PowerShell (Get-ADUser, Get-ADComputer, Get-ADGroup)
  • bloodhound / sharphound

Conclusion

windows fundamentals + active directory fundamentals combine into one big idea:

windows controls security using accounts, permissions, groups, services, registry, and processes — and AD extends this model to whole networks using domains, policies, and centralized authentication.

understanding these core systems is enough to navigate almost any Windows/AD cybersecurity task.

`

Natas Level 2

Shubham
Cybersecurity Enthusiast

Natas 2

so in this level you will see there is nothing in the html, css and js when you inspect the element ... so we got the hint from there, that there a folder named files by looking at the line <img src="files/pixel.png>

so now we will navigate to the files by adding /files in the end
there you will see users.txt
in that you will find password for natas 3

`

Natas Level 3

Shubham
Cybersecurity Enthusiast

Natas 3

Theory

Today’s internet is indexed by search-engine crawlers, such that Google and Co know what content exists on websites to improve search engine results. The robots.txt file exists on servers to tell these crawlers and other web bots, which part of the website can be visited. It allows defining a user-agent aka for what specific bot the rules should be, and which page of the website the user-agent is not allowed to visit.

User-agent: Googlebot
Disallow: /nogooglebot/

User-agent: *
Allow: /

Sitemap: https://www.example.com/sitemap.xml

Here, for all crawlers/bots the whole website can be visited, except Google’s crawler, which cannot visit the ’nogooglebot’ directory. Also noticeable is the sitemap link. A sitemap is another file to give web crawlers information about the website. It is important to be aware that the ‘robots.txt’ file does NOT serve a security purpose. The disallowed pages can still be visited and might still show up in search engines. Read more about this file in the (Google Developer Docs)[https://developers.google.com/search/docs/crawling-indexing/robots/create-robots-txt].

Solution

Opening the website and looking at the source code, we can find a comment, which gives us a hint: .

This sound like the robots.txt file, I explained in the theory section. Navigating to the site: http://natas3.natas.labs.overthewire.org/robots.txt reveals that the file exists and it shows a disallowed path. Navigating to this path, again leads to a public directory with a ‘user.txt’ file, which contains the password to the next level.

`

Natas Level 4

Shubham
Cybersecurity Enthusiast

Natas 4

Theory

The communication between the client (our machine) and the server (that hosts the website) is done by a request-response. We sent a request for a certain page and the server sends the response with the content. Generally, they will follow different protocols and structures, which depend on the service. In this case, it is HTTP (Hypertext Transfer Protocol). The request generally includes the request method (GET, POST,…), the requested URL and the protocol version. However, it can also include additional, potentially needed information, through so-called request headers. There are many such fields, some more common than others. Relevant ones for this challenge are ‘Authorization’, which would include the credentials for the website and ‘Referer’, which is the URL/webpage from which the request is sent. Generally, all this is handled by our browser and we do not have to worry about it. It is however possible to manipulate requests.

Solution

  1. open the burpsuite
  2. turn the intercept on
  3. then click on the "refresh page" button
image
  1. send the request to the repeater
  2. open the repeater tab and edit the "Referer: http://natas4.natas.labs.overthewire.org/" to "Referer: http://natas5.natas.labs.overthewire.org/"
  3. then send the request again ...
  4. you will see that you have been authorised and you will get the password of natas 5
    `

Natas Level 5

Shubham
Cybersecurity Enthusiast

Natas 5

Theory

http is a stateless protocol: each request is independent and the server does not keep session state by default. to provide a continuous experience (for example, a logged-in session) servers send small pieces of data called http cookies to the client. the browser stores these cookies and sends them back with subsequent requests so the server can associate requests with a session or particular user.
a cookie is just a key=value pair (plus optional attributes like domain, path, expires, http-only, secure). because cookies live on the client side, a user (or an attacker) can inspect and modify them unless the server uses additional protections. depending on how the server interprets the cookie value, simple changes on the client side can change the server’s behavior — for example toggling an authentication flag.
in this level the application decides whether you are “logged in” based on a cookie value. by examining and altering that cookie you can change the perceived session state and gain access if the server relies solely on client-supplied cookie data.

Solution

  1. open the burp suite
  2. navigate to proxy tab
  3. turn on the intercept and open http://natas5.natas.labs.overthewire.org/
  4. right click and send it to repeater
  5. in the inspector section you will find request headers section
  6. in that cookie value will be loggedin=0
  7. change that to zero and apply changes then send the request ... in the response section you will see the password for natas 6
image

`

Natas Level 6

Shubham
Cybersecurity Enthusiast

Natas 6

Solution

when you will click "view sourcecode" ... source code will showup there you will see <? ?> this is php
PHP in HTML is enclosed in the following tags: <? ?> or <?php ?>. Variables start with a $ sign and the content of forms sent with a POST request can be accessed with the special $_POST variable.
Another important part for this level is that it is possible to include code from other files into a file, by using include or require.

since we can see one thing named includes/secret.inc
so visit http://natas6.natas.labs.overthewire.org/includes/secret.inc

you will see a blank page ... because since it does not show us an error, something is happening, PHP code is running, which does not include any visual output

so inspect and you will find the secret key like this:

?
$secret = "****************";
?

now you got the secret and then paste it in the box ... you will get password to natas 7 ... and there you go! `

Natas Level 7

Shubham
Cybersecurity Enthusiast

Natas 7

Solution

if we click on about, the web server will append /index.php?page=about to the end of the url
if we view the page source ../ we see a comment in both pages:
hint: password for webuser natas8 is in /etc/natas_webpass/natas8

if we try to visit /etc/natas_webpass/natas8 directly ... we will encounter Not Found error.

but if we try to visit it while we are in home ... that is: http://natas7.natas.labs.overthewire.org/index.php?page=home/etc/natas_webpass/natas8

we will get a warning which goes like

Warning: include(home/etc/natas_webpass/natas8): failed to open stream: No such file or directory in /var/www/natas/natas7/index.php on line 21

Warning: include(): Failed opening 'home/etc/natas_webpass/natas8' for inclusion (include_path='.:/usr/share/php') in /var/www/natas/natas7/index.php on line 21

error messages are frequently useful for getting a working exploit ... you can see that the web server tried and failed to open filename "home", and also told us the file path.
from here ... we can either use an absolute file path (ex: /etc/passwd) or a relative file path (../../../../etc/passwd).

lets use the absolute file path option, and navigate to http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8. This will include the flag file and display it to us.

`

Bandit Level 12 → 13

Shubham
Cybersecurity Enthusiast

Login: ssh bandit12@bandit.labs.overthewire.org -p 2220
Password: 7x16WNeHIi5YkIhWsfFIqoognUTyj9Q4

task

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level, it is helpful to create a directory under /tmp in which you can work.

theory lil bit

  1. xxd: A tool that creates a hexdump of a given file or standard input. It can also do the reverse, which is what we need here using the -r flag to turn a hexdump back into a binary file.
  2. file: This command is your best friend here. It determines the file type by looking at the "magic bytes" (header) of the file, telling you if it's a Gzip, Bzip2, or Tar archive.
  3. Decompression Commands:
    • gzip/gunzip: Handles .gz files.
    • bzip2/bunzip2: Handles .bz2 files.
    • tar: Handles .tar files using -xf (extract file).
  4. Workflow: The process is iterative: check the file type with file, rename it to have the correct extension, decompress it, and repeat until you get ASCII text.

solution

# Create a working directory
bandit12@bandit:~$ mktemp -d
/tmp/tmp.50qnmYRfkb
bandit12@bandit:~$ cd /tmp/tmp.50qnmYRfkb
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ cp ~/data.txt .

# Reverse the hexdump
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ xxd -r data.txt > binary

# Repeated decompression based on 'file' command output
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file binary
binary: gzip compressed data...
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ mv binary b.gz && gunzip b.gz

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file b
b: bzip2 compressed data...
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ mv b file.bz2 && bunzip2 file.bz2

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file file
file: gzip compressed data...
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ mv file file.gz && gunzip file.gz

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file file
file: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ tar -xf file

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ tar -xf data5.bin

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file data6.bin
data6.bin: bzip2 compressed data...
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ mv data6.bin data.bz2 && bunzip2 data.bz2

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file data
data: POSIX tar archive (GNU)
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ tar -xf data

bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file data8.bin
data8.bin: gzip compressed data...
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ mv data8.bin hello.gz && gunzip hello.gz

# Final Result
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ file hello
hello: ASCII text
bandit12@bandit:/tmp/tmp.50qnmYRfkb$ cat hello
The password is FO5dwFsc0cbaIiH0h8J2eUks2vdTDwAn

`