Link: Advent Of Cyber 3 on TryHackMe
Complete the username: p.....
Command: net users
Answer: pepper
What is the OS version?
Command: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Answer: 10.0.17763 N/A Build 17763
What backup service did you find running on the system?
Command: wmic service list | Out-File -FilePath dump.txt
Here I am dumping it into a file for convenience's sake, but probably avoid doing this during an engagement.
Answer: IperiusSvc
What is the path of the executable for the backup service you have identified?
Answer: C:\Program Files (x86)\Iperius Backup\IperiusService.exe
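The two service questions above can also be answered in one pass without writing a dump file. The PowerShell below is an added example, not part of the original walkthrough: it lists every service whose executable lives outside the Windows directory, together with the account it runs as, which is the inventory a defender would review for third-party services such as a backup agent. The column names in the output object are my own choice.

```powershell
# Added example (not from the original walkthrough).
# Inventory services whose binary is outside %SystemRoot% and show the
# account each one runs as, so third-party services stand out for review.

$systemRoot = [regex]::Escape($env:SystemRoot)

Get-CimInstance -ClassName Win32_Service |
    ForEach-Object {
        # PathName can be quoted and can carry arguments; isolate the .exe.
        $exe = if ($_.PathName -match '^\s*"([^"]+)"') {
                   $Matches[1]                      # "C:\dir with space\svc.exe" -arg
               } elseif ($_.PathName -match '^\s*(.+?\.exe)') {
                   $Matches[1]                      # C:\dir\svc.exe -arg (unquoted)
               } else {
                   $_.PathName                      # drivers, empty values, etc.
               }

        [pscustomobject]@{
            Name       = $_.Name
            State      = $_.State
            StartMode  = $_.StartMode
            RunsAs     = $_.StartName
            Executable = $exe
        }
    } |
    # Keep only services that have a binary path and live outside C:\Windows.
    Where-Object { $_.Executable -and $_.Executable -notmatch "^$systemRoot\\" } |
    Sort-Object RunsAs, Name |
    Format-Table -AutoSize -Wrap
```

A service in this list that runs under a privileged account and lets ordinary users configure what it executes is the kind of finding to follow up on.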
Run the whoami command on the connection you have received on your attacking machine. What user do you have?
Step 1:
Get evil.bat created.
Step 2:
Create the backup job.
Step 3:
Set the destination.
Step 4:
Set up the pre-script.
Step 5:
Start the listener: nc -lvnp 1234
Step 6:
Start the backup as a service.
Step 7:
Profit!
Answer: the-grinch-hack\thegrinch
What is the content of the flag.txt file?
Answer: THM-736635221
The Grinch forgot to delete a file where he kept notes about his schedule! Where can we find him at 5:30?
Answer: jazzercize