Try Hack Me - Investigating Windows

A Windows machine has been hacked. It's your job to investigate this Windows machine and find clues to what the hacker might have done.


Howdy my fellow Cyber Enthusiasts! Welcome to another room Try Hack Me offers! So let's dive in! 😄

Click on the "Start Machine" and a couple of minutes later a target machine will pop up, combined with a Windows Virtual Machine on the right-side of your screen.

💡
What's the version and year of the Windows machine?

Inside the Windows machine, open PowerShell and type the following command to find the information we are looking for about the operating system.

Get-ComputerInfo -Property "Os*"

(Screenshot: Windows PowerShell OS information)

💡
Which user logged in last?

In PowerShell, type the following command to see the users available on the system.

net user

Append a username to see some information about that account.

net user Administrator
net user Jenny
net user John

Simply compare the login dates and answer the question.

💡
When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM

Simple! Just use the above command for John to find the answer. Easy, right?

💡
What IP does the system connect to when it first starts?

On startup it runs C:\TMP\p.exe and connects to the following IP address.

💡
What two accounts had administrative privileges (other than the Administrator user)?
Answer format: List them in alphabetical order.

To see all accounts that have administrative privileges run the following command.

(Get-LocalGroupMember "Administrators").Name

💡
What's the name of the malicious scheduled task?

Open up Task Scheduler and inspect the running tasks.

This is interesting. It seems like a netcat listener on a specific port. That seems malicious.

💡
What file was the task trying to run daily?

This is easy: it is the name of the PowerShell script.

💡
What port did this file listen locally for?

This is the port that nc.ps1 listens on.

💡
When did Jenny last logon?

We've covered this before. Run the command below to find information about her.

net user Jenny

💡
At what date did the compromise take place?
Answer format: MM/DD/YYYY

Inside the Task Scheduler we can see when the tasks were created. Let's try that! 😮

💡
During the compromise, at what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM

Open up Event Viewer -> Windows Logs -> Security

We now know the date of the compromise, so adjust the date and time accordingly.

After a bit of searching, filter for Event ID 4672 (special privileges assigned to a new logon).

💡
What tool was used to get Windows passwords?

Remember the C:\TMP folder? A bit of searching revealed the Mimikatz tool.

💡
What was the attacker's external control and command server's IP?

Well, we need to check our hosts file to answer that one.

The file C:\Windows\System32\drivers\etc\hosts is a system configuration file in Windows that maps hostnames (domain names) to IP addresses locally, allowing the computer to override DNS lookups. It is commonly used for blocking websites, redirecting domains, or testing network configurations.

💡
What was the extension name of the shell uploaded via the server's website?

The usual location for a website hosted on a Windows machine is the following.

C:\inetpub\wwwroot\ is the default root directory for websites hosted on Microsoft IIS (Internet Information Services). It contains the web files (HTML, scripts, assets) that are served to users when they access the local or hosted website.

💡
What was the last port the attacker opened?

Open up Windows Firewall -> InBound Rules -> "Allow outside connections for development"

💡
Check for DNS poisoning, what site was targeted?

Check again the C:\Windows\System32\drivers\etc\hosts file. The answer lies in here. 😄
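The checks above were done by hand in separate windows. As an added example (my own triage script, not part of the Try Hack Me room), the script below pulls the same artefacts from one elevated PowerShell session: OS version, local user last logons, Administrators group members, non-Microsoft scheduled tasks and their actions, registry Run keys, hosts file entries, non-standard files under the IIS web root, inbound firewall allow rules with their ports, and the first Event ID 4672 records after a date. The $Since parameter is an assumption; set it to the compromise date found in Task Scheduler.

```powershell
# Added triage script (not from the THM room). Run in an elevated PowerShell on the VM.
# $Since is an assumption: set it to the compromise date found in Task Scheduler.
param([datetime]$Since = (Get-Date).AddDays(-30))

# OS version and build
Get-ComputerInfo -Property OsName, OsVersion, OsBuildNumber | Format-List

# Local users, most recent logon first
Get-LocalUser | Sort-Object LastLogon -Descending |
    Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize

# Members of the local Administrators group
(Get-LocalGroupMember -Group "Administrators").Name

# Non-Microsoft scheduled tasks: registration date and what each one runs
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskName
            Created = $_.Date
            Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -Wrap

# Programs launched at start-up via the registry Run keys
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue }

# hosts file entries that are not comments or blank lines (DNS poisoning, C2 names)
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*[^#\s]' }

# Files under the IIS web root whose extension is not ordinary web content
Get-ChildItem C:\inetpub\wwwroot -Recurse -File |
    Where-Object { $_.Extension -notin '.html', '.htm', '.png', '.jpg', '.css', '.js' } |
    Select-Object FullName, LastWriteTime

# Enabled inbound allow rules and the local ports they open
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $p = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; LocalPort = $p.LocalPort; Protocol = $p.Protocol }
    } | Sort-Object Rule | Format-Table -AutoSize

# First Event ID 4672 records (special privileges assigned to new logon) since $Since
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Since } |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[1].Value } } |
    Sort-Object TimeCreated | Select-Object -First 5
```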

Congratulations! You have solved this room! 🎉 🎉 🎉