
Introduction

Everyone prefers a graphical user interface (GUI) until they master a command-line interface (CLI).

There are many reasons for that. One reason is that GUIs are usually intuitive. If someone offers you a GUI interface you are unfamiliar with, you can quickly poke around and discover a non-trivial part of its functionality. Compare this with dealing with a CLI, i.e., a prompt.

A CLI has a learning curve; however, once you master it, it is the most efficient way to get work done. For example, how many clicks do you need to view your IP address in the GUI? In the CLI, one command followed by Enter shows it.

There are many other advantages to using a CLI besides speed and efficiency. We will mention a few:

  • Lower resource usage: CLIs require fewer system resources than graphics-intensive GUIs. In other words, you can run your CLI system on older hardware or systems with limited memory. If you are using cloud computing, your system will require lower resources, which in turn will lower your bill.
  • Automation: While you can automate GUI tasks, creating a batch file or script with the commands you need to repeat is much easier.
  • Remote management: CLI makes it very convenient to use SSH to manage a remote system such as a server, router, or an IoT device. This approach works well on slow network speeds and systems with limited resources.

Learning Objectives

The purpose of this room is to teach you how to use MS Windows Command Prompt cmd.exe, the default command-line interpreter in the Windows environment. We will learn how to use the command line to:

  • Display basic system information
  • Check and troubleshoot network configuration
  • Manage files and folders
  • Check running processes

Room Prerequisites

Before starting this room, you should have finished the Windows and AD Fundamentals module.

Prerequisites not met lol, gotta do the Windows and AD Fundamentals and come back xD Here is the Windows and AD Fundamentals >>>


Prerequisites Done ✅

You can use the SSH client on the AttackBox to connect to MACHINE_IP with the following credentials:

  • Username: user
  • Password: Tryhackme123!

Establishing an SSH Connection from the AttackBox

If this is the first time you initiate an SSH connection from the AttackBox to a target system, the steps are shown in the screenshot below, and they are the following:

  1. Start the AttackBox’s terminal by clicking the terminal icon marked with 1.
  2. To connect to the target VM, issue the command ssh user@MACHINE_IP, where user is the username in this case, as marked with 2.
  3. Because this is your first time connecting to this target VM, you will be asked to trust this connection. Answer with yes as marked with 3.
  4. Enter your password Tryhackme123!. Please note that the password will not appear as you type it.

Starting the terminal on the AttackBox and connecting the target VM using SSH.

Questions

  1. What is the default command line interpreter in the Windows environment?
    • cmd.exe

Basic System Information

set

Understanding the Path Environment Variable in Windows

The Path environment variable in Windows tells the system where to look for executable files when you run a command in the terminal. If a command or program isn’t in one of the directories listed in the Path, Windows won’t recognize it unless you provide the full path.

How It Works

  • When you type a command (e.g., python), Windows looks in the directories listed in the Path environment variable, in the order they appear.
  • If the executable file (e.g., python.exe) is found, the command runs.
  • If it’s not found, you get an error:

‘python’ is not recognized as an internal or external command, operable program or batch file.

Viewing the Path

You can use the set command to view your current Path:

set Path

Adding to the Path

Temporary (Current Session Only)

You can add a directory to the Path for the current session only:

set Path=C:\MyCustomDir;%Path%

Permanent

To make the change permanent, use the setx command:

setx Path "C:\MyCustomDir;%Path%"

Why is the Path Important?

Without the correct directories in the Path, you would need to type the full path to run programs. For example:

C:\Python39\python.exe script.py

With C:\Python39 in the Path, you can just type:

python script.py
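The lookup described above is worth seeing as code, because the order of the directories decides which file runs. The following is an added example, not part of the room: it models how cmd.exe walks the Path and the PATHEXT extensions, then shows that prepending a directory (the effect of set Path=C:\MyCustomDir;%Path%) makes a second python.exe shadow the first. The directory layout is constructed in a temporary folder, and the four-entry PATHEXT list is an assumption so the script runs on any OS.

```python
"""Added example (not part of the room): a model of how cmd.exe resolves a
command name against the Path variable.  The directory layout is constructed
in a temporary folder so it runs anywhere; the Path values are assumptions."""
import os
import tempfile

# A typical PATHEXT prefix; on Windows the real list comes from the PATHEXT
# environment variable.  (assumption: trimmed to four entries)
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")


def resolve_command(name, path_dirs, pathext=DEFAULT_PATHEXT):
    """Return the full path of the file cmd.exe would run for `name`, or None.

    Directories are searched in the order they appear in `path_dirs`; within
    a directory the PATHEXT extensions are tried in order.  Matching is
    case-insensitive, as on an NTFS volume.
    """
    _, ext = os.path.splitext(name)
    # "python.exe" is tried as typed; "python" becomes python.COM, python.EXE,
    # python.BAT, python.CMD in that order.
    candidates = [name.lower()] if ext else [(name + e).lower() for e in pathext]
    for directory in path_dirs:
        if not directory or not os.path.isdir(directory):
            continue  # empty entries (a stray ';') and missing dirs are skipped
        entries = {e.lower(): e for e in os.listdir(directory)}
        for cand in candidates:
            if cand in entries:
                full = os.path.join(directory, entries[cand])
                if os.path.isfile(full):
                    return full  # first match wins; nothing later is consulted
    return None


def demo_prepend():
    """Show why the order of Path matters.

    Two directories both contain python.exe.  With only the first directory
    in Path, that copy runs; after prepending a second directory (the effect
    of `set Path=C:\\MyCustomDir;%Path%`), the prepended copy shadows it.
    Returns (path_before, path_after) as strings.
    """
    with tempfile.TemporaryDirectory() as tmp:
        python_dir = os.path.join(tmp, "Python39")     # stands in for C:\Python39
        custom_dir = os.path.join(tmp, "MyCustomDir")  # stands in for C:\MyCustomDir
        for d in (python_dir, custom_dir):
            os.mkdir(d)
            with open(os.path.join(d, "python.exe"), "w") as f:
                f.write("")  # constructed placeholder, not a real executable
        before = resolve_command("python", [python_dir])
        after = resolve_command("python", [custom_dir, python_dir])
        return before, after


if __name__ == "__main__":
    b, a = demo_prepend()
    print("before prepend:", b)
    print("after  prepend:", a)
    print("unknown command:", resolve_command("nosuchtool", []))
```

On a real system, where python prints the same answer this function computes, and comparing it with the directories listed by set Path is the quick check that nothing earlier in the Path is shadowing the program you expect. Two caveats on the permanent form: %Path% expands to the combined user and system value at the moment you run setx, so the user-level Path it writes ends up containing the system entries as well, and setx truncates values longer than 1024 characters.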

ver

Let’s use the ver command to determine the operating system (OS) version. The terminal below shows an example output.

user@WINSRV2022-CORE C:\Users\user>ver
 
Microsoft Windows [Version 10.0.20348.2655]

systeminfo

We can run the systeminfo command to list various information about the system such as OS information, system details, processor and memory. The terminal below shows a snippet of the displayed output.

user@WINSRV2022-CORE C:\Users\user>systeminfo
 
Host Name:                 WINSRV2022-CORE
OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00454-60000-00001-AA763
Original Install Date:     4/23/2024, 7:36:29 PM
System Boot Time:          1/12/2025, 12:04:56 PM
System Manufacturer:       Amazon EC2
System Model:              t3a.micro
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     980 MB
Available Physical Memory: 147 MB
Virtual Memory: Max Size:  1,300 MB
Virtual Memory: Available: 380 MB
Virtual Memory: In Use:    920 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB5041948
                           [02]: KB5041160
                           [03]: KB5032310
                           [04]: KB5041590
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.250.118
                                 [02]: fe80::b9a0:662c:4e2e:e69f
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Tips

Before moving on, it is good to mention a couple of tricks.

First, if a command's output is too long, you can pipe it through more and view it page by page by pressing the space bar. To demonstrate this, try running driverquery and compare it with running driverquery | more. In the latter, the output is displayed one page at a time, and you can exit with CTRL + C.

  • help - Provides help information for a specific command.
  • cls - Clears the Command Prompt screen.

Questions

  1. What is the OS version of the Windows VM?
    • 10.0.20348.2655
  2. What is the hostname of the Windows VM?
    • WINSRV2022-CORE

Network Troubleshooting

Most of us are used to looking up MS Windows network configuration from the GUI interface. The command-line interface provides many networking-related commands to look up your current configuration, check ongoing connections, and troubleshoot networking issues.

Network Configuration

You can check your network information using ipconfig. The terminal output below shows our IP address, subnet mask, and default gateway.

C:\>ipconfig
 
Windows IP Configuration
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Link-local IPv6 Address . . . . . : fe80::90df:4861:ba40:f2a8%4
   IPv4 Address. . . . . . . . . . . : 10.10.230.237
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1

You can also use ipconfig /all for more information about your network configuration. As shown in the terminal below, we can view our DNS servers and confirm that DHCP is enabled.

C:\>ipconfig /all
 
Ethernet adapter Ethernet 3:
 
   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-B7-DF-1D-0D-99
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::90df:4861:ba40:f2a8%4(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.10.230.237(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Wednesday, May 1, 2024 2:38:05 PM
   Lease Expires . . . . . . . . . . : Wednesday, May 1, 2024 4:08:07 PM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DHCPv6 IAID . . . . . . . . . . . : 134353458
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-27-E3-D1-2B-0E-F8-30-D0-72-3F
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
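The fields above are what a troubleshooter reads off by hand: which subnet the host is on, whether the default gateway is actually inside it, and whether the DNS server is local or reached through the gateway. The following is an added example, not part of the room: it parses ipconfig /all output into a dictionary and runs those checks with Python's ipaddress module. The sample text is constructed from the adapter block shown above (plus a Host Name line taken from the systeminfo output earlier); the section and helper names are assumptions.

```python
"""Added example (not from the room): parse `ipconfig /all` output and run the
sanity checks a troubleshooter does by hand.  The sample is constructed from
the adapter block shown in the room, trimmed to the fields the checks need."""
import ipaddress
import re

SAMPLE_IPCONFIG_ALL = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSRV2022-CORE

Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 02-B7-DF-1D-0D-99
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.230.237(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.2
"""


def clean_value(value):
    """Strip the '(Preferred)' marker ipconfig appends to addresses."""
    return re.sub(r"\(Preferred\)\s*$", "", value).strip()


def parse_ipconfig_all(text):
    """Return {section_name: {field: [values]}}.

    Sections are the non-indented lines ("Windows IP Configuration",
    "Ethernet adapter Ethernet 3:").  Field lines look like
    "   Key . . . : value"; a deeper-indented line with no key is a
    continuation carrying another value for the previous field (several DNS
    servers, for example).  Values are kept as lists for that reason.
    """
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            name = raw.rstrip(":").strip()
            if " adapter " in name:
                name = name.split(" adapter ", 1)[1]  # "Ethernet 3"
            current = sections.setdefault(name, {})
            last_key = None
            continue
        if current is None:
            continue
        if raw.startswith(" " * 10) and last_key is not None:
            current[last_key].append(clean_value(raw))  # continuation line
            continue
        key, _, value = raw.partition(":")  # first ':' only; IPv6 values keep theirs
        last_key = key.strip(" .")
        current.setdefault(last_key, []).append(clean_value(value))
    return sections


def check_adapter(fields):
    """Derive the facts a troubleshooter wants from one adapter's fields.

    Assumes an IPv4 address, mask and gateway as in the sample.
    """
    iface = ipaddress.IPv4Interface(f"{fields['IPv4 Address'][0]}/{fields['Subnet Mask'][0]}")
    gw_vals = fields.get("Default Gateway", [])
    gateway = ipaddress.IPv4Address(gw_vals[0]) if gw_vals and gw_vals[0] else None
    dns = [ipaddress.IPv4Address(v) for v in fields.get("DNS Servers", [])]
    return {
        "mac": fields["Physical Address"][0],
        "network": str(iface.network),
        "dhcp": fields.get("DHCP Enabled", ["No"])[0] == "Yes",
        # A gateway outside the local subnet can never be reached: a classic
        # static-address mistake.
        "gateway_on_link": (gateway in iface.network) if gateway else None,
        # An off-link DNS server is reached through the gateway, so a dead
        # gateway shows up as "name resolution" failures.
        "dns_on_link": [d in iface.network for d in dns],
    }


if __name__ == "__main__":
    parsed = parse_ipconfig_all(SAMPLE_IPCONFIG_ALL)
    print("host:", parsed["Windows IP Configuration"]["Host Name"][0])
    print(check_adapter(parsed["Ethernet 3"]))
```

On the sample, the host sits in 10.10.0.0/16, the gateway 10.10.0.1 is on-link, and the DNS server 10.0.0.2 is not, which is why a gateway problem on this box would surface first as failed lookups rather than as an obviously dead link.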

Network Troubleshooting

One common troubleshooting task is checking whether the system can reach a particular server on the Internet. The command syntax is ping target_name. Inspired by ping-pong, we send a specific ICMP packet and listen for a response. If a response is received, we know that we can reach the target and that the target can reach us.

Let’s find out if we reach example.com. In the terminal output below, we can see that we have successfully received four replies. Furthermore, we got some statistics; for instance, the average round trip time is 78 milliseconds.

C:\>ping example.com
 
Pinging example.com [93.184.215.14] with 32 bytes of data:
Reply from 93.184.215.14: bytes=32 time=78ms TTL=52
Reply from 93.184.215.14: bytes=32 time=78ms TTL=52
Reply from 93.184.215.14: bytes=32 time=78ms TTL=52
Reply from 93.184.215.14: bytes=32 time=78ms TTL=52
 
Ping statistics for 93.184.215.14:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 78ms, Maximum = 78ms, Average = 78ms

Another valuable tool for troubleshooting is tracert, which stands for trace route. The command tracert target_name traces the network route traversed to reach the target. Without getting into more details, it expects the routers on the path to notify us if they drop a packet because its time-to-live (TTL) has reached zero. The terminal output below shows that we passed through 15 routers before reaching our target.

C:\>tracert example.com
 
Tracing route to example.com [93.184.215.14]
over a maximum of 30 hops:
 
  1    59 ms    32 ms    42 ms  ec2-3-248-240-3.eu-west-1.compute.amazonaws.com [3.248.240.3]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9    <1 ms    13 ms    <1 ms  100.100.2.56
 10    15 ms    11 ms    11 ms  ae-42.a03.londen12.uk.bb.gin.ntt.net [131.103.117.104]
 11    17 ms    11 ms    12 ms  ae-14.r20.londen12.uk.bb.gin.ntt.net [129.250.3.248]
 12    81 ms    80 ms    80 ms  ae-7.r20.nwrknj03.us.bb.gin.ntt.net [129.250.6.147]
 13    83 ms    83 ms    86 ms  ae-0.a02.nycmny17.us.bb.gin.ntt.net [129.250.3.9]
 14    79 ms    79 ms    96 ms  ce-0-3-0.a02.nycmny17.us.ce.gin.ntt.net [128.241.1.14]
 15    81 ms    86 ms    79 ms  ae-67.core1.nyd.edgecastcdn.net [152.195.68.135]
 16    78 ms    78 ms    78 ms  93.184.215.14
 
Trace complete.

More Networking Commands

One networking command worth knowing is nslookup. It looks up a host or domain and returns its IP address. The syntax nslookup example.com will look up example.com using the default name server; however, nslookup example.com 1.1.1.1 will use the name server one.one.one.one. The terminal below shows the output of both commands. The results are identical; however, you can see that the answers were retrieved from different name servers.

C:\>nslookup example.com
Server:  ip-10-0-0-2.eu-west-1.compute.internal
Address:  10.0.0.2
 
Non-authoritative answer:
Name:    example.com
Addresses:  2606:2800:21f:cb07:6820:80da:af6b:8b2c
          93.184.215.14
 
C:\>nslookup example.com 1.1.1.1
Server:  one.one.one.one
Address:  1.1.1.1
 
Non-authoritative answer:
Name:    example.com
Addresses:  2606:2800:21f:cb07:6820:80da:af6b:8b2c
          93.184.215.14

The final networking command we will cover in this room is netstat. This command displays current network connections and listening ports. A basic netstat command with no arguments will show you established connections, as shown below. In this case, we only have one SSH connection; we figured out it is SSH because it is bound to port 22.

C:\>netstat
 
Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    10.10.230.237:22       ip-10-11-81-126:53486  ESTABLISHED

If you are curious about the other options, you can run netstat -h, where -h displays the help page. We opted for the following options:

  • -a displays all established connections and listening ports
  • -b shows the program associated with each listening port and established connection
  • -o reveals the process ID (PID) associated with the connection
  • -n uses a numerical form for addresses and port numbers

We combine these four options and execute the netstat -abon command. The result is quite long, but we display the first few lines in the terminal below. It is clear now that the executable sshd.exe is responsible for listening for incoming connections on port 22, as shown in the first line. We can also see the process ID (PID) associated with each connection.

C:\>netstat -abon
 
Active Connections
 
  Proto  Local Address          Foreign Address        State           PID 
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2116
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  RpcSs 
 [svchost.exe]
[...]
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       2036
 [spoolsv.exe]
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       584 
 Can not obtain ownership information
  TCP    0.0.0.0:49686          0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    10.10.230.237:22       10.11.81.126:53486     ESTABLISHED     2116 
 [sshd.exe]
 [...]
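The value of netstat -abon for a defender is the inventory it gives: every listening port with the image and, for svchost-hosted services, the service name that owns it. The following is an added example, not part of the room: it parses that output into records, handles the three owner forms seen above ("[image.exe]", a bare service name such as RpcSs, and "Can not obtain ownership information"), and compares the listeners against an expected baseline. The sample is constructed from the excerpt above with the "[...]" gaps dropped; the baseline and the helper names are assumptions. Note that the -b option itself needs an elevated prompt, so run the command from one when you want attribution.

```python
"""Added example (not part of the room): parse `netstat -abon` output into
records and build the listening-port inventory a defender checks against an
expected baseline.  Sample constructed from the room's excerpt."""

SAMPLE_NETSTAT_ABON = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2116
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       2036
 [spoolsv.exe]
  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       584
 Can not obtain ownership information
  TCP    0.0.0.0:49686          0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    10.10.230.237:22       10.11.81.126:53486     ESTABLISHED     2116
 [sshd.exe]
"""


def parse_netstat_abon(text):
    """Return a list of dicts, one per connection line.

    A line starting with TCP or UDP opens a record (UDP lines have no State
    column).  The lines that follow it, up to the next TCP/UDP line, describe
    the owner: "[image.exe]" is the executable, a bare name such as RpcSs is
    the service hosted in that process, and "Can not obtain ownership
    information" means netstat could not attribute it.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Active Connections" or line.startswith("Proto"):
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            proto, local, foreign = parts[:3]
            state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
            records.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state, "pid": int(pid),
                            "image": None, "service": None})
        elif records:
            owner = records[-1]
            if line.startswith("[") and line.endswith("]"):
                owner["image"] = line[1:-1]
            elif line.startswith("Can not obtain ownership"):
                owner["image"] = "<unattributed>"
            else:
                owner["service"] = line
    return records


def local_port(address):
    """Port number of 'host:port' or '[v6addr]:port'."""
    return int(address.rsplit(":", 1)[1])


def listening_ports(records):
    """Map each LISTENING local port to (image, service)."""
    return {local_port(r["local"]): (r["image"], r["service"])
            for r in records if r["state"] == "LISTENING"}


def unexpected_listeners(records, baseline):
    """Listening ports whose owning image is not what the baseline expects.

    `baseline` maps port -> image name.  Ports absent from it, and ports whose
    owner could not be attributed, are reported so a human can look at them.
    """
    return {port: owner for port, owner in listening_ports(records).items()
            if baseline.get(port) != owner[0]}


if __name__ == "__main__":
    recs = parse_netstat_abon(SAMPLE_NETSTAT_ABON)
    for port, (image, service) in sorted(listening_ports(recs).items()):
        print(f"{port:>6}  {image}  {service or ''}")
    # Constructed baseline: only SSH and the RPC endpoint mapper are expected.
    print(unexpected_listeners(recs, {22: "sshd.exe", 135: "svchost.exe"}))
```

Against the constructed baseline of SSH and the RPC endpoint mapper, the three high ports (spoolsv.exe, lsass.exe and the unattributed 49670) are flagged for review; in practice the baseline is whatever the server is supposed to be running, and anything outside it is the starting point for the tasklist and taskkill steps later in the room.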

Questions

  1. Which command can we use to look up the server’s physical address (MAC address)?
    • ipconfig /all
  2. What is the name of the process listening on port 3389?
    • TermService
  3. What is the subnet mask?
    • 255.255.0.0

Files and Disk Management

I. Directory Management

  • cd (change directory): Navigates the file system.
    • cd: Shows the current directory.
    • cd target_directory: Changes to the specified directory.
    • cd ..: Moves up one directory level.
  • dir (directory): Lists files and subdirectories.
    • dir /a: Shows hidden and system files.
    • dir /s: Shows files and subdirectories recursively.
  • tree: Displays a hierarchical tree view of directories.
  • mkdir (make directory): Creates a new directory.
  • rmdir (remove directory): Deletes an empty directory.

II. File Management

  • type filename: Displays the contents of a text file (use more for large files).
  • copy source destination: Copies a file. (e.g., copy file1.txt file2.txt)
  • move source destination: Moves a file. (e.g., move file1.txt new_folder)
  • del or erase filename: Deletes a file.
  • Wildcard Characters (*): Use * to specify multiple files (e.g., copy *.txt backup_folder copies all .txt files).

Example:

cd Documents
rem dir /b lists only filenames (no details)
dir /b
mkdir project_x
copy *.txt project_x
move report.docx project_x
del *.tmp
tree

This concisely covers the core command-line commands for file and directory manipulation in Windows. Remember to use caution when deleting files or directories using del and rmdir, as these actions are irreversible without backups.

Questions

  1. What are the file’s contents in C:\Treasure\Hunt?
    • THM{CLI_POWER}

Task and Process Management

I. Listing Processes

The tasklist command displays a list of currently running processes. The output includes the process name, process ID (PID), session information, and memory usage.

tasklist

Because the output can be lengthy, filtering options are available. Use /FI to specify filter criteria. For example:

rem Lists only notepad.exe processes
tasklist /FI "IMAGENAME eq notepad.exe"
rem Lists the process with PID 1234
tasklist /FI "PID eq 1234"
rem Lists processes using more than 10000 KB (about 10 MB) of memory
tasklist /FI "MEMUSAGE gt 10000"

Use tasklist /? to see all available filter options.

II. Terminating Processes

To terminate a process, use the taskkill command with the /PID option, followed by the process ID.

taskkill /PID 1234

This asks the process to terminate. If the process doesn’t respond, it might require a forced termination. You can add the /F option for this:

taskkill /F /PID 1234

Caution: Terminating crucial system processes can lead to system instability. Exercise caution when using taskkill.

III. Example Scenario

  1. List all running processes: tasklist
  2. Find processes named chrome.exe: tasklist /FI "IMAGENAME eq chrome.exe"
  3. Identify the PID of a specific chrome.exe instance (e.g., PID 5678).
  4. Terminate that Chrome instance: taskkill /F /PID 5678

Questions

  1. What command would you use to find the running processes related to notepad.exe?
    • tasklist /FI "imagename eq notepad.exe"
  2. What command can you use to kill the process with PID 1516?
    • taskkill /PID 1516

Conclusion

In this room, we focused on the most practical commands for accessing a networked system over the command line.

We intentionally omitted a few common commands as we didn’t see a real value for including them in a beginner room. We mention them below so that you know that the command line can be used for other tasks.

  • chkdsk: checks the file system and disk volumes for errors and bad sectors.
  • driverquery: displays a list of installed device drivers.
  • sfc /scannow: scans system files for corruption and repairs them if possible.

It is important to remember all the commands covered in the previous tasks; moreover, it is equally important to know that /? can be used with most commands to display a help page.

In this room, we used the command more in two ways:

  • Display text files: more file.txt
  • Pipe long output to view it page by page: some_command | more

Equipped with this knowledge, we now know how to display the help page of a new command and how to display long output one page at a time.

Now that you know the Windows command line, it is time to move to the Windows PowerShell room.

Questions

  1. The command shutdown /s can shut down a system. What is the command you can use to restart a system?
    • shutdown /r
  2. What command can you use to abort a scheduled system shutdown?
    • shutdown /a