Windows Fundamentals
Hack The Box Walkthroughs · Academy · Windows Fundamentals
Introduction
Introduction to Windows
Windows is an operating system developed and managed by Microsoft. There are many versions of Windows operating systems, which differ by their version number and by their intended use (server vs personal).
We can find out information about our operating system in PowerShell using the Get-WmiObject cmdlet. Get-WmiObject can, for example, show the version and build number of our operating system. We can also view processes with the win32_Process class to get a process listing, view services with the win32_Service class, and view BIOS (basic input/output system) information with the win32_Bios class.
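The queries described above, written out as an added example (this is not code from the HTB module). Get-CimInstance is the current replacement for Get-WmiObject and accepts the same class names; one legacy Get-WmiObject call is kept for comparison. Win32_OperatingSystem is the class that carries the version and build number; the WQL filter at the end is an assumption about what a practitioner would want to check, not something the page prescribes.

```powershell
# Added example, not from the HTB module: basic WMI inventory queries.
# Get-CimInstance is the modern replacement for Get-WmiObject; class names are identical.

# Version and build number of the running OS (Win32_OperatingSystem class)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0} version {1} build {2}" -f $os.Caption, $os.Version, $os.BuildNumber

# Same query in the legacy form used by the module
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

# Process listing: name, PID, parent PID and command line
Get-CimInstance -ClassName Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, CommandLine |
    Sort-Object ProcessId | Format-Table -AutoSize

# Services: state, start mode and the account each one runs under
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize

# BIOS / firmware information
Get-CimInstance -ClassName Win32_BIOS |
    Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber

# WQL filters are evaluated by the provider, which is cheaper than piping everything
# through Where-Object. Example: services set to start automatically that are not
# running, a quick health check after patching or after an incident.
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, StartName, PathName
```

Run it in any PowerShell session on a Windows host; none of the queries need elevation, although the CommandLine field of other users' processes is only populated when running as an administrator.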
In addition to accessing a computer running Windows locally, we can remotely access a computer running Windows over a network using the Remote Desktop Protocol (RDP) and the target computer's IP address. Remote access methods include:
Virtual Private Networks (VPN)
Secure Shell (SSH)
File Transfer Protocol (FTP)
Virtual Network Computing (VNC)
Windows Remote Management (or PowerShell Remoting) (WinRM)
Remote Desktop Protocol (RDP)
xfreerdp is a common client for connecting over RDP from a Linux machine.
Core of the Operating System
Operating System Structure
In Windows operating systems, the root directory is <drive_letter>:\ (<drive_letter> is commonly C). The root directory, or boot partition, is where the operating system is installed. Other physical and virtual drives are assigned other letters.
The directory structure of the root directory is as follows:
Perflogs: Can hold Windows performance logs but is empty by default.
Program Files: On 32-bit systems, all 16-bit and 32-bit programs are installed here. On 64-bit systems, only 64-bit programs are installed here.
Program Files (x86): 32-bit and 16-bit programs are installed here on 64-bit editions of Windows.
ProgramData: This is a hidden folder that contains data that is essential for certain installed programs to run. This data is accessible by the program no matter what user is running it.
Users: This folder contains user profiles for each user that logs onto the system and contains the two folders Public and Default.
Default: This is the default user profile template for all created users. Whenever a new user is added to the system, their profile is based on the Default profile.
Public: This folder is intended for computer users to share files and is accessible to all users by default. This folder is shared over the network by default but requires a valid network account to access.
AppData: Per user application data and settings are stored in a hidden user subfolder (i.e., cliff.moore\AppData). Each of these folders contains three subfolders. The Roaming folder contains machine-independent data that should follow the user's profile, such as custom dictionaries. The Local folder is specific to the computer itself and is never synchronized across the network. LocalLow is similar to the Local folder, but it has a lower data integrity level. Therefore it can be used, for example, by a web browser set to protected or safe mode.
Windows: The majority of the files required for the Windows operating system are contained here.
System, System32, SysWOW64: Contains all DLLs required for the core features of Windows and the Windows API. The operating system searches these folders any time a program asks to load a DLL without specifying an absolute path.
WinSxS: The Windows Component Store contains a copy of all Windows components, updates, and service packs.
The Windows equivalent of ls <directory> is dir <directory>. As with Linux, we can use the tree utility to see the directory structure of a path or disk.
File System
Windows supports several file systems; the two most common are described below.
FAT32 (File Allocation Table) is widely used across many types of storage devices such as USB memory sticks and SD cards but can also be used to format hard drives.
NTFS (New Technology File System) is the default Windows file system since Windows NT 3.1. In addition to making up for the shortcomings of FAT32, NTFS also has better support for metadata and better performance due to improved data structuring.
The NTFS permissions that can be assigned to files and folders are:
Full Control: Allows reading, writing, changing, deleting of files/folders.
Modify: Allows reading, writing, and deleting of files/folders.
List Folder Contents: Allows for viewing and listing folders and subfolders as well as executing files. Folders only inherit this permission.
Read and Execute: Allows for viewing and listing files and subfolders as well as executing files. Files and folders inherit this permission.
Write: Allows for adding files to folders and subfolders and writing to a file.
Read: Allows for viewing and listing of folders and subfolders and viewing a file's contents.
Traverse Folder: This allows or denies the ability to move through folders to reach other files or folders, even without permissions to list the directory contents or view the files along the way.
The icacls utility can be used to view and set permissions.
Inheritance flags:
(CI): container inherit
(OI): object inherit
(IO): inherit only
(NP): do not propagate inherit
(I): permission inherited from parent container
Access permissions:
F: full access
D: delete access
N: no access
M: modify access
RX: read and execute access
R: read-only access
W: write-only access
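To make the icacls flag notation concrete, here is an added example (not from the HTB module) that parses icacls output into principal, inheritance flags and rights, and then applies a simple review rule. The directory path C:\Apps\Service, the account CONTOSO\svc-backup and the output lines themselves are constructed for illustration; on a real host, replace the $sample array with the result of running icacls against the path.

```powershell
# Added example, not from the HTB module: decode icacls output and flag risky entries.
# $Path and $sample are constructed; on a real host use:  $sample = icacls $Path

$Path = 'C:\Apps\Service'   # hypothetical directory

# Constructed icacls output: the first line begins with the path, later lines are indented,
# and the tool ends with a summary line that carries no ACE.
$sample = @(
    'C:\Apps\Service BUILTIN\Administrators:(I)(OI)(CI)(F)',
    '                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)',
    '                BUILTIN\Users:(OI)(CI)(RX)',
    '                Everyone:(OI)(CI)(M)',
    '                CONTOSO\svc-backup:(DENY)(W)',
    '',
    'Successfully processed 1 files; Failed processing 0 files'
)

$inheritFlags = @{
    'OI' = 'object inherit'; 'CI' = 'container inherit'; 'IO' = 'inherit only'
    'NP' = 'do not propagate inherit'; 'I' = 'inherited from parent'
}
$rights = @{
    'F' = 'full'; 'M' = 'modify'; 'RX' = 'read+execute'; 'R' = 'read'
    'W' = 'write'; 'D' = 'delete'; 'N' = 'none'
}

function ConvertFrom-IcaclsLine {
    param([string]$Line, [string]$Path)
    # Drop the leading path on the first line, then the indentation on the others
    if ($Line.StartsWith($Path)) { $Line = $Line.Substring($Path.Length) }
    $Line = $Line.Trim()
    # Shape is principal:(flag)(flag)...; anything else is a blank or the summary line
    if ($Line -notmatch '^(?<principal>.+?):(?<flags>(\([^)]*\))+)$') { return }
    $principal = $Matches.principal
    $tokens    = @([regex]::Matches($Matches.flags, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value })
    $rightTokens = $tokens | Where-Object { $_ -ne 'DENY' -and -not $inheritFlags.ContainsKey($_) }
    [pscustomobject]@{
        Principal   = $principal
        Type        = if ($tokens -contains 'DENY') { 'Deny' } else { 'Allow' }
        Inheritance = ($tokens | Where-Object { $inheritFlags.ContainsKey($_) } |
                        ForEach-Object { $inheritFlags[$_] }) -join ', '
        # Composite entries such as (R,W) are passed through unchanged
        Rights      = ($rightTokens | ForEach-Object {
                        if ($rights.ContainsKey($_)) { $rights[$_] } else { $_ } }) -join ', '
    }
}

$entries = $sample | ForEach-Object { ConvertFrom-IcaclsLine -Line $_ -Path $Path }
$entries | Format-Table -AutoSize

# Review rule: broad principals should not hold write, modify or full control on a
# directory that holds binaries or configuration; that is where unintended changes come from.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$entries | Where-Object {
    $_.Type -eq 'Allow' -and $broad -contains $_.Principal -and $_.Rights -match 'full|modify|write'
} | ForEach-Object { Write-Warning "Review: $($_.Principal) has $($_.Rights) on $Path" }
```

With the constructed sample the only warning is for Everyone, which holds modify (M) on the directory; the BUILTIN\Users entry is read and execute only and the svc-backup entry is a deny, so neither is reported.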
NTFS vs. Share Permissions
The Server Message Block protocol (SMB) is used in Windows to connect shared resources like files and printers.
NTFS and Share permissions are different. NTFS also includes special permissions. NTFS permissions apply to the system where the folder and files are hosted. Share permissions apply when the folder is being accessed through SMB, typically from a different system over the network. Note that Windows Defender Firewall could potentially block access to the SMB share.
See HTB Windows Fundamentals for creating, managing, and viewing shares.
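As an added example (not from the HTB module) of the two permission layers described above, the following lists each share's share-level permissions next to the NTFS permissions of its underlying folder and then checks the firewall rules that gate SMB. It assumes the SmbShare and NetSecurity PowerShell modules are present (Windows 8 / Server 2012 and later) and an elevated shell.

```powershell
# Added example, not from the HTB module: share permissions vs. NTFS permissions.

# Administrative shares (C$, ADMIN$, IPC$) are marked Special; skip them here
$userShares = Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }

# Share permissions: evaluated only when the folder is reached over SMB (TCP 445)
foreach ($share in $userShares) {
    Get-SmbShareAccess -Name $share.Name |
        Select-Object @{ n = 'Share'; e = { $share.Name } },
                      @{ n = 'Layer'; e = { 'Share' } },
                      AccountName, AccessControlType, AccessRight
}

# NTFS permissions: evaluated for local and remote access alike. A remote user ends up
# with the more restrictive of the two layers, so Everyone:Full at the share level is only
# safe if the NTFS ACL underneath is tight, and vice versa.
foreach ($share in $userShares) {
    (Get-Acl -LiteralPath $share.Path).Access |
        Select-Object @{ n = 'Share'; e = { $share.Name } },
                      @{ n = 'Layer'; e = { 'NTFS' } },
                      IdentityReference, AccessControlType, FileSystemRights, IsInherited
}

# Windows Defender Firewall: if the inbound SMB rule is disabled for the active profile,
# clients cannot reach the share at all, regardless of either permission layer.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Select-Object DisplayName, Enabled, Profile, Direction, Action
```

Reading the two listings together answers the usual support question: a user who can open the folder locally but not through the share is being stopped by the share layer or the firewall, not by NTFS.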
Working with Services & Processes
Windows Services & Processes
Services allow for the creation and management of long-running processes. Windows services are managed via the Service Control Manager (SCM) system, accessible via the services.msc
MMC add-in.
Windows has three categories of services: Local Services, Network Services, and System Services. Services can usually only be created, modified, and deleted by users with administrative privileges.
Critical services:
smss.exe: Session Manager SubSystem. Responsible for handling sessions on the system.
csrss.exe: Client Server Runtime Process. The user-mode portion of the Windows subsystem.
wininit.exe: Starts the Wininit .ini file that lists all of the changes to be made to Windows when the computer is restarted after installing a program.
logonui.exe: Used for facilitating user login into a PC.
lsass.exe: The Local Security Authentication Server verifies the validity of user logons to a PC or server. It generates the process responsible for authenticating users for the Winlogon service.
services.exe: Manages the operation of starting and stopping services.
winlogon.exe: Responsible for handling the secure attention sequence, loading a user profile on logon, and locking the computer when a screensaver is running.
System: A background system process that runs the Windows kernel.
svchost.exe with RPCSS: Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates," "Windows Firewall," and "Plug and Play." Uses the Remote Procedure Call (RPC) Service (RPCSS).
svchost.exe with Dcom/PnP: Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates," "Windows Firewall," and "Plug and Play." Uses the Distributed Component Object Model (DCOM) and Plug and Play (PnP) services.
These are critical processes: Windows Logon Application, System, System Idle Process, Windows Start-Up Application, Client Server Runtime, Windows Session Manager, Service Host, and Local Security Authority Subsystem Service (LSASS) process.
lsass.exe is the process that is responsible for enforcing the security policy on Windows systems and is thus a high value target.
The SysInternals Tools suite is a set of portable Windows applications that can be used to administer Windows systems (for the most part without requiring installation). Process Explorer, in particular, can show which handles and DLLs are loaded when a program runs.
Task Manager provides information about running processes, system performance, running services, startup programs, logged-in users/logged in user processes, and services.
Service Permissions
It is highly recommended to create an individual user account to run critical network services. These are referred to as service accounts.
Most services run with LocalSystem privileges by default which is the highest level of access allowed on an individual Windows OS. Not all applications need Local System account-level permissions, so it is beneficial to perform research on a case-by-case basis when considering installing new applications in a Windows environment.
See the module to learn how to examine service permissions using services.msc, the sc command in the Windows command line, and Get-Acl in PowerShell.
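The service-account guidance above, turned into an audit as an added example (this is not the module's code). It groups services by the account they run under, then checks whether any service running as LocalSystem has a binary that broad, non-administrative principals can change, and finally shows the service object's own ACL with sc.exe. The helper that extracts the executable from a service's PathName is an assumption of this example, and it assumes binaries end in .exe; Spooler is used only as a service name that exists on most Windows hosts.

```powershell
# Added example, not from the HTB module: which account runs each service, and who can
# change the binary of services that run as LocalSystem. Run from an elevated shell.

# 1. Distribution of service accounts; LocalSystem is the most privileged option
Get-CimInstance -ClassName Win32_Service |
    Group-Object StartName | Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Extract the executable from a service's PathName (hypothetical helper).
#    Quoted paths are taken as-is; unquoted paths are cut at the first ".exe".
function Get-ServiceBinaryPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# 3. Services that run as LocalSystem whose binary can be modified by ordinary users.
#    That combination lets any local user change what the system runs as SYSTEM, so it
#    is the first finding to fix: tighten the ACL or move the binary under Program Files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath -PathName $svc.PathName
        if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
        foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Binary    = $bin
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    } | Format-Table -AutoSize

# 4. The service object itself has a separate ACL (who may start, stop or reconfigure it),
#    printed in SDDL form by sc.exe; the module covers how to read it.
sc.exe sdshow Spooler
```

An empty result from step 3 is the expected state on a well-maintained host. Any row it does produce names the service, the principal and the exact right to remove.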
Interacting with Windows
Windows Sessions
There are two types of sessions.
Interactive (local logon): initiated by a user authenticating to a local or domain system by entering their credentials
Non-interactive: initiated by three non-interactive accounts (listed below) by the Windows operating system to automatically start services and applications without requiring user interaction
The three non-interactive accounts are:
Local System Account: Also known as the NT AUTHORITY\SYSTEM account, this is the most powerful account in Windows systems. It is used for a variety of OS-related tasks, such as starting Windows services. This account is more powerful than accounts in the local administrators group.
Local Service Account: Known as the NT AUTHORITY\LocalService account, this is a less privileged version of the SYSTEM account and has similar privileges to a local user account. It is granted limited functionality and can start some services.
Network Service Account: This is known as the NT AUTHORITY\NetworkService account and is similar to a standard domain user account. It has similar privileges to the Local Service Account on the local machine. It can establish authenticated sessions for certain network services.
Interacting with the Windows Operating System
You can use GUI, RDP (remote desktop protocol), Windows command line, or PowerShell.
Execution policies may need to be changed for certain scripts to run:
The available execution policies are:
AllSigned: All scripts can run, but a trusted publisher must sign scripts and configuration files. This includes both remote and local scripts. We receive a prompt before running scripts signed by publishers that we have not yet listed as either trusted or untrusted.
Bypass: No scripts or configuration files are blocked, and the user receives no warnings or prompts.
Default: This sets the default execution policy, Restricted for Windows desktop machines and RemoteSigned for Windows servers.
RemoteSigned: Scripts can run but require a digital signature on scripts that are downloaded from the internet. Digital signatures are not required for scripts that are written locally.
Restricted: This allows individual commands but does not allow scripts to be run. All script file types, including configuration files (.ps1xml), module script files (.psm1), and PowerShell profiles (.ps1), are blocked.
Undefined: No execution policy is set for the current scope. If the execution policy for ALL scopes is set to Undefined, then the default execution policy of Restricted will be used.
Unrestricted: This is the default execution policy for non-Windows computers, and it cannot be changed. This policy allows unsigned scripts to be run but warns the user before running scripts that are not from the local intranet zone.
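The policy list above in practice, as an added example (not code from the HTB module): how to see which scope is supplying the effective policy, how to change it at the narrowest scope, and how to check the two things RemoteSigned and AllSigned actually test, the download marker on the file and its Authenticode signature. The script path .\deploy.ps1 is a placeholder for whatever script is being examined.

```powershell
# Added example, not from the HTB module: execution policy scopes and script signatures.

# Effective policy is the first scope that is not Undefined, in this order:
# MachinePolicy > UserPolicy > Process > CurrentUser > LocalMachine
Get-ExecutionPolicy -List
Get-ExecutionPolicy          # the effective result

# Prefer the narrowest scope that solves the problem. Process scope disappears when the
# shell exits; CurrentUser persists for this user only; LocalMachine affects everyone.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# The Group Policy scopes cannot be changed with Set-ExecutionPolicy; if either is set,
# the cmdlet warns and the enforced policy stays. Detect that case explicitly:
$gp = Get-ExecutionPolicy -List |
    Where-Object { $_.Scope -in 'MachinePolicy', 'UserPolicy' -and $_.ExecutionPolicy -ne 'Undefined' }
if ($gp) { Write-Warning "Execution policy is enforced by Group Policy: $($gp.Scope -join ', ')" }

# RemoteSigned decides "downloaded from the internet" by the Zone.Identifier alternate data
# stream that browsers attach to downloads. Show it, and clear it once the file is reviewed:
Get-Item -Path .\deploy.ps1 -Stream Zone.Identifier -ErrorAction SilentlyContinue
# Unblock-File -Path .\deploy.ps1

# Under AllSigned (or RemoteSigned for downloaded files) the signature must be valid and from
# a trusted publisher. Status values: Valid, NotSigned, HashMismatch (file changed after it
# was signed), NotTrusted (signer's certificate is not trusted on this host).
$sig = Get-AuthenticodeSignature -FilePath .\deploy.ps1
[pscustomobject]@{
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    TimeStamp  = $sig.TimeStamperCertificate.Subject
}
```

A HashMismatch on a script that used to run is worth investigating rather than bypassing: it means the file content differs from what the publisher signed.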
Windows Management Instrumentation (WMI)
WMI is a subsystem of PowerShell that provides system administrators with powerful tools for system monitoring. WMI can be used through PowerShell.
The components of WMI are:
WMI service: The Windows Management Instrumentation process, which runs automatically at boot and acts as an intermediary between WMI providers, the WMI repository, and managing applications.
Managed objects: Any logical or physical components that can be managed by WMI.
WMI providers: Objects that monitor events/data related to a specific object.
Classes: These are used by the WMI providers to pass data to the WMI service.
Methods: These are attached to classes and allow actions to be performed. For example, methods can be used to start/stop processes on remote machines.
WMI repository: A database that stores all static data related to WMI.
CIM Object Manager: The system that requests data from WMI providers and returns it to the application requesting it.
WMI API: Enables applications to access the WMI infrastructure.
WMI Consumer: Sends queries to objects via the CIM Object Manager.
Further Windows Usage
Microsoft Management Console (MMC)
The MMC can be used to group snap-ins, or administrative tools, to manage hardware, software, and network components within a Windows host, and to create and distribute custom tools.
Type mmc in the Start Menu. Browse to File -> Add or Remove Snap-ins, and add the snap-ins you wish. Then, save your snap-ins as a .msc file.
Windows Subsystem for Linux (WSL)
Windows Subsystem for Linux (WSL) allows Linux binaries to run on Windows. After enabling WSL and installing a Linux distro, we gain access to a Linux shell with the standard Linux directory structure. We can also access Windows files through the /mnt directory in WSL.
Diving Deeper & Close Out
Desktop Experience vs. Server Core
Windows Server Core is a minimalistic server environment that only contains key server functionality. Server Core has lower management requirements, a smaller attack surface, and uses less disk space and memory than its traditional desktop counterpart, which is referred to as Desktop Experience. Unlike Desktop Experience, which uses a graphical user interface (GUI), all configuration and maintenance tasks are performed via the command line, PowerShell, or remote management. Because it focuses on usability over efficiency, Windows Desktop Experience includes applications such as Mmc.exe and Control Panel that are not available on Server Core.
Windows Security
Each of the security principals on the system has a unique security identifier (SID). The system automatically generates SIDs.
Each SID has a pattern:
(SID)-(revision level)-(identifier-authority)-(subauthority1)-(subauthority2)-(etc)
Taking the SID S-1-5-21-674899381-4069889467-2080702030-1002 as an example, the fields are:
S: SID - Identifies the string as a SID.
1: Revision Level - To date, this has never changed and has always been 1.
5: Identifier-authority - A 48-bit string that identifies the authority (the computer or network) that created the SID.
21: Subauthority1 - This is a variable number that identifies the user's relation or group described by the SID to the authority that created it. It tells us in what order this authority created the user's account.
674899381-4069889467-2080702030: Subauthority2 - Tells us which computer (or domain) created the number.
1002: Subauthority3 - The RID that distinguishes one account from another. Tells us whether this user is a normal user, a guest, an administrator, or part of some other group.
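An added example (not from the HTB module) that splits a SID string into the fields listed above and interprets the RID. The well-known RID table is a small selection of Microsoft-documented values; the SID strings passed in are the page's example plus a constructed variant with RID 500. The final block resolves a name to its SID on the local machine and assumes the built-in Administrator account still carries that name.

```powershell
# Added example, not from the HTB module: parse a SID and interpret its RID.

# Selection of Microsoft-documented well-known RIDs (accounts keep their RID when renamed)
$wellKnownRids = @{
    500 = 'built-in Administrator'; 501 = 'built-in Guest'; 502 = 'krbtgt'
    512 = 'Domain Admins'; 513 = 'Domain Users'; 519 = 'Enterprise Admins'
}

function ConvertFrom-Sid {
    param([string]$Sid)
    if ($Sid -notmatch '^S-(\d+)-(\d+)((?:-\d+)+)$') { throw "Not a SID: $Sid" }
    $revision  = [int]$Matches[1]
    $authority = [int]$Matches[2]                 # 5 = NT Authority
    $subs = @(($Matches[3].TrimStart('-') -split '-') | ForEach-Object { [uint32]$_ })
    $rid  = $subs[-1]

    # 21 marks a SID issued by a specific machine or domain; the next three values identify it
    $issuer = $null
    if ($subs[0] -eq 21 -and $subs.Count -ge 5) { $issuer = $subs[1..3] -join '-' }

    # RIDs below 1000 are reserved for built-in accounts and groups; created users start at 1000
    if ($wellKnownRids.ContainsKey([int]$rid)) {
        $kind = $wellKnownRids[[int]$rid]
    } elseif ($rid -lt 1000) {
        $kind = 'reserved/built-in'
    } else {
        $kind = 'user-created'
    }

    [pscustomobject]@{
        Sid                 = $Sid
        Revision            = $revision
        IdentifierAuthority = $authority
        SubAuthorities      = $subs
        IssuerId            = $issuer
        Rid                 = $rid
        Kind                = $kind
    }
}

ConvertFrom-Sid 'S-1-5-21-674899381-4069889467-2080702030-1002'   # page's example: user-created
ConvertFrom-Sid 'S-1-5-21-674899381-4069889467-2080702030-500'    # same issuer, RID 500 (constructed)

# Name-to-SID and back on a live host. Renaming "Administrator" does not change its RID,
# so the SID is the reliable way to recognise that account in logs and ACLs.
$acct = [System.Security.Principal.NTAccount]::new($env:COMPUTERNAME, 'Administrator')
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
$sid.Value
$sid.Translate([System.Security.Principal.NTAccount]).Value
```

Two SIDs that share the same IssuerId were created by the same machine or domain; only the RID differs, which is why the RID alone is enough to tell the built-in Administrator (500) from an ordinary user (1000 and up).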
The Registry is a hierarchical database in Windows critical for the operating system. It stores low-level settings for the Windows operating system and applications that choose to use it. It is divided into computer-specific and user-specific data. We can open the Registry Editor by typing regedit from the command line or Windows search bar.
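As an added example (not from the HTB module) of the computer-specific and user-specific split, the following reads a few well-known keys from HKLM and HKCU through PowerShell's registry provider. The key paths and value names are standard Windows locations; the UAC values are read only, nothing is changed.

```powershell
# Added example, not from the HTB module: machine-wide (HKLM) vs per-user (HKCU) settings.

# Machine-specific: OS edition and build, the registry counterpart of Win32_OperatingSystem
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object ProductName, DisplayVersion, CurrentBuild, UBR

# Machine-specific security setting: User Account Control configuration (read only)
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
[pscustomobject]@{
    UacEnabled                 = [bool]$uac.EnableLUA
    # 2 = prompt for consent on the secure desktop (recommended); 0 = elevate without prompting
    ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = [bool]$uac.PromptOnSecureDesktop
}

# Per-user vs machine-wide autostart entries. Both are routinely compared during an
# incident review because unexpected entries in either are a common persistence sign.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object * -ExcludeProperty PS*
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object * -ExcludeProperty PS*

# HKCU is a view into HKEY_USERS\<SID of the logged-on user>, which is where the SIDs from
# the previous section appear as key names.
Get-ChildItem -Path Registry::HKEY_USERS | Select-Object Name
```

The PS* properties excluded above (PSPath, PSParentPath and so on) are added by the provider and are not registry values.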
See the module for details on Security Accounts Manager (SAM), Access Control Entries (ACE), User Account Control (UAC), registry keys, whitelisting applications, AppLocker, Local Group Policy, and Windows Defender Antivirus.
Skills Assessment - Windows Fundamentals