Hack The Box



Operating System Structure

In Windows operating systems, the root directory is <drive_letter>:\ (commonly the C: drive). The drive that holds the operating system is called the boot partition, and its root directory is where Windows is installed; other physical and virtual drives are assigned other letters, for example Data (E:). The directory structure of the boot partition is as follows:

  • PerfLogs - Can hold Windows performance logs but is empty by default.
  • Program Files - On 32-bit systems, all 16-bit and 32-bit programs are installed here. On 64-bit systems, only 64-bit programs are installed here.
  • Program Files (x86) - 32-bit and 16-bit programs are installed here on 64-bit editions of Windows.
  • ProgramData - This is a hidden folder that contains data that is essential for certain installed programs to run. This data is accessible by the program no matter which user is running it.
  • Users - This folder contains a profile folder for each user that logs onto the system, plus the two folders Default and Public.
  • Default - This is the default user profile template for all created users. Whenever a new user is added to the system, their profile is based on the Default profile.
  • Public - This folder is intended for computer users to share files and is accessible to all local users by default. It is also shared over the network by default, but a valid network account is required to access it.
  • AppData - Per-user application data and settings are stored in a hidden subfolder of each user's profile (e.g., C:\Users\cliff.moore\AppData). AppData contains three subfolders. Roaming holds machine-independent data that should follow the user's profile when it roams between machines, such as custom dictionaries. Local is specific to the computer itself and is never synchronized across the network. LocalLow is similar to Local but is the only one of the three that a process running at low integrity level can write to, so it is used, for example, by a web browser running in protected or safe mode.
  • Windows - The majority of the files required for the Windows operating system are contained here.
  • System, System32, SysWOW64 - Contain the DLLs required for the core features of Windows and the Windows API. The operating system searches these folders any time a program asks to load a DLL without specifying an absolute path. Because the application's own directory is searched before these system folders, an install directory that a low-privileged user can write to lets that user supply a DLL the program will load instead of the legitimate one, which is why the permissions on program folders matter.
  • WinSxS - The Windows Component Store contains a copy of all Windows components, updates, and service packs.

Exploring Directories Using Command Line

We can explore the file system using the dir command.

C:\htb> dir c:\ /a

 Volume in drive C has no label.
 Volume Serial Number is F416-77BE

 Directory of c:\

08/16/2020  10:33 AM    <DIR>          $Recycle.Bin
06/25/2020  06:25 PM    <DIR>          $WinREAgent
07/02/2020  12:55 PM             1,024 AMTAG.BIN
06/25/2020  03:38 PM    <JUNCTION>     Documents and Settings [C:\Users]
08/13/2020  06:03 PM             8,192 DumpStack.log
08/17/2020  12:11 PM             8,192 DumpStack.log.tmp
08/27/2020  10:42 AM    37,752,373,248 hiberfil.sys
08/17/2020  12:11 PM    13,421,772,800 pagefile.sys
12/07/2019  05:14 AM    <DIR>          PerfLogs
08/24/2020  10:38 AM    <DIR>          Program Files
07/09/2020  06:08 PM    <DIR>          Program Files (x86)
08/24/2020  10:41 AM    <DIR>          ProgramData
06/25/2020  03:38 PM    <DIR>          Recovery
06/25/2020  03:57 PM             2,918 RHDSetup.log
08/17/2020  12:11 PM        16,777,216 swapfile.sys
08/26/2020  02:51 PM    <DIR>          System Volume Information
08/16/2020  10:33 AM    <DIR>          Users
08/17/2020  11:38 PM    <DIR>          Windows
               7 File(s) 51,190,943,590 bytes
              13 Dir(s)  261,310,697,472 bytes free

The /a switch lists every entry, including hidden and system items such as hiberfil.sys, pagefile.sys, $Recycle.Bin and the "Documents and Settings" junction that points at C:\Users. The tree command shows the directory hierarchy below a path:
C:\htb> tree "c:\Program Files (x86)\VMware"

Volume serial number is F416-77BE
C:\PROGRAM FILES (X86)\VMWARE
├───VMware VIX
│   ├───doc
│   │   ├───errors
│   │   ├───features
│   │   ├───lang
│   │   │   └───c
│   │   │       └───functions
│   │   └───types
│   ├───samples
│   └───Workstation-15.0.0
│       ├───32bit
│       └───64bit
└───VMware Workstation
    ├───env
    ├───hostd
    │   ├───coreLocale
    │   │   └───en
    │   ├───docroot
    │   │   ├───client
    │   │   └───sdk
    │   ├───extensions
    │   │   └───hostdiag
    │   │       └───locale
    │   │           └───en
    │   └───vimLocale
    │       └───en
    ├───ico
    ├───messages
    │   ├───ja
    │   └───zh_CN
    ├───OVFTool
    │   ├───env
    │   │   └───en
    │   └───schemas
    │       ├───DMTF
    │       └───vmware
    ├───Resources
    ├───tools-upgraders
    └───x64

The tree command can provide us with a large amount of information. The following command walks through all the files (/f) in the C drive, one screen at a time; it can be run against any directory by changing the path.


tree c:\ /f | more
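The PowerShell script below is an added example, not code from the Hack The Box page. It ties the two parts of this section together: it resolves the well-known boot-partition directories listed above from environment variables (so it also works when Windows is not on C:), reports whether each exists and carries the hidden attribute that makes "dir /a" necessary to see it, and then probes which of those directories, and which directories on the default DLL search path, the current user can write to. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host, run as a normal (non-elevated) user; $AppDir and the folder name "ExampleApp" are hypothetical placeholders for the program directory being assessed.

```powershell
# Added example; not code from the Hack The Box page. Inventories the boot-partition
# directories described above and probes which of them, and which directories on the
# default DLL search path, the current user can write to.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows, run as a normal
# (non-elevated) user. $AppDir is a hypothetical program directory; replace it with the
# install folder of the program you are assessing.

$Root   = "$env:SystemDrive\"      # e.g. C:\  (root of the boot partition)
$WinDir = $env:WINDIR              # e.g. C:\Windows

# Well-known directories from the text, resolved from environment variables rather than
# hard-coded so the script also works when Windows is not installed on C:.
$Layout = [ordered]@{
    'PerfLogs'            = Join-Path $Root 'PerfLogs'
    'Program Files'       = $env:ProgramFiles
    'Program Files (x86)' = ${env:ProgramFiles(x86)}       # $null on 32-bit Windows
    'ProgramData'         = $env:ProgramData
    'Users'               = Join-Path $Root 'Users'
    'Users\Default'       = Join-Path $Root 'Users\Default'
    'Users\Public'        = $env:PUBLIC
    'AppData\Roaming'     = $env:APPDATA
    'AppData\Local'       = $env:LOCALAPPDATA
    'AppData\LocalLow'    = Join-Path $env:USERPROFILE 'AppData\LocalLow'
    'Windows'             = $WinDir
    'Windows\System32'    = Join-Path $WinDir 'System32'
    'Windows\SysWOW64'    = Join-Path $WinDir 'SysWOW64'
    'Windows\WinSxS'      = Join-Path $WinDir 'WinSxS'
}

function Test-Writable {
    # Returns $true if the current user can create a file inside $Path. Creating (and
    # immediately deleting) a zero-byte probe file is more reliable than reading the ACL,
    # because it reflects group membership, inheritance and UAC token filtering exactly
    # as the OS applies them.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ('~probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]::new(0))
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

"Boot-partition layout on $Root (Hidden = carries the hidden attribute, so 'dir' needs /a to show it)"
$Layout.GetEnumerator() | ForEach-Object {
    $path = $_.Value
    $item = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    $hidden = if ($item) { [bool]($item.Attributes -band [IO.FileAttributes]::Hidden) } else { $null }
    $writable = if ($item) { Test-Writable $path } else { $false }
    [pscustomobject]@{
        Role     = $_.Key
        Path     = $path
        Exists   = [bool]$item
        Hidden   = $hidden
        Writable = $writable
    }
} | Format-Table -AutoSize

# Order Windows walks when a program loads a DLL by bare name (SafeDllSearchMode, the default):
# the program's own directory, then System32, System, the Windows directory, the current
# directory, and finally each PATH entry. The first directory holding a matching file name
# wins, so any WRITABLE entry that precedes the legitimate DLL's location is a planting point.
$AppDir = Join-Path $env:ProgramFiles 'ExampleApp'   # hypothetical; substitute the real program folder
$SearchOrder = @(
    $AppDir,
    (Join-Path $WinDir 'System32'),
    (Join-Path $WinDir 'System'),
    $WinDir,
    (Get-Location).Path
) + ($env:PATH -split ';' | Where-Object { $_ })

"`nDirectories searched for an unqualified DLL load from $AppDir (first match wins):"
$SearchOrder | Select-Object -Unique | ForEach-Object {
    '{0,-8} {1}' -f $(if (Test-Writable $_) { 'WRITABLE' } else { 'ok' }), $_
}
```

Run it from a normal user prompt; the expected picture on a healthy system is that only the per-user AppData folders, Users\Public and any user-writable PATH entries come back WRITABLE, while Program Files, ProgramData's root and everything under Windows do not. The probe does create and delete a zero-byte file in each directory it tests, so run it only where that is acceptable. One caveat on the search-order part: DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are always loaded from System32 regardless of this order, so a writable directory early in the list only matters for DLLs outside that list.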