Cyborg 10 -> 15

Cyborg 10 -> 11

The password for cyborg11 is the description of the Applocker Executable deny policy for ill_be_back.exe PLUS the name of the file on the desktop.

Get-AppLockerPolicy -Effective -Xml
Password: terminated!99
Additional useful stuff:
1. See examples: Get-Help Get-AppLockerPolicy -examples
2. Find location of a file:
Get-ChildItem -Path c:\ -Recurse *.exe -ErrorAction SilentlyContinue |  ?{$_.name -eq "ill_be_back.exe"}

Cyborg 11 -> 12

The password for cyborg12 is located in the IIS log. The password is not Mozilla or Opera.

Find the IIS log file:
Get-ChildItem -Path C:\ -Recurse *.log -ErrorAction SilentlyContinue | Select-String "Internet Information Services" -List | Select Path
Finding the password:
Get-Content C:\inetpub\logs\logfiles\w3svc1\u_ex160413.log | Select-String "password" | Where-Object { $_.Line -notmatch "Mozilla|Opera" }
Password: spaceballs

Dunno why the access denied errors won't hide, need to fix

Cyborg 12 -> 13

The password for cyborg13 is the first four characters of the base64 encoded full path to the file that started the i_heart_robots service PLUS the name of the file on the desktop.

Get-WmiObject win32_service | ?{$_.Name -like 'i_heart_robots'} | select pathname
Password: yzpc_heart
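
The notes above stop at the service path and do not show the base64 step. The following is an added example, not part of the original notes, of one way to do it. The function name and the sample PathName values are constructed. The yzpc prefix matches UTF-8 bytes of a path starting with a lowercase c:\, so the encoding and the drive-letter case both matter.

```powershell
# Added example: Get-PathBase64Prefix is a hypothetical helper, not a built-in cmdlet.
function Get-PathBase64Prefix {
    param(
        [Parameter(Mandatory)][string]$PathName,
        [System.Text.Encoding]$Encoding = [System.Text.Encoding]::UTF8,
        [int]$Length = 4
    )
    # Win32_Service.PathName can be quoted and can carry arguments;
    # keep only the executable path before encoding.
    if ($PathName -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } elseif ($PathName -match '^\s*(.+?\.exe)\b') {
        $exe = $Matches[1]
    } else {
        $exe = $PathName.Trim()
    }
    $b64 = [Convert]::ToBase64String($Encoding.GetBytes($exe))
    $b64.Substring(0, [Math]::Min($Length, $b64.Length))
}

# Constructed sample values (not the real service path from the challenge).
$samples = @(
    'c:\constructed\example.exe -run',       # lowercase drive letter, with argument
    '"C:\Constructed Dir\example.exe" -run'  # quoted, uppercase drive letter
)

foreach ($s in $samples) {
    [pscustomobject]@{
        PathName = $s
        UTF8     = Get-PathBase64Prefix -PathName $s
        UTF16LE  = Get-PathBase64Prefix -PathName $s -Encoding ([System.Text.Encoding]::Unicode)
    }
}

# Against the live service, feed in the PathName returned by the query above:
# $p = (Get-WmiObject win32_service -Filter "Name='i_heart_robots'").PathName
# (Get-PathBase64Prefix -PathName $p).ToLower()
```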

Cyborg 13 -> 14

The password for cyborg14 is the number of days the refresh interval is set to for DNS aging for the underthewire.tech zone PLUS the name of the file on the desktop.

Get-DnsServerZoneAging -ZoneName "underthewire.tech"
Password: 22_days

Do with WMI later

Cyborg 14 -> 15

The password for cyborg15 is the caption for the DCOM application setting for application ID {59B8AFA0-229E-46D9-B980-DDA2C817EC7E} PLUS the name of the file on the desktop.

Get-WmiObject win32_DCOMApplicationSetting | ?{$_.AppID -eq '{59B8AFA0-229E-46D9-B980-DDA2C817EC7E}'} | select caption
Password: propshts_objects
