Groot 5 -> 10

Groot 5 -> 6

The password for groot6 is the name of the workstation that the user with a username of “baby.groot” can log into as depicted in Active Directory PLUS the name of the file on the desktop

Get-AdUser -Filter "SamAccountName -eq 'baby.groot'" -Property LogonWorkstations

Password: wk11_enterprise

Groot 6 -> 7

The password for groot7 is the name of the program that is set to start when this user logs in PLUS the name of the file on the desktop.

Get-ChildItem HKCU:\Software\Microsoft\Windows\CurrentVersion
Look for the 'run' key

Password: star-lord_rules

Groot 7 -> 8

The password for groot8 is the name of the dll, as depicted in the registry, associated with the “applockerfltr” service PLUS the name of the file on the desktop.

Get-Item HKLM:\SYSTEM\CurrentControlSet\Services\applockerfltr

Password: srpapi_home

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree

Groot 8 -> 9

The password for groot9 is the description of the firewall rule blocking MySQL PLUS the name of the file on the desktop.

Get-NetFirewallRule -DisplayName MySQL | select Description

Password: call_me_starlord

https://docs.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2019-ps

Groot 9 -> 10

The password for groot10 is the name of the OU that doesn’t have accidental deletion protection enabled PLUS the name of the file on the desktop.

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -match $False} | select name

Password: t-25_tester