# Oracle 10 -> 15

## Oracle 10 -> 11

The password for oracle11 is the .biz site the user has previously navigated to.

```
Get-Item 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
```

```
Password: yondu
```

## Oracle 11 -> 12

The password for oracle12 is the drive letter associated with the mapped drive that this user has.

```
Get-ChildItem 'HKCU:\Network'
```

```
Password: m
```

{% hint style="info" %}
<https://social.technet.microsoft.com/Forums/ie/en-US/65eb8a2f-988f-40a7-b6ff-616a050c8efc/list-all-mapped-drives-for-all-users-that-have-logged-into-a-computer?forum=ITCG>
{% endhint %}

## Oracle 12 -> 13

The password for oracle13 is the IP of the system that this user has previously established a remote desktop with.

```
Get-ChildItem 'HKCU:\Software\Microsoft\Terminal Server Client'
```

```
Password: 192.168.2.3
```

{% hint style="info" %}
<https://www.techsupportall.com/how-to-remove-remote-desktop-connection-history-name-ip-entries/>
{% endhint %}

## Oracle 13 -> 14

&#x20;The password for oracle14 is the name of the user who created the Galaxy security group as depicted in the event logs on the desktop **PLUS** the name of the text file on the user’s desktop.

```
Get-WinEvent -Path .\security.evtx | Where-Object -Property Message -Match 'Galaxy' | Format-List
Log Id: 4727
```

```
Password: gamora88
```

{% hint style="info" %}
<https://4sysops.com/archives/search-the-event-log-with-the-get-winevent-powershell-cmdlet/>
{% endhint %}

## Oracle 14 -> 15

&#x20;The password for oracle15 is the name of the user who added the user Bereet to the Galaxy security group as depicted in the event logs on the desktop **PLUS** the name of the text file on the user’s desktop.

```
Get-WinEvent -Path .\security.evtx | Where-Object -Property Message -Match 'bereet' | Format-List
Log Id: 4728
```

```
Password: nebula2112
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cybertuna.gitbook.io/underthewire/oracle/oracle-10-greater-than-15.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.