Trebek 0 -> 5
Trebek 0 -> 1
Grab creds from the slack and log in via SSH:
ssh trebek1@trebek.underthewire.tech
Password: trebek1
Trebek 1 -> 2
The password for trebek2 is the name of the script referenced in a deleted task as depicted in the event logs on the desktop.
Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'deleted' | Format-List
Log Id: 4699
File: mess_cleaner.ps1
Password: mess_cleaner
Trebek 2 -> 3
The password for trebek3 is the name of the executable associated with the C-3PO service PLUS the name of the file on the user’s desktop.
Get-WmiObject win32_service | ?{$_.Name -like 'C-3PO'} | select PathName
Password: droid823
Trebek 3 -> 4
The password for trebek4 is the IP that the user Yoda last logged in from as depicted in the event logs on the desktop PLUS the name of the text file on the user’s desktop.
Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'credential' | Where-Object -Property Message -Match 'yoda' | Format-List
Log Id: 4648
Password: 10.30.1.18address
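The two event-log steps above (the deleted task in event 4699 and Yoda's logon in event 4648) match on message text; the same fields can be read by name from each record's XML. This is an added example, not part of the original walkthrough: the function names ConvertFrom-EventXml and Get-DeletedTaskAction are hypothetical, and the sample record is constructed with placeholder values.

```powershell
# Added example: helper names and all sample values are constructed placeholders.

# Map one event's XML (what $event.ToXml() returns) to its named EventData fields.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $fields = [ordered]@{}
    foreach ($d in ([xml]$Xml).SelectNodes("//*[local-name()='Data'][@Name]")) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

# For a 4699 record, parse the embedded task definition and return what it ran.
function Get-DeletedTaskAction {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $ev   = ConvertFrom-EventXml $Xml
        $exec = ([xml]$ev.TaskContent.Trim()).Task.Actions.Exec
        [pscustomobject]@{
            TaskName  = $ev.TaskName
            DeletedBy = $ev.SubjectUserName
            Command   = $exec.Command
            Arguments = $exec.Arguments
        }
    }
}

# Constructed sample: a cut-down 4699 record, not taken from the Trebek log.
$task = @'
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File C:\Example\placeholder_script.ps1</Arguments>
  </Exec></Actions>
</Task>
'@
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4699</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">example_user</Data>
    <Data Name="TaskName">\ExampleTask</Data>
    <Data Name="TaskContent">$([System.Security.SecurityElement]::Escape($task))</Data>
  </EventData>
</Event>
"@
$sample | Get-DeletedTaskAction | Format-List

# Real log: Get-WinEvent -FilterHashtable @{ Path = 'security.evtx'; Id = 4699 } |
#             ForEach-Object { $_.ToXml() } | Get-DeletedTaskAction
# Event 4648 works with ConvertFrom-EventXml too; read TargetUserName and IpAddress.
```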
Trebek 4 -> 5
The password for trebek5 is the last execution date of Microsoft Access PLUS the name of the text file on the user’s desktop.
Get-ChildItem C:\Windows\prefetch | Where-Object -Property Name -Match 'access' | select *
Password: 01/05/2017_red