📔
UnderTheWire
  • Introduction
  • Century
    • Century 0 -> 5
    • Century 5 -> 10
    • Century 10 -> 15
  • Cyborg
    • Cyborg 0 -> 5
    • Cyborg 5 -> 10
    • Cyborg 10 -> 15
  • Groot
    • Groot 0 -> 5
    • Groot 5 -> 10
    • Groot 10 ->15
  • Oracle
    • Oracle 0 -> 5
    • Oracle 5 -> 10
    • Oracle 10 -> 15
  • Trebek
    • Trebek 0 -> 5
    • Trebek 5 -> 10
    • Trebek 10 -> 15
Powered by GitBook
On this page
  • Trebek 0 -> 1
  • Trebek 1 -> 2
  • Trebek 2 -> 3
  • Trebek 3 -> 4
  • Trebek 4 -> 5

Was this helpful?

  1. Trebek

Trebek 0 -> 5

Trebek 0 -> 1

Grab creds from the slack and login via SSH:

ssh trebek1@trebek.underthewire.tech
Password: trebek1

Trebek 1 -> 2

The password for trebek2 is the name of the script referenced in a deleted task as depicted in the event logs on the desktop.

Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'deleted' | Format-List
Log Id: 4699
File: mess_cleaner.ps1
Password: mess_cleaner

Trebek 2 -> 3

The password for trebek3 is the name of the executable associated with the C-3PO service PLUS the name of the file on the user’s desktop.

Get-WmiObject win32_service | ?{$_.Name -like 'C-3PO'} | select PathName
Password: droid823

Trebek 3 -> 4

The password for trebek4 is the IP that the user Yoda last logged in from as depicted in the event logs on the desktop PLUS the name of the text file on the user’s desktop.

Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'credential' | Where-Object -Property Message -Match 'yoda' | Format-List
Log Id: 4648
Password: 10.30.1.18address

Trebek 4 -> 5

The password for trebek5 is the last execution date of Microsoft Access PLUS the name of the text file on the user’s desktop.

Get-ChildItem C:\Windows\prefetch | Where-Object -Property Name -Match 'access' | select *
Password: 01/05/2017_red
PreviousOracle 10 -> 15NextTrebek 5 -> 10

Last updated 4 years ago

Was this helpful?