# Trebek 0 -> 5 ## Trebek 0 -> 1 Grab creds from the slack and login via SSH: ``` ssh trebek1@trebek.underthewire.tech ``` ``` Password: trebek1 ``` ## Trebek 1 -> 2 The password for trebek2 is the name of the script referenced in a deleted task as depicted in the event logs on the desktop. ``` Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'deleted' | Format-List Log Id: 4699 File: mess_cleaner.ps1 ``` ``` Password: mess_cleaner ``` ## Trebek 2 -> 3 The password for trebek3 is the name of the executable associated with the C-3PO service **PLUS** the name of the file on the user’s desktop. ``` Get-WmiObject win32_service | ?{$_.Name -like 'C-3PO'} | select PathName ``` ``` Password: droid823 ``` ## Trebek 3 -> 4 The password for trebek4 is the IP that the user Yoda last logged in from as depicted in the event logs on the desktop **PLUS** the name of the text file on the user’s desktop. ``` Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'credential' | Where-Object -Property Message -Match 'yoda' | Format-List Log Id: 4648 ``` ``` Password: 10.30.1.18address ``` ## Trebek 4 -> 5 The password for trebek5 is the last execution date of Microsoft Access **PLUS** the name of the text file on the user’s desktop. ``` Get-ChildItem C:\Windows\prefetch | Where-Object -Property Name -Match 'access' | select * ``` ``` Password: 01/05/2017_red ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cybertuna.gitbook.io/underthewire/trebek/trebek-0-greater-than-15.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.