Trebek 0 -> 5

Trebek 0 -> 1

Grab creds from the Slack and log in via SSH:

ssh trebek1@trebek.underthewire.tech
Password: trebek1

Trebek 1 -> 2

The password for trebek2 is the name of the script referenced in a deleted task as depicted in the event logs on the desktop.

Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'deleted' | Format-List
Event ID: 4699
File: mess_cleaner.ps1
Password: mess_cleaner

Trebek 2 -> 3

The password for trebek3 is the name of the executable associated with the C-3PO service PLUS the name of the file on the user’s desktop.

Get-WmiObject win32_service | ?{$_.Name -like 'C-3PO'} | select PathName
Password: droid823

Trebek 3 -> 4

The password for trebek4 is the IP that the user Yoda last logged in from as depicted in the event logs on the desktop PLUS the name of the text file on the user’s desktop.

Get-WinEvent -Path "security.evtx" | Where-Object -Property Message -Match 'credential' | Where-Object -Property Message -Match 'yoda' | Format-List
Event ID: 4648
Password: 10.30.1.18address
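
The two event-log levels above (1 -> 2 and 3 -> 4) grep the rendered message text. As an added example, not part of the original writeup, the same lookups can filter on event ID and read the named fields out of each record's XML. The helper name ConvertTo-EventDataObject is hypothetical; TaskName, TaskContent, SubjectUserName, TargetUserName, IpAddress and ProcessName are the standard EventData field names for events 4699 and 4648, and security.evtx is assumed to be in the current directory as in the commands above.

```powershell
# Added example: hypothetical helper, not from the original writeup.
# Flattens each record's <EventData> into named properties so fields can be
# compared exactly instead of regex-matching the localized message string.
function ConvertTo-EventDataObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record
    )
    process {
        $xml = [xml]$Record.ToXml()
        $row = [ordered]@{
            TimeCreated = $Record.TimeCreated
            Id          = $Record.Id
        }
        # local-name() sidesteps the event schema's default XML namespace
        foreach ($d in $xml.SelectNodes("//*[local-name()='Data'][@Name]")) {
            $row[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]$row
    }
}

$log = '.\security.evtx'   # assumed path, same file as the commands above

# 1 -> 2: event 4699 (scheduled task deleted). TaskContent carries the task's
# XML definition, including the command or script it was set to run.
Get-WinEvent -FilterHashtable @{ Path = $log; Id = 4699 } |
    ConvertTo-EventDataObject |
    Select-Object TimeCreated, SubjectUserName, TaskName, TaskContent |
    Format-List

# 3 -> 4: event 4648 (logon using explicit credentials) involving the account,
# newest record first, with the source address as its own column.
Get-WinEvent -FilterHashtable @{ Path = $log; Id = 4648 } |
    ConvertTo-EventDataObject |
    Where-Object { $_.SubjectUserName -eq 'yoda' -or $_.TargetUserName -eq 'yoda' } |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 1 TimeCreated, SubjectUserName, TargetUserName, IpAddress, ProcessName
```

Filtering with -FilterHashtable is applied when the log is read, so it is much faster on large logs than piping every record through Where-Object.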

Trebek 4 -> 5

The password for trebek5 is the last execution date of Microsoft Access PLUS the name of the text file on the user’s desktop.

Get-ChildItem C:\Windows\prefetch | Where-Object -Property Name -Match 'access' | select *
Password: 01/05/2017_red
