# Trebek 5 -> 10

## Trebek 5 -> 6

The password for trebek6 is the name of the executable that is starting at 3/23/2017 8:08:53 PM via the Software Protection service as depicted in the event log on the desktop.

```
Get-WinEvent -Path .\application.evtx | Where-Object -Property TimeCreated -eq "3/23/2017 8:08:53 PM" | Format-List
Log Id: 900
```

```
Password: wlms
```

## Trebek 6 -> 7

 The password for trebek7 is the total number of DLLs within the “C:\program files\adobe\” folder and it’s subfolders **PLUS** the name of the file on the desktop.

```
Get-ChildItem -Recurse -Include *.dll “C:\program files\adobe\” | Measure-Object
```

```
Password: 40_reader
```

## Trebek 7 -> 8

 The password for trebek8 is the name of the program set to run prior to login if sticky keys are activated **PLUS** the name of the file on the desktop.

```
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
```

```
Password: han_solo99
```

{% hint style="info" %}
Hints given in the page and look for sticky keys executable
{% endhint %}

{% hint style="info" %}
Awesome trick for persistence
{% endhint %}

## Trebek 8 -> 9

The password for trebek9 the first 8 bytes of the file located on the desktop. Combine the answer together with NO spaces.

```
Get-Content .\Clone_Trooper_data.pdf -Encoding byte -Total 8 | Write-Host -NoNewLine
```

```
Password: 779014403000
```

## Trebek 9 -> 10

 The password for trebek10 is the name of the potentially rogue share on the system **PLUS** the name of the file on the desktop.

```
Get-SMBShare
```

```
Password: shoretroopers$_hiding
```