Trebek 5 -> 10

Trebek 5 -> 6

The password for trebek6 is the name of the executable that is starting at 3/23/2017 8:08:53 PM via the Software Protection service as depicted in the event log on the desktop.

Get-WinEvent -Path .\application.evtx | Where-Object -Property TimeCreated -eq "3/23/2017 8:08:53 PM" | Format-List
Log Id: 900

Password: wlms

Trebek 6 -> 7

The password for trebek7 is the total number of DLLs within the “C:\program files\adobe\” folder and it’s subfolders PLUS the name of the file on the desktop.

Get-ChildItem -Recurse -Include *.dll “C:\program files\adobe\” | Measure-Object

Password: 40_reader

Trebek 7 -> 8

The password for trebek8 is the name of the program set to run prior to login if sticky keys are activated PLUS the name of the file on the desktop.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"

Password: han_solo99

Hints given in the page and look for sticky keys executable

Awesome trick for persistence

Trebek 8 -> 9

The password for trebek9 the first 8 bytes of the file located on the desktop. Combine the answer together with NO spaces.

Get-Content .\Clone_Trooper_data.pdf -Encoding byte -Total 8 | Write-Host -NoNewLine

Password: 779014403000

Trebek 9 -> 10

The password for trebek10 is the name of the potentially rogue share on the system PLUS the name of the file on the desktop.

Get-SMBShare

Password: shoretroopers$_hiding