Under The Wire
This post is an overview of my time working through the wargame “century” found in UnderTheWire.
My PowerShell skills are… lacking. I very often need to look up how to do X, how to do Y, you get the idea. So I’ve decided to change that by working through UnderTheWire wargames, an interactive way to get familiar with PowerShell. When I was starting out in the Linux world, OverTheWire wargames were a tremendous help, and I am confident the same will apply here. I am starting with Century, the first of the available games.
Century - 0 -> 1
login to the machine
Creds
century1:century1
connect with ssh
ssh century1@century.underthewire.tech
all further ssh connections will be in this format (I think, if different I will elaborate) so I won’t repeat these for each challenge
Century - 1 -> 2
The password for Century2 is the build version of the instance of PowerShell installed on this system.
After some time fumbling looking for the wrong thing I found:
PS C:\users\century1\desktop> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.14393.3866
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.3866
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
BuildVersion 10.0.14393.3866
century2:10.0.14393.3866
Century - 2 -> 3
The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
we get the filename with a simple dir
filename: 443
I think the command hinted at is Invoke-WebRequest
but whether it requires it as aforementioned or in the shorthand iwr
will require trial and error
The former was correct so with converting to lowercase the credentials are century3:invoke-webrequest443
Century - 3 -> 4
The password for Century4 is the number of files on the desktop.
with some stack-overflow browsing I have my answer
Write-Host ( Get-ChildItem C:\users\century3\desktop | Measure-Object).Count;
century4:123
Century - 4 -> 5
The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
I think I am misunderstanding this one somehow. I thought the file inside the directory should have spaces in its name, so I came up with the command
Get-ChildItem -Path .\ -Recurse | Where-Object {$_.Name -like "* *"}
but this only returns the directory Not Me
reading again I think maybe it means a file within Not Me
but this directory
with some trial and error there is a file in OpenMe
called 61580
which turned out to be the password, but since neither have whitespace in their name I am at a total loss as to what the intended solution was here.
regardless I got through, here are the creds century5:61580
Century - 5 -> 6
The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
running:
PS C:\users\century5\desktop> get-addomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=underthewire,DC=tech
DeletedObjectsContainer : CN=Deleted Objects,DC=underthewire,DC=tech
DistinguishedName : DC=underthewire,DC=tech
DNSRoot : underthewire.tech
DomainControllersContainer : OU=Domain Controllers,DC=underthewire,DC=tech
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-758131494-606461608-3556270690
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=underthewire,DC=tech
Forest : underthewire.tech
InfrastructureMaster : utw.underthewire.tech
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {cn={ECB4A7C0-B4E1-41B1-9E89-161CFA679999},cn=policies,cn=system,DC=underthewire,DC=tech, CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=underthewire,DC=tech}
LostAndFoundContainer : CN=LostAndFound,DC=underthewire,DC=tech
ManagedBy :
Name : underthewire
NetBIOSName : underthewire
ObjectClass : domainDNS
ObjectGUID : bdccf3ad-b495-4d86-a94c-60f0d832e6f0
ParentDomain :
PDCEmulator : utw.underthewire.tech
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=underthewire,DC=tech
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {utw.underthewire.tech}
RIDMaster : utw.underthewire.tech
SubordinateReferences : {DC=ForestDnsZones,DC=underthewire,DC=tech, DC=DomainDnsZones,DC=underthewire,DC=tech, CN=Configuration,DC=underthewire,DC=tech}
SystemsContainer : CN=System,DC=underthewire,DC=tech
UsersContainer : CN=Users,DC=underthewire,DC=tech
Name : underthewire
I believe what we are looking for is underthewire
grabbing the filename on the desktop of 3347
I try
century6:underthewire3347
which is correct
Century - 6 -> 7
The password for Century7 is the number of folders on the desktop. I believe this should just be a tweak on our earlier command to count directories
Write-Host ( Get-ChildItem . -Attributes Directory | Measure-Object).Count;
I actually repeated without -Attributes Directory
and it gave the same number, so filtering was really necessary but still good practice
century7:197
Century - 7 -> 8
The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
I think here I can reuse the recursive filename search technique I used when looking for the whitespace
running:
Get-ChildItem -Path .\ -Recurse | Where-Object {$_.Name -like "*readme*"}
we find it immediately inside of the downloads folder
century8:7points
Century - 8 -> 9
The password for Century9 is the number of unique entries within the file on the desktop.
with some quick research I put together a command to get an array of the unique content that can then be put into the count structure I’ve used before
Get-Content .\unique.txt | Select-Object -unique
Write-Host (Get-Content .\unique.txt | Select-Object -unique | Measure-Object).Count
we get 696 unique entries, trying this as a password we get in
century9:696
Century - 9 -> 10
The password for Century10 is the 161st word within the file on the desktop.
My first thought is that I can do this somehow through get content, so I will try to figure it out by reading the help page of the command, at least for a while before I have to resort to google :)
hmm not that helpful immediately (or I am oblivious) but I know it returns an array of content, maybe I can simply index it?
with
(get-content .\Word_File.txt)[161]
I am returned i
so clearly I am indexing the characters instead of the words. If I can make it return the words in the array, this approach should work. I saw a delimiter option in the help command; maybe this is the delimiter to split upon.
(get-content .\Word_File.txt -Delimiter " ")[161]
this returns nonapplicabness
exactly what I wanted. Now provided these arrays are not zero indexed (for some reason I have a feeling this might be the case?) we should get into the next level
century10:nonapplicabness
yes, it seems I was wrong, the array is zero indexed… repeating the command with an index of 160
(get-content .\Word_File.txt -Delimiter " ")[160]
we get pierid
century10:pierid
Century 10 -> 11
The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
with the techniques I’ve developed so far, all I need is how to get the Windows Update service description, I resorted to google here
with some trial and error of a few commands I arrived at
(get-wmiobject win32_service | where-object {$_.Name -like "*wuauserv*"} | Select Description).Description
a little dirty but does the trick
now to index this for the words we want
upon trying this I realised I forgot to split the string into an array
(get-wmiobject win32_service | where-object {$_.Name -like "*wuauserv*"} | Select Description).Description.Split(" ")
indexing for the 8th element (7th index) we get updates
indexing for the 10th element (9th index) we get windows
combining with the filename 110
from the desktop we get
century11:windowsupdates110
Century 11-> 12
The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
we can do this with a command similar to the recursive search from before, adding the -Hidden argument
Get-ChildItem -Path .\ -Recurse -Hidden
quite a bit of permission denied but we see the file secret_sauce
in downloads
century12:secret_sauce
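An added example (not part of the original post) for the recursive searches in Century 7 -> 8 and 11 -> 12: it limits the walk to the folders the challenge text names, returns files only, and discards the access-denied errors. It assumes Windows PowerShell as on the game host; the temp tree and the file names in it are constructed so the script runs anywhere.

```powershell
# Added example, not from the original post. Builds a throwaway
# profile-like tree under TEMP (all names constructed), then searches it.
# On the game host $root would be the user's profile, e.g. $env:USERPROFILE.
$root = Join-Path ([IO.Path]::GetTempPath()) 'utw_profile_demo'
foreach ($d in 'desktop', 'documents', 'downloads') {
    New-Item -ItemType Directory -Path (Join-Path $root $d) -Force | Out-Null
}
Set-Content -Path (Join-Path $root 'downloads\Readme.txt') -Value 'constructed'
$h = New-Item -ItemType File -Path (Join-Path $root 'documents\demo_hidden') -Force
$h.Attributes = $h.Attributes -bor [IO.FileAttributes]::Hidden

# Only the folders named in the challenge text that actually exist, so the
# walk never enters AppData and similar locations.
$folders = 'contacts', 'desktop', 'documents', 'downloads',
           'favorites', 'music', 'videos' |
    ForEach-Object { Join-Path $root $_ } |
    Where-Object { Test-Path $_ }

# -File skips directories, -Filter matches on the name (case-insensitive),
# and -ErrorAction SilentlyContinue drops access-denied records instead of
# printing them between the results.
$readme = Get-ChildItem -Path $folders -Recurse -File -Filter '*readme*' `
    -ErrorAction SilentlyContinue

# -Hidden returns only hidden items; -Force would return hidden and visible.
$hiddenFiles = Get-ChildItem -Path $folders -Recurse -File -Hidden `
    -ErrorAction SilentlyContinue

"readme : $($readme.FullName)"
"hidden : $($hiddenFiles.FullName)"

# Clean up the constructed tree (-Force is needed for the hidden file).
Remove-Item -Path $root -Recurse -Force
```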
Century 12-> 13
The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.
filename: _things
it took quite a while to find the right command, eventually I settled on
Get-adcomputer -filter * -Property Description
we see a description of i_authenticate so we have century13:i_authenticate_things
Century 13-> 14
The password for Century14 is the number of words within the file on the desktop.
we can do similar to before, split into array -> put into count structure used above
Write-Host (get-content .\countmywords -delimiter " " | measure-object).count
755
century14:755
Century 14-> 15
The password for Century15 is the number of times the word “polo” appears within the file on the desktop.
I used a slightly different approach to counting here to mix things up
(get-content .\countpolos -delimiter " " | select-string -pattern "^polo").length
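An added example (not part of the original post) for the word-indexing and counting steps in Century 9 -> 10, 13 -> 14 and 14 -> 15: it splits on any whitespace, maps a 1-based "Nth word" to a 0-based array index, and compares an exact-word count with the prefix match that a pattern like "^polo" performs. The file contents, the temp file name and the helper names Get-Words and Get-NthWord are constructed for illustration.

```powershell
# Added example, not from the original post. The sample text is constructed.
$sample = @'
marco polo Polo polonium
polo  water-polo polo
'@
$demoFile = Join-Path ([IO.Path]::GetTempPath()) 'utw_words_demo.txt'
Set-Content -Path $demoFile -Value $sample

# -Raw reads the whole file as one string. Splitting on \s+ treats spaces,
# tabs and newlines alike, so the tokens carry no trailing delimiter, and
# Where-Object drops the empty token left by the final newline.
function Get-Words {
    param([string]$Path)
    (Get-Content -Path $Path -Raw) -split '\s+' | Where-Object { $_ -ne '' }
}

# "Nth word" in the challenge text is 1-based; PowerShell arrays are 0-based.
function Get-NthWord {
    param([string]$Path, [int]$N)
    @(Get-Words -Path $Path)[$N - 1]
}

$words = @(Get-Words -Path $demoFile)

# -eq compares whole tokens (case-insensitive; use -ceq to respect case).
$exact = @($words | Where-Object { $_ -eq 'polo' }).Count

# -match '^polo' is a prefix match, so longer words that begin with "polo"
# are counted as well.
$prefix = @($words | Where-Object { $_ -match '^polo' }).Count

"Word count         : $($words.Count)"
"3rd word           : $(Get-NthWord -Path $demoFile -N 3)"
"Exactly polo       : $exact"
"Starting with polo : $prefix"

Remove-Item -Path $demoFile
```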
Final Thoughts
A good wargame, I definitely learned some tricks around manipulating objects in PowerShell that I didn’t know when I started. I look forward to the next stage.