UnderTheWire - Century
Last updated
Last updated
First, connect to century using ssh. The username and password for this level are given in the slack channel.
This level is cleared when the directory is now changed into 'C:\users\century1\desktop'
To get the password, we need to check the Powershell version detail which include the build version. So the password for century2 is '10.0.14393.4583'
The wget alternative to powershell is Invoke-WebRequest. The file name in the desktop is '443'. So, by combining the two findings will give the password 'invoke-webrequest443'.
Since the password is the number of files in the desktop, we can use Measure-Object to count the files exist.
The clue is a directory with spaces in its name. To find the directory, we can use Get-ChildItem -Directory to list out all directories. Then, we can use Where-Object to filter the name which contain spaces. From here, we found the 'Can You Open Me' directory.
The file name inside this directory is 5548, which is the password.
Since we are logged in to the system, we can use Get-ADDomain on local computer to find the name of the domain.
The password for the next level is the number of folders (read: directories) in the desktop. Similar to previous level, we can use Measure-Object.
The aim of this level is to find a readme file which located in the specific directories. We can use Get-ChildItem including file extension filter. Since most of readme file is .md file, we can filter only .md file.
The output shows all .md file found from the server. Only 1 file found which match the level's hint. We found a readme.md file in \Downloads directory.
Moving to the \Downloads directory give us 2 readme files. Reading the readme.txt shows the password for next level.
The password for this level is the number of entries in the .txt file. Opening the .txt shows the list of strings.
To find the number of entries, we can use .length method.
Alternatively, we can use .count method which serves similar purpose.
The content in Word_File.txt is the words displayed in one line.
Use split to load each word into an array.
Then return the 160th entry (-1 as the array will start at zero).
The password is included in the Windows Update service description. So, first we check the services for the computer and it returns the long list.
Next, we filter out the specific term we are looking for. In this case, we search for services with the word 'update'. Here we can see the windows update named 'wuauserv'.
Try using 'select' command but it returns nothing.
Since Get-Service returns a limited set of information, we can use Get-WmiObject to get more information.
From the description and the file name in desktop directory, we can get the password 'windowsupdates110'.
The password for century12 is a hidden file in some specific directories listed. To find the hidden file, we can use Get-ChildItem (gci) with hidden attributes parameter. Since gci will go through all directories, an error is expected. So, I make sure to include 'ErrorAction' silent to hide error output.
After that, we can see the only file in the right directory that match the hint. So, the password for century12 is secret_sauce.
We can start with the easier task by finding out the name of the file in the desktop.
Next, we can use Get-ADDomainController to find the information about the domain controller. The information include the computer name, 'UTW'.
From the information gained, we can use Get-ADComputer to find the information of the specific Active Directory Computer. Combining both findings, we can get the password for century13, 'i_authenticate_things'.
755
To get the password, first we can use delimiter paramater before using findstr command to detect every word 'polo'. Counting the polo words returns the password.
Alternatively, we can use select-string command with pattern and allmatches parameter to find the word polo.
Using the password obtained from century14, we can log into century15 which mark the end of the Century challenge. All the best!