✏️
Write-Ups
  • 💫UnderTheWire - Century
  • 🤖UnderTheWire - Cyborg
Powered by GitBook
On this page

UnderTheWire - Cyborg

PreviousUnderTheWire - Century

Last updated 2 years ago

Cyborg 0

The password for cyborg1 is given in the slack channel.

Cyborg 1 > 2

The password for cyborg2 is included in Chris Rogers's information detail, in which reside within the Active Directory. The first step is to find the Chris's user information through filtering. However, the information for Chris's state is hidden by default.

So, -properties parameter can be used to view the specific attribute.

Cyborg 2 > 3

To find the password, we need the IP address for host CYBORG718W100N. Resolve-DnsName is the PowerShell equivalent for Linux's nslookup

Combining the address with the name of file in desktop, we can get the password for cyborg3.

Cyborg 3 > 4

To find the number of members in Cyborg group, we can use the count method.

Combining the number and file name returns the password for cyborg4.

Cyborg 4 > 5

To find the module with version '8.9.8.9', we can view all modules which are available in the server. From the list of modules, the name for module with desired version can be seen.

Combining the name of the module and the file name returns the password for cyborg5.

Cyborg 5 > 6

To find the user with the logon hours set, we need to determine the attribute name related to logon by using findstr. From here, we found the logonHours attribute which can be used.

We can filter logonHours with specified value while using Get-ADUser. Since the logonHours should not be empty (it is set), asterisk is used.

Combining the user's last name and file's name returns the password for cyborg6.

Cyborg 6 > 7

In cyborg6, 3 files are found. All 3 files contains the same base64 encoded string.

Using a simple script to decode the encoded string will return the password for cyborg7.

Cyborg 7 > 8

From reading, the list of Run registry key are:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

To view the file in the specified path, Get-Item command is used. Trying to get item from Local Machine returns nothing.

Since the hint says the program runs automatically when cyborg7 logged in, we try to check in Current User disk. It then returns the name of the executable file, which is the password for cyborg8.

Cyborg 8 > 9

Given in cyborg8 is a .png file.

To view the data stream of the image file, -stream parameter is used. From the data shown, a stream name 'Zone.Identifier' is found.

Using the stream name to get the specific metadata returns the zone ID for the image file, which is the password for cyborg9.

Cyborg 9 > 10

To obtain the name of the attribute related to phone number, findstr command is used with Get-ADUser which return the attribute name.

Use the attribute name to filter the user information based on phone number.

Executing the command returns the user with matching phone number. The first name of the user is a part of the password.

Combining the first name with file name in desktop returns the password for cyborg10.

Cyborg 10 > 11

Cyborg 11 > 12

🤖
  • Cyborg 0
  • Cyborg 1 > 2
  • Cyborg 2 > 3
  • Cyborg 3 > 4
  • Cyborg 4 > 5
  • Cyborg 5 > 6
  • Cyborg 6 > 7
  • Cyborg 7 > 8
  • Cyborg 8 > 9
  • Cyborg 9 > 10
  • Cyborg 10 > 11
  • Cyborg 11 > 12