Under the Wire trains experienced, developing, and novice Information Technologists to use Windows PowerShell in a variety of situations through innovative and fun wargames.
Some things that may help you in the games are below.
- The Internet
- Get-Help
- Get-Command
- Get-Member
- The “Tab” key will help with finishing out commands
Century 0
Credentials: century1:century1 for century.underthewire.tech.
1
$ sshpass -p 'century1' ssh century1@century.underthewire.tech
Century 1
The password for Century2 is the build version of the instance of PowerShell installed on this system.
1
2
PS C:\users\century1\desktop> echo $PSVersionTable | findstr /i buildversion
BuildVersion 10.0.14393.3866
Century 2
The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
Here’s a simple way to search for cmdlets and learn about them:
- Searching which cmdlet is related to web/webrequests.
1 2 3 4 5 6 7
PS C:\users\century2\desktop> Get-Command | Select-String webrequest Clear-WebRequestTracingSetting Clear-WebRequestTracingSettings Disable-WebRequestTracing Enable-WebRequestTracing Get-WebRequest Invoke-WebRequest
- Manual page for
Invoke-WebRequest:1 2 3 4 5 6 7
PS C:\users\century2\desktop> Get-Help Invoke-WebRequest NAME Invoke-WebRequest SYNOPSIS Gets content from a web page on the Internet. SYNTAX Invoke-WebRequest [-Uri] <Uri> . . . . .
- Example for
Invoke-WebRequest:1 2 3 4 5 6 7
PS C:\users\century2\desktop> get-help Invoke-WebRequest -examples NAME Invoke-WebRequest SYNOPSIS Gets content from a web page on the Internet. Example 1: Send a web request PS C:\>Invoke-WebRequest -URI http://www.bing.com?q=how+many+feet+in+a+mile
- Usage of
Invoke-WebRequest:1 2 3
PS C:\users\century2\desktop> Invoke-WebRequest -Uri http://84c52d11c785.ngrok.io -OutFile C:\windows\system32\spool\drivers\color\index.html PS C:\users\century2\desktop> Get-Content C:\windows\system32\spool\drivers\color\index.html Hello!
Directory listing of century2’s desktop:
1 2 3 4 5
PS C:\users\century2\desktop> Get-ChildItem Directory: C:\users\century2\desktop Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 8/30/2018 3:29 AM 693 443
Century 3
The password for Century4 is the number of files on the desktop.
1
2
3
4
5
6
7
8
9
10
11
PS C:\users\century3\desktop> Get-Command | Select-String measure
Measure-Command
Measure-Object
PS C:\users\century3\desktop> get-help Measure-Object
NAME
Measure-Object
SYNOPSIS
Calculates the numeric properties of objects, and the characters, words, and lines in string objects, such as files of text.
SYNTAX
Measure-Object [[-Property] <String[]>] . . . .
Usage of Measure-Object:
1
2
PS C:\users\century3\desktop> Get-ChildItem | Measure-Object
Count : 123
Century 4
The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
1
2
3
PS C:\users\century4\desktop> Get-ChildItem -Recurse | Select-String ' '
Not Me
OpenMe\61580:1:Great Work! Keep it up.
Century 5
The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
1
2
3
4
PS C:\users\century5\desktop> Get-ADDomain | Select-Object Name
Name
----
underthewire
1
2
3
4
5
PS C:\users\century5\desktop> Get-ChildItem
Directory: C:\users\century5\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:29 AM 54 3347
Century 6
The password for Century7 is the number of folders on the desktop.
1
2
PS C:\users\century6\desktop> Get-ChildItem -Recurse -Directory| Measure-Object
Count : 197
Century 7
The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
1
2
PS C:\users\century7\desktop> gci C:\users\century7 -Recurse -Include "*readme*" | cat
7points
Century 8
The password for Century9 is the number of unique entries within the file on the desktop.
1
2
PS C:\users\century8\desktop> gc .\unique.txt | Sort-Object | Get-Unique | measure-object
Count : 696
Century 9
The password for Century10 is the 161st word within the file on the desktop.
1
2
PS C:\users\century9\desktop> (gc .\Word_File.txt -Delimiter ' ' -TotalCount 161)[-1]
pierid
Century 10
The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
1
2
3
4
5
6
7
8
9
PS C:\users\century10\desktop> Get-Service "Windows Update"
Status Name DisplayName
------ ---- -----------
Stopped wuauserv Windows Update
PS C:\users\century10\desktop> Get-WmiObject Win32_Service -Filter "name='wuauserv'" | select-object *
PSComputerName : UTW
Name : wuauserv
. . . . . .
Password seems to be windowsupdates110:
1
2
3
4
5
6
7
8
9
10
PS C:\users\century10\desktop> Get-WmiObject Win32_Service -Filter "name='wuauserv'" | select-object description
description
-----------
Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this compu...
PS C:\users\century10\desktop> gci
Directory: C:\users\century10\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:34 AM 43 110
Century 11
The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
1
2
3
4
5
6
PS C:\users\century11\desktop> gci C:\users\century11 -File -Hidden -Recurse -Exclude *.ini,*.dat* -ErrorAction SilentlyContinue
Directory: C:\users\century11\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
--rh-- 8/30/2018 3:34 AM 30 secret_sauce
Century 12
The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.
1
2
3
4
5
6
7
PS C:\users\century12\desktop> Get-ADDomainController
ComputerObjectDN : CN=UTW,OU=Domain Controllers,DC=underthewire,DC=tech
DefaultPartition : DC=underthewire,DC=tech
Domain : underthewire.tech
Enabled : True
Forest : underthewire.tech
HostName : utw.underthewire.tech
Get-ADDomainController doesn’t show any description, grabbing the computer name ‘OTW’ and using that in Get-ADComputer. Also Get-ADComputer by-default doesn’t show description field.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
PS C:\users\century12\desktop> Get-ADComputer UTW -Properties description
Description : i_authenticate
DistinguishedName : CN=UTW,OU=Domain Controllers,DC=underthewire,DC=tech
DNSHostName : utw.underthewire.tech
Enabled : True
Name : UTW
ObjectClass : computer
ObjectGUID : 5ca56844-bb73-4234-ac85-eed2d0d01a2e
SamAccountName : UTW$
SID : S-1-5-21-758131494-606461608-3556270690-1000
PS C:\users\century12\desktop> gci
Directory: C:\users\century12\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 3:34 AM 30 _things
---
Century 13
The password for Century14 is the number of words within the file on the desktop.
1
2
3
4
5
6
7
8
9
10
PS C:\users\century13\desktop> gc .\countmywords | measure-object -word
Lines Words Characters Property
----- ----- ---------- --------
755
PS C:\users\century13\desktop> gc .\countmywords -delimiter ' ' | measure-object
Count : 755
PS C:\users\century13\desktop> (gc .\countmywords -delimiter ' ').count
755
Century 14
The password for Century15 is the number of times the word “polo” appears within the file on the desktop.
1
2
PS C:\users\century14\desktop> (Get-Content .\countpolos -delimiter ' ' | Select-String -Pattern "^polo" -AllMatches).count
153