Access
SSH: ssh century10@century.underthewire.tech -p 22
Password: pierid
Info
The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
NOTE:
– The password will be lowercase no matter how it appears on the screen.
– If the 10th and 8th word of the service description is “apple” and “juice” and the name of the file on the desktop is “88”, the password would be “applejuice88”.
Theory
There's not much to go on, but we can start with Get-Service, look for the service named Windows Update, and continue from whatever the system gives us. So the plan is simple: list the services, and use dir to get the name of the file:
    Get-Service
    dir
Solution
Now that we are on the desktop, first we'll use dir to get the name of the file, and then check the services:
    PS C:\users\century10\desktop> dir

        Directory: C:\users\century10\desktop

    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----        8/30/2018   3:34 AM             43 110

    PS C:\users\century10\desktop> Get-Service

    Status   Name               DisplayName
    ------   ----               -----------
    Running  ADWS               Active Directory Web Services
    Stopped  AJRouter           AllJoyn Router Service
    Stopped  ALG                Application Layer Gateway Service
    Running  Appinfo            Application Information
    Stopped  AppMgmt            Application Management
    ...
    Stopped  WpnUserService_... Windows Push Notifications User Ser...
    Stopped  WSearch            Windows Search
    Stopped  wuauserv           Windows Update
    Running  wudfsvc            Windows Driver Foundation - User-mo...
    Stopped  XblAuthManager     Xbox Live Auth Manager
    Stopped  XblGameSave        Xbox Live Game Save
Looks like "Windows Update" is here, with the service name "wuauserv". I'm going to look at that service:
    PS C:\users\century10\desktop> Get-Service wuauserv

    Status   Name               DisplayName
    ------   ----               -----------
    Stopped  wuauserv           Windows Update
Oh, that just shows the same basic info. We can use Get-Member to see what else this service object exposes:
    PS C:\users\century10\desktop> Get-Service wuauserv | Get-Member

       TypeName: System.ServiceProcess.ServiceController

    Name                      MemberType    Definition
    ----                      ----------    ----------
    Name                      AliasProperty Name = ServiceName
    RequiredServices          AliasProperty RequiredServices = ServicesDependedOn
    Disposed                  Event         System.EventHandler Disposed(System.Object, System.EventArgs)
    Close                     Method        void Close()
    Continue                  Method        void Continue()
    CreateObjRef              Method        System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
    ...
Doesn't look like there's anything useful for us in here; maybe Select-Object will be better:
    PS C:\users\century10\desktop> Get-Service wuauserv | Select-Object *

    Name                : wuauserv
    RequiredServices    : {rpcss}
    CanPauseAndContinue : False
    CanShutdown         : False
    CanStop             : False
    DisplayName         : Windows Update
    DependentServices   : {}
    MachineName         : .
    ServiceName         : wuauserv
    ServicesDependedOn  : {rpcss}
    ServiceHandle       :
    Status              : Stopped
    ServiceType         : Win32ShareProcess
    StartType           : Manual
    Site                :
    Container           :
Okay, I think I'm starting to understand this a bit. The "ServiceType : Win32ShareProcess" line is a reminder that this is a Win32 service, and there's a command that gets exactly what we need for those: Get-WmiObject. Finding things with this command can get pretty complicated, so I checked the Microsoft Learn page for it, and one of the examples there (example four) is the exact command we need to look up this wuauserv service:
    PS C:\users\century10\desktop> Get-WmiObject -Query "select * from win32_service where name='wuauserv'"

    ExitCode  : 0
    Name      : wuauserv
    ProcessId : 0
    StartMode : Manual
    State     : Stopped
    Status    : OK
Uhm, yeah, I forgot that the default view only shows a handful of properties. To see everything on the object, including the description, a Select-Object * at the end should work:
    PS C:\users\century10\desktop> Get-WmiObject -Query "select * from win32_service where name='wuauserv'" | Select-Object *

    PSComputerName          : UTW
    Name                    : wuauserv
    Status                  : OK
    ExitCode                : 0
    DesktopInteract         : False
    ErrorControl            : Normal
    PathName                : C:\Windows\system32\svchost.exe -k netsvcs
    ServiceType             : Share Process
    StartMode               : Manual
    __GENUS                 : 2
    __CLASS                 : Win32_Service
    __SUPERCLASS            : Win32_BaseService
    __DYNASTY               : CIM_ManagedSystemElement
    __RELPATH               : Win32_Service.Name="wuauserv"
    __PROPERTY_COUNT        : 26
    __DERIVATION            : {Win32_BaseService, CIM_Service, CIM_LogicalElement, CIM_ManagedSystemElement}
    __SERVER                : UTW
    __NAMESPACE             : root\cimv2
    __PATH                  : \\UTW\root\cimv2:Win32_Service.Name="wuauserv"
    AcceptPause             : False
    AcceptStop              : False
    Caption                 : Windows Update
    CheckPoint              : 0
    CreationClassName       : Win32_Service
    DelayedAutoStart        : False
    Description             : Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
    DisplayName             : Windows Update
    InstallDate             :
    ProcessId               : 0
    ServiceSpecificExitCode : 0
    Started                 : False
    StartName               : LocalSystem
    State                   : Stopped
    SystemCreationClassName : Win32_ComputerSystem
    SystemName              : UTW
    TagId                   : 0
    WaitHint                : 0
    Scope                   : System.Management.ManagementScope
    Path                    : \\UTW\root\cimv2:Win32_Service.Name="wuauserv"
    Options                 : System.Management.ObjectGetOptions
    ClassPath               : \\UTW\root\cimv2:Win32_Service
    Properties              : {AcceptPause, AcceptStop, Caption, CheckPoint...}
    SystemProperties        : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
    Qualifiers              : {dynamic, Locale, provider, UUID}
    Site                    :
    Container               :
That's a lot of information, but basically, the description is just this (look, I even highlighted the eighth and tenth words):
Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.
Finally! We got the description. Now we can join the tenth and eighth words, in that order, with the name of the file we found at the start, and we get this password:
windowsupdates110
And that's the password! Now we should be good to go to the next level.
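The steps above collapsed into one script, as an added example that is not part of the original walkthrough. The function names are hypothetical, the sample text is the first sentence of the description shown above, and the desktop path in the closing comments is an assumption.

```powershell
# Added example: pick words by position from a service description.
# Get-ServiceDescription and Join-DescriptionWords are hypothetical names.

function Get-ServiceDescription {
    param(
        # Restrict the name so it cannot break out of the quoted WQL filter.
        [ValidatePattern('^[\w.-]+$')]
        [string]$Name
    )
    # Same Win32_Service class the walkthrough queries; only Description is returned.
    (Get-WmiObject -Class Win32_Service -Filter "Name='$Name'").Description
}

function Join-DescriptionWords {
    param(
        [string]$Description,
        [int[]]$Position,   # 1-based word positions, in the order they are joined
        [string]$Suffix     # e.g. the name of the file on the desktop
    )
    # Split on whitespace; @() keeps a one-word result as an array.
    $words = @($Description -split '\s+' | Where-Object { $_ })
    $picked = foreach ($p in $Position) {
        if ($p -lt 1 -or $p -gt $words.Count) {
            throw "Description has $($words.Count) words; no word at position $p."
        }
        # Drop punctuation attached to the word, such as "detection,".
        $words[$p - 1] -replace '[^\w]', ''
    }
    # The level says the password is always lowercase.
    (($picked -join '') + $Suffix).ToLower()
}

# Offline run: first sentence of the description from the output above.
$sample = 'Enables the detection, download, and installation of updates ' +
          'for Windows and other programs.'
Join-DescriptionWords -Description $sample -Position 10, 8 -Suffix '110'

# On the level itself (assumes the file is the only one on the desktop):
# $desc = Get-ServiceDescription -Name 'wuauserv'
# $file = (Get-ChildItem -File "$HOME\Desktop" | Select-Object -First 1).Name
# Join-DescriptionWords -Description $desc -Position 10, 8 -Suffix $file
```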
https://underthewire.tech/century-10