Access
SSH: ssh groot1@groot.underthewire.tech -p 22
Password: groot1
Info
The password for groot2 is the last five alphanumeric characters of the MD5 hash of this system’s hosts file. NOTE: – The password will be lowercase no matter how it appears on the screen. IMPORTANT: Once you feel you have completed the Groot1 challenge, start a new connection to the server, and log in with the username of Groot2 and this password will be the answer from Groot1. If successful, close out the Groot1 connection and begin to solve the Groot2 challenge. This concept is repeated over and over until you reach the end of the game.
Theory
To get the password we'll use the session we entered in the previous level, and from there we have to get the MD5 hash of the system hosts file. This all sounded easy until I remembered that I have no clue how to use MD5 in PowerShell, although I do know how to in CMD. So for this challenge we are going to go into Windows CMD and use certutil, which is the only way I know to get the hash of a file in Windows shells. We'll use certutil's -hashfile option with MD5 as the algorithm. Now all we need is where the system hosts file is located, and a quick look through the Windows documentation tells us it's in drivers/etc/hosts inside System32. Here's the command; we'll see how we put the file in later:
certutil -hashfile FileName.ext MD5
Solution
Because we're already inside the PowerShell session from the previous level, we can go ahead and go into CMD:
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Under the Wire... PowerShell Training for the People!
PS C:\users\Groot1\desktop> cmd
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\users\Groot1\desktop>
Perfect, so it does let us go into CMD. Now let's run that certutil command and see if we get it:
C:\users\Groot1\desktop>certutil -hashfile C:\Windows\System32\drivers\etc\hosts MD5
MD5 hash of file C:\Windows\System32\drivers\etc\hosts:
6eec08310bd5328ffc8fb72cd8e464c3
CertUtil: -hashfile command completed successfully.
There we go, we got the MD5 of the system's hosts file. Now let's take the last five characters, and because they're already lowercase, we have these last five chars:
464c3
And that's the password! Now we should be good to go to the next level.
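The same result can be obtained without leaving PowerShell. The following is an added example, not part of the original write-up or the Under the Wire project; it assumes PowerShell 4.0 or later (where Get-FileHash is available), and the function names ConvertTo-HashSuffix and Get-HashSuffix are hypothetical helpers. It also cross-checks the value against certutil and applies the challenge's "last five alphanumeric characters, lowercase" rule to both.

```powershell
# Added example: names below are illustrative, not from the challenge.

function ConvertTo-HashSuffix {
    param(
        [Parameter(Mandatory)] [string] $Text,
        [int] $Length = 5
    )
    # Keep alphanumerics only (some older certutil builds print the digest
    # as space-separated bytes), then lowercase, as the level notes require.
    $clean = ($Text -replace '[^0-9A-Za-z]', '').ToLowerInvariant()
    if ($clean.Length -lt $Length) {
        throw "Digest has fewer than $Length alphanumeric characters."
    }
    $clean.Substring($clean.Length - $Length)
}

function Get-HashSuffix {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Algorithm = 'MD5',
        [int] $Length = 5
    )
    # Get-FileHash returns the digest as an UPPERCASE hex string in .Hash,
    # which is why the lowercase step matters for this level.
    $hex = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm -ErrorAction Stop).Hash
    ConvertTo-HashSuffix -Text $hex -Length $Length
}

# Build the hosts path from the environment instead of hard-coding C:\Windows.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$fromPowerShell = Get-HashSuffix -Path $hostsPath

# Cross-check with certutil: the digest is the second line of its output.
$certutilOutput = certutil -hashfile $hostsPath MD5
if ($LASTEXITCODE -ne 0) { throw "certutil failed: $certutilOutput" }
$fromCertutil = ConvertTo-HashSuffix -Text $certutilOutput[1]

if ($fromPowerShell -ne $fromCertutil) {
    throw "Mismatch: Get-FileHash gave $fromPowerShell, certutil gave $fromCertutil"
}
$fromPowerShell
```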
https://underthewire.tech/groot-1