UnderTheWire Groot Guide

Here's how to solve Groot level 11 → 12.

Access

SSH: ssh groot11@groot.underthewire.tech -p 22

Password: taserface

Info

The password for groot12 is within an alternate data stream (ADS) somewhere on the desktop.

NOTE:
– The password will be lowercase no matter how it appears on the screen.

Theory

To get the password, as the description says, we need to find the alternate data stream of a file on the desktop. The first command lists every stream of every file in the current directory: it gets all the file items, then all of their streams, and then selects only the filename and stream name, because otherwise the output is a really big, messy-to-look-through data dump. The second command takes the filename and the stream name and reads the content of the file from that stream. The commands look like this:

Get-ChildItem -File | Get-Item -Stream * | Select-Object FileName, Stream
Get-Content filename.ext -Raw -Stream stream_name

Solution

Now that we are inside the shell, we can use the first command to see what the streams might be:

PS C:\users\Groot11\desktop> Get-ChildItem -File | Get-Item -Stream * | Select-Object FileName, Stream

FileName                                    Stream
--------                                    ------
C:\users\Groot11\desktop\TPS_Reports01.txt  :$DATA
C:\users\Groot11\desktop\TPS_Reports02.doc  :$DATA
C:\users\Groot11\desktop\TPS_Reports03.txt  :$DATA
C:\users\Groot11\desktop\TPS_Reports04.pdf  :$DATA
C:\users\Groot11\desktop\TPS_Reports04.pdf  secret
C:\users\Groot11\desktop\TPS_Reports05.xlsx :$DATA
C:\users\Groot11\desktop\TPS_Reports06.pptx :$DATA

Oh, look at that, a secret stream among all the normal data files. Let's just put that file in the command from earlier to read its "secret" stream:

PS C:\users\Groot11\desktop> Get-Content TPS_Reports04.pdf -Raw -Stream secret
spaceships

And that's the password! Now we should be good to go to the next level.
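
The same lookup generalized into a reusable check, as an added example that is not part of the original guide: it walks a folder recursively, drops the default `:$DATA` stream that every file has, and previews whatever is left. `Find-AlternateStream`, the `ads-demo` folder and its contents are hypothetical names and constructed sample data; an NTFS volume is assumed.

```powershell
# Added example (not from the original guide). Find-AlternateStream is a
# hypothetical helper name; it only uses the cmdlets shown in this guide.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [string]$Path = '.',
        [int]$PreviewChars = 40
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every NTFS file has the unnamed default stream ':$DATA'; skip it
            # so only named (alternate) streams remain.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            # [string] turns an empty stream ($null) into '' before trimming.
            $text = ([string](Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw)).Trim()
            [pscustomobject]@{
                FileName = $_.FileName
                Stream   = $_.Stream
                Length   = $_.Length
                Preview  = $text.Substring(0, [Math]::Min($PreviewChars, $text.Length))
            }
        }
}

# Constructed demo data: a scratch folder with one plain file and one file
# that carries an extra named stream. Requires an NTFS volume (assumption).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'plain.txt')  -Value 'nothing here'
Set-Content -LiteralPath (Join-Path $demo 'report.txt') -Value 'visible text'
Set-Content -LiteralPath (Join-Path $demo 'report.txt') -Stream 'note' -Value 'constructed sample value'

# Only report.txt with its 'note' stream should be listed.
Find-AlternateStream -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a real profile, expect `Zone.Identifier` streams on files downloaded from the Internet; those are the normal Mark of the Web, so any other stream name is what deserves a closer look.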

https://underthewire.tech/groot-11