Access
SSH: ssh groot4@groot.underthewire.tech -p 22
Password: 5
Info
The password for groot5 is the name of the Drax subkey within the HKEY_CURRENT_USER (HKCU) registry hive. NOTE: The password will be lowercase no matter how it appears on the screen.
Theory
To get the password, as the description says, we need to find the name of a subkey inside the `HKEY_CURRENT_USER` registry hive that sits under a parent key with "Drax" in its name. Important note here: because PowerShell's registry provider doesn't support the `-Filter` option or wildcards for key names specifically, we fall back on a recursive enumeration piped to `Where-Object` to find these keys.
For that we can build the following command. It recursively enumerates every key under `HKCU:\`, suppressing any errors (keys we aren't allowed to open) with the `-ErrorAction SilentlyContinue` option. The output is then piped to `Where-Object`, which keeps only the registry keys whose full path contains the string "Drax". In the output, the name of the subkey listed under the Drax key is the password; as the description says, just lowercase it if it has any uppercase letters and that should be it. The command that does all of that is this right here:

```powershell
Get-ChildItem HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -like '*Drax*'}
```
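A slightly more general version of the same search, added here as an example and not part of the original guide: it matches on the key's leaf name rather than its full path (so descendants of a match aren't reported a second time) and lists a matching key's subkeys and values separately, so a value name is never mistaken for a subkey name. The function and parameter names are my own.

```powershell
# Added example (not the guide's own code): find registry keys by leaf name
# and report their subkeys and values separately.
function Find-RegistryKeyChildren {
    [CmdletBinding()]
    param(
        # Root of the search, e.g. HKCU:\ (default) or HKLM:\SOFTWARE
        [string]$Root = 'HKCU:\',
        # Wildcard pattern matched against the key's leaf name (PSChildName),
        # not its full path
        [Parameter(Mandatory)][string]$KeyName
    )

    # Recursive enumeration; keys we cannot open are skipped instead of
    # aborting the run.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $KeyName } |
        ForEach-Object {
            $key = $_   # a Microsoft.Win32.RegistryKey with PS* properties

            # Subkeys: what Get-ChildItem returns one level below this key.
            $subkeys = @(Get-ChildItem -Path $key.PSPath -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty PSChildName)

            # Values: data stored directly on this key (name = data).
            $values = @($key.GetValueNames() | ForEach-Object {
                [pscustomobject]@{ Name = $_; Data = $key.GetValue($_) }
            })

            [pscustomobject]@{
                Key     = $key.Name
                # Lowercased, since the level's note says the password is lowercase.
                Subkeys = @($subkeys | ForEach-Object { $_.ToLowerInvariant() })
                Values  = $values
            }
        }
}

# Usage for this level: the key named Drax anywhere under HKCU, with its
# subkeys (the password candidates) shown apart from its values.
Find-RegistryKeyChildren -Root 'HKCU:\' -KeyName 'Drax' | ForEach-Object {
    "Key:     $($_.Key)"
    "Subkeys: $($_.Subkeys -join ', ')"
    "Values:  $(($_.Values | ForEach-Object { "$($_.Name)=$($_.Data)" }) -join ', ')"
}
```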
Solution
Now that we are inside the shell, we can run the command from the theory section and get the password. It doesn't seem to have any uppercase letters, so it's just that:
```
PS C:\users\Groot4\desktop> Get-ChildItem HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -like '*Drax*'}

    Hive: HKEY_CURRENT_USER\Software\Microsoft\Assistance

Name                           Property
----                           --------
Drax                           destroyer : test

    Hive: HKEY_CURRENT_USER\Software\Microsoft\Assistance\Drax

Name                           Property
----                           --------
destroyer
```
And that's the password! Now we should be good to go to the next level.
https://underthewire.tech/groot-4