Access
SSH: ssh groot5@groot.underthewire.tech -p 22
Password: destroyer
Info
The password for groot6 is the name of the workstation that the user with a username of “baby.groot” can log into as depicted in Active Directory PLUS the name of the file on the desktop.
NOTE:
– If the workstation is “system1” and the file on the desktop is named “_log”, the password would be “system1_log”.
– The password will be lowercase no matter how it appears on the screen.
Theory
To get the password, as the description says, we need to find the workstation that the user baby.groot can log into, and yeah, that's about it. For that we look through the Active Directory users and filter by their name in the Security Account Manager (the samAccountName attribute) to find the user. Oh, this was shorter than I thought. Here's the command:
Get-ADUser -Filter 'samAccountName -like "baby.groot"'
Solution
Now that we are inside the shell, we can see what the second part of the password is with dir:
PS C:\users\Groot5\desktop> dir

    Directory: C:\users\Groot5\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/20/2020   3:38 PM              0 _enterprise
Now we can use the other command to find the workstation of that user:
PS C:\users\Groot5\desktop> Get-ADUser -Filter 'samAccountName -like "baby.groot"'

DistinguishedName : CN=Groot \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Baby
Name              : Groot
ObjectClass       : user
ObjectGUID        : c938286d-f672-45b7-97ee-b371f0e39836
SamAccountName    : baby.groot
SID               : S-1-5-21-758131494-606461608-3556270690-2175
Surname           : Groot
UserPrincipalName : baby.groot
Huh, the workstation doesn't seem to be here. I knew the command was too short, but it was just a gut feeling so I guess it doesn't count after all. Get-ADUser only returns a default set of properties, so let's ask for userWorkstations explicitly with -Properties and see if it works now:
PS C:\users\Groot5\desktop> Get-ADUser -Filter 'samAccountName -like "baby.groot"' -Properties userWorkstations

DistinguishedName : CN=Groot \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Baby
Name              : Groot
ObjectClass       : user
ObjectGUID        : c938286d-f672-45b7-97ee-b371f0e39836
SamAccountName    : baby.groot
SID               : S-1-5-21-758131494-606461608-3556270690-2175
Surname           : Groot
UserPrincipalName : baby.groot
userWorkstations  : wk11
There it is... so let's just join that with the file in the directory, and this is our final password:
wk11_enterprise
And that's the password! Now we should be good to go to the next level.
https://underthewire.tech/groot-5