UnderTheWire Groot Guide

Here's how to solve Groot level 5 → 6.


Access

SSH: ssh groot5@groot.underthewire.tech -p 22

Password: destroyer

Info

The password for groot6 is the name of the workstation that the user with a username of “baby.groot” can log into as depicted in Active Directory PLUS the name of the file on the desktop

NOTE:
– If the workstation is “system1” and the file on the desktop is named “_log”, the password would be “system1_log”.
– The password will be lowercase no matter how it appears on the screen.

Theory

To get the password, as the description says, we need to find the workstation that the user baby.groot can log into, and that's about it. For that we need to look through the Active Directory users and filter by their SAM account name (samAccountName) to find the user. This was shorter than I thought, but here's that command:

Get-ADUser -Filter 'samAccountName -like "baby.groot"'

Solution

Now that we are inside the shell, we can see what the second part of the password is with dir:

PS C:\users\Groot5\desktop> dir


    Directory: C:\users\Groot5\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/20/2020   3:38 PM              0 _enterprise

Now we can use the other command to find the workstation of that user:

PS C:\users\Groot5\desktop> Get-ADUser -Filter 'samAccountName -like "baby.groot"'


DistinguishedName : CN=Groot \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Baby
Name              : Groot
ObjectClass       : user
ObjectGUID        : c938286d-f672-45b7-97ee-b371f0e39836
SamAccountName    : baby.groot
SID               : S-1-5-21-758131494-606461608-3556270690-2175
Surname           : Groot
UserPrincipalName : baby.groot

Huh, it doesn't seem to be here. I knew the command was too short, but it was just a gut feeling so I guess it doesn't count after all. Get-ADUser only returns a default set of properties, so let's include userWorkstations in -Properties and see if it works now:

PS C:\users\Groot5\desktop> Get-ADUser -Filter 'samAccountName -like "baby.groot"' -Properties userWorkstations


DistinguishedName : CN=Groot \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Baby
Name              : Groot
ObjectClass       : user
ObjectGUID        : c938286d-f672-45b7-97ee-b371f0e39836
SamAccountName    : baby.groot
SID               : S-1-5-21-758131494-606461608-3556270690-2175
Surname           : Groot
UserPrincipalName : baby.groot
userWorkstations  : wk11

There it is... so let's just join that with the file in the directory, and this is our final password:

wk11_enterprise

And that's the password! Now we should be good to go to the next level.
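
The two lookups above can also be combined into one step that applies the lowercase rule from the level's NOTE. This is an added example, not part of the original guide; the function name Get-LevelPassword and its parameters are hypothetical, and it assumes the ActiveDirectory module is available and the current directory is the level's desktop folder.

```powershell
# Added example: combines the AD lookup and the desktop listing from this guide.
# Get-LevelPassword and its parameters are hypothetical names for illustration.
function Get-LevelPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DesktopPath = '.'
    )

    # Get-ADUser returns only a default property set, so userWorkstations
    # has to be requested explicitly. -eq asks for an exact match.
    $user = Get-ADUser -Filter "samAccountName -eq '$SamAccountName'" -Properties userWorkstations
    if (-not $user) {
        throw "No user found with samAccountName '$SamAccountName'."
    }
    if (-not $user.userWorkstations) {
        throw "userWorkstations is not set for '$SamAccountName'."
    }

    # The attribute is a comma-separated string when several workstations are allowed.
    $workstations = @(
        $user.userWorkstations -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    )

    # The level expects a single file on the desktop; fail loudly otherwise.
    $files = @(Get-ChildItem -Path $DesktopPath -File)
    if ($files.Count -ne 1) {
        throw "Expected exactly one file in '$DesktopPath', found $($files.Count)."
    }

    # One candidate per allowed workstation, lowercased as the level requires.
    foreach ($ws in $workstations) {
        ('{0}{1}' -f $ws, $files[0].Name).ToLower()
    }
}

Get-LevelPassword -SamAccountName 'baby.groot'
```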

https://underthewire.tech/groot-5