Access
SSH: ssh groot6@groot.underthewire.tech -p 22
Password: wk11_enterprise
Info
The password for groot7 is the name of the program that is set to start when this user logs in PLUS the name of the file on the desktop.
NOTE:
– Omit the executable extension.
– If the program is “mspaint” and the file on the desktop is named “_log”, the password would be “mspaint_log”.
– The password will be lowercase no matter how it appears on the screen.
HINT: https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
Theory
To get the password we need, as the description says, the name of the program that starts when this user logs in. We've already seen this kind of thing in an earlier level (I don't remember which one), and the command for it is easy to remember. I'm not gonna get into the specifics because it's pretty self-explanatory, but the gist is that it lists every program registered to run at startup, i.e. when the user logs in after turning on the computer (the Run keys the hint talks about, among other locations). The command looks like this:
Get-CimInstance Win32_StartupCommand
Solution
Now that we are inside the shell, we can get the second part of the password (the file on the desktop) with dir:
PS C:\users\Groot6\desktop> dir

    Directory: C:\users\Groot6\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         8/21/2020   1:24 PM             0 _rules
Now we can use the other command to see the startup programs:
PS C:\users\Groot6\desktop> Get-CimInstance Win32_StartupCommand

Command          User                Caption
-------          ----                -------
                 underthewire\Groot6 New Value #1
                 underthewire\Groot6 New Value #2
                 underthewire\Groot6 New Value #3
                 underthewire\Groot6 New Value #4
C:\star-lord.exe underthewire\Groot6 star-lord
I'm gonna go out on a limb and say it's the star-lord one: not only is it the only entry with a path, it's also the only one that makes sense, because the others are just newly created, empty values. So we take that name, dropping the C:\ part of the path and the .exe extension to get the "name" of the program (or just copy the caption), and join it with the file on the desktop. This is our final password:
star-lord_rules
And that's the password! Now we should be good to go to the next level.
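As an added example (not part of the original write-up), here is how I would script the whole thing on a Windows box: enumerate login persistence both through Win32_StartupCommand and directly through the Run keys the hint article covers, then build the password in the format the level's NOTE requires. $DesktopPath and the choice of the first entry with a non-empty Command are my assumptions.

```powershell
# Added example, not code from the original write-up.
# Assumes Windows PowerShell 5+ and that $DesktopPath exists.
$DesktopPath = "$env:USERPROFILE\Desktop"

# 1. Win32_StartupCommand covers the Run/RunOnce keys and the Startup folders.
#    Keep only entries that actually point at a command; placeholder values
#    such as "New Value #1" have an empty Command field and are noise.
$startup = Get-CimInstance Win32_StartupCommand |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.Command) } |
    Select-Object Name, Command, Location, User
$startup | Format-Table -AutoSize

# 2. The same persistence locations read straight from the registry, which is
#    what a defender checks when auditing what a user or machine will launch.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            Select-Object * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# 3. Build the answer: program name without its extension (and without the
#    surrounding quotes some entries carry), plus the desktop file name,
#    all lowercase. Assumes the Command is a bare path with no arguments.
$program = [System.IO.Path]::GetFileNameWithoutExtension(
    ($startup | Select-Object -First 1 -ExpandProperty Command).Trim('"'))
$file = (Get-ChildItem -Path $DesktopPath -File | Select-Object -First 1).Name
$password = ($program + $file).ToLower()
$password
```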
https://underthewire.tech/groot-6