UnderTheWire Groot Guide

here's how to solve the Groot level 6 → 7

Back to the Groot Guides

Previous Level Guide: Groot Level 5 → 6

Access

SSH: ssh groot6@groot.underthewire.tech -p 22

Password: wk11_enterprise

Info

The password for groot7 is the name of the program that is set to start when this user logs in PLUS the name of the file on the desktop.

NOTE:
– Omit the executable extension.
– If the program is “mspaint” and the file on the desktop is named “_log”, the password would be “mspaint_log”.
– The password will be lowercase no matter how it appears on the screen.

▼ HINT :
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order

Theory

To get the password, as the description says, we're told to find the name of the program at startup, or well, when the user enters in the system at startup, we've already seen this kind of stuff before in another one of these levels, I don't remember, but I do remember this command. I'm not gonna get into the specifics of it because it's pretty self-explanatory, but the gist is that it lists all programs that open at startup, so when the user logs in after turning on their computer, stuff like that. So the command looks like this:

Get-CimInstance Win32_StartupCommand

Solution

Now that we are inside the shell, we can see what the second part of the command is with dir:

PS C:\users\Groot6\desktop> dir


    Directory: C:\users\Groot6\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/21/2020   1:24 PM              0 _rules

Now we can use the other command to see the startup programs:

PS C:\users\Groot6\desktop> Get-CimInstance Win32_StartupCommand

Command          User                Caption
-------          ----                -------
                 underthewire\Groot6 New Value #1
                 underthewire\Groot6 New Value #2
                 underthewire\Groot6 New Value #3
                 underthewire\Groot6 New Value #4
C:\star-lord.exe underthewire\Groot6 star-lord

I'm gonna go out on a limb, and say that it's the star-lord one, not only is it the only one with a path, but also the only one that makes sense, because the others are just newly created values. So we can grab that name, removing the C part of the path and the extension to get the "name" of the file, or just copy the caption, so let's just join that with the file in the directory, and this is our final password:

star-lord_rules

And that's the password! Now we should be good to go to the next level.

https://underthewire.tech/groot-6
Next Level Guide: Groot Level 7 → Level 8

Explore My Website