UnderTheWire Groot Guide

Here's how to solve Groot level 7 → 8.



Access

SSH: ssh groot7@groot.underthewire.tech -p 22

Password: star-lord_rules

Info

The password for groot8 is the name of the dll, as depicted in the registry, associated with the “applockerfltr” service PLUS the name of the file on the desktop.

NOTE:
– The password will be lowercase no matter how it appears on the screen.
– If the name of the dll is “abc.dll” and the file on the desktop is named “_1234”, the password would be “abc_1234”.

Theory

As the description says, we need to find the name of the dll associated with the applockerfltr service in the registry. The command simply lists the service keys under the Services path of the registry and filters them with Where-Object: as I've said before in one of these levels, you can't use things like the -Filter option and wildcards in the registry, so Where-Object is the option to work with, and we just search for applocker with it. This is the command we get:

dir
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'}

Solution

Now that we are inside the shell, we can see the second part of the password (the file on the desktop) with dir:

PS C:\users\Groot7\desktop> dir


    Directory: C:\users\Groot7\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/31/2021   5:13 PM              0 _home

We can now use the other command to see the applockerfltr service:

PS C:\users\Groot7\desktop> Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'}


    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Name                           Property
----                           --------
applockerfltr                  DisplayName     : @%systemroot%\system32\srpapi.dll,-102
                               ErrorControl    : 1
                               ImagePath       : system32\drivers\applockerfltr.sys
                               Start           : 3
                               Type            : 1
                               Description     : @%systemroot%\system32\srpapi.dll,-103
                               DependOnService : {FltMgr, AppID, AppIDSvc}

There it is: the key named applockerfltr has a property whose value is a dll file path. We just strip the directory and the extension to get the bare file name, then join it with the name of the file on the desktop, and we get this:

srpapi_home

And that's the password! Now we should be good to go to the next level.
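The two lookups above can be done in one go. The following PowerShell is an added example, not part of the original guide or of UnderTheWire itself; it assumes the groot7 desktop path and the applockerfltr service key shown in the listings above, reads the DisplayName value, cuts it down to the dll's bare name, appends the desktop file name and lowercases the result as the level's NOTE requires.

```powershell
# Added example (not from the original guide): builds the groot8 password
# from the registry value and the desktop file name found in this level.
# Assumptions: the groot7 desktop path and the applockerfltr service key.
$desktop     = 'C:\users\Groot7\desktop'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# 1. The registry provider has no -Filter support, so filter the child
#    keys by their leaf name with Where-Object (same idea as the guide).
$svc = Get-ChildItem -Path $servicesKey |
       Where-Object { $_.PSChildName -like '*applocker*' } |
       Select-Object -First 1

# 2. Read the DisplayName value, which looks like
#    '@%systemroot%\system32\srpapi.dll,-102' (a resource-string reference).
$displayName = (Get-ItemProperty -Path $svc.PSPath -Name DisplayName).DisplayName

# 3. Drop the leading '@' and the trailing ',-102' resource index, then take
#    the file name without directory or extension -> 'srpapi'.
$dllPath = ($displayName -replace '^@', '') -replace ',-?\d+$', ''
$dllName = [System.IO.Path]::GetFileNameWithoutExtension($dllPath)

# 4. The desktop holds a single file; its name is the second half.
$fileName = (Get-ChildItem -Path $desktop -File | Select-Object -First 1).Name

# 5. Join the two parts and lowercase them, as the level's NOTE requires.
$password = ($dllName + $fileName).ToLower()
$password
```

Given the registry and desktop listings above, the script prints the same value the guide arrives at by hand. Reading the value with Get-ItemProperty rather than eyeballing the Get-ChildItem table also sidesteps any truncation of long property values in the console output.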

https://underthewire.tech/groot-7