Access
SSH: ssh groot7@groot.underthewire.tech -p 22
Password: star-lord_rules
Info
The password for groot8 is the name of the dll, as depicted in the registry, associated with the “applockerfltr” service PLUS the name of the file on the desktop.
NOTE:
– The password will be lowercase no matter how it appears on the screen.
– If the name of the dll is “abc.dll” and the file on the desktop is named “_1234”, the password would be “abc_1234”.
Theory
To get the password, as the description says, we need to find the name of the dll associated with the applockerfltr service in the registry. The command is basically just listing the services key in the registry and then narrowing the results down with Where-Object. As I've said before in one of these levels, you can't use stuff like the -Filter option and wildcards in the registry, so Where-Object is the option to work with, and we just search for applocker with it. This is the command we get:
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'}
Solution
Now that we are inside the shell, we can see what the second part of the command is with dir:
PS C:\users\Groot7\desktop> dir

    Directory: C:\users\Groot7\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/31/2021   5:13 PM              0 _home
We can now use the other command to see the applockerfltr service:
PS C:\users\Groot7\desktop> Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'}

    Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Name                           Property
----                           --------
applockerfltr                  DisplayName     : @%systemroot%\system32\srpapi.dll,-102
                               ErrorControl    : 1
                               ImagePath       : system32\drivers\applockerfltr.sys
                               Start           : 3
                               Type            : 1
                               Description     : @%systemroot%\system32\srpapi.dll,-103
                               DependOnService : {FltMgr, AppID, AppIDSvc}
There it is: the DisplayName (and Description) property of applockerfltr points at a dll path, @%systemroot%\system32\srpapi.dll. We just strip the path and the extension to keep only the file name, then join it with the name of the file on the desktop, and we get this:
srpapi_home
And that's the password! Now we should be good to go to the next level.
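The same two lookups, done in one script instead of by hand, as an added example that is not part of the original guide. It assumes the services key path and desktop path used above, and that the service's DisplayName is a resource string of the form "@<path>\<name>.dll,-<id>" like the one shown in the output.

```powershell
# Added example (not from the original walkthrough). Assumes the registry key
# and desktop path used in the guide; the resource-string format is parsed from
# the DisplayName value shown in the output above.

function Get-ResourceDllName {
    param([Parameter(Mandatory)][string]$ResourceString)
    # "@%systemroot%\system32\srpapi.dll,-102" -> "srpapi"
    if ($ResourceString -match '^@(?<path>[^,]+\.dll),-?\d+$') {
        return [System.IO.Path]::GetFileNameWithoutExtension($Matches.path)
    }
    throw "Not a resource-string DisplayName: $ResourceString"
}

function Get-GrootPassword {
    param(
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        [string]$ServiceName = 'applockerfltr',
        [string]$Desktop     = "$HOME\Desktop"
    )
    # The registry provider has no -Filter, so select on the pipeline instead.
    $svc = Get-ChildItem $ServicesKey | Where-Object { $_.PSChildName -eq $ServiceName }
    if (-not $svc) { throw "Service key '$ServiceName' not found under $ServicesKey" }

    $displayName = (Get-ItemProperty -Path $svc.PSPath -Name DisplayName).DisplayName
    $dll = Get-ResourceDllName $displayName

    # The desktop holds a single file in this level; take the first if there are more.
    $file = Get-ChildItem -Path $Desktop -File | Select-Object -First 1
    if (-not $file) { throw "No file found on $Desktop" }

    # The level states the password is always lowercase.
    return ("$dll$($file.Name)").ToLower()
}

# Offline check on the value taken from the output above (constructed input):
Get-ResourceDllName '@%systemroot%\system32\srpapi.dll,-102'   # srpapi

# On the level box:
# Get-GrootPassword
```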