Access
SSH: ssh cyborg5@cyborg.underthewire.tech -p 22
Password: bacon_eggs
Info
The password for cyborg6 is the last name of the user who has logon hours set on their account PLUS the name of the file on the desktop.
NOTE:
– If the last name is “fields” and the file on the desktop is called “_address”, then the password is “fields_address”.
– The password will be lowercase no matter how it appears on the screen.
HINT: https://technet.microsoft.com/en-us/library/ee617195.aspx
Theory
To get the password, we'll probably need two commands. The first is dir, to get the name of the file on the desktop, which is the second part of the password. The second is Get-ADUser, to list every property of every user in Active Directory, which we can then pipe into something like Where-Object to search through them and get the first part of the password. So the commands we've got look like this:
dir
Get-ADUser -Filter * -Properties *
Solution
Firstly we'll use the dir command now that we are inside the shell:
PS C:\users\cyborg5\desktop> dir

    Directory: C:\users\cyborg5\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _timer

Now let's use the other command to find the user with logon hours set, which gives us the first part of the password. We'll use Where-Object like we did in the previous level, looking for a name like "hours" or whatever logon hours is called:
PS C:\users\cyborg5\desktop> Get-ADUser -Filter * -Properties * | Where-Object { $_.Name -like "*hours*" }
Huh, it didn't give anything. That filter compares each user's Name value, not the names of its properties. Let's try Get-Member instead, to search the property names on the user objects:
PS C:\users\cyborg5\desktop> Get-ADUser -Filter * -Properties * | Get-Member -Name '*hours*'

   TypeName: Microsoft.ActiveDirectory.Management.ADUser

Name       MemberType Definition
----       ---------- ----------
logonHours Property   System.Byte[] logonHours {get;set;}

That makes more sense. Now let's focus on getting the surname for the password. Now that we know the property is called "logonHours", we can use Where-Object to keep only the users that have it set, and I'm also going to include logonHours in the output to see what all the fuss is about:
PS C:\users\cyborg5\desktop> Get-ADUser -Filter * -Properties * | Where-Object { $_.logonHours } | Select Surname, logonHours

Surname logonHours
------- ----------
        {255, 255, 255, 255...}
Rowray  {0, 0, 0, 0...}
There we go! Now we can join the surname—remembering that it's always lowercase no matter what—with the file name from before, and we get this:
rowray_timer
And that's the password! Now we should be good to go to the next level.
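The logonHours values shown above are a 21-byte bitmap: one bit per hour of the week, stored in UTC and starting at Sunday 00:00. As an added example (not part of the original walkthrough; ConvertFrom-LogonHours is a hypothetical helper name and the sample bytes are constructed), this decodes such a value into the allowed hours per day, which helps when auditing accounts that carry logon-hour restrictions:

```powershell
# Added example: decode an AD logonHours value (21 bytes = 7 days x 24 hourly bits, UTC).
function ConvertFrom-LogonHours {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)]
        [byte[]]$Bytes
    )

    if ($Bytes.Length -ne 21) {
        throw "logonHours must be 21 bytes, got $($Bytes.Length)"
    }

    $days = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

    for ($d = 0; $d -lt 7; $d++) {
        # Collect every hour (0-23) whose bit is set for this day.
        $allowed = @(for ($h = 0; $h -lt 24; $h++) {
            # 3 bytes per day; inside each byte the least significant bit is the earliest hour.
            $byte = $Bytes[$d * 3 + ($h -shr 3)]
            if ($byte -band (1 -shl ($h -band 7))) { $h }
        })

        [pscustomobject]@{
            Day          = $days[$d]
            AllowedCount = $allowed.Count
            AllowedUtc   = $allowed -join ','
        }
    }
}

# Constructed sample: Monday-Friday 08:00-17:59 UTC allowed, weekends fully denied.
# Hours 8-15 fill the second byte (0xFF); hours 16 and 17 are bits 0 and 1 of the third (0x03).
$sample = [byte[]](@(0,0,0) + (@(0,0xFF,0x03) * 5) + @(0,0,0))
ConvertFrom-LogonHours -Bytes $sample | Format-Table -AutoSize

# Against a domain, reusing the walkthrough's filter (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties logonHours | Where-Object { $_.logonHours } |
#     ForEach-Object { ConvertFrom-LogonHours -Bytes $_.logonHours }
```

A value of all 255s decodes to every hour allowed, and all 0s to no hour allowed on any day.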
https://underthewire.tech/cyborg-5