UnderTheWire | Century

In this walkthrough, I demonstrate the methods I used to solve all of the Century challenges, 0 through 15, on Under the Wire.

SSH Client

If you're running Windows 11 — the latest version of Windows at the time of writing — then you already have access to the Windows Terminal app. If for some reason you do not, I recommend installing it, as you really don't need PuTTY to complete these exercises.

Windows Terminal is a free download from the Microsoft Store. It is an open source project: https://github.com/microsoft/terminal

Also, in most recent versions of Windows, the ssh.exe client and related binaries should already be installed and ready for use. Below, I've provided some examples of the most basic SSH syntax for connecting to the challenges.

ssh username@127.0.0.1

SSH using IP address

ssh username@domain.tld

SSH using FQDN


Century 0 -> 1

ℹ️
The credential for connecting is century1:century1
ssh -o 'StrictHostKeyChecking=no' century1@century.underthewire.tech

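Use the StrictHostKeyChecking=no option to skip the key verification prompt. The client then accepts the server's host key unverified and adds it to the known hosts list, which is fine for a lab box like this one.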

Connected to the challenge box and ready to dig in

Century 1 -> 2

The password for Century2 is the build version of the instance of PowerShell installed on this system.
$PSVersionTable.BuildVersion
Object output in table format
💡
Everything in PowerShell is an object, as PowerShell is an object-oriented programming (OOP) language. We can't use the object formatting as a password for the next challenge, so we should output it as a string.
[String]$PSVersionTable.BuildVersion

Use .NET type casting

$PSVersionTable.BuildVersion.ToString()

Or, use the ToString() method from the object

10.0.14393.7604

Password for century2

exit

Exit the challenge


Century 2 -> 3

The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
ssh century2@century.underthewire.tech

No longer need the additional option, since the host key has already been added to the known hosts list

Connected and ready to get to work
Get-ChildItem

List the items in the Desktop directory

Using the ls alias for the Get-ChildItem cmdlet. The name of the file is 443
💡
The password is the cmdlet that performs like wget and the name of the file. And it will be lowercase.
Running Get-Command wget, we see it is aliased to Invoke-WebRequest

PowerShell, like bash and other unix-like shells, supports the action of aliasing commands. We use aliases to create a short word that maps to an otherwise longer command. Invoke-WebRequest is a lot longer than typing wget, hence the alias makes it more convenient to run the target command.

(Get-Command Invoke-WebRequest).Name.ToLower() + (Get-ChildItem -File).Name

One-liner to output the password for the next challenge. The .ToLower() method makes the letters lowercase.

invoke-webrequest443

The password for century3

exit

Exit the challenge


Century 3 -> 4

The password for Century4 is the number of files on the desktop.
ssh century3@century.underthewire.tech
Connected as century3
(Get-ChildItem -File).Count

Wrap the cmdlet in parentheses and call the .Count property

Get-ChildItem -File | Measure-Object 

Pipe the output to the Measure-Object cmdlet

123

Password for century4

exit

Century 4 -> 5

The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
ssh century4@century.underthewire.tech
Get-ChildItem -Recurse -File | Where-Object {$_.Directory.Name -like '* *'}

I'll break down the command in a series of bullet points:

  • -Recurse means we drill down into each subdirectory under Desktop
  • -File means we select only files
  • Then, | Where-Object {$_.Directory.Name -like '* *'} is a filter saying
    • Process each file we've discovered in the Get-ChildItem cmdlet
    • Look at each file's parent directory name
    • Use * * to say that we'll match any character(s) separated by a space
6265

Password for century5

exit

Century 5 -> 6

The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
ssh century5@century.underthewire.tech
💡
The short name or base name of the domain
Get-ADDomain | Select-Object Name

Use native Get-ADDomain cmdlet

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name.Split('.')[0]

Use .NET class to get the base name of the domain

💡
The syntax of .Split('.')[0] means that the text will be split into parts anywhere a . occurs. Therefore, underthewire.tech is split into two parts. And, in computing, counting starts from 0, because of the binary numbering system and transistor states, so we select the first of the two parts.
(Get-ADDomain).Name + (Get-ChildItem -File).Name

One-liner to output the password for century6

underthewire3347

Password for century6

exit

Century 6 -> 7

The password for Century7 is the number of folders on the desktop.
ssh century6@century.underthewire.tech
Get-ChildItem -Directory | Measure-Object

Pipe to Measure-Object

(Get-ChildItem -Directory).Count

Use the .Count property

197

Password for century7

exit

Century 7 -> 8

The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
ssh century7@century.underthewire.tech
ℹ️
We need to recurse the user profile, but our current directory is C:\users\century7\desktop
Get-ChildItem -Recurse -File -Filter '*read*' ..

.. indicates the directory above this one

💡
In PowerShell, it's better to use the -Filter parameter as opposed to piping to Where-Object as you might see in some examples. This is because the filter happens at the cmdlet runtime, as opposed to collecting all files and then filtering using Where-Object. So, you'll experience better performance.
Get-ChildItem -Recurse -File -Filter '*read*' .. | Get-Content

We can pipe it to Get-Content to read the contents of the file

7points

Password for century8

exit

Century 8 -> 9

The password for Century9 is the number of unique entries within the file on the desktop.
ssh century8@century.underthewire.tech
Use gci alias of Get-ChildItem to find target file
Get-Content .\unique.txt | Sort-Object -Unique | Measure-Object

Use the -Unique switch with Sort-Object to filter on unique occurrences

💡
You could also do | Select-Object -Unique | Measure-Object
696

Password for century9

exit

Century 9 -> 10

The password for Century10 is the 161st word within the file on the desktop.
ssh century9@century.underthewire.tech
Use the ls alias of Get-ChildItem to find the target file
Use the cat alias of Get-Content to read the current contents of the file

If we try and select any particular line of the file, this is going to fail. This is because the words of the file are all occurring on one long line and there's no way for PowerShell to distinguish where one word starts and ends.

💡
We need to use some string manipulation to split the big long string of words into multiple words
(cat .\Word_File.txt) -split ' '

Split the text into multiple lines

Index 0 is the first word in the file. This is because in computing, a transistor can be on or off, so zero is a valid state. Therefore, we begin counting from 0.
(cat .\Word_File.txt) -split ' ' | Select-Object -Index 160

Select the 161st word from the file

💡
Again, since we start counting at 0 in computing, we need to offset 161 - 1 to get the 161st word.
pierid
exit

Century 10 -> 11

The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
ssh century10@century.underthewire.tech
(Get-CimInstance win32_service -Filter 'DisplayName like "Windows Update"').Description.Split(' ')[9,7].ToLower()

Use Get-CimInstance to query the win32_service class and filter on "Windows Update". Then, split the Description property by spaces and choose the 10th and 8th words.

💡
Using the Get-Service cmdlet does not include the Description property with the object output. Also, recall that we have to do 10 - 1 and 8 - 1 because of the words starting from 0. We also want to use ToLower() to ensure the password is lowercase.
-join(Get-CimInstance win32_service -Filter 'DisplayName like "Windows Update"').Description.Split(' ')[9,7].ToLower() + (ls -File).Name

One-liner to output the password for century11

windowsupdates110

Password for century11

exit

Century 11 -> 12

The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
ssh century11@century.underthewire.tech
💡
We need to search the entire user profile, but are currently in the Desktop directory.
cd ..
Get-ChildItem -Hidden -Recurse -File -ErrorAction SilentlyContinue | Select-Object -Unique Name

Use the -ErrorAction SilentlyContinue parameter to suppress error output and select only unique hidden file names

secret_sauce

Password for century12

exit
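The file searches from Century 7 and Century 11 can be rehearsed locally. This is an added example, not part of the original walkthrough: it builds a throwaway directory tree under the temp folder (all file and folder names are constructed) and compares what Get-ChildItem returns by default, with -Hidden, and with -Force.

```powershell
# Added example: throwaway tree with constructed names, not the challenge box.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'century_fs_demo'
Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
$docs = New-Item -ItemType Directory -Force -Path (Join-Path $root 'Documents')
$desk = New-Item -ItemType Directory -Force -Path (Join-Path $root 'Desktop')

Set-Content -Path (Join-Path $docs.FullName 'ReadMe_demo.txt') -Value 'constructed-password'
Set-Content -Path (Join-Path $desk.FullName 'visible.txt') -Value 'x'
$hidden = New-Item -ItemType File -Path (Join-Path $docs.FullName 'hidden_demo')
$hidden.Attributes = 'Hidden'    # set the Hidden file attribute (Windows)

Push-Location $desk.FullName     # start in Desktop, as on the challenge box
try {
    # -Filter is evaluated by the FileSystem provider while it enumerates,
    # and on Windows the match is case-insensitive: '*read*' finds ReadMe_demo.txt.
    $readme = Get-ChildItem -Recurse -File -Filter '*read*' ..

    # Default listing skips hidden items, -Hidden returns only hidden items,
    # and -Force returns both.
    $default    = @(Get-ChildItem -Recurse -File ..)
    $onlyHidden = @(Get-ChildItem -Recurse -File -Hidden ..)
    $everything = @(Get-ChildItem -Recurse -File -Force ..)

    [pscustomobject]@{
        ReadmeFile    = $readme.Name
        ReadmeContent = $readme | Get-Content
        DefaultFiles  = $default.Name -join ', '
        HiddenFiles   = $onlyHidden.Name -join ', '
        ForceFiles    = $everything.Name -join ', '
    } | Format-List
}
finally {
    Pop-Location
    Remove-Item -Path $root -Recurse -Force    # -Force is needed to delete the hidden file
}
```

The hidden file shows up only in the -Hidden and -Force listings, which is why a plain recursive listing of the profile never reveals the Century 11 answer.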

Century 12 -> 13

The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.
ssh century12@century.underthewire.tech
Get-ADDomainController | Select-Object -ExpandProperty Name

Use ActiveDirectory cmdlet to get the domain controller name

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers.Name

Use the .NET class to get the domain controller name

Get-ADComputer -Filter 'Name -like "UTW"' -Properties Description | Select-Object -ExpandProperty Description

Use the -Filter parameter to filter on the domain computer using the name found before

(Get-ADComputer -Filter 'Name -like "UTW"' -Properties Description).Description.ToLower() + (ls -File).Name.ToLower()

One-liner to output the password for century13

i_authenticate_things

Password for century13

exit

Century 13 -> 14

The password for Century14 is the number of words within the file on the desktop.
ssh century13@century.underthewire.tech
Target file
(-split(cat .\countmywords)).Count

Use the unary -split operator to split the file's contents on whitespace into words, then wrap it in an outer layer of parentheses and use the .Count property to find the number of words

755

Password for century14

exit

Century 14 -> 15

The password for Century15 is the number of times the word “polo” appears within the file on the desktop.
ssh century14@century.underthewire.tech
Target file
(cat .\countpolos) -split ' ' -like 'polo' | Measure-Object

Split on spaces to output words on new lines, then use -like 'polo' to filter on exact matches and finally, pipe to Measure-Object

153

Password for century15

exit
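The word-handling steps from Century 8, 9, 13 and 14 all depend on how the text is split and compared. The following is an added example, not part of the original walkthrough, run against a constructed sample file in the temp folder. It goes slightly beyond the challenges by showing how irregular spacing and letter case change the results.

```powershell
# Added example: constructed sample text, not the challenge files.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'century_words_demo.txt'
Set-Content -Path $path -Value @('alpha  beta polo Polo', 'marco polo  polonium')

$lines = Get-Content -Path $path    # String[]: one element per line

# Binary -split ' ' cuts at every single space, so each double space
# yields an empty token that inflates counts and shifts word indexes.
$bySpace = @($lines -split ' ')

# Unary -split cuts on runs of whitespace and discards empty tokens.
$words = @(-split $lines)

$n = 3    # the Nth word lives at index N - 1

[pscustomobject]@{
    TokensBinarySplit  = $bySpace.Count
    EmptyTokens        = @($bySpace -eq '').Count
    TokensUnarySplit   = $words.Count
    NthWord            = $words[$n - 1]
    # -like without wildcards is an exact, case-insensitive match.
    PoloAnyCase        = @($words -like 'polo').Count
    # -clike is the case-sensitive form.
    PoloExactCase      = @($words -clike 'polo').Count
    # A wildcard also matches longer words such as 'polonium'.
    PoloPrefix         = @($words -like 'polo*').Count
    # Sort-Object -Unique compares case-insensitively by default ...
    UniqueSortObject   = @($words | Sort-Object -Unique).Count
    # ... while Select-Object -Unique compares case-sensitively.
    UniqueSelectObject = @($words | Select-Object -Unique).Count
} | Format-List

Remove-Item -Path $path
```

When a file contains the same word in different letter cases, Sort-Object -Unique and Select-Object -Unique report different totals, so check which behaviour a count is supposed to reflect before relying on either.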