UnderTheWire | Groot

In this walkthrough, I demonstrate the methods I used to solve all of the Groot challenges, 0 through 15, on Under the Wire.
In: UnderTheWire, PowerShell, CTF, Cybersecurity, Code, Easy Challenge

SSH Client

If you're running Windows 11 — the latest version of Windows at the time of writing — then, you already have access to the Windows Terminal app. If for some reason you do not, I recommend installing it, as you really don't need Putty to complete these exercises.

Windows Terminal - Free download and install on Windows | Microsoft Store

Also, in most recent versions of Windows, the ssh.exe client and related binaries should already be installed and ready for use. Below, I've provided some examples of the most basic SSH syntax for connecting to the challenges.

ssh username@127.0.0.1

SSH using IP address

ssh username@domain.tld

SSH using FQDN


Groot 0 -> 1

ℹ️ The credential for connecting is groot1:groot1
ssh -o 'StrictHostKeyChecking=no' groot1@groot.underthewire.tech

Use the StrictHostKeyChecking=no option to skip the host key verification prompt. This is acceptable for a throwaway lab host, but keep in mind it disables the check that would warn you if a different server answered at that name.

Connected to the challenge box and ready to dig in

Groot 1 -> 2

The password for groot2 is the last five alphanumeric characters of the MD5 hash of this system’s hosts file.
Get-FileHash -Algorithm MD5 -Path C:\Windows\System32\drivers\etc\hosts
-join((Get-FileHash -Algorithm MD5 -Path C:\Windows\System32\drivers\etc\hosts).Hash.ToLower().ToCharArray() | Select-Object -Last 5)

One-liner to output password for groot2

I'll explain the command in a series of bullet points:

  • Always work your way inside-out, starting from the innermost set of parentheses
  • The innermost command is Get-FileHash -Algorithm MD5 -Path C:\Windows\System32\drivers\etc\hosts
  • Wrap it in parentheses and select the Hash property from the returned object
    • Then, convert the string to lowercase with the .ToLower() method
    • Then, convert it to an array of characters with the .ToCharArray() method
  • Pipe to Select-Object and take the last five characters of the character array with -Last 5
  • Finally, wrap all of that in yet another set of parentheses and use -join to merge the character array back into a string

464c3

Password for groot2

exit

Exit the challenge
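As an added example (not code from the original walkthrough), the same Get-FileHash pattern generalised into a function that returns the trailing N characters of any supported hash, plus a small integrity check that compares the hosts file against a recorded baseline. The function names and the baseline value are assumptions: the baseline string is a constructed placeholder, not a real hash for any system.

```powershell
# Added example, not part of the original walkthrough.
# Get-TrailingHashChars: the challenge one-liner as a reusable function.
function Get-TrailingHashChars {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'MD5',
        [ValidateRange(1, 128)] [int] $Count = 5
    )
    # Get-FileHash returns upper-case hex; lower it to match the challenge answer
    $hash = (Get-FileHash -Algorithm $Algorithm -Path $Path).Hash.ToLower()
    # Substring replaces the ToCharArray / Select-Object -Last / -join round-trip
    return $hash.Substring([Math]::Max(0, $hash.Length - $Count))
}

# Test-HostsFileBaseline: hashing the hosts file is also a cheap tamper check,
# since malware commonly edits it to redirect or block update/AV domains.
function Test-HostsFileBaseline {
    param(
        [string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Hypothetical baseline: replace with the hash recorded from a clean image
        [string] $ExpectedSha256 = '<BASELINE_SHA256_PLACEHOLDER>'
    )
    # SHA256 rather than MD5 for an integrity check; MD5 is fine for the puzzle
    # but not for deciding whether a file was deliberately altered
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()
    [pscustomobject]@{
        Path    = $Path
        Sha256  = $actual
        Matches = ($actual -eq $ExpectedSha256.ToLower())
    }
}

# Usage: the first call reproduces the challenge answer on the target box
Get-TrailingHashChars -Path "$env:SystemRoot\System32\drivers\etc\hosts"
Test-HostsFileBaseline
```

With the placeholder baseline the second call will always report Matches = False; record the SHA256 from a known-good build and pass it as -ExpectedSha256 to get a meaningful result.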


Groot 2 -> 3

The password for groot3 is the word that is made up from the letters in the range of 1,481,110 to 1,481,117 within the file on the desktop.
ssh groot2@groot.underthewire.tech

No longer need the additional option, since the host key has already been added to the known hosts list

-join(cat .\elements.txt)[1481110..1481117]
hiding

Password for groot3

exit

Exit the challenge


Groot 3 -> 4

The password for groot4 is the number of times the word “beetle” is listed in the file on the desktop.
ssh groot3@groot.underthewire.tech
(cat .\words.txt).Split(' ') -like 'beetle' | Measure-Object
5

Password for groot4

exit

Groot 4 -> 5

The password for groot5 is the name of the Drax subkey within the HKEY_CURRENT_USER (HKCU) registry hive.
ssh groot4@groot.underthewire.tech
Get-ChildItem HKCU:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -like '*Drax*'}
💡 With PowerShell, it's always advised to use the -Filter parameter instead of piping to Where-Object for better performance. However, the registry provider does not allow -Name '*Drax*' or -Filter '*Drax*' or other such mechanisms.
destroyer

Password for groot5

exit

Groot 5 -> 6

The password for groot6 is the name of the workstation that the user with a username of “baby.groot” can log into as depicted in Active Directory PLUS the name of the file on the desktop.
ssh groot5@groot.underthewire.tech
Target file on desktop
Get-ADUser -Filter 'samAccountName -like "baby.groot"' -Properties userWorkstations
Target computer wk11
(Get-ADUser -Filter 'samAccountName -like "baby.groot"' -Properties userWorkstations).userWorkstations + (ls -File).Name

One-liner to output password of groot6

wk11_enterprise

Password for groot6

exit

Groot 6 -> 7

The password for groot7 is the name of the program that is set to start when this user logs in PLUS the name of the file on the desktop.
ssh groot6@groot.underthewire.tech
Get-CimInstance Win32_StartupCommand
Get-CimInstance Win32_StartupCommand -Filter 'not Command like ""'
Filter out startup applications with empty commands
(Get-CimInstance Win32_StartupCommand -Filter 'not Command like ""').Command.Split('\\')[1].Split('\.')[0] + (ls -File).Name

One-liner to output the password for groot7

I'll explain the command in a series of bullet points:

  • The first .Split('\\')[1] takes C:\star-lord.exe and splits it into:
    • C: — index 0
    • star-lord.exe — index 1
  • The second .Split('\.') splits star-lord.exe into:
    • star-lord — index 0
    • exe — index 1
  • Then we concatenate (+) the result with the name of the file on the Desktop

star-lord_rules

Password for groot7

exit
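The Split chain above works for a bare C:\star-lord.exe, but a real startup entry is often a nested path, quoted, or followed by arguments, and index [1] then returns a directory name. As an added example (not code from the original walkthrough), here is a parser that extracts the executable name from any Win32_StartupCommand entry and a review listing built on it. The function name and the sample commands are my own constructed assumptions; it assumes Windows PowerShell, where System.IO.Path treats backslash as a separator.

```powershell
# Added example, not part of the original walkthrough.
# Get-StartupExecutableName: executable base name from a startup command string.
function Get-StartupExecutableName {
    param([string] $Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    if ($Command -match '^\s*"([^"]+)"') {
        # Quoted path: everything inside the first pair of quotes is the program
        $path = $Matches[1]
    }
    else {
        # Unquoted path: the token before the first whitespace is the program
        $path = ($Command.Trim() -split '\s+', 2)[0]
    }
    # Strips the directory and the extension in one call, whatever the depth
    return [System.IO.Path]::GetFileNameWithoutExtension($path)
}

# Constructed sample commands to exercise the parser offline
$samples = @(
    'C:\star-lord.exe',
    '"C:\Program Files\Vendor\updater.exe" /silent',
    'C:\Users\Public\run.bat -x',
    ''
)
$samples | ForEach-Object {
    [pscustomobject]@{ Command = $_; Executable = Get-StartupExecutableName $_ }
}

# Live listing in the same shape as the challenge query: every startup entry
# with its resolved executable, ready to compare against an expected list
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Location, User, Command,
        @{ Name = 'Executable'; Expression = { Get-StartupExecutableName $_.Command } }
```

For the constructed samples the parser yields star-lord, updater, run and $null respectively; the Location column in the live listing tells you whether the entry came from a Run key or a Startup folder, which is the first thing to check when an unexpected name appears.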

Groot 7 -> 8

The password for groot8 is the name of the dll, as depicted in the registry, associated with the “applockerfltr” service PLUS the name of the file on the desktop.
ssh groot7@groot.underthewire.tech
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'}
Registered services can be found under HKLM:\SYSTEM\CurrentControlSet\Services
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'} | Get-ItemProperty -Name DisplayName
Drill down on the DisplayName property
(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {$_.Name -like '*applocker*'} | Get-ItemProperty -Name DisplayName).DisplayName.Split('\\')[-1].Split('\.')[0] + (ls -File).Name

One-liner to output the password for groot8

💡 When we split on \ in the file path and then choose index -1, we're choosing the last item in the array, which in this case is srpapi.dll,-102.
srpapi_home

Password for groot8

exit

Groot 8 -> 9

The password for groot9 is the description of the firewall rule blocking MySQL PLUS the name of the file on the desktop.
ssh groot8@groot.underthewire.tech
Get-NetFirewallRule -Action Block | Where-Object {$_.DisplayName -like '*mysql*'}
(Get-NetFirewallRule -Action Block | Where-Object {$_.DisplayName -like '*mysql*'}).Description + (ls -File).Name

One-liner to output password for groot9

call_me_starlord

Password for groot9

exit

Groot 9 -> 10

The password for groot10 is the name of the OU that doesn’t have accidental deletion protection enabled PLUS the name of the file on the desktop.
ssh groot9@groot.underthewire.tech
Get-ADOrganizationalUnit -Filter * -Properties * | Get-Member -Name '*del*'
Get all OUs from AD and pipe to Get-Member cmdlet and search for object properties containing the characters del
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {-not $_.ProtectedFromAccidentalDeletion}
💡 I tried using -Filter 'ProtectedFromAccidentalDeletion -like "False"' but filtering on extended attributes is not supported, so pipe to Where-Object.
(Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {-not $_.ProtectedFromAccidentalDeletion}).Name.ToLower() + (ls -File).Name

One-liner to output password for groot10

t-25_tester

Password for groot10

exit
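The Where-Object filter above is also the basis of a routine hardening check: an OU without the protection flag can be removed by a single mistaken click in ADUC. As an added example (not code from the original walkthrough), this function reports every unprotected OU and, when asked, switches the protection on. The function name is an assumption; it requires the ActiveDirectory module and rights to modify the OUs.

```powershell
# Added example, not part of the original walkthrough.
# Get-UnprotectedOU: report OUs lacking accidental-deletion protection,
# optionally enabling it on each one.
function Get-UnprotectedOU {
    param([switch] $Remediate)
    # Extended attributes cannot go in -Filter, hence the Where-Object
    $ous = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
    foreach ($ou in $ous) {
        if ($Remediate) {
            # The flag adds a deny Delete / Delete Subtree ACE for Everyone on the OU
            Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
        }
        [pscustomobject]@{
            Name              = $ou.Name
            DistinguishedName = $ou.DistinguishedName
            Remediated        = [bool] $Remediate
        }
    }
}

Get-UnprotectedOU               # report only; on the challenge box this lists T-25
# Get-UnprotectedOU -Remediate  # enable protection on every OU reported
```

Run the report form first and review the list; the remediate form changes ACLs, so keep a record of the DistinguishedNames it returns.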

Groot 10 -> 11

The password for groot11 is the one word that makes the two files on the desktop different.
ssh groot10@groot.underthewire.tech
We need to find the outlier between these two files
Compare-Object (cat new.txt) (cat old.txt)
taserface

Password for groot11

exit

Groot 11 -> 12

The password for groot12 is within an alternate data stream (ADS) somewhere on the desktop.
ssh groot11@groot.underthewire.tech
Get-ChildItem -File | Get-Item -Stream * | Select-Object FileName, Stream
We can see the odd one out is secret
Get-Content C:\users\Groot11\desktop\TPS_Reports04.pdf -Raw -Stream secret
spaceships

Password for groot12

exit
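Listing -Stream * on a desktop is the same check a defender runs across a whole tree, with the two streams that are always present filtered out. As an added example (not code from the original walkthrough), this function scans a directory recursively for named streams other than the default :$DATA stream, treats Zone.Identifier (Mark-of-the-Web) as benign unless asked otherwise, and is exercised against a file with a constructed stream in a temporary folder. The function name, folder and stream contents are all constructed for the demo.

```powershell
# Added example, not part of the original walkthrough.
# Find-AlternateDataStream: files under $Path carrying a non-default stream.
function Find-AlternateDataStream {
    param(
        [string] $Path = '.',
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * also returns the main ':$DATA' stream, which every file has
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        FileName = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                    }
                }
        }
}

# Constructed demo: one file with a named stream in a temp folder, scan, clean up
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $sample -Value 'visible body'
Set-Content -LiteralPath $sample -Stream 'notes' -Value 'constructed sample text'

Find-AlternateDataStream -Path $demo

# Reading a found stream, same as the challenge does with -Stream secret
Get-Content -LiteralPath $sample -Stream 'notes' -Raw

Remove-Item -LiteralPath $demo -Recurse -Force
```

The scan reports report.txt with stream notes; the Length column is useful because a few-byte stream is usually a marker while a large one is worth opening. Streams survive a copy only on NTFS, so a file that arrived through a non-NTFS path cannot be carrying one.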

Groot 12 -> 13

The password for groot13 is the owner of the Nine Realms folder on the desktop.
ssh groot12@groot.underthewire.tech
Get-Acl '.\Nine Realms'
(Get-Acl '.\Nine Realms' | Select-Object -ExpandProperty Owner).Split('\\')[1].ToLower()

One-liner to output password for groot13

airwolf

Password for groot13

exit

Groot 13 -> 14

The password for groot14 is the name of the Registered Owner of this system as depicted in the Registry PLUS the name of the file on the desktop.
ssh groot13@groot.underthewire.tech
Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Get-ItemProperty -Name 'RegisteredOwner'
(Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Get-ItemProperty -Name 'RegisteredOwner').RegisteredOwner.ToLower() + (ls -File).Name

One-liner to output password for groot14

utw_team_ned

Password for groot14

exit

Groot 14 -> 15

The password for groot15 is the description of the share whose name contains “task” in it PLUS the name of the file on the desktop.
ssh groot14@groot.underthewire.tech
Get-SmbShare -Name Task*
(Get-SmbShare -Name Task*).Description + (ls -File).Name

One-liner to output password for groot15

scheduled_things_8

Password for groot15

exit
More from 0xBEN