Overview
Going to be trying my hand at Under the Wire - Cyborg. This is a PowerShell challange with 16 different challenges all related to doing things in PowerShell. It will probably take a lot of documentation reading. But, I’m sure it will be fun.
Cyborg 0 -> 1
The goal of this level is to log into the game. Do the following in order to achieve this goal.
- Obtain the initial credentials via the #StartHere channel on our Slack (link). Once you are in the channel, scroll to top to see the credentials.
- After obtaining the credentials, connect to the server via SSH. You will need a SSH client such as Putty. The host that you will be connecting to is cyborg.underthewire.tech, on port 22.
- When prompted, use the credentials for the applicable game found in the #StartHere Slack channel.
- You have successfully connected to the game server when your path changes to “PS C:\Users\Cyborg1\desktop>”.
Solution
This is merely the introduction portion of the challenge. All that needs to be done is SSH into the box using the following command. Before doing so, sign up for the Slack instance is required.
ssh cyborg1@cyborg.underthewire.tech
Once signed in the following prompt should show.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Under the Wire... PowerShell Training for the People!
PS C:\users\cyborg1\desktop>
Now it’s time to get started on the actual work.
Cyborg 1 -> 2
The password for cyborg2 is the state that the user Chris Rogers is from as stated within Active Directory.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- “State” refers to the location within the country and NOT the “state” of the account (enabled/ disabled).
IMPORTANT:
Once you feel you have completed the Cyborg1 challenge, start a new connection to the server, and log in with the username of Cyborg2 and this password will be the answer from Cyborg1. If successful, close out the Cyborg1 connection and begin to solve the Cyborg2 challenge. This concept is repeated over and over until you reach the end of the game.
Solution
Before starting, I wanted to examine the naming scheme for users. Can be useful to examine this for the next challenge. Below is a brief overview of the naming scheme that was chosen for users.
Looks like users are displayed by their LastName, FirstName in
the Name object. So, I’ll base my search based on that.
PS C:\users\cyborg1\desktop> Get-ADUser -Identity Arianne.Rothmiller
DistinguishedName : CN=Rothmiller\, Arianne \ ,OU=T-85,OU=X-Wing,DC=underthewire,DC=tech
Enabled : False
GivenName : Arianne
Name : Rothmiller, Arianne
ObjectClass : user
ObjectGUID : bd15e65c-9b6f-4997-b61d-e603232b0a7e
SamAccountName : Arianne.Rothmiller
SID : S-1-5-21-758131494-606461608-3556270690-1500
Surname : Rothmiller
UserPrincipalName : Arianne.Rothmiller
After a little trial and error. I was able to find Chris Rogers. Just needed to use the right filter. I filtered all of the Active Directory accounts by Name with any name that was like Rogers. Utilized the wildcard regular expression to make finding it easier.
PS C:\users\cyborg1\desktop> Get-ADUser -Filter "Name -like 'Rogers*'"
DistinguishedName : CN=Rogers\, Chris\ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled : False
GivenName : Chris
Name : Rogers, Chris
ObjectClass : user
ObjectGUID : ee6450f8-cf70-4b1d-b902-a837839632bd
SamAccountName : chris.rogers
SID : S-1-5-21-758131494-606461608-3556270690-2177
Surname : Rogers
UserPrincipalName : chris.rogers
The following command was used to obtain the State name for Chris
Rogers. To include it in the otuput of the command I needed to use the
-Properties section with the State property so I could see
it. The output below is redacted in the State property so things
aren’t ruined for everyone.
PS C:\users\cyborg1\desktop> Get-ADUser -Identity Chris.Rogers -Properties State
DistinguishedName : CN=Rogers\, Chris\ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled : False
GivenName : Chris
Name : Rogers, Chris
ObjectClass : user
ObjectGUID : ee6450f8-cf70-4b1d-b902-a837839632bd
SamAccountName : chris.rogers
SID : S-1-5-21-758131494-606461608-3556270690-2177
State : REDACTED
Surname : Rogers
UserPrincipalName : chris.rogers
Can confirm though that I can SSH into the cyber2 account with
the following command, though.
ssh cyborg2@cyborg.underthewire.tech
Below is the prompt to confirm. Now I will continue moving through the challenges.
indows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Under the Wire... PowerShell Training for the People!
PS C:\users\cyborg2\desktop>
Cyborg 2 -> 3
The password for cyborg3 is the host A record IP address for CYBORG718W100N PLUS the name of the file on the desktop.
NOTE:
– If the IP is “10.10.1.5” and the file on the desktop is called “_address”, then the password is “10.10.1.5_address”. – The password will be lowercase no matter how it appears on the screen.
Solution
Objective of this challenge is to obtain the IP address of the machine
CYBORG718W100N and the name of the file that’s on the desktop.
To do this, I utilized the Resolve-DnsName Cmdlet. This will
resolve the name of the machine to its IP address. In the output, it
provides the IP Address of the workstation in the IPAddress
section.
Yes. I redacted the IP address.
PS C:\users\cyborg2\desktop> Resolve-DnsName -Name CYBORG718W100N | Format-List
Name : CYBORG718W100N.underthewire.tech
Type : A
TTL : 3600
DataLength : 4
Section : Answer
IPAddress : 172.I.AM.REDACTED
To obtain the name of the file that’s on the desktop. I used the
Get-ChildItem Cmdlet to list the contents of the current
directory. File is there.
PS C:\users\cyborg2\desktop> Get-ChildItem
Directory: C:\users\cyborg2\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 10:45 AM 0 _ipv4
With the information provided to me. I used the following command to
ssh into the cyborg3 account.
ssh cyborg3@cyborg.underthewire.tech
Below is the prompt for cyborg3 to confirm successful connection
to the account.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Under the Wire... PowerShell Training for the People!
PS C:\users\cyborg3\desktop>
Cyborg 3 -> 4
The password for cyborg4 is the number of users in the Cyborg group within Active Directory PLUS the name of the file on the desktop.
NOTE: – If the number of users is “20” and the file on the desktop is called “_users”, then the password is “20_users”. – The password will be lowercase no matter how it appears on the screen.
Solution
To solve this challenge, I obtained the count of all the Cyborg
group members using the following command. This can be completed using
the Get-ADGroupMember Cmdlet and passing the identity of the
group into the Cmdlet. Also obtains the count of objects. Though, the
output has been redacted so I’m not spoiling the fun for anyone else.
PS C:\users\cyborg3\desktop> (Get-ADGroupMember -Identity Cyborg).Count
REDACTED
Checked the name of the file using the Get-ChildItem Cmdlet. Name
of the file is provided in the output.
PS C:\users\cyborg3\desktop> Get-ChildItem
Directory: C:\users\cyborg3\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 10:45 AM 0 _objects
Checked that the password obtained could SSH into the cyborg4
user.
ssh cyborg4@cyborg.underthewire.tech
Confirmation that this challenge is completed using the prompt provided below.
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
Under the Wire... PowerShell Training for the People!
PS C:\users\cyborg4\desktop>
Cyborg 4 -> 5
The password for cyborg5 is the PowerShell module name with a version number of 8.9.8.9 PLUS the name of the file on the desktop.
NOTE: – If the module name is “bob” and the file on the desktop is called “_settings”, then the password is “bob_settings”. – The password will be lowercase no matter how it appears on the screen.
Solution
PS C:\users\cyborg4\desktop> Get-ChildItem
Directory: C:\users\cyborg4\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/30/2018 10:45 AM 0 _eggs