A walk outside the sandbox

Home Blog Cheat Sheets MacOS Tips Area 51 About

[CTF] Under the Wire 3 - Groot



UnderTheWire is an awesome website that hosts a number of PowerShell-based wargames meant to help Infosecurity people, either get started with or improve their PowerShell skills. I believe challenges and wargames like this one are a great way to learn by doing as they often cover rare and less known situations and involve problem solving. Other very interesting wargames I’ve written about are OverTheWire, Nebula, Binar Master.

The UnderTheWire wargames could be described as designed for Windows security professionals, Blue Team members or security tools designers. Currently there are 5 sets of levels of increasing difficulty.

In this post I’ll go through my solutions to the third batch of 15 levels - Groot. These are very instructive and cover a wide range of topics like:

  • File hashing
  • Working with Windows registry
  • More Active Directory related tasks
  • Getting information about filesystems
  • Managing firewall rules
  • Diffing files
  • Working with SMB shares
  • Getting BIOS info

For the solutions to the other games check:

Before starting, I wanted to say a huge thank you to the creators of these games for the effort of designing and hosting them, and making them available for free for everyone!

Groot 1

The password for groot2 is the last five digits of the MD5 hash of this system's hosts file.

We connect to Groot with groot1/groot1.

In this first level we learn about the Get-FileHash cmdlet:

PS C:\Users\groot1\Documents> Get-FileHash -Path C:\Windows\System32\drivers\etc\hosts -Algorithm MD5

Algorithm       Hash                                     Path
---------       ----                                     ----
MD5             FFEB2134EF23012F8B838C89C9404            C:\Windows\System32\drivers\etc\hosts

So the password for level 2 is: 049f3.

Groot 2

The password for groot3 is the word that is made up from the letters in the range of 1,481,110 to 1,481,117 within the file on the desktop.

Nothing difficult here either:

PS C:\Users\groot2\Documents> (Get-Content -Path ..\Desktop\elements.txt)[1481111..1481117] -join ""

And we have the password for level 3: hiding.

Groot 3

The password for groot4 is the number of times the word "beetle" is listed in the file on the desktop.

This task is very similar with Century14 but with a catch. In this case the file is just one huge line with multiple occurrences of the pattern word:

PS C:\Users\groot3> (Get-Content -Path .\Desktop\words.txt | Measure-Object -Line).Lines
PS C:\Users\groot3> $a = Get-Content -Path .\Desktop\words.txt | Select-String -Pattern beetle  -AllMatches
PS C:\Users\groot3> $a.Matches.Count

The password for level 4 is simply: 5.

Groot 4

The password for groot5 is the name of the Drax subkey within the HKEY_CURRENT_USER (HKCU) registry hive.

Working with Windows Registry is very easy - we can browse it the same way we browse the file system. First we’ll search for the Drax subkey then list its properties:

PS HKCU:\> Get-ChildItem -Path hkcu:\ -Recurse | Select-String drax


PS C:\Users\groot4\Documents> Get-ChildItem  -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Telephony\Drax"

    Hive: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Telephony\Drax

Name                           Property
----                           --------

The password for level 5 is: destroyer.

Groot 5

The password for groot6 is the name of workstation that user with a username of baby.groot can log into as depicted in Active Directory PLUS the name of the file on the desktop.

First the file on the Desktop:

PS C:\Users\groot5\Documents> ls ..\Desktop

    Directory: C:\Users\groot5\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/16/2017  11:02 PM              0 _local

Then we need to filter for the User-Workstations attribute:

PS C:\Users\groot5\Documents> (Get-ADUser baby.groot -Properties *).userWorkstations

So the password for level 6 is: wk11_local.

Groot 6

The password for groot7 is the name of program that is set to start when this user logs in.

Very Similar with Cyborg 7:

PS C:\Users\groot6\Documents> Get-WmiObject Win32_StartupCommand | Select-Object Name, command, Location, User  | Format-List

Name     : Star-Lord
command  : c:\windows\star-lord_rules.exe
Location : HKU\S-1-5-21-3968311752-1263969649-2303472966-1111\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : UNDERTHEWIRE\groot6

The password for level 7 is the name of the executable, without the extension: star-lord_rules.

The article mentioned in the Hint section is not needed to solve this but it’s a good read: Windows Registry Persistence, Part 2: The Run Keys and Search-Order

Groot 7

The password for groot8 is the filesystem label name of the media in the cd-rom PLUS the name of the file on the desktop.

The file on the Desktop:

PS C:\Users\groot7\Documents> ls ..\Desktop

    Directory: C:\Users\groot7\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/16/2017  11:09 PM              0 _secret

We can solve this using WMI and query the CDROM using the Win32_CDROMDrive class:

PS C:\Users\groot7\Documents> Get-WmiObject -Class Win32_CDROMDrive -Property *

Caption                   Drive Manufacturer             VolumeName
-------                   ----- ------------             ----------
Microsoft Virtual DVD-ROM D:    (Standard CD-ROM drives) Blueprints

Or using a pure PowerShell approach using the Get-Volume cmdlet:

PS C:\Users\groot7\Documents> Get-Volume -DriveLetter D

DriveLetter FileSystemLabel FileSystem DriveType HealthStatus SizeRemaining    Size
----------- --------------- ---------- --------- ------------ -------------    ----
D           Blueprints      UDF        CD-ROM    Healthy                0 B 1.17 MB

The password for level 8 is: blueprints_secret.

Groot 8

The password for groot9 is the name of the firewall rule blocking MySQL.

Another very straighforward one:

PS C:\Users\groot8\Documents> Get-NetFirewallRule -Action Block

Name                  : {6d538bfa-e465-415a-be33-d5b9e88edae8}
DisplayName           : MySQL Guardian
Description           : call_me_starlord
DisplayGroup          :

The password for level 9 is: call_me_starlord.

Groot 9

The password for groot10 is the last date that Rocket Raccoon's password was changed PLUS the name of the file on the desktop.

More Active Directory! To solve this we can verify the Pwd-Last-Set attribute or, even quicker, the PasswordLastSet field:

PS C:\Users\groot9\Documents> Get-ADUser -Filter 'Name -like "*raccoon*"' -Properties passwordlastset,pwdLastSet

DistinguishedName : CN=Rocket Raccoon,OU=Groot,DC=UNDERTHEWIRE,DC=TECH
Enabled           : False
GivenName         : Rocket
Name              : Rocket Raccoon
ObjectClass       : user
ObjectGUID        : 66a520a2-67cd-46a9-b9a8-7dbc0aabc613
PasswordLastSet   : 6/14/2017 11:11:43 PM
pwdLastSet        : 131419555034241061

If using the pwdLastSet attribute, we need to convert the timestamp to human readable format:

PS C:\Users\groot9\Documents> $pwdLastSet = (Get-ADUser -Filter 'Name -like "*raccoon*"' -Properties pwdLastSe
PS C:\Users\groot9\Documents> [datetime]::fromFileTime($pwdLastSet)
Wednesday, June 14, 2017 11:11:43 PM

And the file on the Desktop:

PS C:\Users\groot9\Documents>ls ..\Desktop

   Directory: C:\Users\groot9\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/16/2017  11:10 PM              0 _set

The password for level 10 is: 06/14/2017_set.

Groot 10

The password for groot11 is the one word that makes the two files on the desktop different.

PS C:\Users\groot10\Documents> Compare-Object (Get-Content ..\Desktop\old.txt) (Get-Content ..\Desktop\new.txt)

InputObject SideIndicator
----------- -------------
taserface   =>

The password for level 11: taserface.

Groot 11

The password for groot12 is within an alternate data stream (ADS) somewhere on the desktop.

We’ll show all the alternate streams for all the files on the Desktop and focus on any stream other than $DATA:

PS C:\Users\groot11\Documents>  Get-Item ..\Desktop\* -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\groot11\Desktop\TPS_Reports04.pdf:hidden_data.txt
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\groot11\Desktop
PSChildName   : TPS_Reports04.pdf:hidden_data.txt
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\groot11\Desktop\TPS_Reports04.pdf
Stream        : hidden_data.txt
Length        : 12

PS C:\Users\groot11\Documents>  Get-Content -Path ..\Desktop\TPS_Reports04.pdf -Stream hidden_data.txt

On to level 12: spaceships.

Groot 12

The password for groot13 is the owner of the Nine Realms folder on the desktop.

The Get-Acl cmdlet is very useful to obtain security descriptors for files, folders and even registry keys:

PS C:\Users\groot12\Documents> Get-Acl '..\Desktop\Nine Realms'

    Directory: C:\Users\groot12\Desktop

Path        Owner                      Access
----        -----                      ------
Nine Realms UNDERTHEWIRE\Administrator UNDERTHEWIRE\grand.master Allow  FullControl...

PS C:\Users\groot12\Documents> Get-ADUser grand.master

DistinguishedName : CN=Grandmaster,OU=Groot,DC=UNDERTHEWIRE,DC=TECH
Enabled           : False
GivenName         : Grandmaster
Name              : Grandmaster

Getting closer to the last level: grandmaster.

Groot 13

The password for groot14 is the last six numbers of the system's BIOS serial number PLUS the name of the file on the desktop.

This one shows the great variety of tasks that we can solve using PowerShell:

PS C:\Users\groot13\Documents> Get-WmiObject Win32_bios

SMBIOSBIOSVersion : Hyper-V UEFI Release v1.0
Manufacturer      : Microsoft Corporation
Name              : Hyper-V UEFI Release v1.0
SerialNumber      : 2793-3787-3388-8191-6162-3850-49
Version           : VRTUAL - 1

And the file on the Desktop:

PS C:\Users\groot13\Documents> ls ..\Desktop

    Directory: C:\Users\groot13\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/16/2017  11:23 PM              0 _ted

Concatenating the two we have the password for the last level: 385049_ted.

Groot 14

The password for groot15 is the description of the share whose name contains "tasks" in it PLUS the name of the file on the desktop.

The file:

PS C:\Users\groot14\Documents> ls ..\Desktop

    Directory: C:\Users\groot14\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        12/8/2017  10:23 AM              0 _4

And the SMB share:

PS C:\Users\groot14\Documents> Get-SmbShare -Name "*tasks*"

Name  ScopeName Path Description
----  --------- ---- -----------
tasks *              scheduled_things

An effortless final level: scheduled_things_4. Looking forward to the last two sets of challenges!