UnderTheWire Cyborg is a more advanced PowerShell problem set than UnderTheWire Century. It requires a Windows terminal just like Century.

Cyborg 1

Password

cyborg1

Challenge

The password for cyborg2 is the state that the user Chris Rogers is from as stated within Active Directory.

NOTE:
– The password will be lowercase no matter how it appears on the screen.
– “State” refers to the location within the country and NOT the “state” of the account (enabled/disabled).

Solution

PS C:\users\cyborg1\desktop> get-aduser -filter * | ?{$_.GivenName -eq 'Chris'}
 
 
DistinguishedName : CN=Rogers\, Chris\ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Chris
Name              : Rogers, Chris
ObjectClass       : user
ObjectGUID        : ee6450f8-cf70-4b1d-b902-a837839632bd
SamAccountName    : chris.rogers
SID               : S-1-5-21-758131494-606461608-3556270690-2177
Surname           : Rogers
UserPrincipalName : chris.rogers
 
 
 
PS C:\users\cyborg1\desktop> get-aduser chris.rogers -properties * | select-object -exp state
kansas

Cyborg 2

Password

kansas

Challenge

The password for cyborg3 is the host A record IP address for CYBORG718W100N PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg2\desktop> get-dnsserverzone
 
ZoneName                            ZoneType        IsAutoCreated   IsDsIntegrated  IsReverseLookupZone  IsSigned
--------                            --------        -------------   --------------  -------------------  --------
_msdcs.underthewire.tech            Primary         False           True            False                False
0.in-addr.arpa                      Primary         True            False           True                 False
127.in-addr.arpa                    Primary         True            False           True                 False
255.in-addr.arpa                    Primary         True            False           True                 False
TrustAnchors                        Primary         False           True            False                False
underthewire.tech                   Primary         False           True            False                False
 
 
PS C:\users\cyborg2\desktop> get-dnsserverresourcerecord -zonename underthewire.tech | ?{$_.hostname -eq 'CYBORG718W100N'} | select-object -exp recorddata
 
IPv4Address   PSComputerName
-----------   --------------
172.31.45.167
 
 
PS C:\users\cyborg2\desktop> ls
 
 
    Directory: C:\users\cyborg2\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/26/2022   2:14 PM              0 _ipv4

Cyborg 3

Password

172.31.45.167_ipv4

Challenge

The password for cyborg4 is the number of users in the Cyborg group within Active Directory PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg3\desktop> ls
 
 
    Directory: C:\users\cyborg3\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/26/2022   2:14 PM              0 _objects
 
 
PS C:\users\cyborg3\desktop> get-adgroupmember -identity cyborg | measure | select -exp count
88

Cyborg 4

Password

88_objects

Challenge

The password for cyborg5 is the PowerShell module name with a version number of 8.9.8.9 PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg4\desktop> get-module -ListAvailable | ?{$_.version -eq '8.9.8.9'}
 
 
    Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules
 
 
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   8.9.8.9    bacon                               Get-bacon
 
 
PS C:\users\cyborg4\desktop> ls
 
 
    Directory: C:\users\cyborg4\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _eggs
 
 

Cyborg 5

Password

bacon_eggs

Challenge

The password for cyborg6 is the last name of the user who has logon hours set on their account PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg5\desktop> get-aduser -filter * -properties name,logonhours | ?{$_.logonhours -GE 0}
 
 
DistinguishedName : CN=Administrator,CN=Users,DC=underthewire,DC=tech
Enabled           : True
GivenName         :
logonhours        : {255, 255, 255, 255...}
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 427058c2-1d57-4e49-a23d-204865b502ae
SamAccountName    : Administrator
SID               : S-1-5-21-758131494-606461608-3556270690-500
Surname           :
UserPrincipalName :
 
DistinguishedName : CN=Rowray\, Benny  \ ,OU=T-85,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Benny
logonhours        : {0, 0, 0, 0...}
Name              : Rowray, Benny
ObjectClass       : user
ObjectGUID        : c9aad4f3-3e4f-46b5-84db-2bb7105796dd
SamAccountName    : Benny.Rowray
SID               : S-1-5-21-758131494-606461608-3556270690-1647
Surname           : Rowray
UserPrincipalName : Benny.Rowray
 
 
 
PS C:\users\cyborg5\desktop> ls
 
 
    Directory: C:\users\cyborg5\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _timer
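
`logonHours` is a bitmap with one bit per hour of the week, so a byte of 255 in the output above allows all eight hours it covers and a byte of 0 allows none. The following is an added example, not part of the original walkthrough, that decodes the bitmap into allowed hours per day. The function name `ConvertFrom-LogonHours` and the sample byte arrays are constructed for illustration, and the layout assumed is 21 bytes, 3 per day starting Sunday, in UTC, with the lowest bit as the first hour.

```powershell
# Added example. On a domain-joined host the input would come from:
#   Get-ADUser -LDAPFilter '(logonHours=*)' -Properties logonHours
# Layout assumed: 21 bytes, 3 per day from Sunday, UTC, lowest bit = first hour.
function ConvertFrom-LogonHours {
    param([byte[]]$LogonHours)

    # Attribute not set: the account has no logon-hour restriction to decode.
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) { return }
    if ($LogonHours.Length -ne 21) { throw "expected 21 bytes, got $($LogonHours.Length)" }

    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($d = 0; $d -lt 7; $d++) {
        # Collect every hour of this day whose bit is set.
        $hours = @(for ($h = 0; $h -lt 24; $h++) {
            $byte = $LogonHours[$d * 3 + ($h -shr 3)]
            if ($byte -band (1 -shl ($h -band 7))) { $h }
        })
        [pscustomobject]@{
            DayUtc  = $days[$d]
            Allowed = $hours.Count
            Hours   = $hours -join ','
        }
    }
}

# Constructed inputs: the first two mirror the {255, ...} and {0, ...} values in the
# output above; the third is a made-up Mon-Fri 13:00-21:00 UTC window.
$weekdays = New-Object byte[] 21
foreach ($d in 1..5) {
    foreach ($h in 13..20) {
        $i = $d * 3 + ($h -shr 3)
        $weekdays[$i] = $weekdays[$i] -bor (1 -shl ($h -band 7))
    }
}
$accounts = [ordered]@{
    'all bytes 255' = [byte[]](, 255 * 21)
    'all bytes 0'   = [byte[]](, 0 * 21)
    'weekday shift' = $weekdays
}
foreach ($name in $accounts.Keys) {
    $total = (ConvertFrom-LogonHours -LogonHours $accounts[$name] |
        Measure-Object -Property Allowed -Sum).Sum
    '{0,-14} {1,3} of 168 hours allowed' -f $name, $total
}
ConvertFrom-LogonHours -LogonHours $weekdays | Format-Table -AutoSize
```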
 
 

Cyborg 6

Password

rowray_timer

Challenge

The password for cyborg7 is the decoded text of the string within the file on the desktop.

NOTE:
– The password is the last word of the string. For example, if it is “I like PowerShell”, the password would be “powershell”.
– The password will be lowercase no matter how it appears on the screen.
– There are no spaces in the answer.

Solution

PS C:\users\cyborg6\desktop> cat .\cypher.txt
YwB5AGIAZQByAGcAZQBkAGQAbwBuAA==
PS C:\users\cyborg6\desktop> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("YwB5AGIAZQByAGcAZQBkAGQAbwBuAA=="))
c y b e r g e d d o n
PS C:\users\cyborg6\desktop> [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("YwB5AGIAZQByAGcAZQBkAGQAbwBuAA=="))
cybergeddon
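
The UTF8 attempt above prints spaced-out letters because the decoded bytes are UTF-16LE (the encoding .NET calls `Unicode`), so every second byte is 0x00. The following is an added example, not part of the original walkthrough, that chooses the decoding from that byte pattern. The function name `ConvertFrom-Base64Text` and the 80% threshold are assumptions made for illustration.

```powershell
# Added example: decode Base64 text and pick UTF-16LE or UTF-8 from the byte layout.
function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Base64)

    $bytes = [Convert]::FromBase64String($Base64)

    # UTF-16LE text that is mostly ASCII has 0x00 in every odd-indexed byte.
    $oddZeros = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) {
        if ($bytes[$i] -eq 0) { $oddZeros++ }
    }
    $pairs = [math]::Floor($bytes.Length / 2)
    $looksUtf16 = ($bytes.Length % 2 -eq 0) -and ($pairs -gt 0) -and
                  ($oddZeros / $pairs -ge 0.8)   # threshold is an assumption

    if ($looksUtf16) {
        $name = 'UTF-16LE'
        $text = [Text.Encoding]::Unicode.GetString($bytes)
    } else {
        $name = 'UTF-8'
        $text = [Text.Encoding]::UTF8.GetString($bytes)
    }

    [pscustomobject]@{
        Encoding  = $name
        ByteCount = $bytes.Length
        # First bytes in hex, so the interleaved 00 bytes are visible.
        Hex       = ($bytes | Select-Object -First 8 | ForEach-Object { $_.ToString('x2') }) -join ' '
        Text      = $text
    }
}

# The first input is the string from cypher.txt above; the second is a constructed UTF-8 sample.
$samples = @(
    'YwB5AGIAZQByAGcAZQBkAGQAbwBuAA==',
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('constructed sample'))
)
$samples | ForEach-Object { ConvertFrom-Base64Text -Base64 $_ } | Format-Table -AutoSize
```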

Cyborg 7

Password

cybergeddon

Challenge

The password for cyborg8 is the executable name of a program that will start automatically when cyborg7 logs in.

Solution

PS C:\users\cyborg7\desktop> Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List
 
 
Name     : SKYNET
command  : C:\program files\SkyNet\skynet.exe
Location : HKU\S-1-5-21-758131494-606461608-3556270690-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : underthewire\cyborg7

Cyborg 8

Password

skynet

Challenge

The password for cyborg9 is the Internet zone that the picture on the desktop was downloaded from.

Solution

PS C:\users\cyborg8\desktop> get-item .\1_qs5nwlcl7f_-SwNlQvOrAw.png -stream *
 
 
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop
PSChildName   : 1_qs5nwlcl7f_-SwNlQvOrAw.png::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png
Stream        : :$DATA
Length        : 60113
 
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identi
                fier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop
PSChildName   : 1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png
Stream        : Zone.Identifier
Length        : 26
 
 
 
PS C:\users\cyborg8\desktop> gc .\1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identifier
[ZoneTransfer]
ZoneId=4
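
The `Zone.Identifier` stream is the Mark-of-the-Web that Windows attaches to downloaded files, and `ZoneId=4` corresponds to the Restricted Sites zone. The following is an added example, not part of the original walkthrough, that lists every tagged file under a folder together with its zone name. The function name `Get-MarkOfTheWeb`, the demo folder and the sample file are constructed for illustration, and the demo needs an NTFS volume.

```powershell
# Added example: list files carrying a Mark-of-the-Web and name the zone.
# URL security zone numbers as defined by Windows.
$ZoneNames = @{
    0 = 'Local Machine'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # No Zone.Identifier stream means no Mark-of-the-Web: skip the file quietly.
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }

        # The stream is INI-style text: collect its key=value pairs.
        $kv = @{}
        foreach ($line in $lines) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }

        # Ignore streams without a numeric ZoneId.
        $id = 0
        if (-not [int]::TryParse([string]$kv['ZoneId'], [ref]$id)) { return }
        $zone = if ($ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { 'Unknown' }

        [pscustomobject]@{
            File    = $file.FullName
            ZoneId  = $id
            Zone    = $zone
            HostUrl = $kv['HostUrl']   # present only when the writer recorded it
        }
    }
}

# Constructed demo: a scratch file tagged with the same stream content as the level's picture.
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'sample.png'
Set-Content -LiteralPath $sample -Value 'constructed'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=4"

Get-MarkOfTheWeb -Path $dir | Format-Table -AutoSize
```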

Cyborg 9

Password

4

Challenge

PS C:\users\cyborg9\desktop> get-aduser -filter * -Properties * | ?{$_.officephone -eq '876-5309' -or $_.homephone -eq '876-5309'}
 
 
AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : underthewire.tech/X-Wing/T-65/Garick, Onita
Certificates                         : {}
City                                 :
CN                                   : Garick, Onita
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 8/30/2018 3:28:22 AM
createTimeStamp                      : 8/30/2018 3:28:22 AM
Deleted                              :
Department                           :
Description                          :
DisplayName                          : Garick, Onita
DistinguishedName                    : CN=Garick\, Onita  \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {1/1/1601 12:00:00 AM}
EmailAddress                         : [email protected]
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : False
Fax                                  :
GivenName                            : Onita
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 0
LastLogonDate                        :
LockedOut                            : False
logonCount                           : 0
LogonWorkstations                    :
mail                                 : [email protected]
Manager                              :
MemberOf                             : {}
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 8/30/2018 10:45:41 AM
modifyTimeStamp                      : 8/30/2018 10:45:41 AM
msDS-User-Account-Control-Computed   : 8388608
Name                                 : Garick, Onita
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=underthewire,DC=tech
ObjectClass                          : user
ObjectGUID                           : 5fc5bb5b-272a-4b70-877a-ed774029e247
objectSid                            : S-1-5-21-758131494-606461608-3556270690-2124
Office                               :
OfficePhone                          : 876-5309
Organization                         :
OtherName                            :
PasswordExpired                      : True
PasswordLastSet                      :
PasswordNeverExpires                 : False
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=underthewire,DC=tech
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 0
SamAccountName                       : Onita.Garick
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 0
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-758131494-606461608-3556270690-2124
SIDHistory                           : {}
SmartcardLogonRequired               : False
sn                                   : Garick
State                                :
StreetAddress                        :
Surname                              : Garick
telephoneNumber                      : 876-5309
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 514
userCertificate                      : {}
UserPrincipalName                    : Onita.Garick
uSNChanged                           : 19945
uSNCreated                           : 19357
whenChanged                          : 8/30/2018 10:45:41 AM
whenCreated                          : 8/30/2018 3:28:22 AM
 
 
 
PS C:\users\cyborg9\desktop> ls
 
 
    Directory: C:\users\cyborg9\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 99
 
 

Cyborg 10

Password

onita99

Challenge

The password for cyborg11 is the description of the Applocker Executable deny policy for ill_be_back.exe PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg10\desktop> get-applockerpolicy -effective -xml
<AppLockerPolicy Version="1"><RuleCollection Type="Appx" EnforcementMode="NotConfigured" /><RuleCollection Type="Dll" EnforcementMode="NotConfigured" /><RuleCollection Type="Exe" EnforcementMode="NotConfigured"><FilePathRule Id="cf7f9744-e5de-4189-8499-236666a32796" Name="C:\Users\cyborg10\Documents\ill_be_back.exe" Description="terminated!" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="C:\Users\cyborg10\Documents\ill_be_back.exe" /></Conditions></FilePathRule></RuleCollection><RuleCollection Type="Msi" EnforcementMode="NotConfigured" /><RuleCollection Type="Script" EnforcementMode="NotConfigured" /></AppLockerPolicy>
<AppLockerPolicy Version="1">
	<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
		<FilePathRule Id="cf7f9744-e5de-4189-8499-236666a32796" Name="C:\Users\cyborg10\Documents\ill_be_back.exe" Description="terminated!" UserOrGroupSid="S-1-1-0" Action="Deny">
			<Conditions>
				<FilePathCondition Path="C:\Users\cyborg10\Documents\ill_be_back.exe" />
			</Conditions>
		</FilePathRule>
	</RuleCollection>
	<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
PS C:\users\cyborg10\desktop> ls
 
 
    Directory: C:\users\cyborg10\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 99
 
 

Cyborg 11

Password

terminated!99

Challenge

The password for cyborg12 is located in the IIS log. The password is not Mozilla or Opera.

Solution

PS C:\users\cyborg11\desktop> gc C:\inetpub\logs\logfiles\w3svc1\u_ex160413.log | select-string password
 
2016-04-13 04:14:12 W3SVC1 Century 172.31.45.65 GET / - 80 - 172.31.45.65 HTTP/1.1 LordHelmet/5.0+(CombTheDesert)+Password+is:spaceballs - - century.underthewire.tech 200 0 0 925 118 0
 
 

Cyborg 12

Password

spaceballs

Challenge

The password for cyborg13 is the first four characters of the base64 encoded full path to the file that started the i_heart_robots service PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg12\desktop> get-wmiobject win32_service | ?{$_.name -eq 'i_heart_robots'} | select *
 
 
PSComputerName          : UTW
Name                    : i_heart_robots
Status                  : OK
ExitCode                : 1077
DesktopInteract         : False
ErrorControl            : Normal
PathName                : c:\windows\system32\cmd.exe
ServiceType             : Own Process
StartMode               : Disabled
__GENUS                 : 2
__CLASS                 : Win32_Service
__SUPERCLASS            : Win32_BaseService
__DYNASTY               : CIM_ManagedSystemElement
__RELPATH               : Win32_Service.Name="i_heart_robots"
__PROPERTY_COUNT        : 26
__DERIVATION            : {Win32_BaseService, CIM_Service, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                : UTW
__NAMESPACE             : root\cimv2
__PATH                  : \\UTW\root\cimv2:Win32_Service.Name="i_heart_robots"
AcceptPause             : False
AcceptStop              : False
Caption                 : i_heart_robots
CheckPoint              : 0
CreationClassName       : Win32_Service
DelayedAutoStart        : False
Description             : I be lovin some metal bots!
DisplayName             : i_heart_robots
InstallDate             :
ProcessId               : 0
ServiceSpecificExitCode : 0
Started                 : False
StartName               : LocalSystem
State                   : Stopped
SystemCreationClassName : Win32_ComputerSystem
SystemName              : UTW
TagId                   : 0
WaitHint                : 0
Scope                   : System.Management.ManagementScope
Path                    : \\UTW\root\cimv2:Win32_Service.Name="i_heart_robots"
Options                 : System.Management.ObjectGetOptions
ClassPath               : \\UTW\root\cimv2:Win32_Service
Properties              : {AcceptPause, AcceptStop, Caption, CheckPoint...}
SystemProperties        : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers              : {dynamic, Locale, provider, UUID}
Site                    :
Container               :
 
 
 
PS C:\users\cyborg12\desktop> [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("c:\windows\system32\cmd.exe"))
YwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAGMAbQBkAC4AZQB4AGUA
 
PS C:\users\cyborg12\desktop> ls
 
 
    Directory: C:\users\cyborg12\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _heart
 
 

Cyborg 13

Password

ywa6_heart

Challenge

The password for cyborg14 is the number of days the refresh interval is set to for DNS aging for the underthewire.tech zone PLUS the name of the file on the desktop.

Solution