There is a remarkable amount of resources available today to help newcomers and seasoned pros polish their skills. One such resource is overthewire.org, which provides a set of free challenges ranging from beginner Linux to web app security, exploitation and reverse-engineering.
Underthewire.tech is an offshoot project created by two co-workers. They enjoyed the Overthewire challenges and were inspired to create a similar set of challenges, but in a Windows environment using PowerShell. The first "wargame", called Century, focuses on administrative tasks and familiarization with PowerShell commands.
Players connect to each challenge via SSH, with usernames following the schema wargame+level_number, so level 2 for Century is century2. The password for each level is found via the access that the previous level grants on the target system. Each challenge starts with a clue to how to obtain the next password. Usually there is a new command they're trying to teach, or a script you need to write in order to obtain the desired result. Both Overthewire and Underthewire encourage players to dive into man/Get-Help pages to find the answer to the clues.
Personally I find UndertheWire a good resource; however, I did get turned around once or twice due to the challenges being a little unclear, and likely me just moving too fast... I've decided to write this post because occasionally we all need a little push, a little nudge in the right direction.
I believe in the old adage "You can lead a horse to water..." so I will include screenshots of the commands I used, but will not give the actual passwords for each level.
Century0
Level 0 - pretty simple.
You need to join the Underthewire Slack channel (underthewire.herokuapp.com) and find the password on the #StartHere Slack channel.
Connect to century.underthewire.tech using an SSH client on port 22 and you're ready to get started.
Century1
Clue:
The password for Century2 is the build version of the instance of PowerShell installed on this system.
NOTE:
- The format is as follows: **.*.*****.****
- Include all periods
- Be sure to look for build version and NOT PowerShell version
Once you feel you have completed the Century1 challenge, start a new connection to the server, and log in with the username of Century2 and this password will be the answer from Century1. If successful, close out the Century1 connection and begin to solve the Century2 challenge. This concept is repeated over and over until you reach the end of the game.
I'll be honest, I got a little turned around here. More honesty: I did use someone else's guide for this one as I kept trying to use the build of the OS... for some reason my brain read OS build version not PowerShell build. Anyways, the following command will get you the information you need:
We call the PowerShell global variable $PSVersionTable. The answer and password to century2 is found within.
Century2
Clue:
The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
NOTE:
- If the name of the cmdlet is "get-web" and the file on the desktop is named "1234", the password would be "get-web1234".
- The password will be lowercase no matter how it appears on the screen.
Century2 is a classic overthewire puzzle, "the password for the next level is the command that does X."
PowerShell commands have a modular structure called cmdlets; this allows the user to create new cmdlets and add functionality to PowerShell. Commands in PowerShell are laid out in a Verb-Noun structure, e.g. Get-WebObject, Set-RegistryKey, Invoke-Command, etc. Microsoft has also included a wonderfully helpful... help function called (wait for it...) Get-Help <command>. PowerShell also recognizes some common Linux commands and aliases them to the PowerShell equivalent.
So for this challenge: The password is the name of the cmdlet that performs a wget-like function within PowerShell.
For the first part we can perform the command: Get-Help wget
Also, doing an ls of the desktop folder will get us the answer we need.
Century3
Clue:
The password for Century4 is the number of files on the desktop
I like this one, it's simple and introduces you to a functionality of PowerShell that can be useful. In Linux we could call wc -l to count the lines in a ls -l. So to get the PowerShell answer we can use Get-Help wc.
Unfortunately this doesn't quite give us the answer we're hoping for... To Google!!
I searched for "wc in PowerShell" and the first result was from StackExchange.
The top answer included how to use both the cmd equivalent and PowerShell, which is Measure-Object -line
Century4
Clue:
The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
(Source: https://underthewire.tech/century/century4.htm)
This is one of those challenges that's so oddly simple... like perhaps this should be earlier in the wargame. Maybe when the creators first built this challenge.. there were multiple files on the desktop but when I did it there was only one.... and it had spaces...
Century5
Clue:
The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
(Source: https://underthewire.tech/century/century5.htm)
This clue is an interesting one. PowerShell autocompletes commands for you, allowing you to cycle through all the commands that begin with a given input.
Here I said okay, well what are some commands in PowerShell which would give me information on the AD Domain and/or its controllers. Get-AD *tab* *tab* ... there are a bunch of AD commands, but eventually you will arrive at Get-ADDomain and Get-ADDomainController.
Century6
Clue:
The password for Century7 is the number of folders on the desktop.
Again, another problem that seems quite easy, and can be completed in the exact same way as previous challenges with adding a flag to the Measure-Object command.
Century7
Clue:
The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user's profile.
(Source: https://underthewire.tech/century/century7.htm)
Here Underthewire introduces us to a new command. In the Windows command line you can use dir to recursively search folders, but this is PowerShell... yes, we can use dir, but how can we use PowerShell to do the same thing? What if we used Get-Help dir?
Get-Help dir introduces us to the PowerShell equivalent, which is Get-ChildItem. Get-ChildItem can take a given path and a file name, and will perform a search. From here we simply add in what we're looking for and make sure to use the -Recurse flag. After that, just cat the appropriate file.
So to find our solution we need to perform the following:
Century8
Clue:
The password for Century9 is the number of unique entries within the file on the desktop.
Another new command. In Linux, to get a list of unique items, you could use the uniq command. Let's ask Get-Help what uniq is in PowerShell.
Looks like the command Get-Unique is what we're looking for. Now we need to open the file, pipe the contents into uniq, and then count how many we have. To do this, we need to use the Linux command cat, but what's the PowerShell equivalent:
So to find our solution we need to perform the following:
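The counting steps from Century3, Century6 and Century8, as an added example that is not part of the original post. It builds a throwaway directory of constructed files rather than touching the wargame, and the function names Get-DesktopCounts and Get-UniqueLineCount are assumptions made for illustration.

```powershell
# Added example: constructed sandbox, not the wargame's desktop.
function Get-DesktopCounts {
    param([Parameter(Mandatory)][string]$Path)

    # Century3: count files only. -File excludes directories.
    $files = (Get-ChildItem -Path $Path -File | Measure-Object).Count

    # Century6: count folders only. -Directory excludes files.
    $folders = (Get-ChildItem -Path $Path -Directory | Measure-Object).Count

    [pscustomobject]@{ Files = $files; Folders = $folders }
}

function Get-UniqueLineCount {
    param([Parameter(Mandatory)][string]$File)

    $lines = Get-Content -Path $File

    # Get-Unique only collapses ADJACENT duplicates (like Linux uniq),
    # so on unsorted input repeated lines are counted more than once.
    # It also compares case-sensitively.
    $naive = ($lines | Get-Unique | Measure-Object).Count

    # Sort first so equal lines sit next to each other.
    $sorted = ($lines | Sort-Object | Get-Unique | Measure-Object).Count

    [pscustomobject]@{ WithoutSort = $naive; WithSort = $sorted }
}

# --- constructed sample data ---
$sandbox = Join-Path ([System.IO.Path]::GetTempPath()) "century-demo-$(Get-Random)"
New-Item -ItemType Directory -Path $sandbox | Out-Null
1..3 | ForEach-Object { New-Item -ItemType File -Path (Join-Path $sandbox "file$_.txt") | Out-Null }
1..2 | ForEach-Object { New-Item -ItemType Directory -Path (Join-Path $sandbox "dir$_") | Out-Null }
$list = Join-Path $sandbox 'unique.txt'
Set-Content -Path $list -Value 'alpha', 'bravo', 'alpha', 'charlie', 'bravo', 'bravo'

Get-DesktopCounts -Path $sandbox
Get-UniqueLineCount -File $list

# Clean up the constructed sandbox.
Remove-Item -Path $sandbox -Recurse -Force
```

On the constructed list the unsorted pipeline reports more entries than the sorted one, which is the mistake to watch for on the real file.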
Century9
Clue:
The password for Century10 is the 161st word within the file on the desktop.
(Source: https://underthewire.tech/century/century9.htm)
This is a fun one, let's pull this one apart to figure out what we actually need to do.
First we need to cat the file, then pipe that to a command that we can use to drop the contents of this file into a list, then pull out entry number 160 (remember counting starts at 0).
So let's start by looking at the file:
Hmmm, how many words are we talking here...
Let's see what we could do with strings in PowerShell... Get-Help string
Lots of stuff... but can any of these help us... probably not, however Select-String says it can find text in strings and files, which is essentially what we're looking for.
After looking at Get-Help Select-String we see that we can give Select-String a regex pattern to search through a file with.
Let's try to put some of this together...
Select-String uses regex to go through the .txt file searching for anything that matches our pattern, then saves it to a regex group. Now we need to open up our match groups and find the value for 160, which can be accomplished with:
Century10
Clue:
The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- If the 10th and 8th word of the service description is "apple" and "juice" and the name of the file on the desktop is "88", the password would be "applejuice88".
(Source: https://underthewire.tech/century/century10.htm)
A good place to start... Get-Help Service
Lots of articles for Service... but looks like there's a Get-Service, so let's run that. If we run that we get a long list of services; in the DisplayName column find Windows Update.
What to do next... after reviewing the Get-Help Get-Service file, I was unable to find the answer. So I took to Google and found this article (https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7) from Microsoft. In the article they show how to use Get-CimInstance Win32_Service to retrieve the Name and Description, so let's plug the two together...
I honestly manually counted to the 10th and 8th word, however I suppose you could return just the description, then feed it into Select-String like we did in Century9. Don't forget to grab the name of the file on the desktop.
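The word-picking step from Century9 and Century10 done without manual counting, as an added example that is not part of the original post. The helper name Get-WordAt and all sample text are constructed, and it assumes a "word" is anything separated by whitespace.

```powershell
# Added example: helper name and sample text are constructed, not from the wargame.
function Get-WordAt {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][int[]]$Position   # 1-based, as the clues count
    )

    # Split on runs of whitespace (spaces, tabs, newlines) and drop the empty
    # entries that leading/trailing whitespace would otherwise produce.
    # @() keeps the result an array even when only one word is found.
    $words = @($Text -split '\s+' | Where-Object { $_ -ne '' })

    foreach ($p in $Position) {
        if ($p -lt 1 -or $p -gt $words.Count) {
            throw "Position $p is outside 1..$($words.Count)"
        }
        # Arrays are 0-based, so the 161st word lives at index 160.
        $words[$p - 1]
    }
}

# Century9 pattern: Nth word of a file's contents (constructed text here).
$sample = "one two three`nfour  five six`tseven eight nine ten"
Get-WordAt -Text $sample -Position 5

# Century10 pattern: 10th and 8th word of a description, joined with a file
# name and lowercased. Description and file name are constructed to
# reproduce the clue's own "applejuice88" illustration.
$description = 'w1 w2 w3 w4 w5 w6 w7 Juice w9 Apple w11'
$fileName    = '88'
$parts = Get-WordAt -Text $description -Position 10, 8
(($parts -join '') + $fileName).ToLower()

# On a live system the text would come from the sources the post names:
#   (Get-CimInstance Win32_Service -Filter "DisplayName='Windows Update'").Description
#   Get-Content -Raw <path to the file on the desktop>
```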
That's all for now... Hope this was helpful, and if you'd like to see more of this stuff from me, or if you absolutely hate my writing style, please let me know in the comment section.

Thank you for the help and thorough explanations; as they were way more helpful to me than the Absolomb's Security Blog.