Century

https://underthewire.tech/

UnderTheWire is a website that hosts PowerShell based CTFs or as they call it “wargames”.

Century is the first wargame and relies on users ability to use PowerShell operators and and navigate through the environment.

---

Century 0

The goal of this level is to log into the game. Do the following in order to achieve this goal.

1. Obtain the initial credentials via the #StartHere channel on our Slack (link). Once you are in the channel, scroll to the top to see the credentials.

2. After obtaining the credentials, connect to the server via SSH. You will need an SSH client such as Putty. The host that you will be connecting to is century.underthewire.tech, on port 22.

3. When prompted, use the credentials for the applicable game found in the #StartHere Slack channel.

4. You have successfully connected to the game server when your path changes to “PS C:\Users\Century1\desktop>”.

We can achieve this using ssh connection as follows:

ssh century1@century.underthewire.tech -p 22

The password for level 1 is: century1

Century 1

The password for Century2 is the build version of the instance of PowerShell installed on this system.

We can obtain the build version using $psVersionTable:

C:\users\century1\desktop> $PSVersionTable                                                                                                           Name                           Value
----                           -----
PSVersion                      5.1.14393.5127
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.5127
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1         

[$psVersionTable is an automatic variable (whose type is System. Collections.) that reveals some information about the PowerShell that runs the current session.]

The password for level 2 is 10.0.14393.5127

Century 2

The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.

We could conduct a simple google search for the answer. But since the goal is to use the PowerShell we could use the Get-Alias cmdlet:

PS C:\users\century1\desktop> Get-Alias wget   

CommandType     Name                                               Version
-----------     ----                                               -------
Alias           wget -> Invoke-WebRequest 

[The Get-Alias cmdlet gets the aliases in the current session. This includes built-in aliases, aliases that you have set or imported, and aliases that you have added to your PowerShell profile. By default, Get-Alias takes an alias and returns the command name.]

2. We can use the Get-ChildItem cmdlet to get the name of the file:

PS C:\users\century2\desktop> Get-ChildItem 

  
    Directory: C:\users\century2\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018   3:29 AM            693 443    

[The Get-ChildItem cmdlet gets the items in one or more specified locations. If the item is a container, it gets the items inside the container, known as child items. You can use the Recurse parameter to get items in all child containers and use the Depth parameter to limit the number of levels to recurse.]

The password for level 3 is Invoke-WebRequest443

Century 3

The password for Century4 is the number of files on the desktop.

We can obtain the number of files by piping the Measure-Object cmlet with the Get-ChildItem cmdlet:

PS C:\users\century3\desktop> (Get-ChildItem -File | Measure-Object).Count

123

[The Measure-Object cmdlet performs calculations on the property values of objects. You can use Measure-Object to count objects or count objects with a specified Property. You can also use Measure-Object to calculate the Minimum, Maximum, Sum, Standard Deviation and Average of numeric values.]

The password for level 4 is 123

Century 4

The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.

We can filter the Get-ChildItem cmdlet to get only the directories with spaces in their name as follows:

PS C:\users\century4\desktop> Get-ChildItem -Directory -Filter "* *"

  
    Directory: C:\users\century4\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/23/2022  10:30 PM                Can You Open Me

We can move into the directory and again use Get-ChildItem:

PS C:\users\century4\desktop> cd "Can You Open Me"
PS C:\users\century4\desktop\Can You Open Me> Get-ChildItem

  
    Directory: C:\users\century4\desktop\Can You Open Me 

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/23/2022  10:24 PM             24 49125 

The password for level 5 is 495125

Century 5

The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.

We can get the required domain name using Get-WmiObject cmdlet:

PS C:\users\century5\desktop> Get-WmiObject Win32_ComputerSystem

Domain              : underthewire.tech
Manufacturer        : OpenStack Foundation
Model               : OpenStack Nova
Name                : UTW
PrimaryOwnerName    : UTW_Team
TotalPhysicalMemory : 12582359040  

[The Get-WmiObject cmdlet gets instances of WMI classes or information about the available WMI classes. To specify a remote computer, use the ComputerName parameter. If the List parameter is specified, the cmdlet gets information about the WMI classes that are available in a specified namespace.]

For the filename we will use the Get-ChildItem cmdlet:

PS C:\users\century5\desktop> Get-ChildItem

  
    Directory: C:\users\century5\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018   3:29 AM             54 3347

The password for level 6 is underthewire3347

Century 6

The password for Century7 is the number of folders on the desktop.

We can add the -Directory filter to the Get-ChildItem in order to get only directories as the result.

Then we can pipe the result with the Measure-Object cmdlet.

We then wrap the entire result with the Count operator

PS C:\users\century6\desktop> (Get-ChildItem -Directory | Measure-Object).Count

197

The password for level 7 is 197

Century 7

The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.

We can search recursively for the file and set a filter to get any file which has readme in its starting part.

PS C:\users\century7\desktop> Get-ChildItem ..\ -Recurse -File -Filter readme* | get-content

7points

The password for level 8 is 7points

Century 8

The password for Century9 is the number of unique entries within the file on the desktop.

We can use the Get-Content cmdlet to display the file content and the pipe it in the following manner to get desired result:

PS C:\users\century8\desktop> (Get-Content .\Unique.txt | Sort-Object | Get-Unique | Measure-Object).Count

696

[The Get-Content cmdlet gets the content of the item at the location specified by the path, such as the text in a file or the content of a function. For files, the content is read one line at a time and returns a collection of objects, each of which represents a line of content.]

The password for level 9 is 696

Century 9

The password for Century10 is the 161st word within the file on the desktop.

We can use the Get-Content cmdlet to get the result:

PS C:\users\century8\desktop> (Get-Content Word_File.txt)[161]

pierid

The password for level 10 is pierid

Century 10

The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.

We can pipe the Get-WmiObject and Select-Object as follows:

PS C:\users\century10\desktop> Get-WmiObject win32_Service -Filter “DisplayName = ‘Windows Update’” | Select-Object Description | ft -Wrap

Description
-----------
Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API.    

[The Select-Object cmdlet selects specified properties of an object or set of objects. It can also select unique objects, a specified number of objects, or objects in a specified position in an array. To select objects from a collection, use the First, Last, Unique, Skip, and Index parameters.]

PS C:\users\century5\desktop> Get-ChildItem

  
    Directory: C:\users\century10\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018   3:34 AM             43 110

The password for level 11 is windowsupdates110

Century 11

The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.

PS C:\Users\century11> Get-ChildItem | Get-ChildItem -Recurse -File -Hidden | Where-Object {$_.Name -ne 'desktop.ini'}


    Directory: C:\Users\century11\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--         6/8/2017   4:59 PM              0 secret_sauce

The password for level 12 is secret_sauce

Century 12

The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.

PS C:\users\century12\desktop> Get-ADComputer UTW -Properties Description


Description       : i_authenticate
DistinguishedName : CN=UTW,OU=Domain Controllers,DC=underthewire,DC=tech
DNSHostName       : utw.underthewire.tech
Enabled           : True
Name              : UTW
ObjectClass       : computer
ObjectGUID        : 5ca56844-bb73-4234-ac85-eed2d0d01a2e
SamAccountName    : UTW$
SID               : S-1-5-21-758131494-606461608-3556270690-1000
UserPrincipalName :

[The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.]

PS C:\users\century12\desktop> Get-ChildItem

    
    Directory: C:\users\century12\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018   3:34 AM             30 _things

The password for level 13 is i_authenticate_things

Century 13

The password for Century14 is the number of words within the file on the desktop.

PS C:\users\century13\desktop> (Get-ChildItem | get-content | Measure-Object -Word).Words
755

The password for level 14 is 755

Century 14

The password for Century15 is the number of times the word “polo” appears within the file on the desktop.

We can obtain the required string using the Select-String cmdlet and then we can pipe it with Measure-Object

PS C:\Users\century14\Desktop> (Get-Content stuff.txt | Select-String -Pattern "polo" | Measure-Object).Count

10

The password for level 15 is 10