UnderTheWire Cyborg is a more advanced PowerShell problem set than UnderTheWire Century. It requires a Windows terminal just like Century.

Cyborg 1

Password

cyborg1

Challenge

The password for cyborg2 is the state that the user Chris Rogers is from as stated within Active Directory.

NOTE: – The password will be lowercase no matter how it appears on the screen. – “State” refers to the location within the country and NOT the “state” of the account (enabled/ disabled).

Solution

PS C:\users\cyborg1\desktop> get-aduser -filter * | ?{$_.GivenName -eq 'Chris'}
 
 
DistinguishedName : CN=Rogers\, Chris\ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Chris
Name              : Rogers, Chris
ObjectClass       : user
ObjectGUID        : ee6450f8-cf70-4b1d-b902-a837839632bd
SamAccountName    : chris.rogers
SID               : S-1-5-21-758131494-606461608-3556270690-2177
Surname           : Rogers
UserPrincipalName : chris.rogers
 
 
 
PS C:\users\cyborg1\desktop> get-aduser chris.rogers -properties * | select-object -exp state
kansas

Cyborg 2

Password

kansas

Challenge

The password for cyborg3 is the host A record IP address for CYBORG718W100N PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg2\desktop> get-dnsserverzone
 
ZoneName                            ZoneType        IsAutoCreated   IsDsIntegrated  IsReverseLookupZone  IsSigned
--------                            --------        -------------   --------------  -------------------  --------
_msdcs.underthewire.tech            Primary         False           True            False                False
0.in-addr.arpa                      Primary         True            False           True                 False
127.in-addr.arpa                    Primary         True            False           True                 False
255.in-addr.arpa                    Primary         True            False           True                 False
TrustAnchors                        Primary         False           True            False                False
underthewire.tech                   Primary         False           True            False                False
 
 
PS C:\users\cyborg2\desktop> get-dnsserverresourcerecord -zonename underthewire.tech | ?{$_.hostname -eq 'CYBORG718W100N'} | select-object -exp recorddata
 
IPv4Address   PSComputerName
-----------   --------------
172.31.45.167
 
 
PS C:\users\cyborg2\desktop> ls
 
 
    Directory: C:\users\cyborg2\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/26/2022   2:14 PM              0 _ipv4

Cyborg 3

Password

172.31.45.167_ipv4

Challenge

The password for cyborg4 is the number of users in the Cyborg group within Active Directory PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg3\desktop> ls
 
 
    Directory: C:\users\cyborg3\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/26/2022   2:14 PM              0 _objects
 
 
PS C:\users\cyborg3\desktop> get-adgroupmember -identity cyborg | measure | select -exp count
88

Cyborg 4

Password

88_objects

Challenge

The password for cyborg5 is the PowerShell module name with a version number of 8.9.8.9 PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg4\desktop> get-module -ListAvailable | ?{$_.version -eq '8.9.8.9'}
 
 
    Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules
 
 
ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   8.9.8.9    bacon                               Get-bacon
 
 
PS C:\users\cyborg4\desktop> ls
 
 
    Directory: C:\users\cyborg4\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _eggs
 
 

Cyborg 5

Password

bacon_eggs

Challenge

The password for cyborg6 is the last name of the user who has logon hours set on their account PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg5\desktop> get-aduser -filter * -properties name,logonhours | ?{$_.logonhours -GE 0}                                                                                                                                                                                                                                                                  DistinguishedName : CN=Administrator,CN=Users,DC=underthewire,DC=tech
Enabled           : True
GivenName         :
logonhours        : {255, 255, 255, 255...}
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 427058c2-1d57-4e49-a23d-204865b502ae
SamAccountName    : Administrator
SID               : S-1-5-21-758131494-606461608-3556270690-500
Surname           :
UserPrincipalName :
 
DistinguishedName : CN=Rowray\, Benny  \ ,OU=T-85,OU=X-Wing,DC=underthewire,DC=tech
Enabled           : False
GivenName         : Benny
logonhours        : {0, 0, 0, 0...}
Name              : Rowray, Benny
ObjectClass       : user
ObjectGUID        : c9aad4f3-3e4f-46b5-84db-2bb7105796dd
SamAccountName    : Benny.Rowray
SID               : S-1-5-21-758131494-606461608-3556270690-1647
Surname           : Rowray
UserPrincipalName : Benny.Rowray
 
 
 
PS C:\users\cyborg5\desktop> ls
 
 
    Directory: C:\users\cyborg5\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _timer
 
 

Cyborg 6

Password

rowray_timer

Challenge

The password for cyborg7 is the decoded text of the string within the file on the desktop.

NOTE: – The password is the last word of the string. For example, if it is “I like PowerShell”, the password would be “powershell”. – The password will be lowercase no matter how it appears on the screen. – There are no spaces in the answer.

Solution

PS C:\users\cyborg6\desktop> cat .\cypher.txt
YwB5AGIAZQByAGcAZQBkAGQAbwBuAA==
PS C:\users\cyborg6\desktop> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("YwB5AGIAZQByAGcAZQBkAGQAbwBuAA=="))
c y b e r g e d d o n
PS C:\users\cyborg6\desktop> [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("YwB5AGIAZQByAGcAZQBkAGQAbwBuAA=="))
cybergeddon

Cyborg 7

Password

cybergeddon

Challenge

The password for cyborg8 is the executable name of a program that will start automatically when cyborg7 logs in.

Solution

PS C:\users\cyborg7\desktop> Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | Format-List
 
 
Name     : SKYNET
command  : C:\program files\SkyNet\skynet.exe
Location : HKU\S-1-5-21-758131494-606461608-3556270690-1140\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User     : underthewire\cyborg7

Cyborg 8

Password

skynet

Challenge

The password for cyborg9 is the Internet zone that the picture on the desktop was downloaded from.

Solution

PS C:\users\cyborg8\desktop> get-item .\1_qs5nwlcl7f_-SwNlQvOrAw.png -stream *
 
 
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop
PSChildName   : 1_qs5nwlcl7f_-SwNlQvOrAw.png::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png
Stream        : :$DATA
Length        : 60113
 
PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identi
                fier
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\users\cyborg8\desktop
PSChildName   : 1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identifier
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\users\cyborg8\desktop\1_qs5nwlcl7f_-SwNlQvOrAw.png
Stream        : Zone.Identifier
Length        : 26
 
 
 
PS C:\users\cyborg8\desktop> gc .\1_qs5nwlcl7f_-SwNlQvOrAw.png:Zone.Identifier
[ZoneTransfer]
ZoneId=4

Cyborg 9

Password

4

Challenge

PS C:\users\cyborg9\desktop> get-aduser -filter * -Properties * | ?{$_.officephone -eq '876-5309' -or $_.homephone -eq '876-5309'}
 
 
AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : underthewire.tech/X-Wing/T-65/Garick, Onita
Certificates                         : {}
City                                 :
CN                                   : Garick, Onita
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 8/30/2018 3:28:22 AM
createTimeStamp                      : 8/30/2018 3:28:22 AM
Deleted                              :
Department                           :
Description                          :
DisplayName                          : Garick, Onita
DistinguishedName                    : CN=Garick\, Onita  \ ,OU=T-65,OU=X-Wing,DC=underthewire,DC=tech
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {1/1/1601 12:00:00 AM}
EmailAddress                         : Onita.Garick@underthewire.tech
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : False
Fax                                  :
GivenName                            : Onita
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 0
LastLogonDate                        :
LockedOut                            : False
logonCount                           : 0
LogonWorkstations                    :
mail                                 : Onita.Garick@underthewire.tech
Manager                              :
MemberOf                             : {}
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 8/30/2018 10:45:41 AM
modifyTimeStamp                      : 8/30/2018 10:45:41 AM
msDS-User-Account-Control-Computed   : 8388608
Name                                 : Garick, Onita
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=underthewire,DC=tech
ObjectClass                          : user
ObjectGUID                           : 5fc5bb5b-272a-4b70-877a-ed774029e247
objectSid                            : S-1-5-21-758131494-606461608-3556270690-2124
Office                               :
OfficePhone                          : 876-5309
Organization                         :
OtherName                            :
PasswordExpired                      : True
PasswordLastSet                      :
PasswordNeverExpires                 : False
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=underthewire,DC=tech
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 0
SamAccountName                       : Onita.Garick
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 0
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-758131494-606461608-3556270690-2124
SIDHistory                           : {}
SmartcardLogonRequired               : False
sn                                   : Garick
State                                :
StreetAddress                        :
Surname                              : Garick
telephoneNumber                      : 876-5309
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 514
userCertificate                      : {}
UserPrincipalName                    : Onita.Garick
uSNChanged                           : 19945
uSNCreated                           : 19357
whenChanged                          : 8/30/2018 10:45:41 AM
whenCreated                          : 8/30/2018 3:28:22 AM
 
 
 
PS C:\users\cyborg9\desktop> ls
 
 
    Directory: C:\users\cyborg9\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 99
 
 

Cyborg 10

Password

onita99

Challenge

The password for cyborg11 is the description of the Applocker Executable deny policy for ill_be_back.exe PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg10\desktop> get-applockerpolicy -effective -xml
<AppLockerPolicy Version="1"><RuleCollection Type="Appx" EnforcementMode="NotConfigured" /><RuleCollection Type="Dll" EnforcementMode="NotConfigured" /><RuleCollection Type="Exe" EnforcementMode="NotConfigured"><FilePathRule Id="cf7f9744-e5de-4189-8499-236666a32796" Name="C:\Users\cyborg10\Documents\ill_be_back.exe" Description="terminated!" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePathCondition Path="C:\Users\cyborg10\Documents\ill_be_back.exe" /></Conditions></FilePathRule></RuleCollection><RuleCollection Type="Msi" EnforcementMode="NotConfigured" /><RuleCollection Type="Script" EnforcementMode="NotConfigured" /></AppLockerPolicy>
<AppLockerPolicy Version="1">
	<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
		<FilePathRule Id="cf7f9744-e5de-4189-8499-236666a32796" Name="C:\Users\cyborg10\Documents\ill_be_back.exe" Description="terminated!" UserOrGroupSid="S-1-1-0" Action="Deny">
			<Conditions>
				<FilePathCondition Path="C:\Users\cyborg10\Documents\ill_be_back.exe" />
			</Conditions>
		</FilePathRule>
	</RuleCollection>
	<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
	<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
PS C:\users\cyborg10\desktop> ls
 
 
    Directory: C:\users\cyborg10\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 99
 
 

Cyborg 11

Password

terminated!99

Challenge

The password for cyborg12 is located in the IIS log. The password is not Mozilla or Opera.

Solution

PS C:\users\cyborg11\desktop> gc C:\inetpub\logs\logfiles\w3svc1\u_ex160413.log | select-string password
 
2016-04-13 04:14:12 W3SVC1 Century 172.31.45.65 GET / - 80 - 172.31.45.65 HTTP/1.1 LordHelmet/5.0+(CombTheDesert)+Password+is:spaceballs - - century.underthewire.tech 200 0 0 925 118 0
 
 

Cyborg 12

Password

spaceballs

Challenge

The password for cyborg13 is the first four characters of the base64 encoded full path to the file that started the i_heart_robots service PLUS the name of the file on the desktop.

Solution

PS C:\users\cyborg12\desktop> get-wmiobject win32_service | ?{$_.name -eq 'i_heart_robots'} | select *
 
 
PSComputerName          : UTW
Name                    : i_heart_robots
Status                  : OK
ExitCode                : 1077
DesktopInteract         : False
ErrorControl            : Normal
PathName                : c:\windows\system32\cmd.exe
ServiceType             : Own Process
StartMode               : Disabled
__GENUS                 : 2
__CLASS                 : Win32_Service
__SUPERCLASS            : Win32_BaseService
__DYNASTY               : CIM_ManagedSystemElement
__RELPATH               : Win32_Service.Name="i_heart_robots"
__PROPERTY_COUNT        : 26
__DERIVATION            : {Win32_BaseService, CIM_Service, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                : UTW
__NAMESPACE             : root\cimv2
__PATH                  : \\UTW\root\cimv2:Win32_Service.Name="i_heart_robots"
AcceptPause             : False
AcceptStop              : False
Caption                 : i_heart_robots
CheckPoint              : 0
CreationClassName       : Win32_Service
DelayedAutoStart        : False
Description             : I be lovin some metal bots!
DisplayName             : i_heart_robots
InstallDate             :
ProcessId               : 0
ServiceSpecificExitCode : 0
Started                 : False
StartName               : LocalSystem
State                   : Stopped
SystemCreationClassName : Win32_ComputerSystem
SystemName              : UTW
TagId                   : 0
WaitHint                : 0
Scope                   : System.Management.ManagementScope
Path                    : \\UTW\root\cimv2:Win32_Service.Name="i_heart_robots"
Options                 : System.Management.ObjectGetOptions
ClassPath               : \\UTW\root\cimv2:Win32_Service
Properties              : {AcceptPause, AcceptStop, Caption, CheckPoint...}
SystemProperties        : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers              : {dynamic, Locale, provider, UUID}
Site                    :
Container               :
 
 
 
PS C:\users\cyborg12\desktop> [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("c:\windows\system32\cmd.exe"))
YwA6AFwAdwBpAG4AZABvAHcAcwBcAHMAeQBzAHQAZQBtADMAMgBcAGMAbQBkAC4AZQB4AGUA
 
PS C:\users\cyborg12\desktop> ls
 
 
    Directory: C:\users\cyborg12\desktop
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018  10:45 AM              0 _heart
 
 

Cyborg 13

Password

ywa6_heart

Challenge

https://underthewire.tech/cyborg-13 The password cyborg14 is the number of days the refresh interval is set to for DNS aging for the underthewire.tech zone PLUS the name of the file on the desktop.

Solution