The Cyborg challenges are the next set of UnderTheWire challenges following Century. These were a little more advanced but nothing too crazy. Below are my solutions.

Cyborg 2

The password for cyborg2 is the state that the user Chris Rogers is from as stated within Active Directory.

First try was to do a filter on the full name.

PS C:\Users\cyborg1\Documents> Get-ADUser -Filter 'Name -like "Chris Rogers"' -Properties state

That did not work, however, so let’s filter on just the last name with some asterisks.

PS C:\Users\cyborg1\Documents> Get-ADUser -Filter 'Name -like "*Rogers*"' -Properties state

DistinguishedName : CN=Rogers\,
Enabled           : False
GivenName         : Rogers
Name              : Rogers, Chris
ObjectClass       : user
ObjectGUID        : 3251b635-dac5-47c1-b8b9-bb7ee058cde7
SamAccountName    :
SID               : S-1-5-21-1013972110-1198539618-3084840507-2117
State             : kansas
Surname           : Chris
UserPrincipalName : [email protected]

Bingo! We see that our first command failed because of the way the Name attribute is formatted: it is stored as "Rogers, Chris", not "Chris Rogers". Our password for cyborg2 is kansas

Cyborg 3

The password for cyborg3 is the host A record IP address for CYBORG713W104N PLUS the name of the file on the desktop.

Nothing crazy here.

PS C:\Users\cyborg2\Documents> Resolve-DnsName -Name CYBORG713W104N -Type A | ft -auto

Name                             Type TTL  Section IPAddress
----                             ---- ---  ------- ---------

PS C:\Users\cyborg2\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg2\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017  11:07 AM              0 _ipv4

Our password is

Cyborg 4

The password for cyborg4 is the number of users in the Cyborg group within Active Directory PLUS the name of the file on the desktop.

Here we just pipe the group member cmdlet into measure (short for Measure-Object) to get our count.

PS C:\Users\cyborg3> get-adgroupmember cyborg | measure

Count    : 88
Average  :
Sum      :
Maximum  :
Minimum  :
Property :

PS C:\Users\cyborg3> Get-ChildItem .\Desktop

    Directory: C:\Users\cyborg3\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017  11:10 AM              0 _objects

Password is 88_objects

Cyborg 5

The password for cyborg5 is the PowerShell module name with a version number of PLUS the name of the file on the desktop.

For this one we need to use the -ListAvailable option; otherwise we will only get currently loaded modules. We can filter using Where-Object, searching for our specific version.

PS C:\Users\cyborg4\Documents> Get-Module -ListAvailable | Where-Object {$_.Version -eq ""}

    Directory: C:\Windows\system32\WindowsPowerShell\v1.0\Modules

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest    Grits                               Get-grits

PS C:\Users\cyborg4\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg4\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017  11:23 AM              0 _eggs

Password is grits_eggs

Cyborg 6

The password for cyborg6 is the last name of the user who has logon hours set on their account PLUS the name of the file on the desktop.

Here we get logonhours as a property value and filter on it for anything that is not null by using an asterisk.

PS C:\Users\cyborg5\Documents> get-aduser -Properties logonhours -Filter {logonhours -like '*'}

DistinguishedName : CN=Rowray\, Benny  \
Enabled           : False
GivenName         : Benny
logonhours        : {255, 255, 255, 255...}
Name              : Rowray, Benny
ObjectClass       : user
ObjectGUID        : 23501b6d-a0ec-4048-bd51-82f84c7945d3
SamAccountName    : Benny.Rowray
SID               : S-1-5-21-1013972110-1198539618-3084840507-1978
Surname           : Rowray
UserPrincipalName : Benny.Rowray

PS C:\Users\cyborg5\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg5\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017  11:13 AM              0 _timer

Password is rowray_timer

Cyborg 7

The password for cyborg7 is the decoded text of the string within the file on the desktop.

PS C:\Users\cyborg6\Desktop> Get-ChildItem

    Directory: C:\Users\cyborg6\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/16/2016  12:01 PM             78 cypher.txt

PS C:\Users\cyborg6\Desktop> Get-Content .\cypher.txt

This looks exactly like base64 encoding. Let’s decode it.

PS C:\Users\cyborg6\Desktop> $base64 = Get-Content .\cypher.txt
PS C:\Users\cyborg6\Desktop> [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64))
The password is cybergeddon

Alright, so this one is a little tricky. First we will set a variable named $base64 with the contents of our file. Next we will have to use .NET classes and methods to get the rest of the job done, since there is no cmdlet currently that will do the leg work for us.

First the [System.Text.Encoding] class is called, followed by two colons. The double colon accesses static members of a class, which for the first part is the UTF8 encoding and its GetString method. Inside this method we call the System.Convert class along with its FromBase64String method to decode our variable properly.

So you may be wondering why you can’t just call the System.Convert class and the method FromBase64String to get our answer.

Well let’s break this down for further understanding and do just that.

PS C:\Users\cyborg6\Desktop> $a = [System.Convert]::FromBase64String($base64)
PS C:\Users\cyborg6\Desktop> $a

If we call only the FromBase64String method, we see the output is still not human readable. So what is it?

PS C:\Users\cyborg6\Desktop> $a.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Byte[]                                   System.Array

We can see that we have a byte array. So to decode this further we have to call the UTF8.GetString method to do just that.

PS C:\Users\cyborg6\Desktop> [System.Text.Encoding]::UTF8.GetString($a)
The password is cybergeddon

Hopefully this makes a little more sense now, rather than just copying and pasting a long command in.

Cyborg 8

The password for cyborg8 is the executable name of a program that will start automatically when cyborg7 logs in.

Get-ChildItem won’t do the job here. We’ll have to use Get-ItemProperty instead.

PS C:\Users\cyborg7\Documents> Get-ItemProperty "hkcu:\Software\Microsoft\Windows\CurrentVersion\Run"

SKYNET       : C:\Program Files\Cyberdyne Systems\Skynet.exe
PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\Software\M
PSChildName  : Run
PSDrive      : HKCU
PSProvider   : Microsoft.PowerShell.Core\Registry

Password is skynet.

Cyborg 9

The password for cyborg9 is the Internet zone that the picture on the desktop was downloaded from.

To accomplish this we will need to look at the file streams. We can use Get-Item to query the Zone.Identifier stream which specifies the zone it was downloaded from. Then to actually see the value we pipe into Get-Content to get our zone number, which is 4, the Restricted Sites Zone.

PS C:\Users\cyborg8\Desktop> Get-Item .\picture1.jpg -Stream Zone.Identifier | Get-Content

Password is 4
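
An added example, not part of the original write-up, that applies the same Zone.Identifier lookup to every file in a folder and names the zone. It needs Windows and an NTFS volume; the function name Get-DownloadZone, the temp folder and the sample file with its stream are constructed for illustration.

```powershell
# Added example: read the Zone.Identifier stream of each file and name the zone.
function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                    3 = 'Internet';      4 = 'Restricted Sites' }
    foreach ($file in Get-ChildItem -Path $Path -File) {
        $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { continue }                       # no stream: file was never tagged
        $fields = @{}
        foreach ($line in $lines) {
            # Stream content is INI-style: [ZoneTransfer] followed by key=value pairs.
            if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        if (-not $fields.ContainsKey('ZoneId')) { continue }
        $id = [int]$fields['ZoneId']
        $zone = $zoneNames[$id]
        if (-not $zone) { $zone = 'Unknown' }
        [pscustomobject]@{
            File    = $file.Name
            ZoneId  = $id
            Zone    = $zone
            HostUrl = $fields['HostUrl']                    # present only if the browser recorded it
        }
    }
}

# Constructed sample: a placeholder file tagged with a Restricted Sites zone.
$dir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$sample = Join-Path $dir 'picture1.jpg'
Set-Content -LiteralPath $sample -Value 'constructed placeholder, not a real image'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value '[ZoneTransfer]', 'ZoneId=4'

Get-DownloadZone -Path $dir
```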

Cyborg 10

The password for cyborg10 is the first name of the user with the phone number of 867-5309 listed in Active Directory PLUS the name of the file on the desktop.

This one is similar to one we did earlier. We just need to filter on the telephoneNumber attribute in Active Directory.

PS C:\Users\cyborg9\Documents> Get-ADUser -Properties telephoneNumber -Filter {telephoneNumber -like '867-5309'}

DistinguishedName : CN=Conner\,
Enabled           : False
GivenName         : John
Name              : Conner, John
ObjectClass       : user
ObjectGUID        : 61af13ae-3258-4661-b5a3-dee78ac6f659
SamAccountName    : john.conner
SID               : S-1-5-21-1013972110-1198539618-3084840507-2119
Surname           : Conner
telephoneNumber   : 867-5309
UserPrincipalName : [email protected]

PS C:\Users\cyborg9\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg9\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017   4:39 PM              0 72

Password is john72

Cyborg 11

The password for cyborg11 is the description of the Applocker Executable deny policy for ill_be_back.exe PLUS the name of the file on the desktop.

This one is pretty interesting. Since Get-AppLockerPolicy only outputs the actual rules in XML format, we will need to do some XML filtering to get what we want. You could take the easy way out and skim the XML, but there are better ways.

PS C:\Users\cyborg10\Documents> $xml = [xml](Get-AppLockerPolicy -Effective -Xml)
PS C:\Users\cyborg10\Documents> $xml


First we will create a variable and cast it as an XML object so we can manipulate it properly.

Now we can essentially move down the XML structure as such.

PS C:\Users\cyborg10\Documents> $xml.AppLockerPolicy

Version RuleCollection
------- --------------
1       {RuleCollection, RuleCollection, RuleCollection, RuleCollection...}

To expand on the rules, we can use select on the ChildNodes property with the ExpandProperty option to list all the child items under RuleCollection. To get exactly what we want, we can filter using where on Name for our exe.

PS C:\Users\cyborg10\Documents> $xml.AppLockerPolicy.RuleCollection | select -ExpandProperty childnodes | where {$_.Name -eq 'ill_be_back.exe'}

Id             : 5d6eb575-3e78-4cc1-a6ac-38260a101d8d
Name           : ill_be_back.exe
Description    : terminated!
UserOrGroupSid : S-1-1-0
Action         : Deny
Conditions     : Conditions

PS C:\Users\cyborg10\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg10\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017   4:34 PM              0 99

Voila! The password is terminated!99
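
An added example, not part of the original write-up, that does the same filtering with XPath and keeps the rule collection type and enforcement mode that the ChildNodes pipeline drops. The policy XML is a constructed sample in the AppLocker export layout, and Get-AppLockerRule is a hypothetical helper name.

```powershell
# Added example: constructed policy; on a live host use
# [xml](Get-AppLockerPolicy -Effective -Xml) instead of this here-string.
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Allow Windows folder"
                  Description="constructed allow rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="sample_blocked.exe"
                  Description="constructed deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Tools\sample_blocked.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@

function Get-AppLockerRule {
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [ValidateSet('Allow', 'Deny')][string]$Action = 'Deny'
    )
    # Match any rule element (path, hash or publisher rule) with the wanted action.
    $hits = Select-Xml -Xml $Policy -XPath "/AppLockerPolicy/RuleCollection/*[@Action='$Action']"
    foreach ($hit in $hits) {
        $rule = $hit.Node
        [pscustomobject]@{
            Collection  = $rule.ParentNode.GetAttribute('Type')
            Enforcement = $rule.ParentNode.GetAttribute('EnforcementMode')
            RuleType    = $rule.LocalName
            Name        = $rule.GetAttribute('Name')
            Description = $rule.GetAttribute('Description')
            Sid         = $rule.GetAttribute('UserOrGroupSid')
        }
    }
}

Get-AppLockerRule -Policy $policy -Action Deny
```

The Enforcement column matters when reading a policy: a Deny rule in a collection set to AuditOnly is logged but not enforced.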

Cyborg 12

The password for cyborg12 is located in the IIS log. The password is not Mozilla or Opera.

Since we know what we aren’t looking for, we can filter to exclude everything we don’t want using notLike operators.

PS C:\inetpub\logs\LogFiles\W3SVC1> Get-Content .\u_ex160413.log | where {($_ -notLike "*Mozilla*") -and ($_ -notLike "*Opera*")}
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-04-13 04:14:01
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2016-04-13 04:14:12 W3SVC1 Century GET / - 80 - HTTP/1.1 LordHelmet/5.0+(CombTheDesert)+Password+is:spaceballs - - 200 0 0 925 118 0
PS C:\inetpub\logs\LogFiles\W3SVC1>

Password is spaceballs
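
An added example, not part of the original write-up, that reads the columns from the #Fields header and ranks User-Agent values by how rarely they occur, so the odd one out surfaces without knowing what to exclude. The log lines are constructed sample data with a reduced field set and documentation IP addresses; ConvertFrom-W3CLog is a hypothetical helper name.

```powershell
# Added example: constructed W3C-format sample, not taken from the challenge host.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2016-04-13 04:14:01 GET / 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200
2016-04-13 04:14:05 GET /index.html 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) 200
2016-04-13 04:14:09 GET / 192.0.2.12 Opera/9.80+(Windows+NT+6.1) 200
2016-04-13 04:14:12 GET / 192.0.2.13 ExampleAgent/1.0+(constructed) 200
'@ -split '\r?\n'

function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # The header can reappear mid-file with a different column set.
            $fields = @(-split ($l.Substring(8)))
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim()) { continue }   # other directives, blank lines
        $values = @(-split $l)
        if ($values.Count -ne $fields.Count) { continue }         # malformed or truncated row
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Rarest User-Agent values first.
ConvertFrom-W3CLog -Line $sample |
    Group-Object -Property { $_.'cs(User-Agent)' } |
    Sort-Object Count |
    Select-Object Count, Name -First 3
```

On a real file, pass (Get-Content .\u_ex160413.log) as -Line; IIS writes spaces inside a field as +, so splitting on whitespace keeps each column intact.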

Cyborg 13

The password for cyborg13 is the first four characters of the base64 encoded fullpath to the file that started the i_heart_robots service PLUS the name of the file on the desktop.

First we will need to grab our path. Again we’ll have to use WMI, since Get-Service is pretty limited.

PS C:\Users\cyborg12\Documents> Get-WmiObject win32_service | where {$_.Name -eq "i_heart_robots"} | select Pathname


Now let’s put our path into a variable and basically do the reverse of the earlier base64 decode, again calling .NET classes and methods.

PS C:\Users\cyborg12\Documents> $path = 'C:\windows\system32\abc.exe'

PS C:\Users\cyborg12\Documents> [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($path))

PS C:\Users\cyborg12\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg12\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/7/2017   4:58 PM              0 _heart

Password is qzpc_heart
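
An added example, not part of the original write-up, covering both the decode in Cyborg 7 and the encode here: Base64 works on bytes, so the text encoding chosen before encoding decides the output. The path is the placeholder from the transcript above, the function names are hypothetical, and the UTF-16 detection is a simple heuristic that assumes ASCII-range text.

```powershell
# Added example: Base64 encodes bytes, so the text encoding decides the result.
function ConvertTo-Base64Text {
    param(
        [Parameter(Mandatory)][string]$Text,
        [ValidateSet('UTF8', 'Unicode')][string]$Encoding = 'UTF8'
    )
    $enc = [System.Text.Encoding]::UTF8
    if ($Encoding -eq 'Unicode') { $enc = [System.Text.Encoding]::Unicode }   # UTF-16LE
    [System.Convert]::ToBase64String($enc.GetBytes($Text))
}

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64.Trim())
    # Heuristic (assumption): ASCII-range text stored as UTF-16LE has 0x00 in every second byte.
    $nonZeroHigh = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) {
        if ($bytes[$i] -ne 0) { $nonZeroHigh++ }
    }
    $isUtf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0) -and ($nonZeroHigh -eq 0)
    $enc = [System.Text.Encoding]::UTF8
    if ($isUtf16) { $enc = [System.Text.Encoding]::Unicode }
    [pscustomobject]@{
        Encoding = if ($isUtf16) { 'Unicode' } else { 'UTF8' }
        Text     = $enc.GetString($bytes)
    }
}

$path = 'C:\windows\system32\abc.exe'   # placeholder path from the transcript above
foreach ($name in 'UTF8', 'Unicode') {
    $b64  = ConvertTo-Base64Text -Text $path -Encoding $name
    $back = ConvertFrom-Base64Text -Base64 $b64
    [pscustomobject]@{
        Encoding  = $name
        First4    = $b64.Substring(0, 4)
        Detected  = $back.Encoding
        RoundTrip = ($back.Text -eq $path)
    }
}
```

The UTF8 row starts with Qzpc, which matches the answer above, while the UTF-16LE row starts with QwA6. UTF-16LE is the encoding powershell.exe expects for -EncodedCommand, so a Base64 blob pulled from a command line or log may need the second decoder path.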

Cyborg 14

The password for cyborg14 is the number of days the refresh interval is set to for DNS aging for the zone PLUS the name of the file on the desktop.

Pretty easy here, a cmdlet that pulls exactly what we want.

PS C:\Users\cyborg13\Documents> Get-DNSServerZoneAging

ZoneName             :
AgingEnabled         : False
AvailForScavengeTime :
RefreshInterval      : 16.00:00:00
NoRefreshInterval    : 16.00:00:00
ScavengeServers      :

PS C:\Users\cyborg13\Documents> Get-ChildItem ..\Desktop

    Directory: C:\Users\cyborg13\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/12/2017   7:59 PM              0 _days

Password is 16_days

Cyborg 15

The password for cyborg15 is the caption for the DCOM application setting for application ID {59B8AFA0-229E-46D9-B980-DDA2C817EC7E} PLUS the name of the file on the desktop.

Once again we’ll have to turn to querying WMI, this time querying for win32_DCOMApplicationSetting and filtering for our specified AppID and finally selecting Caption.

PS C:\Users\cyborg14> Get-WmiObject win32_DCOMApplicationSetting | where {$_.AppID -eq "{59B8AFA0-229E-46D9-B980-DDA2C817EC7E}"} | select Caption


PS C:\Users\cyborg14> Get-ChildItem .\Desktop

    Directory: C:\Users\cyborg14\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/12/2017   8:03 PM              0 _objects

Password is propshts_objects

That’s it! Another set of challenges down!