Vincent Yiu
linkedin
github
@vysecurity
Search…
Red Team
About Vincent Yiu
Red Team Tips
Videos
Red Team
Attack Infrastructure
Backdooring PE Files
Cloud Security
Command and Control
General Exploitation
Hardware and Gadgets
Post Exploitation
Reconaissance
Misc
Under the wire: Trebek — Walkthrough
Powered By
GitBook
Under the wire: Trebek — Walkthrough
Trebek, by Under the wire can be found at underthewire.tech
!!! WARNING: Spoilers !!!
Trebek 1 -> 2
1
Get-WinEvent -Path .\Security.evtx -Verbose | Where-Object {$_.Id -eq 4699} | Select -ExpandProperty message
Copied!
Read the value from the or use findstr Command
Trebek 2-> 3
1
sc.exe qc C-3PO
Copied!
Trebek 3-> 4
1
Get-WinEvent -path .\Security.evtx | where {$_.id -eq 4624 -and $_.message -match “Account Name:\s+Yoda”} | select -expandproperty message
Copied!
Trebek 4-> 5
1
dir C:\windows\prefetch\MSACCESS*
Copied!
Trebek 5-> 6
1
get-childitem -path “HKLM:\Software\Microsoft\Windows\CurrentVersion\”
Copied!
Read the Run key value
Trebek 6-> 7
1
cd C:\Program Files (x86)\Adobe
2
3
Get-ChildItem *.dll -Recurse | group Extension -NoElement
Copied!
Trebek 7 -> 8
1
Get-ChildItem -Path “HKLM:\Software\Microsoft\Windows NT\Curr entVersion\Image File Execution Options”
Copied!
Trebek 8 -> 9
1
get-content -encoding Byte -totalcount 8 -path .\Clone_Trooper_ data.pdf
Copied!
Trebek 9 -> 10
1
get-WmiObject -class Win32_Share
Copied!
Trebek 10 -> 11
1
get-winevent -path .\Security.evtx | Where {$_.id -eq 4722} | Select -ExpandProperty message
Copied!
Trebek 11 -> 12
1
get-winevent -path .\Security.evtx | Where {$_.id -eq 4720} | Select -ExpandProperty message
Copied!
Trebek 12 -> 13
1
get-winevent -path .\Security.evtx | Where {$_.id -eq 4720} | Select -ExpandProperty message
Copied!
Trebek 13 -> 14
1
get-aduser -Filter * -Properties City | Select -Property Nam e,City | Select -ExpandProperty City
Copied!
Trebek 14 -> 15
1
get-aduser -Filter * -Properties City | Select -Property Nam e,City | Select -ExpandProperty City
2
3
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“blahblah”))
Copied!
Conclusion
Special thanks to Fernando Tomlinson @Wired_Pulse for creation of this game.
Red Team - Previous
Misc
Last modified
3yr ago
Copy link