# Under the wire: Trebek — Walkthrough

Recommended VPS Providers:

* Low commitment VPS with many locations: <https://www.vultr.com/?ref=7348591>&#x20;
* Cheap VPS for long term use: <https://my.racknerd.com/aff.php?aff=4342>
* Special network / bandwidth connectivity: <https://bandwagonhost.com/aff.php?aff=67638>
* Alternative: <https://www.arkecx.com/aff.php?aff=188>

Trebek, by Under the wire can be found at underthewire.tech

#### !!! WARNING: Spoilers !!! <a href="#warningspoilers" id="warningspoilers"></a>

#### Trebek 1 -> 2 <a href="#trebek12" id="trebek12"></a>

```
Get-WinEvent -Path .\Security.evtx -Verbose | Where-Object {$_.Id -eq 4699} | Select -ExpandProperty message
```

Read the value from the or use findstr Command

#### Trebek 2-> 3 <a href="#trebek23" id="trebek23"></a>

```
sc.exe qc C-3PO
```

#### Trebek 3-> 4 <a href="#trebek34" id="trebek34"></a>

```
Get-WinEvent -path .\Security.evtx | where {$_.id -eq 4624 -and $_.message -match “Account Name:\s+Yoda”} | select -expandproperty message
```

#### Trebek 4-> 5 <a href="#trebek45" id="trebek45"></a>

```
dir C:\windows\prefetch\MSACCESS*
```

#### Trebek 5-> 6 <a href="#trebek56" id="trebek56"></a>

```
get-childitem -path “HKLM:\Software\Microsoft\Windows\CurrentVersion\”
```

Read the Run key value

#### Trebek 6-> 7 <a href="#trebek67" id="trebek67"></a>

```
cd C:\Program Files (x86)\Adobe

Get-ChildItem *.dll -Recurse | group Extension -NoElement
```

#### Trebek 7 -> 8 <a href="#trebek78" id="trebek78"></a>

```
Get-ChildItem -Path “HKLM:\Software\Microsoft\Windows NT\Curr entVersion\Image File Execution Options”
```

#### Trebek 8 -> 9 <a href="#trebek89" id="trebek89"></a>

```
get-content -encoding Byte -totalcount 8 -path .\Clone_Trooper_ data.pdf
```

#### Trebek 9 -> 10 <a href="#trebek910" id="trebek910"></a>

```
get-WmiObject -class Win32_Share
```

#### Trebek 10 -> 11 <a href="#trebek1011" id="trebek1011"></a>

```
get-winevent -path .\Security.evtx | Where {$_.id -eq 4722} | Select -ExpandProperty message
```

#### Trebek 11 -> 12 <a href="#trebek1112" id="trebek1112"></a>

```
get-winevent -path .\Security.evtx | Where {$_.id -eq 4720} | Select -ExpandProperty message
```

#### Trebek 12 -> 13 <a href="#trebek1213" id="trebek1213"></a>

```
get-winevent -path .\Security.evtx | Where {$_.id -eq 4720} | Select -ExpandProperty message
```

#### Trebek 13 -> 14 <a href="#trebek1314" id="trebek1314"></a>

```
get-aduser -Filter * -Properties City | Select -Property Nam e,City | Select -ExpandProperty City
```

#### Trebek 14 -> 15 <a href="#trebek1415" id="trebek1415"></a>

```
get-aduser -Filter * -Properties City | Select -Property Nam e,City | Select -ExpandProperty City

[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(“blahblah”))
```

#### Conclusion <a href="#conclusion" id="conclusion"></a>

Special thanks to Fernando Tomlinson @Wired\_Pulse for creation of this game.