Century is a shell wargame built on Windows, mainly for getting familiar with the Windows shell; for the Linux shell you can try Bandit (if I remember correctly).
century0 ——> century1
Level hint: The goal of this level is to log into the game. Do the following in order to achieve this goal.
- Obtain the initial credentials via the #StartHere channel on our Slack (https://underthewire.herokuapp.com/).
- After obtaining the credentials, connect to the server via SSH. You will need a SSH client such as Putty. The host that you will be connecting to is century.underthewire.tech, on port 22.
- When prompted, use the credentials for the applicable game found in the #StartHere Slack channel.
- You have successfully connected to the game server when your path changes to “PS C:\Users\Century1\documents>”.
Just log in over SSH.
ssh -p 22 century1@century.underthewire.tech
Password: century1
century1 ——> century2
Level hint: The password for Century2 is the build version of the instance of PowerShell installed on this system.
NOTE:
- The format is as follows: **.*.*****.****
- Include all periods
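Per the hint, the password is the build version of the PowerShell instance, so we just need to look that version up.
Running $PSVersionTable shows that BuildVersion is 10.0.14393.3053, so the password for the next level is 10.0.14393.3053, which matches the format given in the hint.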
century2 ——> century3
Level hint: The password for Century3 is the name of the built-in cmdlet that performs the wget like function within PowerShell PLUS the name of the file on the desktop.
NOTE:
- If the name of the cmdlet is “get-web” and the file on the desktop is named “1234”, the password would be “get-web1234”.
- The password will be lowercase no matter how it appears on the screen.
Per the hint, we need the command behind the alias, so run: Get-Alias wget
Then get the name of the file on the desktop:
So the password is: invoke-webrequest443
century3 ——> century4
Level hint: The password for Century4 is the number of files on the desktop.
Per the hint, just count the files on the desktop, using (Get-ChildItem -File ..\Desktop | Measure-Object).Count or Get-ChildItem ..\desktop\ | Measure-Object, which gives the password: 123
century4 ——> century5
Level hint: The password for Century5 is the name of the file within a directory on the desktop that has spaces in its name.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
Command: get-childitem ..\desktop\ -Recurse
Password obtained: 61580
century5 ——> century6
Level hint: The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
NOTE:
- If the short name of the domain is “blob” and the file on the desktop is named “1234”, the password would be “blob1234”.
- The password will be lowercase no matter how it appears on the screen.
The steps are as follows:
The domain can also be looked up with Get-WmiObject Win32_ComputerSystem; the result is the same.
So the password is: underthewire3347
century6 ——> century7
Level hint: The password for Century7 is the number of folders on the desktop.
Feels similar to level 4?? Level 4 asked for files; here it is folders.
So just tweak the command from level 4.
Command: get-childitem -Directory ..\desktop | measure-object
Password: 197
century7 ——> century8
Level hint: The password for Century8 is in a readme file somewhere within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
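Search and filter to match any file whose name starts with readme, then use the "|" pipe to pass the result to a following command that reads the contents.
Password: 7points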
century8 ——> century9
Level hint: The password for Century9 is the number of unique entries within the file on the desktop.
This level requires some parsing of the file.
Command: (cat ..\Desktop\Unique.txt | sort | Get-Unique).count
century9 ——> century10
Level hint: The password for Century10 is the 161st word within the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
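Check which files are on the desktop:
There is a file named Word_File.txt on the desktop. Some write-ups online use the following command to get the 161st word:
Get-Content ..\desktop\Word_File.txt | Select-Object -Index 161
However, I could not get this to work. It seems to be because get-content splits on newlines, so the whole content is treated as a single item; checking with measure -line shows there is only one line (I was too lazy to take a screenshot here, you can check for yourself). So I took a slightly more roundabout approach: read the content into the variable $content, split it on spaces (I looked at the file contents, and they are space-separated), store the pieces in a dictionary, and read character 160 (because the computer counts from 0 while the challenge counts from 1).
Password: pierid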
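The difference between indexing lines and indexing words, shown on a constructed file. This is an added example, not part of the original walkthrough; the sample file, its contents and the helper name Get-NthWord are assumptions.

```powershell
# Constructed sample: a single line of 200 space-separated words (word1 .. word200).
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'Word_File_sample.txt'
(1..200 | ForEach-Object { "word$_" }) -join ' ' | Set-Content -Path $path

# Get-Content emits one object per LINE, so Select-Object -Index picks a line.
$lines = @(Get-Content -Path $path)
"Lines in file: $($lines.Count)"
$byLine = Get-Content -Path $path | Select-Object -Index 161
"Select-Object -Index 161 returned nothing: $($null -eq $byLine)"

# Read the file as one string and split on any run of whitespace.
# Where-Object drops the empty token left by the trailing newline.
$words = (Get-Content -Path $path -Raw) -split '\s+' | Where-Object { $_ }
"Words in file: $(@($words).Count)"

function Get-NthWord {
    # Hypothetical helper: $N is 1-based, matching how the level hint counts.
    param([string[]]$Words, [int]$N)
    if ($N -lt 1 -or $N -gt $Words.Count) {
        throw "Word $N is out of range (file has $($Words.Count) words)"
    }
    # Arrays are 0-based, so the Nth word sits at index N-1.
    # Lowercased because the hint says passwords are lowercase.
    $Words[$N - 1].ToLower()
}

Get-NthWord -Words $words -N 161

Remove-Item -Path $path
```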
century10 ——> century11
Level hint: The password for Century11 is the 10th and 8th word of the Windows Update service description combined PLUS the name of the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- If the 10th and 8th word of the service description is “apple” and “juice” and the name of the file on the desktop is “88”, the password would be “applejuice88”.
Get the name of the file on the desktop:
Since Get-Service currently does not return the service description, we can use WMI to get it.
Get-WmiObject win32_Service -Filter "DisplayName = 'Windows Update'" | Select-Object -Property Description | ft -Wrap
So the password is: windowsupdates110
century11 ——> century12
Level hint: The password for Century12 is the name of the hidden file within the contacts, desktop, documents, downloads, favorites, music, or videos folder in the user’s profile.
NOTE:
- Exclude “desktop.ini”.
- The password will be lowercase no matter how it appears on the screen.
This needs file filtering, so the command gets a bit long.
Get-Childitem -Path Contacts,Desktop,Documents,Downloads,Favorites,Music,Videos -File -Attributes !D+H -Exclude desktop.ini -Recurse -ErrorAction SilentlyContinue
!D excludes directories, and +H includes hidden files.
Password: secret_sauce
century12 ——> century13
The password for Century13 is the description of the computer designated as a Domain Controller within this domain PLUS the name of the file on the desktop.
NOTE:
- The password will be lowercase no matter how it appears on the screen.
- If the description “today_is” and the file on the desktop is named “_cool”, the password would be “today_is_cool”.
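Since Get-ADDomainController does not return the AD Description attribute, the computer name has to be passed to Get-ADComputer, making sure to specify Description as a property to return.
So the password is: i_authenticate_things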
century13 ——> century14
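Level hint: The password for Century14 is the number of words within the file on the desktop.
Hmm, per the hint we need a count, which means measure-object; since we are counting words, the -word parameter is used. First see what the file on the desktop is, then run the count on that file.
Password obtained: 755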
century14 ——> century15
Level hint: The password for Century15 is the number of times the word “polo” appears within the file on the desktop.
NOTE:
- You should count the instances of the whole word only.
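Count how many times a given word appears in the file on the desktop.
Following the approach from level 9, the result is 158, and my Python run also gives 158. I don't know why I can't log in to century15; I'm sure it's right.
Oh, it seems there is no 15. Fine.
That's it then; this wraps up the whole Century series!~~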
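For the whole-word requirement in the Century15 hint, the block below compares substring, word-boundary and token-based counts on the same text. It is an added example, not part of the original walkthrough, and the sample string is constructed rather than taken from the game's file.

```powershell
# Constructed sample text covering the tricky cases: mixed case, the word
# embedded in longer words, trailing punctuation and a hyphenated compound.
$text = 'polo marco polo Polo polonium marcopolo polo, water-polo POLO'

# Substring match: also hits "polonium" and "marcopolo".
$substring = [regex]::Matches($text, 'polo', 'IgnoreCase').Count

# Whole word via \b word boundaries, ignoring case.
# Punctuation and hyphens count as boundaries, so "polo," and "water-polo" match.
$wordInsensitive = [regex]::Matches($text, '\bpolo\b', 'IgnoreCase').Count

# Same pattern, case-sensitive (the .NET regex default).
$wordSensitive = [regex]::Matches($text, '\bpolo\b').Count

# Token comparison: split on whitespace, then compare each token exactly.
# "polo," and "water-polo" are different tokens, so they are NOT counted here.
$tokens   = $text -split '\s+' | Where-Object { $_ }
$tokenEq  = @($tokens | Where-Object { $_ -eq  'polo' }).Count   # -eq ignores case
$tokenCeq = @($tokens | Where-Object { $_ -ceq 'polo' }).Count   # -ceq is case-sensitive

[pscustomobject]@{
    Substring              = $substring
    WordBoundaryIgnoreCase = $wordInsensitive
    WordBoundaryCaseSens   = $wordSensitive
    TokenEq                = $tokenEq
    TokenCeq               = $tokenCeq
} | Format-List
```

The five counts differ on this sample, so settle what counts as a whole word (case, punctuation, hyphens) before trusting a single number.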