The password for Century6 is the short name of the domain in which this system resides in PLUS the name of the file on the desktop.
NOTE:
– If the short name of the domain is “blob” and the file on the desktop is named “1234”, the password would be “blob1234”.
– The password will be lowercase no matter how it appears on the screen.
A quick dir command shows us that the file on the desktop is named 3347:
PS C:\users\century5\desktop> dir

    Directory: C:\users\century5\desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/30/2018   3:29 AM             54 3347
Now let's find the short domain name.
If I try to look for cmdlets containing the word “domain”, I end up with the following result:
PS C:\users\century5\desktop> get-command -name *domain*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-StorageFaultDomain                             2.0.0.0    Storage
Cmdlet          Add-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Add-ADDSReadOnlyDomainControllerAccount            1.0.0.0    ADDSDeployment
Cmdlet          Get-ADDefaultDomainPasswordPolicy                  1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomain                                       1.0.0.0    ActiveDirectory // This should be interesting
Cmdlet          Get-ADDomainController                             1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy    1.0.0.0    ActiveDirectory
Cmdlet          Get-ADDomainControllerPasswordReplicationPolicy... 1.0.0.0    ActiveDirectory
Cmdlet          Get-WebAppDomain                                   1.0.0.0    WebAdministration
Cmdlet          Install-ADDSDomain                                 1.0.0.0    ADDSDeployment
Cmdlet          Install-ADDSDomainController                       1.0.0.0    ADDSDeployment
Cmdlet          Remove-ADDomainControllerPasswordReplicationPolicy 1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDefaultDomainPasswordPolicy                  1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDomain                                       1.0.0.0    ActiveDirectory
Cmdlet          Set-ADDomainMode                                   1.0.0.0    ActiveDirectory
Cmdlet          Test-ADDSDomainControllerInstallation              1.0.0.0    ADDSDeployment
Cmdlet          Test-ADDSDomainControllerUninstallation            1.0.0.0    ADDSDeployment
Cmdlet          Test-ADDSDomainInstallation                        1.0.0.0    ADDSDeployment
Cmdlet          Test-ADDSReadOnlyDomainControllerAccountCreation   1.0.0.0    ADDSDeployment
Cmdlet          Uninstall-ADDSDomainController                     1.0.0.0    ADDSDeployment
Application     domain.msc                                         0.0.0.0    C:\Windows\system32\domain.msc
The Get-ADDomain cmdlet seems interesting, and prints the following information:
PS C:\users\century5\desktop> get-addomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=underthewire,DC=tech
DeletedObjectsContainer : CN=Deleted Objects,DC=underthewire,DC=tech
DistinguishedName : DC=underthewire,DC=tech
DNSRoot : underthewire.tech
DomainControllersContainer : OU=Domain Controllers,DC=underthewire,DC=tech
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-758131494-606461608-3556270690
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=underthewire,DC=tech
Forest : underthewire.tech
InfrastructureMaster : utw.underthewire.tech
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {cn={ECB4A7C0-B4E1-41B1-9E89-161CFA679999},cn=policies,cn=system,DC=underthewire,DC=tech, CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=underthewire,DC=tech}
LostAndFoundContainer : CN=LostAndFound,DC=underthewire,DC=tech
ManagedBy :
Name : underthewire // This should be it!
NetBIOSName : underthewire
ObjectClass : domainDNS
ObjectGUID : bdccf3ad-b495-4d86-a94c-60f0d832e6f0
ParentDomain :
PDCEmulator : utw.underthewire.tech
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=underthewire,DC=tech
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {utw.underthewire.tech}
RIDMaster : utw.underthewire.tech
SubordinateReferences : {DC=ForestDnsZones,DC=underthewire,DC=tech, DC=DomainDnsZones,DC=underthewire,DC=tech, CN=Configuration,DC=underthewire,DC=tech}
SystemsContainer : CN=System,DC=underthewire,DC=tech
UsersContainer : CN=Users,DC=underthewire,DC=tech
This instance is hosted on underthewire.tech, of which I assume the short name would be underthewire, making the password for century6 underthewire3347.
underthewire3347
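The two lookups above combined into one step, as an added example that is not part of the original write-up. It reads the NetBIOSName field from Get-ADDomain (the pre-Windows 2000 short name, which on this host has the same value as Name) and applies the lowercase rule from the challenge note. The function names Get-ShortDomainName and Get-NextPassword, the USERDOMAIN fallback and the default desktop path are assumptions of this example.

```powershell
# Added example (not from the original write-up).
# Get-ShortDomainName and Get-NextPassword are hypothetical helper names.
function Get-ShortDomainName {
    # Prefer the ActiveDirectory module when it is installed.
    if (Get-Command -Name Get-ADDomain -ErrorAction SilentlyContinue) {
        try {
            # NetBIOSName is the pre-Windows 2000 (short) domain name.
            return (Get-ADDomain -ErrorAction Stop).NetBIOSName
        } catch {
            Write-Verbose "Get-ADDomain failed: $($_.Exception.Message)"
        }
    }
    # Fallback (assumption: the session belongs to a domain account, so
    # USERDOMAIN holds the domain's NetBIOS name rather than the host name).
    return $env:USERDOMAIN
}

function Get-NextPassword {
    param(
        # Assumption: the level's file sits on the current user's desktop.
        [string]$DesktopPath = (Join-Path $env:USERPROFILE 'Desktop')
    )
    # The level expects exactly one file on the desktop; fail otherwise
    # instead of silently picking the wrong name.
    $files = @(Get-ChildItem -LiteralPath $DesktopPath -File)
    if ($files.Count -ne 1) {
        throw "Expected one file in $DesktopPath, found $($files.Count)."
    }
    # Challenge rule: the password is lowercase no matter how it is displayed.
    return ('{0}{1}' -f (Get-ShortDomainName), $files[0].Name).ToLowerInvariant()
}

Get-NextPassword
```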