Written by students who passed Immediately available after payment Read online or as PDF Wrong document? Swap it for free 4.6 TrustPilot
logo-home
Exam (elaborations)

Active Directory Enumeration & Attacks. Hack The Box Module 143

Rating
-
Sold
-
Pages
133
Grade
A+
Uploaded on
30-05-2026
Written in
2025/2026

Active Directory Enumeration & Attacks: Link to challenge: (log in required) Class: Tier II | Medium | Offensive Before we begin: throughout the module we will be requested to login to target Linux machines, and target windows machines. The credentials will be provided for us by the module. For Linux, we will use ssh with the command: ssh username@target-IP and then we will be requested to enter the password. For windows – we will use xfreerdp with the command: xfreerdp /v:Target IP /u:username /p:password /dynamic-resolution Throughout the module, those steps will be referred as ‘login to the Linux/Windows target machine’. *all Windows powershell commands assume cd of ‘C:tools’ unless specified otherwise * Initial Enumeration External Recon and Enumeration Principles: Question: While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{******} ) Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ} Method: we will search on google the string: ‘intext:"HTB{" inurl:’ – we are told the string is in format of ‘HTB{**}’, by necessarily the substring ‘intext:"HTB{‘ will appear. So we search that string within the url ‘’ (its google patterned search). Lets search: After several results we see this: Where the flag is visible to us in the preview of the website. We can take that already, but in this module guide we will go into the website anyway, enter the link and scroll down. Somewhere within the page – we see this: . *note – be careful of misdirection, at first I searched for ‘HTB{*****}’ - and this result was here. But that was not the answer. * Initial Enumeration of the Domain: Question: From your scans, what is the "commonName" of host 172.16.5.5 ? Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL Method: lets rehearse what is Common name – common name is an attribute of Active directory object that represents the object, it parts of the attribute ‘DN’- distinguished name which purpose is to make the object distinguishable from other objects. First, we login the target Linux machine. Now, to find the common name on ‘172.16.5.5’ – we will perform aggressive NMAP: nmap -A 172.16.5.5 the ‘-A’ flag performs deeper investigation of open ports, one of which at certain cases is service enumeration. Now lets observe on the scan results: We can find the common name on the LDAP (lightweight directory access protocol). We can find further evidences here: and here: All of those services are communication with the host’s object’s active directory, and for that they need its common name. Question: What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name) Answer: 172.16.5.130 Method: we will run the following sequence of commands: First command: touch alive_ the ‘touch’ command creates a file of ‘alive_’. The next command would be ‘fping’ network scanning tool, for that we need the network address and subnet mask, we will obtain that with route -n There are several interfaces running, but for our purpose the correct interface is ‘ens224’: We can observe that the network address is ‘17216.4.0’ and the netmask is ‘225:225:224:0’. Now that we have that, we can run the ‘fping’: fping -asgq 172.16.4.0/23 alive_ The ‘fping’ tool scans the network with the following flags: And outputs the results to ‘alive_’. We have 3 targets active. Time to scan them for activity in port 1433 – SQL port, we will need -sV (service information) enabled to obtain data about the SQL server details and version. We will use the command: nmap -p 1433 -sV -iL alive_ | | grep -B 4 "Microsoft SQL Server 2019" the commands performs nmap scan on SQL port 1433 with enhanced service inspection for details and version enabled (-sV), takes its input hosts from alive_, and filter the results for the 4 lines relevant to the string “Microsoft SQL Server 2019”:

Show more Read less
Institution
Hack The Box
Course
Hack The Box

Content preview

downloaded from




Scholarfriends


Active Directory Enumeration & Attacks. Hack The Box
Module 143




https://scholarfriends.com




Downloaded by: | https://scholarfriends.com/singlePaper/644184/active-directory-enumeration-attacks-
hack-the-box-module-143
Distribution of this document is illegal.

,Active Directory Enumeration & Attacks:
Link to challenge: https://academy.hackthebox.com/module/143/
(log in required)
Class: Tier II | Medium | Offensive


Before we begin: throughout the module we will be requested to login to
target Linux machines, and target windows machines.
The credentials will be provided for us by the module.
For Linux, we will use ssh with the command:
ssh <username>@<target-IP>
and then we will be requested to enter the password.
For windows – we will use xfreerdp with the command:
xfreerdp /v:<Target IP> /u:<username> /p:<password>
/dynamic-resolution


Throughout the module, those steps will be referred as ‘login to the
Linux/Windows target machine’.
*all Windows powershell commands assume cd of ‘C:\tools’ unless specified
otherwise *



Initial Enumeration
External Recon and Enumeration Principles:
Question: While looking at inlanefreights public records; A flag can be seen.
Find the flag and submit it. ( format == HTB{******} )
Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}
Method: we will search on google the string:
‘intext:"HTB{" inurl:inlanefreight.com’ – we are told the string is in format of
‘HTB{**}’, by necessarily the substring ‘intext:"HTB{‘ will appear.


Downloaded from Scholarfriends.com

,So we search that string within the url ‘inlanefreight.com’ (its google patterned
search).
Lets search:




After several results we see this:




Where the flag is visible to us in the preview of the website.
We can take that already, but in this module guide we will go into the website
anyway, enter the link and scroll down.
Somewhere within the page – we see this:




.
*note – be careful of misdirection, at first I searched for ‘HTB{*****}’ - and
this result was here. But that was not the answer. *
Downloaded from Scholarfriends.com

, Initial Enumeration of the Domain:
Question: From your scans, what is the "commonName" of host 172.16.5.5 ?
Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Method: lets rehearse what is Common name – common name is an attribute
of Active directory object that represents the object, it parts of the attribute
‘DN’- distinguished name which purpose is to make the object distinguishable
from other objects.
First, we login the target Linux machine.
Now, to find the common name on ‘172.16.5.5’ – we will perform aggressive
NMAP:
nmap -A 172.16.5.5
the ‘-A’ flag performs deeper investigation of open ports, one of which at
certain cases is service enumeration.
Now lets observe on the scan results:




We can find the common name on the LDAP (lightweight directory access
protocol). We can find further evidences here:




and here:

Downloaded from Scholarfriends.com

Written for

Institution
Hack The Box
Course
Hack The Box

Document information

Uploaded on
May 30, 2026
Number of pages
133
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers

Subjects

$33.79
Get access to the full document:

Wrong document? Swap it for free Within 14 days of purchase and before downloading, you can choose a different document. You can simply spend the amount again.
Written by students who passed
Immediately available after payment
Read online or as PDF

Get to know the seller

Seller avatar
Reputation scores are based on the amount of documents a seller has sold for a fee and the reviews they have received for those documents. There are three levels: Bronze, Silver and Gold. The better the reputation, the more your can rely on the quality of the sellers work.
Scholarfriends University Of Arizona
View profile
Follow You need to be logged in order to follow users or courses
Sold
731
Member since
8 year
Number of followers
647
Documents
24
Last sold
5 year ago
Welcome for all notes and test banks.

Welcome for all notes, exam guides, and test banks among others. Feel free to contact me for custom and dedicated service.

3.8

19 reviews

5
9
4
4
3
2
2
2
1
2

Why students choose Stuvia

Created by fellow students, verified by reviews

Quality you can trust: written by students who passed their tests and reviewed by others who've used these notes.

Didn't get what you expected? Choose another document

No worries! You can instantly pick a different document that better fits what you're looking for.

Pay as you like, start learning right away

No subscription, no commitments. Pay the way you're used to via credit card and download your PDF document instantly.

Student with book image

“Bought, downloaded, and aced it. It really can be that simple.”

Alisha Student

Working on your references?

Create accurate citations in APA, MLA and Harvard with our free citation generator.

Working on your references?

Frequently asked questions