Escrito por estudiantes que aprobaron Inmediatamente disponible después del pago Leer en línea o como PDF ¿Documento equivocado? Cámbialo gratis 4,6 TrustPilot
logo-home
Examen

Active Directory Enumeration & Attacks. Hack The Box Module 143

Puntuación
-
Vendido
-
Páginas
133
Grado
A+
Subido en
30-05-2026
Escrito en
2025/2026

Active Directory Enumeration & Attacks: Link to challenge: (log in required) Class: Tier II | Medium | Offensive Before we begin: throughout the module we will be requested to login to target Linux machines, and target windows machines. The credentials will be provided for us by the module. For Linux, we will use ssh with the command: ssh username@target-IP and then we will be requested to enter the password. For windows – we will use xfreerdp with the command: xfreerdp /v:Target IP /u:username /p:password /dynamic-resolution Throughout the module, those steps will be referred as ‘login to the Linux/Windows target machine’. *all Windows powershell commands assume cd of ‘C:tools’ unless specified otherwise * Initial Enumeration External Recon and Enumeration Principles: Question: While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{******} ) Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ} Method: we will search on google the string: ‘intext:"HTB{" inurl:’ – we are told the string is in format of ‘HTB{**}’, by necessarily the substring ‘intext:"HTB{‘ will appear. So we search that string within the url ‘’ (its google patterned search). Lets search: After several results we see this: Where the flag is visible to us in the preview of the website. We can take that already, but in this module guide we will go into the website anyway, enter the link and scroll down. Somewhere within the page – we see this: . *note – be careful of misdirection, at first I searched for ‘HTB{*****}’ - and this result was here. But that was not the answer. * Initial Enumeration of the Domain: Question: From your scans, what is the "commonName" of host 172.16.5.5 ? Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL Method: lets rehearse what is Common name – common name is an attribute of Active directory object that represents the object, it parts of the attribute ‘DN’- distinguished name which purpose is to make the object distinguishable from other objects. First, we login the target Linux machine. Now, to find the common name on ‘172.16.5.5’ – we will perform aggressive NMAP: nmap -A 172.16.5.5 the ‘-A’ flag performs deeper investigation of open ports, one of which at certain cases is service enumeration. Now lets observe on the scan results: We can find the common name on the LDAP (lightweight directory access protocol). We can find further evidences here: and here: All of those services are communication with the host’s object’s active directory, and for that they need its common name. Question: What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name) Answer: 172.16.5.130 Method: we will run the following sequence of commands: First command: touch alive_ the ‘touch’ command creates a file of ‘alive_’. The next command would be ‘fping’ network scanning tool, for that we need the network address and subnet mask, we will obtain that with route -n There are several interfaces running, but for our purpose the correct interface is ‘ens224’: We can observe that the network address is ‘17216.4.0’ and the netmask is ‘225:225:224:0’. Now that we have that, we can run the ‘fping’: fping -asgq 172.16.4.0/23 alive_ The ‘fping’ tool scans the network with the following flags: And outputs the results to ‘alive_’. We have 3 targets active. Time to scan them for activity in port 1433 – SQL port, we will need -sV (service information) enabled to obtain data about the SQL server details and version. We will use the command: nmap -p 1433 -sV -iL alive_ | | grep -B 4 "Microsoft SQL Server 2019" the commands performs nmap scan on SQL port 1433 with enhanced service inspection for details and version enabled (-sV), takes its input hosts from alive_, and filter the results for the 4 lines relevant to the string “Microsoft SQL Server 2019”:

Mostrar más Leer menos
Institución
Hack The Box
Grado
Hack The Box

Vista previa del contenido

downloaded from




Scholarfriends


Active Directory Enumeration & Attacks. Hack The Box
Module 143




https://scholarfriends.com




Downloaded by: | https://scholarfriends.com/singlePaper/644184/active-directory-enumeration-attacks-
hack-the-box-module-143
Distribution of this document is illegal.

,Active Directory Enumeration & Attacks:
Link to challenge: https://academy.hackthebox.com/module/143/
(log in required)
Class: Tier II | Medium | Offensive


Before we begin: throughout the module we will be requested to login to
target Linux machines, and target windows machines.
The credentials will be provided for us by the module.
For Linux, we will use ssh with the command:
ssh <username>@<target-IP>
and then we will be requested to enter the password.
For windows – we will use xfreerdp with the command:
xfreerdp /v:<Target IP> /u:<username> /p:<password>
/dynamic-resolution


Throughout the module, those steps will be referred as ‘login to the
Linux/Windows target machine’.
*all Windows powershell commands assume cd of ‘C:\tools’ unless specified
otherwise *



Initial Enumeration
External Recon and Enumeration Principles:
Question: While looking at inlanefreights public records; A flag can be seen.
Find the flag and submit it. ( format == HTB{******} )
Answer: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}
Method: we will search on google the string:
‘intext:"HTB{" inurl:inlanefreight.com’ – we are told the string is in format of
‘HTB{**}’, by necessarily the substring ‘intext:"HTB{‘ will appear.


Downloaded from Scholarfriends.com

,So we search that string within the url ‘inlanefreight.com’ (its google patterned
search).
Lets search:




After several results we see this:




Where the flag is visible to us in the preview of the website.
We can take that already, but in this module guide we will go into the website
anyway, enter the link and scroll down.
Somewhere within the page – we see this:




.
*note – be careful of misdirection, at first I searched for ‘HTB{*****}’ - and
this result was here. But that was not the answer. *
Downloaded from Scholarfriends.com

, Initial Enumeration of the Domain:
Question: From your scans, what is the "commonName" of host 172.16.5.5 ?
Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Method: lets rehearse what is Common name – common name is an attribute
of Active directory object that represents the object, it parts of the attribute
‘DN’- distinguished name which purpose is to make the object distinguishable
from other objects.
First, we login the target Linux machine.
Now, to find the common name on ‘172.16.5.5’ – we will perform aggressive
NMAP:
nmap -A 172.16.5.5
the ‘-A’ flag performs deeper investigation of open ports, one of which at
certain cases is service enumeration.
Now lets observe on the scan results:




We can find the common name on the LDAP (lightweight directory access
protocol). We can find further evidences here:




and here:

Downloaded from Scholarfriends.com

Escuela, estudio y materia

Institución
Hack The Box
Grado
Hack The Box

Información del documento

Subido en
30 de mayo de 2026
Número de páginas
133
Escrito en
2025/2026
Tipo
Examen
Contiene
Preguntas y respuestas

Temas

$33.79
Accede al documento completo:

¿Documento equivocado? Cámbialo gratis Dentro de los 14 días posteriores a la compra y antes de descargarlo, puedes elegir otro documento. Puedes gastar el importe de nuevo.
Escrito por estudiantes que aprobaron
Inmediatamente disponible después del pago
Leer en línea o como PDF

Conoce al vendedor

Seller avatar
Los indicadores de reputación están sujetos a la cantidad de artículos vendidos por una tarifa y las reseñas que ha recibido por esos documentos. Hay tres niveles: Bronce, Plata y Oro. Cuanto mayor reputación, más podrás confiar en la calidad del trabajo del vendedor.
Scholarfriends University Of Arizona
Seguir Necesitas iniciar sesión para seguir a otros usuarios o asignaturas
Vendido
731
Miembro desde
8 año
Número de seguidores
647
Documentos
24
Última venta
5 año hace
Welcome for all notes and test banks.

Welcome for all notes, exam guides, and test banks among others. Feel free to contact me for custom and dedicated service.

3.8

19 reseñas

5
9
4
4
3
2
2
2
1
2

Por qué los estudiantes eligen Stuvia

Creado por compañeros estudiantes, verificado por reseñas

Calidad en la que puedes confiar: escrito por estudiantes que aprobaron y evaluado por otros que han usado estos resúmenes.

¿No estás satisfecho? Elige otro documento

¡No te preocupes! Puedes elegir directamente otro documento que se ajuste mejor a lo que buscas.

Paga como quieras, empieza a estudiar al instante

Sin suscripción, sin compromisos. Paga como estés acostumbrado con tarjeta de crédito y descarga tu documento PDF inmediatamente.

Student with book image

“Comprado, descargado y aprobado. Así de fácil puede ser.”

Alisha Student

Preguntas frecuentes