Help with HTB academy - INTRODUCTION TO WINDOWS COMMAND LINE

can’t find this file

Using the skills acquired in this and previous sections, access the target host and search for the file named ‘waldo.txt’. Submit the flag found within the file.

1 Like

I’m stuck in the same place, I can’t find the answer to the question after really trying a lot of things

Skills Assessment

Did someone manage to solve the last question of user10? I can see the log and the information inside, but I can’t get the name for whatever

For this one, there are two ways to do it fast.
You can use the CMD command where.

C:\Users\student\Desktop>where /R C:\Users\student\ bio.txt

C:\Users\student\Downloads\bio.txt

Basically, if you use the exact syntax of the command below you should be able to find it quickly.
The fact is you don’t know on which user the waldo.txt file is stored, so you can change the starting path to something else, by starting at Users or directly at the root of the C drive, then change the file name to the one you are looking for.

// To start from the Users folder and iterate the sub folder
C:\Users\student\Desktop>where /R C:\Users\ bio.txt

// To start from the root of the C drive and iterate the subfolders
C:\Users\student\Desktop>where /R C:\ bio.txt


Or the one I prefer because I am used to it, the CMD command dir.
I use that command anytime I am looking for a directory or a file.

For example, I am looking for something containing among us in the name and having the extension txt.

C:\Users\user\Desktop>dir c:\*among*us*.txt /s /a

The /s option is for iterating subfolders,
the /a option is for listing all files with special attributes (system, hidden),
the * is to specify that there could be anything in place of the star *; for example, if I don’t know the extension of the file I’m looking for, I can just replace .txt with .*.

C:\Users\student\Desktop>dir C:\*file*.* /s /a

And if you are not able to find it anyway, just show us what you have in C:\Users

For this you just need to see how Get-WinEvent command works.

Without giving you the answer directly.
You need to use the Get-WinEvent command, and specify the log name and the ID for the log you are trying to find. In your case that will be Security and 4625, which refers to a failed logon event on a machine.
Also, that command will show you only the event itself, like basic information only. To display the full information of each event you will need to show the message contained in the event object. You can find how to do it easily on Google. You will need to use a pipe followed by the command select, then add the arguments you need. You will find that on Google.

Also, don’t forget to be on the DC, not the target machine.

Cheers both of you!

1 Like

Still can’t find the file. Maybe I connected to the wrong machine; I connected to the target machine via RDP.

You’re using RDP? You should use SSH, but I don’t think that will be an issue.

If you got an RDP session just open a command prompt and CD to C:\Users, then tell me what Users you got there.

Otherwise I suggest you SSH into it; maybe there is a policy or something preventing you from seeing the file structure.

 SSH to with user "htb-student" and password "HTB_@cademy_stdnt!" 

Mode LastWriteTime Length Name


d----- 11/25/2022 1:28 PM administrator
d----- 9/28/2022 8:32 AM htb-student
d----- 10/5/2022 12:01 PM MTanaka
d-r--- 6/14/2022 8:23 PM Public

I tried to re-download the VPN and reset the target host, still got this problem

You seem to be on the right machine. Did you try
where /R C:\ waldo.txt

And also, lil tip, when you take control of a host, always check the Users folder, move into any user folder, and check their Documents and their Desktop. Most of the time you find crucial information. For these exercises it is better to practice the commands in CMD.

yep I tried to check manually every folder for it

I am redoing it right away. If you are down for it, send me your steps in a DM.

sent

And also, always double check your prompt to know which terminal you are in when you are experiencing issues with a command.

PS C:\Users\htb-student>

Basically the PS stands for PowerShell. To open a cmd terminal, just type cmd; to go back to your PowerShell terminal, just type exit or start a new one by typing powershell.

I just answered the question.

When connecting to the target computer using rdp or ssh you have to sign-in as:

Username: mtanaka
Password: HTB_@cademy_stdnt!

Thank you for the DC tip!
The last question should have told about connecting again to the DC, as the only one mentioning and requiring it is the “user7” question

1 Like

Yep, but if you do the lab one shot, without disconnecting and following the steps at this point you should be in the DC. So I kind of understand why they didn’t mention it, but yeah, quite confusing.

question: To grab this final flag, what user account has many Event ID (4625) logon failures generated in rapid succession for it which is indicative of a password brute forcing attack (flag is the name of the user account)?

step1: ssh user10
step2: powershell
step3: ssh user10@172.16.5.155
step4: powershell
step5:

Get-WinEvent -MaxEvents 10 -FilterHashTable @{LogName='Security';ID='4625'} | fl

step6: justalocaladmin

1 Like
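
The triage described in the posts above (pull Event ID 4625 from the Security log, then see which account has many failures in rapid succession), as an added PowerShell example that is not from the thread or from HTB. The function names, the 5-failures-in-60-seconds threshold and the sample account names are assumptions for illustration.

```powershell
# Hypothetical helper: flatten a 4625 event from Get-WinEvent into a record.
function ConvertTo-FailedLogonRecord {
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        $data = ([xml]$LogEvent.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated    = $LogEvent.TimeCreated
            TargetUserName = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            IpAddress      = ($data | Where-Object Name -eq 'IpAddress').'#text'
        }
    }
}

# Hypothetical helper: report accounts with >= $Threshold failures in any $WindowSeconds span.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Record,
        [int] $Threshold = 5,        # assumed value, tune per environment
        [int] $WindowSeconds = 60    # assumed value, tune per environment
    )
    foreach ($group in ($Record | Group-Object TargetUserName)) {
        $times = @($group.Group.TimeCreated | Sort-Object)
        $best = 0; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the left edge forward until the window fits in $WindowSeconds.
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $best = [Math]::Max($best, $end - $start + 1)
        }
        if ($best -ge $Threshold) {
            [pscustomobject]@{
                TargetUserName = $group.Name
                TotalFailures  = $group.Count
                MaxInWindow    = $best
            }
        }
    }
}

# Constructed sample records (not real log data) so the logic runs offline.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(
    0..7 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 2); TargetUserName = 'svc-example' } }
    0, 3600, 7200 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_); TargetUserName = 'jdoe-example' } }
)
Find-FailedLogonBurst -Record $sample

# On a live host (elevated session), feed real events instead:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ConvertTo-FailedLogonRecord
# Find-FailedLogonBurst -Record $events
```

With the constructed sample only the account with eight failures inside 14 seconds is reported; the account with three failures spread over two hours is not.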

I have got stuck here, no idea where to go next ':smiley:

“RmxhZ3MgYXJlbid0IGhhcmQgdG8gZmluZCBub3csIHJpZ2h0Pw==
Flags aren’t hard to find now, right?”