I am also stuck on this question. Did you find any solution?
For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user’s flag is hidden in one of them.
I am still on user7, can you help me get through this?
Can you show me what you did with user7?
Thank you so much for the DC tip - that was driving me around the bend!
This is probably why most people are having a problem.
Try to use “.exe” after your command.
First, you need to connect to the target using ssh
Second, you need to enter “CMD” in the terminal
Third, enter to find the path of waldo.txt
Fourth, use type to view the file to get the flag
The solution is there. The problem is that he asks us to join with SSH, but we have to do it through RDP. After that we can use the WHERE command, but first enter cmd as an administrator, then you have to search in recursive mode, so with the /R parameter. In this case we have to find it in C:\
where /R C:\ *.txt, it’s important to put a space between \ and *.txt
If you’re unable to locate the file ‘waldo.txt,’ consider the following steps:
- Confirm the accuracy of the file path and ensure you are navigating to the correct directory.
- Double-check permissions to ensure you have the necessary access to the target host and directory.
- Utilize search commands like ‘find’ or ‘grep’ to locate the file across the file system.
If the issue persists, consult documentation or seek assistance from colleagues who may have insights into the target host’s file structure.
To solve this one… when you RDP into the Windows box, be sure to start CMD as admin. Once done you should have proper access to find the file.
I wasn’t able to find waldo.txt using RDP, but found it easily once connected via SSH.
These boxes are jank AF!
Thanks for the hint. I missed the DC SSH part and tried to find the flag in the remote host's Event Logs. Also, I upgraded the script to group Account Names and count how many times each user appears in the logs.
```
# Count how often each account name appears in failed-logon events (ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | ForEach-Object {
    $message = $_.Message
    $regex = [regex]::new('Account Name:\s*(\S+)')
    # $found avoids overwriting PowerShell's automatic $Matches variable
    $found = $regex.Matches($message)
    $found | ForEach-Object { $_.Groups[1].Value }
} | Group-Object | Select-Object Name, Count
```
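Added example, not part of the original post: the regex in the script above matches every "Account Name:" line in a 4625 message, and that message lists the Subject account as well as the account that failed to log on. This PowerShell sketch reads the event's named XML fields so only the target account is counted; the function name `Get-FailedLogonTarget` and the sample events are constructed for illustration.

```powershell
# Added example: count failed logons (Event ID 4625) per target account
# by reading named EventData fields instead of regex-matching the message.
function Get-FailedLogonTarget {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = [xml]$EventXml
        $data = @{}
        # Each <Data Name="..."> element becomes one hashtable entry
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

# Constructed sample events, trimmed to the fields used here (not real log data)
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">{0}</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">{1}</Data>
    <Data Name="IpAddress">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    $template -f 'alice', 3, '192.0.2.10'
    $template -f 'alice', 3, '192.0.2.10'
    $template -f 'bob', 10, '192.0.2.44'
)

# Group by account, logon type and source address, most frequent first
$sample | Get-FailedLogonTarget |
    Group-Object Account, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On a live host (elevated session), feed real events instead:
# Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} |
#     ForEach-Object { $_.ToXml() } | Get-FailedLogonTarget | Group-Object Account
```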
Yes. This is the key. After I did what needed to be done to get to cmd, I was able to find the file.
In SSH, conhost.txt, find file use:
```
Get-ChildItem -Path C:\Users\YourUsername\Documents -Filter *.txt -Recurse
where /R C:\ waldo.txt
```
f me, thank you so much for the flag man, have been at it for half a day and still couldn’t figure out how to find it
The command to use is:
```
PS C:\Users\htb-student> Get-ChildItem -Path C:\Users -Recurse -Filter "waldo.txt"
```
OR
After accessing the machine using SSH, one needs to execute cmd.exe, found at C:\Windows\System32\cmd.exe, to have access to cmd instead of the PowerShell that one has access to immediately after accessing the machine.
Then, when there, use the command:
```
htb-student@ICL-WIN11 C:> where /R C:\Users\ waldo.txt
```
I have not been able to get this answer
Once you SSH the first time, you just have to SSH again with the same u: and p: