```Module: Command Injections

1. Try adding any of the injection operators after the ip in IP field. What did the
error message say (in English)? -> Please match the requested format.
2. Review the HTML source code of the page to find where the front-end input
validation is happening. On which line number is it? -> 17
3. Try using the remaining three injection operators (new-line, &, |), and see how
each works and how the output differs. Which of them only shows the output of the
injected command? -> |
4. Try all other injection operators to see if any of them is not blacklisted.
Which of (new-line, &, |) is not blacklisted by the web application? -> new-line
5. Use what you learned in this section to execute the command 'ls -la'. What is
the size of the 'index.php' file? -> 1613
6. Use what you learned in this section to find name of the user in the '/home'
folder. What user did you find? -> 1nj3c70r
7. Use what you learned in this section find the content of flag.txt in the home
folder of the user you previously found -> HTB{b451c_f1l73r5_w0n7_570p_m3}
8. Find the output of the following command using one of the techniques you learned
in this section: find /usr/share/ | grep root | grep mysql | tail -n 1 ->
/usr/share/mysql/debian_create_root_user.sql
9. What is the content of '/flag.txt'? -> HTB{c0mm4nd3r_1nj3c70r}
Module: Web Attacks
1. Try to use what you learned in this section to access the 'reset.php' page and
delete all files. Once all files are deleted, you should get the flag. ->
HTB{4lw4y5_c0v3r_4ll_v3rb5}
2. To get the flag, try to bypass the command injection filter through HTTP Verb
Tampering, while using the following filename: file; cp /flag.txt ./ ->
HTB{b3_v3rb_c0n51573n7}
3. Repeat what you learned in this section to get a list of documents of the first
20 user uid's in /documents.php, one of which should have a '.txt' file with the
flag. -> HTB{4ll_f1l35_4r3_m1n3}
4. Try to download the contracts of the first 20 employee, one of which should
contain the flag, which you can read with 'cat'. You can either calculate the
'contract' parameter value, or calculate the '.pdf' file name directly. ->
HTB{h45h1n6_1d5_w0n7_570p_m3}
5. Try to read the details of the user with 'uid=5'. What is their 'uuid' value? ->
eb4fe264c10eb7a528b047aa983a4829
6. Try to change the admin's email to 'flag@idor.htb', and you should get the flag
on the 'edit profile' page. -> HTB{1_4m_4n_1d0r_m4573r}
7. Try to read the content of the 'connection.php' file, and submit the value of
the 'api_key' as the answer. -> UTM1NjM0MmRzJ2dmcTIzND0wMXJnZXdmc2RmCg
8. Use either method from this section to read the flag at '/flag.php'. (You may
use the CDATA method at '/index.php', or the error-based method at '/error'). ->
HTB{3rr0r5_c4n_l34k_d474}
9. Using Blind Data Exfiltration on the '/blind' page to read the content of
'/327a6c4304ad5938eaf0efb6cc3e53dc.php' and get the flag. ->
HTB{1_d0n7_n33d_0u7pu7_70_3xf1l7r473_d474}
10. Try to escalate your privileges and exploit different vulnerabilities to read
the flag at '/flag.php'. -> HTB{m4573r_w3b_4774ck3r}

Module: Attacking Common Applications

1. Use what you've learned from this section to generate a report with EyeWitness.
What is the name of the .db file EyeWitness creates in the inlanefreight_eyewitness
folder? (Format: filename.db) -> ew.db
2. What does the header on the title page say when opening the aquatone_report.html
page with a web browser? (Format: 3 words, case sensitive) -> Pages by Similarity
3. Enumerate the host and find a flag.txt flag in an accessible directory. ->
0ptions_ind3xeS_ftw!
4. Perform manual enumeration to discover another installed plugin. Submit the
plugin name as the answer (3 words). -> WP sitemap page
5. Find the version number of this plugin. (i.e., 4.5.2) -> 1.6.4
6. Perform user enumeration against http://blog.inlanefreight.local. Aside from
admin, what is the other user present? -> doug
7. Perform a login bruteforcing attack against the discovered user. Submit the
user's password as the answer. -> jessica1
8. Using the methods shown in this section, find another system user whose login
shell is set to /bin/bash. -> webadmin
9. Following the steps in this section, obtain code execution on the host and
submit the contents of the flag.txt file in the webroot. -> l00k_ma_unAuth_rc3!
10. Fingerprint the Joomla version in use on http://app.inlanefreight.local
(Format: x.x.x) -> 3.10.0
11. Find the password for the admin user on http://app.inlanefreight.local ->
turnkey
12. Leverage the directory traversal vulnerability to find a flag in the web root
of the http://dev.inlanefreight.local/ Joomla application ->
j00mla_c0re_d1rtrav3rsal!
13. Identify the Drupal version number in use on http://drupal-
qa.inlanefreight.local -> 7.30
14. Work through all of the examples in this section and gain RCE multiple ways via
the various Drupal instances on the target host. When you are done, submit the
contents of the flag.txt file in the /var/www/drupal.inlanefreight.local directory.
-> DrUp@l_drUp@l_3veryWh3Re!
15. What version of Tomcat is running on the application located at
http://web01.inlanefreight.local:8180? -> 10.0.10
16. What role does the admin user have in the configuration example? -> admin-gui
17. Perform a login bruteforcing attack against Tomcat manager at
http://web01.inlanefreight.local:8180. What is the valid username? -> tomcat
18. What is the password -> root
19. Obtain remote code execution on the http://web01.inlanefreight.local:8180
Tomcat instance. Find and submit the contents of tomcat_flag.txt -> t0mcat_rc3_ftw!
20. Log in to the Jenkins instance at http://jenkins.inlanefreight.local:8000.
Browse around and submit the version number when you are ready to move on. ->
2.303.1
21. Attack the Jenkins target and gain remote code execution. Submit the contents
of the flag.txt file in the /var/lib/jenkins3 directory -> f33ling_gr00000vy!
22. Enumerate the Splunk instance as an unauthenticated user. Submit the version
number to move on (format 1.2.3). -> 8.2.2
23. Attack the Splunk target and gain remote code execution. Submit the contents of
the flag.txt file in the c:\loot directory. -> l00k_ma_no_AutH!
24. What version of PRTG is running on the target? -> 18.1.37.13946
25. Attack the PRTG target and gain remote code execution. Submit the contents of
the flag.txt file on the administrator Desktop. -> WhOs3_m0nit0ring_wH0?
26. Find your way into the osTicket instance and submit the password sent from the
Customer Support Agent to the customer Charles Smithson. -> Inlane_welcome!
27. Enumerate the GitLab instance at http://gitlab.inlanefreight.local. What is the
version number? -> 13.10.2
28. Find the PostgreSQL database password in the example project. -> postgres
29. Find another valid user on the target GitLab instance. -> DEMO
30. Gain remote code execution on the GitLab instance. Submit the flag in the
directory you land in. -> s3cure_y0ur_Rep0s!
31. After running the URL Encoded 'whoami' payload, what user is tomcat running as?
-> feldspar\omen
32. Enumerate the host, exploit the Shellshock vulnerability, and submit the
contents of the flag.txt file located on the server -> Sh3ll_Sh0cK_123
33. Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the
credentials hidden within its source code. Submit the answer using the format
username:password. -> svc_oracle:#oracle_s3rV1c3!2010
34. What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig
tab in the fatty-client application? -> 172.28.0.3
35. What ColdFusion protocol runs on port 5500? -> server monitor
36. What user is ColdFusion running as? -> arctic\tolis
37. What is the full .aspx filename that Gobuster identified? -> transfer.aspx
38. After bypassing the login, what is the website "Powered by"? -> w3.css
39. We placed the source code of the application we just covered at /opt/asset-
manager/app.py inside this exercise's target, but we changed the crucial
parameter's name. SSH into the target, view the source code and enter the parameter
name that needs to be manipulated to log in to the Asset Manager web application. -
> active
40. What credentials were found for the local database instance while debugging the
octopus_checker binary? -> SA:N0tS3cr3t!
41. Enumerate the target host and identify the running application. What
application is running? -> weblogic
42. Enumerate the application for vulnerabilities. Gain remote code execution and
submit the contents of the flag.txt file on the administrator desktop. ->
w3b_l0gic_RCE!
43. What vulnerable application is running? -> tomcat
44. What port is this application running on? -> 8080
45. What version of the application is in use? -> 9.0.0.M1
46. Exploit the application to obtain a shell and submit the contents of the
flag.txt file on the Administrator desktop. -> f55763d31a8f63ec935abd07aee5d3d0
47. What is the URL of the WordPress instance? -> http://blog.inlanefreight.local
48. What is the name of the public GitLab project? -> virtualhost
49. What is the FQDN of the third vhost? -> monitoring.inlanefreight.local
50. What application is running on this third vhost? (One word) -> nagios
51. What is the admin password to access this application? -> oilaKglm7M09@CPL&^lC
52. Obtain reverse shell access on the target and submit the contents of the
flag.txt file. -> afe377683dce373ec2bf7eaf1e0107eb
53. What is the hardcoded password for the database connection in the
MultimasterAPI.dll file? -> D3veL0pM3nT!

Module: Linux Privilege Escalation

1. Enumerate the Linux environment and look for interesting files that might
contain sensitive data. Submit the flag as the answer -> HTB{1nt3rn4l_5cr1p7_l34k}
2. What is the latest Python version that is installed on the target? -> 3.11
3. Find the WordPress database password. -> W0rdpr3ss_sekur1ty!
4. Review the PATH of the htb-student user. What non-default directory is part of
the user's PATH? -> /tmp
5. Use different approaches to escape the restricted shell and read the flag.txt
file. Submit the contents as the answer. -> HTB{35c4p3_7h3_r3stricted_5h311}
6. Find a file with the setuid bit set that was not shown in the section command
output (full path to the binary). -> /bin/sed
7. Find a file with the setgid bit set that was not shown in the section command
output (full path to the binary). -> /usr/bin/facter
8. What command can the htb-student user run as root? -> /usr/bin/openssl
9. Use the privileged group rights of the secaudit user to locate a flag. ->
ch3ck_th0se_gr0uP_m3mb3erSh1Ps!
10. Escalate the privileges using capabilities and read the flag.txt file in the
"/root" directory. Submit its contents as the answer. -> HTB{c4paBili7i3s_pR1v35c}
11. Connect to the target system and escalate privileges using the Screen exploit.
Submit the contents of the flag.txt file in the /root/screen_exploit directory. ->
91927dad55ffd22825660da88f2f92e0
12. Connect to the target system and escalate privileges by abusing the
misconfigured cron job. Submit the contents of the flag.txt file in the
/root/cron_abuse directory. -> 14347a2c977eb84508d3d50691a7ac4b
13. Escalate the privileges and submit the contents of flag.txt as the answer. ->
HTB{C0nT41n3rs_uhhh}
14. Escalate the privileges on the target and obtain the flag.txt in the root
directory. Submit the contents as the answer. -> HTB{D0ck3r_Pr1vE5c}
15. Escalate the privileges and submit the contents of flag.txt as the answer. ->
HTB{l0G_r0t7t73N_00ps}
16. Review the NFS server's export list and find a directory holding a flag. ->
fc8c065b9384beaa162afe436a694acf
17. Escalate privileges using a different Kernel exploit. Submit the contents of
the flag.txt file in the /root/kernel_exploit directory. ->
46237b8aa523bc7e0365de09c0c0164f
18. Escalate privileges using LD_PRELOAD technique. Submit the contents of the
flag.txt file in the /root/ld_preload directory. ->
6a9c151a599135618b8f09adc78ab5f1
19. Follow the examples in this section to escalate privileges, recreate all
examples (don't just run the payroll binary). Practice using ldd and readelf.
Submit the version of glibc (i.e. 2.30) in use to move on to the next section. ->
2.27
20. Follow along with the examples in this section to escalate privileges. Try to
practice hijacking python libraries through the various methods discussed. Submit
the contents of flag.txt under the root user as the answer. ->
HTB{3xpl0i7iNG_Py7h0n_lI8R4ry_HIjiNX}
21. Escalate the privileges and submit the contents of flag.txt as the answer. ->
HTB{SuD0_e5c4l47i0n_1id}
22. Escalate the privileges and submit the contents of flag.txt as the answer. ->
HTB{p0Lk1tt3n}
23. Escalate the privileges and submit the contents of flag.txt as the answer. ->
HTB{D1rTy_DiR7Y}
24. Submit the contents of flag1.txt -> LLPE{d0n_ov3rl00k_h1dden_f1les!}
25. Submit the contents of flag2.txt -> LLPE{ch3ck_th0se_cmd_l1nes!}
26. Submit the contents of flag3.txt -> LLPE{h3y_l00k_a_fl@g!}
27. Submit the contents of flag4.txt -> LLPE{im_th3_m@nag3r_n0w}
28. Submit the contents of flag5.txt -> LLPE{0ne_sudo3r_t0_ru13_th3m_@ll!}

Module: Windows Privilege Escalation

1. What is the IP address of the other NIC attached to the target host? ->
172.16.20.45
2. What executable other than cmd.exe is blocked by AppLocker? ->
powershell_ise.exe
3. What non-default privilege does the htb-student user have? ->
SeTakeOwnershipPrivilege
4. Who is a member of the Backup Operators group? -> sarah
5. What service is listening on port 8080 (service name not the executable)? ->
Tomcat8
6. What user is logged in to the target host? -> sccm_svc
7. What type of session does this user have? -> console
8. What service is listening on 0.0.0.0:21? (two words) -> filezilla server
9. Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01
named pipe? -> NT SERVICE\MSSQL$SQLEXPRESS01
10. Escalate privileges using one of the methods shown in this section. Submit the
contents of the flag file located at c:\Users\Administrator\Desktop\SeImpersonate\
flag.txt -> F3ar_th3_p0tato!
11. Leverage SeDebugPrivilege rights and obtain the NTLM password hash for the
sccm_svc account. -> 64f12cddaa88057e06a81b54e73b949b
12. Leverage SeTakeOwnershipPrivilege rights over the file located at "C:\TakeOwn\
flag.txt" and submit the contents. -> 1m_th3_f1l3_0wn3r_n0W!
13. Leverage SeBackupPrivilege rights and obtain the flag located at c:\Users\
Administrator\Desktop\SeBackupPrivilege\flag.txt -> Car3ful_w1th_gr0up_m3mberSh1p!
14. Using the methods demonstrated in this section find the password for the user
mary. -> W1ntergreen_gum_2021!
15. Leverage membership in the DnsAdmins group to escalate privileges. Submit the
contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt -
> Dll_abus3_ftw!
16. Follow the steps in this section to escalate privileges to SYSTEM, and submit
the contents of the flag.txt file on administrator's Desktop. Necessary tools for
both methods can be found in the C:\Tools directory, or you can practice compiling
and uploading them on your own. -> Pr1nt_0p3rat0rs_ftw!
17. Escalate privileges using the methods shown in this section and submit the
contents of the flag located at c:\Users\Administrator\Desktop\ServerOperators\
flag.txt -> S3rver_0perators_@ll_p0werfull!
18. Follow the steps in this section to obtain a reverse shell connection with
normal user privileges and another which bypasses UAC. Submit the contents of
flag.txt on the sarah user's Desktop when finished. -> I_bypass3d_Uac!
19. Escalate privileges on the target host using the techniques demonstrated in
this section. Submit the contents of the flag in the WeakPerms folder on the
Administrator Desktop. -> Aud1t_th0se_s3rv1ce_p3rms!
20. Try out the 3 examples in this section to escalate privileges to NT AUTHORITY\
SYSTEM on the target host. Submit the contents of the flag on the Administrator
Desktop. -> D0nt_fall_b3h1nd_0n_Patch1ng!
21. Work through the steps above to escalate privileges on the target system using
the Druva inSync flaw. Submit the contents of the flag in the VulServices folder on
the Administrator Desktop. -> Aud1t_th0se_th1rd_paRty_s3rvices!
22. Search the file system for a file containing a password. Submit the password as
your answer. -> Pr0xyadm1nPassw0rd!
23. Connect as the bob user and practice decrypting the credentials in the pass.xml
file. Submit the contents of the flag.txt on the desktop once you are done. ->
3ncryt10n_w0nt_4llw@ys_s@v3_y0u
24. Using the techniques shown in this section, find the cleartext password for the
bob_adm user on the target system. -> 1qazXSW@3edc!
25. Using the techniques covered in this section, retrieve the sa password for the
SQL01.inlanefreight.local user account. -> S3cret_db_p@ssw0rd!
26. Which user has credentials stored for RDP access to the WEB01 host? -> amanda
27. Find and submit the password for the root user to access
https://vc01.inlanefreight.local/ui/login -> ILVCadm1n1qazZAQ!
28. Enumerate the host and find the password for ftp.ilfreight.local -> Ftpuser!
29. Submit the user flag from C:\Users\pmorgan\Downloads -> CitR1X_Us3R_Esc@p3
30. Submit the Administrator's flag from C:\Users\Administrator\Desktop -> C1tr!
x_3sC@p3_@dm!n
31. Using the techniques in this section obtain the cleartext credentials for the
SCCM_SVC user. -> Password1
32. Access the target machine using Peter's credentials and check which
applications are installed. What's the application installed used to manage and
connect to remote systems? -> mRemoteNG
33. Find the configuration file for the application you identify and attempt to
obtain the credentials for the user Grace. What is the password for the local
account, Grace? -> Princess01!
34. Log in as Grace and find the cookies for the slacktestapp.com website. Use the
cookie to log in into slacktestapp.com from a browser within the RDP session and
submit the flag. -> HTB{Stealing_Cookies_To_AccessWebSites}
35. Log in as Jeff via RDP and find the password for the restic backups. Submit the
password as the answer. -> Superbackup!
36. Restore the directory containing the files needed to obtain the password hashes
for local users. Submit the Administrator hash as the answer. ->
bac9dc5b7b4bec1d83e0e9c04b477f26
37. Using the techniques in this section, find the cleartext password for an
account on the target host. -> !QAZXSW@3edc
38. Obtain a shell on the target host, enumerate the system and escalate
privileges. Submit the contents of the flag.txt file on the Administrator Desktop.
-> L3gacy_st1ill_pr3valent!
39. Enumerate the target host and escalate privileges to SYSTEM. Submit the
contents of the flag on the Administrator Desktop. -> Cm0n_l3ts_upgRade_t0_win10!
40. Which two KBs are installed on the target system? (Answer format:
3210000&3210060) -> 3199986&3200970
41. Find the password for the ldapadmin account somewhere on the system. ->
car3ful_st0rinG_cr3d$
42. Escalate privileges and submit the contents of the flag.txt file on the
Administrator Desktop. -> Ev3ry_sysadm1ns_n1ghtMare!
43. After escalating privileges, locate a file named confidential.txt. Submit the
contents of this file. -> 5e5a7dafa79d923de3340e146318c31a
44. Find left behind cleartext credentials for the iamtheadministrator domain admin
account. -> Inl@n3fr3ight_sup3rAdm1n!
45. Escalate privileges to SYSTEM and submit the contents of the flag.txt file on
the Administrator Desktop -> el3vatEd_1nstall$_v3ry_r1sky
46. There is 1 disabled local admin user on this system with a weak password that
may be used to access other systems in the network and is worth reporting to the
client. After escalating privileges retrieve the NTLM hash for this user and crack
it offline. Submit the cleartext password for this account. -> password1

Module: Documenting and Reporting

1. Inlanefreight has contracted Elizabeth's firm to complete a type of assessment
that is mostly automated where no exploitation is attempted. What kind of
assessment is she going to be contracted for? -> Vulnerability Assessment
2. Nicolas is performing an external & internal penetration test for Inlanefreight.
The client has only provided the company's name and a network connection onsite at
their office and no additional detail. From what perspective is he performing the
penetration test? -> Black Box
3. What component of a report should be written in a simple to understand and non-
technical manner? -> Executive Summary
4. It is a good practice to name and recommend specific vendors in the component of
the report mentioned in the last question. True or False? -> FALSE
5. "An attacker can own your whole entire network cause your DC is way out of date.
You should really fix that!". Is this a Good or Bad remediation recommendation?
(Answer Format: Good or Bad) -> bad
6. Connect to the testing VM using Xfreerdp and practice testing, documentation,
and reporting against the target lab. Once the target spawns, browse to the
WriteHat instance on port 443 and authenticate with the provided admin credentials.
Play around with the tool and practice adding findings to the database to get a
feel for the reporting tools available to us. Remember that all data will be lost
once the target resets, so save any practice findings locally! Next, complete the
in-progress penetration test. Once you achieve Domain Admin level access, submit
the contents of the flag.txt file on the Administrator Desktop on the DC01 host. ->
d0c_pwN_r3p0rt_reP3at!
7. After achieving Domain Admin, submit the NTLM hash of the KRBTGT account. ->
16e26ba33e455a8c338142af8d89ffbc
8. Dump the NTDS file and perform offline password cracking. Submit the password of
the svc_reporting user as your answer. -> Reporter1!
9. What powerful local group does this user belong to? -> backup operators
Module: Attacking Enterprise Networks
1. Perform a banner grab of the services listening on the target host and find a
non-standard service banner. Submit the name as your answer (format:
word_word_word) -> 1337_HTB_DNS
2. Perform a DNS Zone Transfer against the target and find a flag. Submit the flag
value as your answer (flag format: HTB{ }). -> HTB{DNs_ZOn3_Tr@nsf3r}
3. What is the FQDN of the associated subdomain? -> flag.inlanefreight.local
4. Perform vhost discovery. What additional vhost exists? (one word) -> monitoring
6. Enumerate the accessible services and find a flag. Submit the flag value as your
answer (flag format: HTB{ }). -> HTB{0eb0ab788df18c3115ac43b1c06ae6c4}
7. Use the IDOR vulnerability to find a flag. Submit the flag value as your answer
(flag format: HTB{}). -> HTB{8f40ecf17f681612246fa5728c159e46}
8. Exploit the HTTP verb tampering vulnerability to find a flag. Submit the flag
value as your answer (flag format: HTB{}). -> HTB{57c7f6d939eeda90aa1488b15617b9fa}
9. Exploit the WordPress instance and find a flag in the web root. Submit the flag
value as your answer (flag format: HTB{}). -> HTB{e7134abea7438e937b87608eab0d979c}
10. Enumerate the "status" database and retrieve the password for the "Flag" user.
Submit the value as your answer. -> 1fbea4df249ac4f4881a5da387eb297cf
11. Steal an admin's session cookie and gain access to the support ticketing queue.
Submit the flag value for the "John" user as your answer. -> HTB{1nS3cuR3_c00k135}
12. Use the SSRF to Local File Read vulnerability to find a flag. Submit the flag
value as your answer (flag format: HTB{}). -> HTB{49f0bad299687c62334182178bfd75d8}
13. Register an account and log in to the Gitlab instance. Submit the flag value
(flag format : HTB{}). -> HTB{32596e8376077c3ef8d5cf52f15279ba}
14. Use the XXE vulnerability to find a flag. Submit the flag value as your answer
(flag format: HTB{}). -> HTB{dbca4dc5d99cdb3311404ea74921553c}
15. Use the command injection vulnerability to find a flag in the web root. Submit
the flag value as your answer (flag format: HTB{}) ->
HTB{bdd8a93aff53fd63a0a14de4eba4cbc1}
16. Submit the contents of the flag.txt file in the /home/srvadm directory. ->
b447c27a00e3a348881b0030177000cd
17. Escalate privileges on the target host and submit the contents of the flag.txt
file in the /root directory. -> a34985b5976072c3c148abc751671302
18. Mount an NFS share and find a flag.txt file. Submit the contents as your
answer. -> bf22a1d0acfca4af517e1417a80e92d1
19. Retrieve the contents of the SAM database on the DEV01 host. Submit the NT hash
of the administrator user as your answer. -> 0e20798f695ab0d04bc138b22344cea8
20. Escalate privileges on the DEV01 host. Submit the contents of the flag.txt file
on the Administrator Desktop. -> K33p_0n_sp00fing!
21. Find a backup script that contains the password for the backupadm user. Submit
this user's password as your answer. -> !qazXSW@
22. Perform a Kerberoasting attack and retrieve TGS tickets for all accounts set as
SPNs. Crack the TGS of the backupjob user and submit the cleartext password as your
answer. -> lucky7
23. Escalate privileges on the MS01 host and submit the contents of the flag.txt
file on the Administrator Desktop. -> 33a9d46de4015e7b3b0ad592a9394720
24. Obtain the NTLMv2 password hash for the mpalledorous user and crack it to
reveal the cleartext value. Submit the user's password as your answer. -> 1squints2
25. Set a fake SPN on the ttimmons user. Kerberoast this user and crack the TGS
ticket offline to reveal their cleartext password. Submit this password as your
answer. -> Repeat09
26. After obtaining Domain Admin rights, authenticate to the domain controller and
submit the contents of the flag.txt file on the Administrator Desktop. ->
7c09eb1fff981654a3bb3b4a4e0d176a
27. Compromise the INLANEFREIGHT.LOCAL domain and dump the NTDS database. Submit
the NT hash of the Administrator account as your answer. ->
fd1f7e5564060258ea787ddbb6e6afa2
28. Gain access to the MGMT01 host and submit the contents of the flag.txt file in
a user's home directory. -> 3c4996521690cc76446894da2bf7dd8f
29. Escalate privileges to root on the MGMT01 host. Submit the contents of the
flag.txt file in the /root directory. -> 206c03861986c0e264438cb6e8e90a19