Nmap

Initial Nmap scan revealed SMB, Kerberos, HTTP and LDAP ports and a domain name.

00 - nmap

DNS

Using ‘dig’, I was able to obtain the domain controller’s name.

01 - DC

VHost Enumeration

The website was static, so I did a directory brute-force, which revealed nothing. Then I did vhost enumeration, which revealed the ‘school’ subdomain.

02 - subdomain

Exploitation

SMB Authentication

I set up Responder to listen for SMB authentication requests and capture the hash. Then, on the school.flight.htb website, I used an LFI vulnerability to request a fake share on my attacker IP, which leaked the target’s hash.

03 - fake share

04 - got the hash

Then I simply cracked the hash with hashcat.

05 - cracked

User Enumeration and Password Spray

This was a service account without many permissions. Using crackmapexec, I generated a userList.

06 - userList

The userList can also be generated with impacket-lookupsid.

06 - userList2

Then, using the cracked service account password, I ran a password spraying attack, which revealed that one of the users had the same password.

07 - got the user

NTLM Theft

The user had write access to a share that is probably commonly accessed.

08 - s moon shares

Using the ‘ntlm_theft’ tool, I uploaded a phishing file to the share, then started Responder, which allowed me to capture a user’s hash.

09 - ntlm theft

10 - put

11 - c bum hash

Then, using hashcat again, I cracked the hash.

12 - cracked

SMB Shares

The c.bum user had write access to the Web share.

13 - c bum write web

So I generated a PHP reverse shell and uploaded it to the share, which allowed me to execute commands on the target computer.

14 - rev shell

15 - rev php

16 - got it

Get an Interactive Shell

To get an interactive shell, I uploaded the nc64.exe file and started a netcat listener. Then, running the command from the webshell, I got an interactive reverse shell.

17 - download netcat

18 - got the shell

Getting User

The shell was running as the service account. To become c.bum we would need runas, but the password prompt cannot be answered from this shell. The solution was to use the RunAsCs tool to get a reverse shell as c.bum.

19 - put runascs

20 - runascs

21 - c bum

Lateral Movement

While analyzing the computer, I found an inetpub directory holding a .NET website (the external websites were PHP).

22 - inetpub

Using the ‘icacls’ tool, I found that the c.bum user had write access here.

26 - full access

So I thought there was probably an internal website, and I ran the ‘netstat’ command to check listening ports. Port 8000 is common for web applications.

23 - port 8000

Port Forwarding

So I had to do remote port forwarding to access the internal website. I uploaded chisel to the target, then started the chisel server with the reverse option.

25 - chisel2

Then I connected to the server with the client.

24 - chisel1

Reverse Shell

Then I uploaded an ASPX reverse shell to this directory. Visiting the page on the site got me a reverse shell.

27 - shell

28 - system account

I could see that it was a system account, because the account prefix was not the domain name. To confirm, I ran Responder and tried to access a fake share, which revealed the computer account’s hash.

29 - fake share

30 - system account

From here we have two choices.

  • Use SeImpersonatePrivilege for privilege escalation (JuicyPotato etc.)
  • Use Rubeus to simply request a TGT, and use that TGT to perform a DCSync attack.

TGT Delegation and DCSync

So using Rubeus I obtained the Domain Controller’s ticket.

31 - tgt delegation

Then I first used ‘ntpdate’ to sync my clock with the target DC so that Kerberos would work. Next, I base64-decoded the file and converted the ticket to a ccache file. Using the ccache file, I simply ran the DCSync attack with ‘secretsdump.py’.

32 - got it

Finally, I used the dumped hash to get a system shell and got the root flag.

34 - got the admin
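A detection the DCSync step above would trip, added here as an example and not part of the writeup: it joins Windows Event 4662 (directory service access requesting the replication extended rights) to the 4624 logon that opened the session, and flags replication requested by a non-DC account, or by a DC machine account from an address that is not a DC. The DC names and addresses are placeholders, and the sample events are constructed.

```python
import re

# The two AD extended rights a DCSync needs (well-known GUIDs, not from the page).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Placeholder inventory of legitimate domain controllers (assumed, not from the page).
DC_ACCOUNTS = {"DC01$"}
DC_ADDRESSES = {"10.0.0.5"}

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def find_dcsync(events_4624, events_4662):
    """Return (account, source_ip, reason) for each 4662 event that requests
    replication rights from somewhere other than a DC. The 4662 is joined to
    the 4624 network logon that opened the session via its logon ID."""
    logons = {e["TargetLogonId"]: e for e in events_4624}
    hits = []
    for e in events_4662:
        requested = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        if not requested & REPLICATION_GUIDS:
            continue  # ordinary directory access, not replication
        account = e["SubjectUserName"]
        src = logons.get(e["SubjectLogonId"], {}).get("IpAddress", "unknown")
        if account not in DC_ACCOUNTS:
            hits.append((account, src, "replication by non-DC account"))
        elif src not in DC_ADDRESSES:
            # A DC's machine account replicating from a foreign host: what a
            # machine-account TGT replayed from another box looks like.
            hits.append((account, src, "DC account replicating from non-DC host"))
    return hits


# Constructed sample events (logon IDs, names and addresses are made up).
REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4624 = [
    {"TargetLogonId": "0x1a2b", "TargetUserName": "DC01$", "IpAddress": "10.0.0.5"},
    {"TargetLogonId": "0x3c4d", "TargetUserName": "DC01$", "IpAddress": "10.0.0.50"},
    {"TargetLogonId": "0x5e6f", "TargetUserName": "user1", "IpAddress": "10.0.0.60"},
]
SAMPLE_4662 = [
    {"SubjectUserName": "DC01$", "SubjectLogonId": "0x1a2b", "Properties": REPL},
    {"SubjectUserName": "DC01$", "SubjectLogonId": "0x3c4d", "Properties": REPL},
    {"SubjectUserName": "user1", "SubjectLogonId": "0x5e6f", "Properties": REPL},
    {"SubjectUserName": "user1", "SubjectLogonId": "0x5e6f",
     "Properties": "{0000c0de-0000-4000-8000-000000000001}"},  # unrelated right
]
```

Event 4662 only appears when the "Audit Directory Service Access" subcategory is enabled on the DCs, and the DC inventory should come from AD rather than a hard-coded set.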

Pwned

The machine was fully compromised.

pwne
