Flight HTB

10.129.31.185

initial nmap scan

sudo nmap -p- --min-rate 10000 10.129.31.185 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open

53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49501,49666,49675,49676,49700

Most likely a domain controller given the presence of DNS, LDAP, KERBEROS etc

Lets run a more in-depth scan of the target

sudo nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49501,49666,49675,49676,49700 -oA port_scan 10.129.31.185

results

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-14 05:21:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49501/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m54s
| smb2-time: 
|   date: 2024-01-14T05:22:18
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

what can we see

we have a window's server, most likely a domain controller
we have a domain name of flight.htb we can add this to our hosts file
we have a http web server Apache 2.4.52 (win64)
we have a time difference with kerberos

Lets see if there is anonymous access to any of the services

DNS

Lets see if we can perform a zone transfer

dig axfr @10.129.31.185 flight.htb

transfer failed

RPC

Lets see if we can access RPC via an anonymous bond

rpcclient -N -U anonymous 10.129.31.185

No luck

LDAP

Lets see if we can find any information via a anonymous bond

ldapsearch -x -H ldap://10.129.31.185 -s base -b '' "(objectClass=*)" "*" +

results

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=flight,DC=htb
ldapServiceName: flight.htb:g0$@FLIGHT.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=flight,DC=htb
serverName: CN=G0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
 ion,DC=flight,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=flight,DC=htb
namingContexts: DC=flight,DC=htb
namingContexts: CN=Configuration,DC=flight,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=flight,DC=htb
namingContexts: DC=DomainDnsZones,DC=flight,DC=htb
namingContexts: DC=ForestDnsZones,DC=flight,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 127201
dsServiceName: CN=NTDS Settings,CN=G0,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=flight,DC=htb
dnsHostName: g0.flight.htb
defaultNamingContext: DC=flight,DC=htb
currentTime: 20240114053641.0Z
configurationNamingContext: CN=Configuration,DC=flight,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

other then the domain name we dont really find any new information

SMB

crackmapexec smb 10.129.31.185 -u anonymous -p ''

No luck

Lets check out the web server

we are greeted with a static page, pretty much no functionality

Lets see if we can find any sudomains

 wfuzz -c -f sub-fighter -Z -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --sc 200,202,204,301,302,307,403 "http://FUZZ.flight.htb"

we do find one subdomain

school

Lets check out this subdomain

we do find what looks to be like a PHP function, that loads the pages on the server

could be a possible LFI situation here,

Which it is indeed

PreviousReel HTB NextVisual HTB

Last updated 2 years ago