Return to forum

may123a · November 5, 2022 at 7:18 PM

Good luck ever

_eminem_ · November 5, 2022 at 7:18 PM

53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl

may123a · November 5, 2022 at 7:20 PM

interestinghttp://URL/cgi-bin/printenv.pl[code]COMSPEC="C:\Windows\system32\cmd.exe"CONTEXT_DOCUMENT_ROOT="/xampp/cgi-bin/"CONTEXT_PREFIX="/cgi-bin/"DOCUMENT_ROOT="C:/xampp/htdocs/flight.htb"GATEWAY_INTERFACE="CGI/1.1"HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"HTTP_ACCEPT_ENCODING="gzip, deflate"HTTP_ACCEPT_LANGUAGE="es-419,es;q=0.9"HTTP_CONNECTION="close"HTTP_HOST="10.129.11.5"HTTP_UPGRADE_INSECURE_REQUESTS="1"HTTP_USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36"MIBDIRS="/xampp/php/extras/mibs"MYSQL_HOME="\xampp\mysql\bin"OPENSSL_CONF="/xampp/apache/bin/openssl.cnf"PATH="C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\svc_apache\AppData\Local\Microsoft\WindowsApps"PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"PHPRC="\xampp\php"PHP_PEAR_SYSCONF_DIR="\xampp\php"QUERY_STRING REMOTE_ADDR="10.10.14.23"REMOTE_PORT="46412"REQUEST_METHOD="GET"REQUEST_SCHEME="http"REQUEST_URI="/cgi-bin/printenv.pl"SCRIPT_FILENAME="C:/xampp/cgi-bin/printenv.pl"SCRIPT_NAME="/cgi-bin/printenv.pl"SERVER_ADDR="10.129.11.5"SERVER_ADMIN="postmaster@localhost"SERVER_NAME="10.129.11.5"SERVER_PORT="80"SERVER_PROTOCOL="HTTP/1.1"SERVER_SIGNATURE="

Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1 Server at 10.129.11.5 Port 80

"SERVER_SOFTWARE="Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1"SYSTEMROOT="C:\Windows"TMP="\xampp\tmp"WINDIR="C:\Windows"[/code]

u53r · November 5, 2022 at 7:28 PM

Found http://school.flight.htb/

pingu27 · November 5, 2022 at 7:28 PM

http://school.flight.htb/index.php?view=http://ip/index.html

may123a · November 5, 2022 at 7:38 PM

(November 5, 2022, 07:28 PM)pingu27 Wrote: http://school.flight.htb/index.php?view=http://ip/index.html

SSRF 😉

FlyFly · November 5, 2022 at 7:43 PM

2022/11/05 19:42:20 > Using KDC(s):
2022/11/05 19:42:20 > g0.flight.htb:88

2022/11/05 19:42:50 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:38 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:41 > [+] VALID USERNAME: [email protected]

may123a · November 5, 2022 at 7:47 PM

(November 5, 2022, 07:43 PM)FlyFly Wrote: 2022/11/05 19:42:20 > Using KDC(s):
2022/11/05 19:42:20 > g0.flight.htb:88

2022/11/05 19:42:50 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:38 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:41 > [+] VALID USERNAME: [email protected]

which dictionary did you use?

FlyFly · November 5, 2022 at 7:53 PM

(November 5, 2022, 07:47 PM)may123a Wrote:
(November 5, 2022, 07:43 PM)FlyFly Wrote: 2022/11/05 19:42:20 > Using KDC(s):
2022/11/05 19:42:20 > g0.flight.htb:88

2022/11/05 19:42:50 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:38 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:41 > [+] VALID USERNAME: [email protected]

which dictionary did you use?

A-Z.Surnames.txt from attackdebris kerberos_enum_userlists github

may123a · November 5, 2022 at 7:54 PM

(November 5, 2022, 07:53 PM)FlyFly Wrote:
(November 5, 2022, 07:47 PM)may123a Wrote:
(November 5, 2022, 07:43 PM)FlyFly Wrote: 2022/11/05 19:42:20 > Using KDC(s):
2022/11/05 19:42:20 > g0.flight.htb:88

2022/11/05 19:42:50 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:38 > [+] VALID USERNAME: [email protected]
2022/11/05 19:43:41 > [+] VALID USERNAME: [email protected]

which dictionary did you use?

A-Z.Surnames.txt from attackdebris kerberos_enum_userlists github

Thanks :heart: