Tags: HackTheBox, Active Directory, Windows

Flight

Windows AD DC pwned via LFI to UNC injection, NTLM capture, password reuse, and an .ini file drop; chaining five accounts through PHP/ASPX webshells, Kerberos delegation, and DCSync to Administrator.

1. Overview

Flight is a Hard-rated Windows Active Directory machine on HackTheBox. The attack chain is multi-stage and realistic, touching on web application vulnerabilities, credential theft via SMB coercion, lateral movement through password reuse, web shell deployment across two different technologies (PHP and ASPX), internal port forwarding, Kerberos ticket manipulation, and finally a DCSync attack to retrieve the domain Administrator hash.

The box runs a Windows Server 2019 domain controller (flight.htb / G0) hosting an Apache/PHP web stack externally and an IIS development server internally on port 8000. Rooting it requires chaining together more than a dozen techniques across five separate user contexts.

Techniques used:

Technique                   Tool / Method
Subdomain Enumeration       ffuf virtual host fuzzing
LFI → UNC Path Injection    Bypass monitored LFI via SMB path
NTLM Hash Capture           Responder + NTLMv2 coercion
Hash Cracking               Hashcat mode 5600 (NetNTLMv2)
Password Spray              Credential reuse across domain users
SCF/INI File Drop           Coerce auth via malicious .ini file
PHP Webshell                RCE via SMB write → web access
Port Forwarding             Chisel reverse tunnel to internal app
ASPX Webshell               IIS code execution as AppPool
Kerberos TGT Delegation     Rubeus tgtdeleg for IIS machine account
DCSync (DRSUAPI)            impacket-secretsdump for NTLM hash
Pass-the-Hash               evil-winrm to get Administrator shell


2. Reconnaissance

2.1 Port Scan — Nmap

An nmap service-version scan against the target reveals a classic Windows domain controller fingerprint — DNS, Kerberos, LDAP, SMB, and RPC all present — plus an unexpected Apache/PHP web server on port 80.

2.2 Subdomain Enumeration — ffuf

The main site at flight.htb is a static aviation company page with nothing interesting. Virtual-host fuzzing with ffuf using -fs 7069 to filter the default response size quickly surfaces a second subdomain.

The subdomain school.flight.htb hosts an Aviation School site.


3. Initial Foothold — svc_apache

3.1 LFI Discovery on school.flight.htb

The Aviation School subdomain builds its pages through a PHP include driven by a query parameter: http://school.flight.htb/index.php?view=blog.html This is a classic Local File Inclusion (LFI) vector. A naive traversal attempt to read windows/win.ini is detected and blocked by a security monitor, which returns a "Suspicious Activity Blocked! Incident will be reported" page. Direct filesystem LFI will not work here.

3.2 UNC Path Injection → NTLM Hash Capture

Even though filesystem traversal is blocked, the include mechanism still accepts UNC (Universal Naming Convention) paths, the Windows network path form \\HOST\SHARE, which PHP on Windows also accepts written as //HOST/SHARE. Supplying an attacker-controlled UNC path makes the server open an outbound SMB connection to us and authenticate, leaking a NetNTLMv2 challenge-response for the service account Apache runs as. Note what this is and is not: a NetNTLMv2 response can be cracked offline against a wordlist, but it is not an NT hash, so it cannot be passed, and relaying it back to the DC is not an option because domain controllers enforce SMB signing.
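A model of the include check, as an added example that is neither the page's code nor the box's PHP source. The real filter behind index.php?view= is not published, so the blocklist patterns (BLOCKED), the webroot (WEBROOT) and the attacker address 10.10.14.5 are assumptions; Python stands in for PHP so the logic can be run and checked. The point is what a traversal-only monitor lets through (a UNC path) and what an allowlist plus canonical-path resolver does with the same input.

```python
"""Model of the view= include check on school.flight.htb (added example).

Assumptions, since the real PHP is not published: the monitor is a blocklist
of traversal strings and Windows paths (BLOCKED), and the webroot is WEBROOT.
A blocklist that only knows about ../ and win.ini lets a UNC path straight
through, while an allowlist plus canonical-path check does not.
"""
import os
import re
from typing import Optional

WEBROOT = "/var/www/school"                        # assumed webroot, illustrative only
PAGE_RE = re.compile(r"^[A-Za-z0-9_-]+\.html$")   # only plain page names are valid views

# Assumed blocklist in the spirit of the "Suspicious Activity Blocked!" monitor.
BLOCKED = re.compile(r"(\.\./|\.\.\\|/windows/|\\windows\\|win\.ini|/etc/)", re.IGNORECASE)


def monitor_allows(view: str) -> bool:
    """The vulnerable check: True when the blocklist finds nothing suspicious."""
    return BLOCKED.search(view) is None


def is_unc(view: str) -> bool:
    """A UNC path: \\\\HOST\\SHARE, or the //HOST/SHARE form PHP on Windows also accepts."""
    return view.startswith("\\\\") or view.startswith("//")


def safe_resolve(view: str) -> Optional[str]:
    """The hardened check: allowlisted name, then the canonical path must stay in WEBROOT."""
    if not PAGE_RE.match(view):
        return None
    root = os.path.realpath(WEBROOT)
    path = os.path.realpath(os.path.join(root, view))
    if os.path.commonpath([root, path]) != root:
        return None
    return path


def classify(view: str) -> str:
    """Summarise how the two checks treat one view= value."""
    if not monitor_allows(view):
        return "blocked by monitor"
    if is_unc(view):
        return "passes monitor, UNC path (SMB auth leak)"
    return "legitimate page" if safe_resolve(view) is not None else "passes monitor, not a page"


if __name__ == "__main__":
    for v in ("blog.html", "../../../../windows/win.ini", "//10.10.14.5/share/blog.html"):
        print(f"{v!r}: {classify(v)}")
```

The traversal string trips the blocklist exactly as the page describes, while the UNC value contains none of the blocked substrings and sails through; the allowlist version never reaches the filesystem for either.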

Step 1 — Start Responder to listen for incoming SMB auth:

Step 2 — Trigger the UNC callback through the LFI parameter:

Step 3 — Responder captures the NTLMv2 hash:

3.3 Hash Cracking — svc_apache

Save the full NTLMv2 hash line to a file and crack it with hashcat using mode 5600 (NetNTLMv2) against the RockYou wordlist:

Credentials: flight\svc_apache : S@Ss!K@*t13

3.4 Validating Access — SMB & LDAP

The cracked credentials are verified across protocols with NetExec (nxc). SMB and LDAP authenticate successfully, but WinRM does not — no direct shell yet.

We have SMB and LDAP — enough to enumerate the domain deeply.


4. Lateral Movement — S.Moon → C.Bum

4.1 Domain User Enumeration via RID Brute Force

Using svc_apache credentials, RID-brute SMB to enumerate all domain accounts without requiring direct LDAP queries:

4.2 Password Spray — Credential Reuse

The svc_apache password is sprayed across all discovered users. Password reuse is found for S.Moon:

Credentials: flight\S.Moon : S@Ss!K@*t13

4.3 Checking S.Moon's SMB Shares

Enumerating shares as S.Moon reveals READ+WRITE access to the Shared share — which svc_apache could only read. This is the pivot point for the next escalation.

4.4 SCF/INI File Drop to Steal C.Bum's Hash

A user is periodically browsing the Shared folder (simulated by the box). Placing a malicious Shell Command File (SCF) there makes Windows Explorer fetch the file's icon from an attacker-controlled UNC path, which triggers an outbound SMB authentication and leaks that user's NetNTLMv2 response to Responder.

trigger.scf contents:

Uploading trigger.scf directly fails with NT_STATUS_ACCESS_DENIED: the share refuses that extension.

The NTLM_STEALER file-type list shows the other extensions that trigger the same behaviour; .ini is accepted by the share, so trigger.scf is simply renamed to trigger.ini.

Responder must be running before the file is placed. It captures C.Bum's hash shortly afterwards:

The NetNTLMv2 hash is saved to a file and cracked with hashcat (mode 5600 again):

Credentials: flight\C.Bum : Tikkycoll_431012284

The user flag can be grabbed from C.Bum's desktop at this point:


5. Remote Code Execution — svc_apache Context

5.1 Write PHP Webshell via SMB

C.Bum is a member of the WebDevs group. Enumerating shares as C.Bum shows READ+WRITE on the Web share, which maps to the Apache document roots; its school.flight.htb folder is the web root of the vulnerable vhost.

A minimal PHP webshell, a one-liner that executes the cmd GET parameter, is written:

and uploaded over SMB into the school.flight.htb folder of the Web share:

Visiting http://school.flight.htb/shell.php?cmd=whoami confirms RCE as flight\svc_apache.

5.2 Establish Reverse Shell as svc_apache

A PowerShell TCP reverse shell (shell.ps1) is hosted with Python's HTTP server and pulled down through the webshell:

Host it with a Python HTTP server:

Start a netcat listener:

Then fetch and execute it through the webshell:

The listener receives a shell as flight\svc_apache:

5.3 Discover Internal Port 8000

Running netstat inside the shell shows port 8000 listening on all interfaces, owned by PID 4 (System). PID 4 is how HTTP.sys-backed listeners such as IIS appear in netstat, so this is a web server rather than a custom service. The port is not reachable from outside the host.

A quick PowerShell web request to localhost confirms it serves HTML, an internal IIS development copy of the main aviation site:

This is most likely an internal version of the flight website seen on port 80 from outside, and it will be the vector for privilege escalation.


6. Escalation to C.Bum — IIS Development Site

6.1 Spawn a Shell as C.Bum with RunasCs

svc_apache has limited privileges. Since C.Bum is in WebDevs and should have write access to the IIS development directory, RunasCs.exe (transferred via the Python HTTP server) is used to run commands as C.Bum with the cracked password, without needing an interactive logon session.

The next step is a second reverse shell, this time as C.Bum, to enumerate and escalate properly. Start another nc listener:

Then, from the svc_apache reverse shell, launch the payload through RunasCs:

The new listener receives a shell as flight\C.Bum:

6.2 Write Access to C:\inetpub\development

As C.Bum, the IIS development directory is writable, confirmed by creating a test file:

With write access to the IIS webroot and the site reachable only from the host, the plan is to drop a webshell there and forward port 8000 out to the attacker machine so it can be reached.

6.3 Port Forward with Chisel

The IIS dev site on port 8000 is reachable only from inside the host. Chisel creates a reverse TCP tunnel that exposes it on the Kali machine. First start the chisel server on Kali:

Transfer the Windows chisel binary via the Python HTTP server:

Then start the chisel client on the target to set up the port forward:

6.4 Deploy ASPX Webshell → IIS AppPool RCE

The IIS development site does not execute PHP, so an ASPX (C# ASP.NET) webshell is needed instead:

Using the C.Bum shell, it is written to C:\inetpub\development\shell.aspx:

Accessing http://127.0.0.1:9001/shell.aspx?cmd=whoami /all (9001 being the local end of the chisel tunnel) confirms RCE as IIS APPPOOL\DefaultAppPool. The output:

The whoami /all output lists SeImpersonatePrivilege as enabled. That privilege would allow a potato-style token impersonation escalation on its own, but it is not what the next section relies on. What matters there is the nature of the account: IIS APPPOOL\DefaultAppPool is a virtual account with no domain password of its own, so whenever it authenticates to a network service it does so as the host's computer account, and this host is the domain controller.


7. Domain Compromise — Administrator

7.1 Kerberos TGT Delegation with Rubeus

On the network, the IIS AppPool virtual account is the domain controller's computer account, G0$. A DC computer account holds the directory replication rights that DCSync needs, so a usable Kerberos ticket for G0$ is as good as being a DC.

Rubeus tgtdeleg obtains exactly that ticket, without ever seeing the machine account's password. It requests a service ticket for a target trusted for delegation (cifs/g0.flight.htb), then builds the Kerberos GSS-API AP-REQ a client would send to that service; because the target is OK-as-delegate, Windows includes a forwarded TGT in the authenticator, and Rubeus decrypts it with the session key returned by the KDC. The result is a base64-encoded TGT for G0$ in .kirbi format.

First, get a stable reverse shell as the IIS AppPool identity via the ASPX webshell. Host a reverse shell as rev.ps1 on the attacker machine:

Start a netcat listener on port 6666 and, through the webshell, execute:

The listener receives the shell:

Then run Rubeus:

7.2 Convert Ticket and Sync Clock

The base64 ticket is decoded and converted from .kirbi (Windows format) to .ccache (Linux/impacket format). Because Kerberos requires client and server clocks to be within 5 minutes and the target is ~7 hours ahead, ntpdate is used to synchronise:

7.3 DCSync Attack — Dump Administrator Hash

With a valid Kerberos ccache and the clock synchronised, impacket-secretsdump performs a DCSync: it uses the DRSUAPI replication interface to ask the domain controller to replicate credentials as another DC would. That returns the Administrator NT hash straight from Active Directory, without touching NTDS.dit on disk.

7.4 Pass-the-Hash — Evil-WinRM

The NT hash is passed directly to Evil-WinRM — no need to crack it. This grants an interactive PowerShell session as domain Administrator:


8. Credentials Summary

Account                  Password / Hash                          How Obtained
flight\svc_apache        S@Ss!K@*t13                              UNC injection → Responder → Hashcat
flight\S.Moon            S@Ss!K@*t13                              Password reuse spray from svc_apache
flight\C.Bum             Tikkycoll_431012284                      Malicious .ini in Shared → Responder → Hashcat
flight\Administrator     43bbfc530bab76141b12c8446e30c17c (NT)    DCSync via Rubeus TGT + impacket


9. Attack Path Summary
