
HTB: Flight

Machine #73 on the Lain Kusanagi list. Flight earns its Hard rating not through any single clever trick, but through sheer chain length - each hop unlocks exactly one new thing, and you have to string six or seven of them together to reach SYSTEM. It’s a patience test as much as a technical one.

Machine Info

| Field | Details |
|---|---|
| Name | Flight |
| Platform | HackTheBox |
| OS | Windows |
| Difficulty | Hard |
| IP | 10.129.7.136 |
| Domain | flight.htb |

TL;DR

Nmap shows a full AD port set. Gobuster vhost finds school.flight.htb, a PHP app with a ?view= parameter vulnerable to LFI. UNC path inclusion leaks svc_apache’s NTLMv2 hash via Responder - john cracks it to S@Ss!K@*t13. Password spray finds S.Moon reuses the same password. S.Moon has WRITE on the Shared share - use ntlm_theft to drop a desktop.ini coercion file, Responder captures C.Bum’s hash, john cracks it to Tikkycoll_431012284. C.Bum has WRITE on the Web share - upload a PHP webshell, get a reverse shell as svc_apache. Generate a msfvenom payload, catch it in msfconsole, upload RunasCs via meterpreter, run as C.Bum to get a second session. Port-forward port 8000 (internal IIS dev site) through the C.Bum session, discover C:\inetpub\development is writable, upload an ASPX webshell, get a shell as IIS AppPool\DefaultAppPool. That account has SeImpersonatePrivilege - msfconsole getsystem uses Named Pipe Impersonation (EfsPotato variant) to land NT AUTHORITY\SYSTEM. ...

June 4, 2026 · 6 min · João Vítor Bonin

HTB: Giddy

SQL injection doesn’t always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn’t - and that’s enough to steal credentials. Giddy is a great example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine Info

| Field | Details |
|---|---|
| Name | Giddy |
| Platform | HackTheBox |
| OS | Windows |
| Difficulty | Medium |
| IP | 10.129.96.140 |

TL;DR

ASP.NET MVC app has a search endpoint vulnerable to SQL injection. We use xp_dirtree to force the SQL Server to authenticate outbound to our Responder instance, capturing Stacy’s NTLMv2 hash. After cracking it, Evil-WinRM gives us a shell. On the machine we find a unifivideo folder hinting at CVE-2016-6914 - Ubiquiti UniFi Video’s service hijacks taskkill.exe on stop. Defender blocks msfvenom, so we cross-compile a custom Go payload to add a local admin user and RDP in as root. ...

May 31, 2026 · 4 min · João Vítor Bonin