Password-Spray

Machine #73 on the Lain Kusanagi list. Flight earns its Hard rating not through any single clever trick, but through sheer chain length - each hop unlocks exactly one new thing, and you have to string six or seven of them together to reach SYSTEM. It’s a patience test as much as a technical one. Machine Info Name Flight Platform HackTheBox OS Windows Difficulty Hard IP 10.129.7.136 Domain flight.htb TL;DR Nmap shows a full AD port set. Gobuster vhost finds school.flight.htb, a PHP app with a ?view= parameter vulnerable to LFI. UNC path inclusion leaks svc_apache’s NTLMv2 hash via Responder - john cracks it to S@Ss!K@*t13. Password spray finds S.Moon reuses the same password. S.Moon has WRITE on the Shared share - use ntlm_theft to drop a desktop.ini coercion file, Responder captures C.Bum’s hash, john cracks it to Tikkycoll_431012284. C.Bum has WRITE on the Web share - upload a PHP webshell, get a reverse shell as svc_apache. Generate a msfvenom payload, catch it in msfconsole, upload RunasCs via meterpreter, run as C.Bum to get a second session. Port-forward port 8000 (internal IIS dev site) through the C.Bum session, discover C:\inetpub\development is writable, upload an ASPX webshell, get a shell as IIS AppPool\DefaultAppPool. That account has SeImpersonatePrivilege - msfconsole getsystem uses Named Pipe Impersonation (EfsPotato variant) to land NT AUTHORITY\SYSTEM. ...

Machine #48 on the Lain Kusanagi list. Active Directory, a forgotten config file, and the Azure AD Sync service doing what it really shouldn’t. Machine Info Field Details Name Monteverde Platform HackTheBox OS Windows Difficulty Medium IP 10.129.228.111 Domain MEGABANK.LOCAL TL;DR Null session via nxc gives a full user list. A password spray with username=password lands SABatchJobs:SABatchJobs. Listing SMB shares reveals users$ is readable - spider_plus finds mhope/azure.xml, a leftover Azure AD Connect config file with a cleartext password. Spray again, get mhope via WinRM. mhope is in the Azure Admins group and the ADSync service is running locally. A public PoC decrypts the ADSync credentials from the local MSSQL database, handing us domain administrator. ...

Cicada is a textbook Active Directory enumeration chain. Each step surfaces something that unlocks the next user - a default password in an HR notice, a credential in a PowerShell script description field, a privilege that lets you dump the SAM. Good practice for the AD portion of OSCP. Machine info Name Cicada Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous SMB access exposes an HR onboarding notice with a default password Password spraying with nxc identifies michael.wrightson as the matching user Listing users without RID brute reveals david.orelious has his password in his description field David can access the DEV share, which contains a PowerShell script with emily.oscars credentials Emily has SeBackupPrivilege via WinRM - used to dump SAM/SYSTEM and pass-the-hash as Administrator Recon RustScan 1 rustscan -a 10.129.231.149 ...