StreamIO
https://app.hackthebox.com/machines/474
First we start by going through all the open ports without being too verbose:
then we do a verbose scan on the open ports:
Based on the IIS Version on 80, the host is likely running Windows 10+ or Server 2016+.
The combination of services (DNS 53, Kerberos 88, LDAP 389, SMB 445, RPC 135, NetBIOS 139, and others) suggests this is a domain controller.
On port 443 we can see 2 DNS names to put in our /etc/hosts: streamIO.htb and watch.streamIO.htb
After fuzzing 80 and 443, we only found the watch. name, so we can go and enumerate SMB (445) now
So now we can add DC.streamIO.htb to the hosts file
anonymous login did not work on the SMB shares, so let's start looking at the websites:
port 80 is just an IIS page; on the other hand, streamIO.htb on port 443 (HTTPS) is interesting:
on the about page:
Maybe some possible users?
we see some links that end with php, maybe that's the way to go for feroxbuster?
we get some pretty interesting paths
that's quite interesting
so let's go on our login page that has a little register button under it:
Let's register -> Felix/Felix
even after registering, I can't connect?
let's pivot to their other platform, watch.
Note that every domain in HTTP redirects to IIS and HTTPS to the interesting domain ⁉️
I subscribed with test@test.com and got this response:
Let's try to see some subdomains for this one:
the only one that seemed interesting was blocked.php:
Aye, we have got to be extra careful
after a second look, the search.php was interesting:
all the watch buttons are popping this up:
Let's see if we can get some stuff out of this:
so it's clearly using wildcards of some sort, like *the*
So the query could look something like:
so if in the input I put something like the';-- -
yeah, just as I thought, it returns every movie that ENDS with "the", because now the query looks like %the
playing with the input, we can easily find the query that prints everything:
now let's use the column tricks I learned in the SQL documentation:
😛 (see the SQL Injection page) damn, first try 😂
Ok, so after waiting for 1h I was not really blocked. After looking for a session id or whatever else could block me, it turns out I was just redirected to the blocked.php page, so the input filter is probably case sensitive ->
this does not redirect me:
after troubleshooting, some typos return nothing at all, which is very weird:
abcd' union select 1,2,3,4,5,6;-- -
is used to inject a new query into a legitimate SQL query and extract data from the database. The union keyword is used to join the results of the original query and the injected query, and the select statement is used to specify the values to be returned. The ; character is used to terminate the query, and the -- and - characters are used to start and complete a comment.
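To show why the search box behaves this way and how it should have been written, here is an added example (my own code, not from the box or the writeup) that rebuilds the LIKE-based search against a constructed sqlite catalogue: the concatenated query, a parameterized query that still leaks wildcards, and a hardened version that escapes % and _ as well.

```python
import sqlite3

# Constructed sample catalogue; not data from the StreamIO box.
MOVIES = ["Gone with the Wind", "Young Goethe", "Blade Runner", "50% Off"]


def make_db():
    """In-memory stand-in for the movie table behind search.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO movies (title) VALUES (?)", [(t,) for t in MOVIES])
    return conn


def search_vulnerable(conn, term):
    """Builds the filter by string concatenation, the pattern the writeup's
    input the';-- - exposes: the quote closes the pattern, ;-- - comments out
    the rest, and the query degrades to LIKE '%the'."""
    sql = f"SELECT title FROM movies WHERE title LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Placeholder keeps quotes and comments out of the SQL grammar, so the
    injection fails, but % and _ inside term are still LIKE wildcards."""
    sql = "SELECT title FROM movies WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def escape_like(term, esc="\\"):
    """Neutralise LIKE metacharacters so user input matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_hardened(conn, term):
    """Parameterized and wildcard-escaped: only the surrounding % are ours."""
    sql = "SELECT title FROM movies WHERE title LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (f"%{escape_like(term)}%",))]


if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized, search_hardened):
        print(fn.__name__, fn(db, "the';-- -"), fn(db, "%"))
```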
I'll try to get the DB version. This cheat sheet shows how with different database types. It's fair to guess that this is either MSSQL (since it's Windows) or MySQL (very common with PHP). Both of those use @@version, and it works:
let's try stacked queries to get a Net-NTLMv2 hash
after setting up responder ->
and input:
we get some form of response:
Unfortunately hashcat won't crack it, because it's a machine account and so unlikely to be crackable ->
union select 1,name,3,4,5,6
is the second query that is being injected. The select keyword is used to specify the columns to be returned. In this case, the values 1, name, 3, 4, 5, and 6 are selected. The name column is being selected from the master..sysdatabases table. from master..sysdatabases specifies the table from which the data is being selected. The master database contains system information about the instance, and the sysdatabases table contains information about all databases on the server.
The purpose of this query is to extract the names of all databases on the server. The union keyword is used to combine the results of the original query with the results of the injected query. By selecting the name column from the sysdatabases table, the attacker can extract the databases on the server. The values 1, 3, 4, 5, and 6 are used to ensure that the number of columns in the two queries match, which is required for the union keyword to work properly.
we can see in this doc that all the DBs are system DBs; our DB is STREAMIO
so to continue our SQLi, I look at the syntax on the website:
we continue our way in:
we got the interesting tables, so now we'll try getting both at once:
We could try to do the same for the password and go from there but let's directly concat the 2 in one query:
So you put the passwords in a txt file and start cracking them with hashcat
--user is an option that specifies that the attack mode is set to "user-mode", which is used for cracking hashes of user passwords. -m 0 is an option that specifies the hash type to be cracked. In this case, the hash type is set to 0, which is the default hash type for hashcat. --show is an option that specifies that the cracked passwords should be displayed.
you can do it with all of them at once:
Now if you want to do a high scale separation:
then to test out all the hashes:
Unfortunately everything fails
But we still got valid creds so it's not too hard to guess where we need to go after that:
We could try it all manually, but let's automate:
Let's format it for a brute-force:
Which will output:
We are able to connect and after further enumeration, access the admin page:
I am able to delete some stuff from the database: