StreamIO - Hackthebox
I'm using this box as practice for Offensive Security's PEN-200 exam. I'm following TJ Null's recommended list. I expect to pass the OSCP. We'll see what happens.
StreamIO is a medium machine that covers subdomain enumeration leading to an SQL injection in order to retrieve stored user credentials, which are cracked to gain access to an administration panel. The administration panel is vulnerable to LFI, which allows us to retrieve the source code for the administration pages and leads to identifying a remote file inclusion vulnerability, the abuse of which gains us access to the system. After the initial shell we leverage the SQLCMD command line utility to enumerate databases and obtain further credentials used in lateral movement. As the secondary user we use WinPEAS to enumerate the system and find saved browser databases, which are decoded to expose new credentials. Using the new credentials within BloodHound we discover that the user has the ability to add themselves to a specific group in which they can read LDAP secrets. Without direct access to the account we use PowerShell to abuse this feature and add ourselves to the Core Staff group, then access LDAP to disclose the administrator LAPS password.
Skills Required
- Enumeration
- Custom MSSQL injection knowledge
- Remote file includes
- Basic Active Directory knowledge
- Bloodhound knowledge
- LDAP knowledge
- Understanding of LAPS
------------------
Skills Learned
- LFI using PHP wrappers
- Source Code Review
- Detecting and exploiting remote file inclusion
- Browser saved credentials retrieval and cracking
- Automatic LDAP enumeration for lateral movement
- LDAP abuse for privilege escalation
- LAPS password exposure
------------------
Tools
- manual enumeration
- sqlcmd
- netexec
- evil-winrm
- powershell
- powershell empire
- powerview.ps1
- bloodhound
- bloodhound-python
- neo4j
------------------
Certifications:
Practical Network Penetration Tester (PNPT) : TCM Security - https://certifications.tcm-sec.com/pnpt/
Practical Junior Penetration Tester (PJPT): TCM Security - https://certifications.tcm-sec.com/pjpt/
Practical Junior Web Tester (PJWT): TCM Security - https://certifications.tcm-sec.com/pjwt/
Certified Ethical Hacker (CEH): EC-Council
--------------------
Socials:
Tryhackme: https://tryhackme.com/p/NoxLumens
Hackthebox: https://app.hackthebox.com/profile/179139
Twitch: https://twitch.tv/noxlumens