HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·3y ago

Key Takeaways

Creates Webhooks in Slack and sends messages from Powershell

Original Description

00:00 - Intro 01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates 05:20 - Running Feroxbuster and then cancelling it from navigating into a few directories 08:00 - Examining the StreamIO Website 10:20 - Finding watch.stream.io/search.php and 11:00 - Fuzzing the search field with ffuf by sending special characters to identify odd behaviors 16:10 - Writing what we think the query looks like on the backend, so we can understand why our comment did not work. 19:00 - Burpsuite Trick, setting the autoscroll on the repeater tab 19:30 - Testing for Union Injection now that we know the wildcard trick 22:15 - Using xp_dirtree to make the MSSQL database connect back to us and steal the hash 25:15 - Extracting information like version, username, database names, etc from the MSSQL Server 27:20 - Extracting the table name, id from the sysobjects table 28:45 - Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane for mass exfil 31:30 - Extracting column names from the tables 35:20 - Using VIM and SED to make our output a bit prettier 36:45 - Cracking these MD5sum with Hashcat 39:55 - Using Hydra to perform a password spray with the credentials we cracked 45:10 - Using FFUF to fuzz the parameter name within admin to discover an LFI 51:40 - Tricking the server into executing code through the admin backdoor, using ConPtyShell to get a reverse shell on windows with a proper TTY 59:10 - Using SQLCMD on the server with the other database credentials we have to extract information from the Backup Database, cracking it and finding valid creds 1:06:00 - Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract credentials 1:16:30 - Running CrackMapExec to spray passwords from Firefox to get JDGodd's password 1:28:20 - Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can read the LAPS Password 1:37:06 - Extracting the LAPS Password 1:46:10 - Showing you could have SQLMap
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
2 HackTheBox - October
HackTheBox - October
IppSec
3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
5 HackTheBox - Bank
HackTheBox - Bank
IppSec
6 HackTheBox - Joker
HackTheBox - Joker
IppSec
7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
9 HackTheBox - Devel
HackTheBox - Devel
IppSec
10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
14 HackTheBox - Charon
HackTheBox - Charon
IppSec
15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
17 HackTheBox - Europa
HackTheBox - Europa
IppSec
18 Introduction to tmux
Introduction to tmux
IppSec
19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
21 HackTheBox - Jail
HackTheBox - Jail
IppSec
22 HackTheBox - Blue
HackTheBox - Blue
IppSec
23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
28 HackTheBox - Node
HackTheBox - Node
IppSec
29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
31 HackTheBox - Sense
HackTheBox - Sense
IppSec
32 HackTheBox - Minion
HackTheBox - Minion
IppSec
33 VulnHub - Sokar
VulnHub - Sokar
IppSec
34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
35 HackTheBox - Inception
HackTheBox - Inception
IppSec
36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
40 HackTheBox - Tally
HackTheBox - Tally
IppSec
41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
45 How To Create Empire Modules
How To Create Empire Modules
IppSec
46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
47 HackTheBox - Nightmarev2  - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
48 HackTheBox - Bart
HackTheBox - Bart
IppSec
49 HackTheBox -  Aragog
HackTheBox - Aragog
IppSec
50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
51 HackTheBox - Silo
HackTheBox - Silo
IppSec
52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
55 HackTheBox - Poison
HackTheBox - Poison
IppSec
56 HackTheBox - Canape
HackTheBox - Canape
IppSec
57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related Reads

📰
Classroom vs Online Data Science Training in Hyderabad | Coding MastersClassroom vs Online Data…
Learn why data science is in high demand and how to get trained in Hyderabad, whether through classroom or online modes, to boost your career
Medium · Data Science
📰
SciDraw Alternative: Paper Banana for Scientific Figures
Discover Paper Banana as a SciDraw alternative for creating scientific figures, and learn how to use it for your data visualization needs
Medium · Data Science
📰
“Missão: Risco da Carteira”.
Learn to assess portfolio risk using data science techniques and tools
Medium · Data Science
📰
When Ten Analysts Agree and Two Are Right — What Numbers 13 Knew About Groupthink
Learn how to identify and avoid groupthink in analysis and decision-making, and why it's crucial for accurate threat assessments
Medium · AI

Chapters (25)

Intro
1:00 Start of nmap, discovering it is an Active Directory Server and hostnames in S
5:20 Running Feroxbuster and then cancelling it from navigating into a few director
8:00 Examining the StreamIO Website
10:20 Finding watch.stream.io/search.php and
11:00 Fuzzing the search field with ffuf by sending special characters to identify o
16:10 Writing what we think the query looks like on the backend, so we can understan
19:00 Burpsuite Trick, setting the autoscroll on the repeater tab
19:30 Testing for Union Injection now that we know the wildcard trick
22:15 Using xp_dirtree to make the MSSQL database connect back to us and steal the h
25:15 Extracting information like version, username, database names, etc from the MS
27:20 Extracting the table name, id from the sysobjects table
28:45 Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane
31:30 Extracting column names from the tables
35:20 Using VIM and SED to make our output a bit prettier
36:45 Cracking these MD5sum with Hashcat
39:55 Using Hydra to perform a password spray with the credentials we cracked
45:10 Using FFUF to fuzz the parameter name within admin to discover an LFI
51:40 Tricking the server into executing code through the admin backdoor, using ConP
59:10 Using SQLCMD on the server with the other database credentials we have to extr
1:06:00 Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract
1:16:30 Running CrackMapExec to spray passwords from Firefox to get JDGodd's password
1:28:20 Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can r
1:37:06 Extracting the LAPS Password
1:46:10 Showing you could have SQLMap
Up next
This could be the most perfect data frontend
Matt Williams
Watch →