HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS

Name: HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS
Uploaded: 2022-09-17T15:00:34Z
Channel: IppSec
Description: 00:00 - Intro 01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates 05:20 - Running Feroxbuster and then...

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·3y ago

00:00 - Intro 01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates 05:20 - Running Feroxbuster and then cancelling it from navigating into a few directories 08:00 - Examining the StreamIO Website 10:20 - Finding watch.stream.io/search.php and 11:00 - Fuzzing the search field with ffuf by sending special characters to identify odd behaviors 16:10 - Writing what we think the query looks like on the backend, so we can understand why our comment did not work. 19:00 - Burpsuite Trick, setting the autoscroll on the repeater tab 19:30 - Testing for U…

Watch on YouTube ↗ (saves to browser)

Chapters (25)

Intro

1:00 Start of nmap, discovering it is an Active Directory Server and hostnames in S

5:20 Running Feroxbuster and then cancelling it from navigating into a few director

8:00 Examining the StreamIO Website

10:20 Finding watch.stream.io/search.php and

11:00 Fuzzing the search field with ffuf by sending special characters to identify o

16:10 Writing what we think the query looks like on the backend, so we can understan

19:00 Burpsuite Trick, setting the autoscroll on the repeater tab

19:30 Testing for Union Injection now that we know the wildcard trick

22:15 Using xp_dirtree to make the MSSQL database connect back to us and steal the h

25:15 Extracting information like version, username, database names, etc from the MS

27:20 Extracting the table name, id from the sysobjects table

28:45 Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single lane

31:30 Extracting column names from the tables

35:20 Using VIM and SED to make our output a bit prettier

36:45 Cracking these MD5sum with Hashcat

39:55 Using Hydra to perform a password spray with the credentials we cracked

45:10 Using FFUF to fuzz the parameter name within admin to discover an LFI

51:40 Tricking the server into executing code through the admin backdoor, using ConP

59:10 Using SQLCMD on the server with the other database credentials we have to extr

1:06:00 Running WinPEAS as Nikk37 discovering firefox, then running FirePWD to extract

1:16:30 Running CrackMapExec to spray passwords from Firefox to get JDGodd's password

1:28:20 Running Bloodhound to discover JDGodd has WriteOwner on Core Staff which can r

1:37:06 Extracting the LAPS Password

1:46:10 Showing you could have SQLMap

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →