In this post, I would like to share a walkthrough of the StreamIO machine from Hack The Box.
StreamIO is considered a medium machine on Hack The Box.
What will you gain from the StreamIO machine?
For the user flag, you will need to explore the website further, and we can obtain a reverse shell by using the PHP debug function, which is intercepted using Burp Suite. After that, we need to enumerate deeper, for example into the database, to get a bunch of credentials.
As for the root flag, you need to use PowerView to give the user permission as Core Staff and get a new password using the laps.py exploit.
Information Gathering on StreamIO Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
There are a lot of open ports on this machine.
Let’s access the website interface.
We get an IIS interface in the browser.
However, we get an error page such as “Not Found”. Let’s check the certificate to see if there is anything that we can investigate.
I notice that there are two domains that we can analyze.
When we access it over HTTP, it still shows the IIS interface.
Finally, we managed to find a valid website interface.
Oh damn! We are directed to a login page but we don’t have any credentials to use for further action.
Therefore, let’s intercept the request using Burp Suite.
We can save the request as login.req
Enumerate using sqlmap tool
The result from sqlmap shows the version of the database and the operating system in use.
The website shows an admin panel, but there is not much in it for us to look at.
PHP filtering on the website
Let’s execute some PHP filtering on the website by reading the index.php file.
From the base64 code, we can see what is written in the PHP source code. We found nothing of interest in the PHP source code.
Therefore, let’s enumerate deeper using sqlmap tool.
From the sqlmap result, we could see a few databases by looking at the screenshot above.
We have a PHPSESSID session that we can use in the later stage.
As a result, we can take advantage of some exploits that are found on the internet.
We have successfully got the information from the exploit.
We can insert our reverse shell over here
At last, we got a reverse connection back to us.
We need to enumerate more on other databases which leads us to some credentials
Finally, we managed to access the machine by using one of the credentials that we obtained earlier.
We can read the user flag by typing the “type user.txt” command.
Escalate to Root Privileges Access on StreamIO
Let’s enumerate deeper inside the machine.
We managed to find some juicy information such as some encrypted passwords. After a while, we managed to obtain a bunch of credentials that we can use for a later stage.
We can obtain the PowerView.ps1 from here
As usual, we need to import the module for PowerView to work, just as on another machine such as Acute.
For those who managed to root Acute Machine, we can use a similar command on this machine too.
An additional requirement is that we need to download laps.py from here onto our machine.
As a result, we can obtain a new password by running the command above.
We can access the machine with the credentials “Administrator” and the password that we obtained earlier.
Sadly, the root flag is nowhere to be found on the Administrator’s Desktop.
Therefore, let’s see which other users are on the machine that we didn’t manage to see earlier.
At last, we found the root flag on Martin’s Desktop.
We can read the root flag by typing the “type root.txt” command.