🗣️Introduction
For the next few HTB entries the post will simply be my notes from Obsidian converted to WordPress. This is due to recent time constraints with my personal life not providing enough time to write out full guides. I do see the usefulness in the post though as the tags and information allow me to quickly reference how I handled certain aspects in the past.
🔎🦶Enumeration/Foothold
Copy
Port 80
Port 80 shows IIS running on the box.
Port 443 – Sub-domain found:
HTTPS certificate shows sub-domain.
Introduction SQLMap Scan:
Copy
Tuned SQLMAP Scan:
Copy
Ran Hashes against John/Crackstation:
Copy
Admin Panel – Shows a parameter per page:
Admin panel showing parameter per page.
Copy
Debug Parameter found and has LFI / Database Credentials:
Copy
Verified with carlospolop – Windows LFI list and HackTricks – LFI PHP Wrappers:
Verifying LFI working on the parameter.
Index.php shows database credentials:
Further Discovery shows Master.php:
Copy
Master.php ‘Only accessible through Includes’:
Movie Management only accessible through includes.
Master shows a possible LFI on include. Exploit with Burp to confirm:
LFI on debug parameter via include.
Creating a Stable Reverse Shell:
Copy
Setting up Chisel to Port Forward the Database as SQLMap showed two inaccessible databases:
Copy
Copy
Copy
Used Crackstation / John cracking to confirm:
Copy
WINRM – Getting User Flag:
Copy
🔝Escalation to Root
WinPEAS showing Firefox Credentials:
Copy
Firefox – Dumpzilla didn’t work:
Copy
BloodHound:
Copy
WriteOwner permission found on BloodHound.
Used WriteOwner to elevate my session:
Copy
Used Core Staff permission to grab LAPS:
BloodHound showing LAPS escalation.
Copy
Copy
Root:
Copy
