🗣️Introduction
For the next few HTB entries, the posts will simply be my notes from Obsidian converted to WordPress. This is due to recent time constraints in my personal life not leaving enough time to write out full guides. I do see the usefulness in the posts though, as the tags and information allow me to quickly reference how I handled certain aspects in the past.
🔎🦶Enumeration/Foothold

Port 80 shows IIS running on the box.
Port 443 – Sub-domain found:

HTTPS certificate shows sub-domain.
Introduction SQLMap Scan:
Ran Hashes against John/Crackstation:
Admin Panel – Shows a parameter per page:

Admin panel showing parameter per page.
Debug Parameter found and has LFI / Database Credentials:

Verifying LFI working on the parameter.
Index.php shows database credentials:
Further Discovery shows Master.php:
Master.php ‘Only accessible through Includes’:

Movie Management only accessible through includes.
Master shows a possible LFI on include. Exploit with Burp to confirm:

LFI on debug parameter via include.
Creating a Stable Reverse Shell:
Setting up Chisel to Port Forward the Database as SQLMap showed two inaccessible databases:
Used Crackstation / John cracking to confirm:
WINRM – Getting User Flag:
🔝Escalation to Root
WinPEAS showing Firefox Credentials:
Firefox – Dumpzilla didn’t work:

WriteOwner permission found on BloodHound.
Used WriteOwner to elevate my session:
Used Core Staff permission to grab LAPS:

BloodHound showing LAPS escalation.
Rooted