🗣️Introduction

For the next few HTB entries, the posts will simply be my notes from Obsidian converted to WordPress. This is due to recent time constraints in my personal life not providing enough time to write out full guides. I do see the usefulness in these posts, though, as the tags and information allow me to quickly reference how I handled certain aspects in the past.

🔎🦶Enumeration/Foothold

Port 80

Port 80 shows IIS running on the box.

Port 443 – Sub-domain found:

HTTPS certificate shows sub-domain.

Introduction SQLMap Scan:

Tuned SQLMAP Scan:

Ran Hashes against John/Crackstation:

Admin Panel – Shows a parameter per page:

Admin panel showing parameter per page.

Debug Parameter found and has LFI / Database Credentials:

Verifying LFI working on the parameter.

Index.php shows database credentials:

Further Discovery shows Master.php:

Master.php ‘Only accessible through Includes’:

Movie Management only accessible through includes.

Master shows a possible LFI on include. Exploit with Burp to confirm:

LFI on debug parameter via include.

Creating a Stable Reverse Shell:

Setting up Chisel to Port Forward the Database as SQLMap showed two inaccessible databases:

Used Crackstation / John cracking to confirm:

WINRM – Getting User Flag:

🔝Escalation to Root

WinPEAS showing Firefox Credentials:

Firefox – Dumpzilla didn’t work:

BloodHound:

WriteOwner permission found on BloodHound.

Used WriteOwner to elevate my session:

Used Core Staff permission to grab LAPS:

BloodHound showing LAPS escalation.

Root:

Rooted

Published On: October 10th, 2022 / Categories: HTB, Technology