For the next few HTB entries the post will simply be my notes from Obsidian converted to WordPress. This is due to recent time constraints with my personal life not providing enough time to write out full guides. I do see the usefulness in the post, though, as the tags and information allow me to quickly reference how I handled certain aspects in the past.
Port 80 shows IIS running on the box.
Port 443 – Sub-domain found:
HTTPS certificate shows sub-domain.
Introduction SQLMap Scan:
Ran Hashes against John/Crackstation:
Admin Panel – Shows a parameter per page:
Admin panel showing parameter per page.
Debug Parameter found and has LFI / Database Credentials:
Verifying LFI working on the parameter.
Index.php shows database credentials:
Further Discovery shows Master.php:
Master.php ‘Only accessible through Includes’:
Movie Management only accessible through includes.
Master shows a possible LFI on include. Exploit with Burp to confirm:
LFI on debug parameter via include.
Creating a Stable Reverse Shell:
Setting up Chisel to Port Forward the Database as
SQLMap showed two inaccessible databases:
Used Crackstation / John cracking to confirm:
WINRM – Getting User Flag:
Escalation to Root
WinPEAS showing Firefox Credentials:
Firefox – Dumpzilla didn’t work:
WriteOwner permission found on BloodHound.
Used WriteOwner to elevate my session:
Used Core Staff permission to grab LAPS:
BloodHound showing LAPS escalation.