Web


Nmap discovered a web server running over TLS on port 443 of the target. The service appears to be Microsoft IIS httpd 10.0, the same server software seen on port 80.

SSL Certificate


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ openssl s_client -connect $IP:443 | openssl x509 -text       
Can't use SSL_get_servername
depth=0 C = EU, CN = streamIO
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = EU, CN = streamIO
verify error:num=10:certificate has expired
notAfter=Mar 24 07:03:28 2022 GMT
verify return:1
depth=0 C = EU, CN = streamIO
notAfter=Mar 24 07:03:28 2022 GMT
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6d:d0:d1:67:14:79:e6:76:df:33:12:73:04:75:95:5d:c1:fc:de:44
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = EU, CN = streamIO
        Validity
            Not Before: Feb 22 07:03:28 2022 GMT
            Not After : Mar 24 07:03:28 2022 GMT
        Subject: C = EU, CN = streamIO
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d9:04:8e:f2:7a:16:0d:4f:80:31:8b:a1:48:ca:
                    c1:da:60:3e:57:b5:b6:83:03:1d:4c:7c:58:2b:46:
                    ae:b2:70:47:75:f4:38:c8:68:00:b3:b4:9d:c9:82:
                    97:7f:c7:c0:e7:4d:b1:e0:bb:d8:c2:09:9d:eb:b4:
                    2d:41:d6:2d:b1:34:af:eb:74:a5:9c:45:b7:ce:32:
                    72:bb:f7:51:5b:47:30:31:f0:42:ab:28:8b:80:04:
                    9c:af:16:ff:e8:73:a1:a6:73:80:ce:4d:03:74:15:
                    84:da:fa:1b:b1:24:80:87:e7:03:1d:54:ae:49:b1:
                    01:2e:a2:74:18:42:f8:85:c8:20:1e:14:2a:e8:72:
                    d1:9a:6a:db:d3:01:a3:2f:55:88:c2:34:3c:70:25:
                    9c:17:3c:f0:e5:77:b7:80:47:be:68:72:b6:e3:9a:
                    99:2a:b6:6d:1e:e5:de:94:57:bb:db:f9:db:17:c5:
                    45:8a:e9:24:68:13:20:a2:1e:95:7e:93:3a:ea:73:
                    33:cb:e2:9e:2d:f8:4f:16:4c:41:b7:aa:2c:19:41:
                    f0:4a:7a:1c:26:49:dc:ee:df:b2:49:15:53:00:20:
                    0c:3e:36:db:3c:61:25:e2:1b:cd:11:c6:69:7a:97:
                    a9:ea:30:fa:aa:08:b8:93:b6:cb:f3:63:6e:d8:07:
                    92:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                5F:D0:02:D6:0A:0B:D5:7D:18:22:8D:1D:88:D0:A6:34:B9:18:D8:76
            X509v3 Authority Key Identifier: 
                5F:D0:02:D6:0A:0B:D5:7D:18:22:8D:1D:88:D0:A6:34:B9:18:D8:76
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:streamIO.htb, DNS:watch.streamIO.htb
            X509v3 Certificate Policies: 
                Policy: 1.2.3.4
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        82:00:5b:c3:93:f5:d7:b3:02:f8:70:fe:a7:1f:c3:04:91:d1:
        14:ef:2b:cc:38:83:e9:fb:a9:29:82:e8:c9:b1:bf:cf:8f:ae:
        af:df:bc:38:7f:7b:ac:e7:77:5c:a2:2c:60:ba:71:5f:44:ef:
        ea:02:3b:58:3c:d5:a3:79:b5:ed:b4:b1:c4:47:e7:de:b7:9d:
        cc:bb:f5:3c:6d:54:0e:e5:00:fa:12:b4:98:52:bc:d6:fe:5d:
        cf:35:41:47:21:ec:29:36:0d:3d:82:69:18:e2:05:ed:a1:9c:
        c6:37:b9:2f:8e:e2:87:9b:e9:46:d0:cb:a7:57:37:09:cc:9d:
        d6:70:b1:d0:51:cc:04:58:07:52:19:e0:32:29:37:c6:37:2f:
        3c:d9:84:d4:88:00:b7:a7:b1:d3:eb:53:f0:08:8f:a5:3b:f3:
        94:e7:65:65:82:72:2d:44:71:fe:c9:ec:41:4c:b4:41:f8:e6:
        b6:52:10:7b:1a:79:ed:40:e4:75:4b:98:38:f7:b0:ac:df:20:
        1c:89:24:f6:25:a2:a1:70:29:c1:63:57:16:a9:44:80:9b:9e:
        90:2b:79:b3:e7:90:4d:3d:c3:94:1c:b8:6b:14:b8:c8:69:64:
        55:c7:c4:68:f1:03:82:59:cc:64:4d:f5:5c:29:c4:7e:0d:22:
        53:38:91:fc
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

As discovered in the earlier stage, the X509v3 Subject Alternative Name extension of the certificate lists the following hosts:

  • watch.streamio.htb
    • This is certainly not the FQDN of the target system itself, so it is likely a virtual host or sub-domain served by the same IIS instance
  • streamio.htb
    • This one is more interesting because it is also the target organization's Active Directory domain

It is worth keeping in mind that streamio.htb therefore serves as both an Active Directory domain name and a website host name.

Two further observations on the certificate: it is self-signed and expired (Not After: Mar 24 2022), so tooling has to be told to ignore validation errors, and the `Can't use SSL_get_servername` line shows that no SNI was sent. Re-running `openssl s_client` with `-servername watch.streamio.htb` is a cheap check for whether the server presents a different certificate per virtual host.

The /etc/hosts file on Kali has been updated so that both names resolve to the target locally
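A small helper, added here as an example and not part of the original write-up, that pulls the DNS SAN entries, the subject CN and the expiry out of `openssl x509 -text` output and turns them into an /etc/hosts line. The embedded certificate text is a constructed excerpt of the dump above, and the IP address passed in is a placeholder, not the target's.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines of the openssl x509 -text dump above.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Issuer: C = EU, CN = streamIO
        Validity
            Not Before: Feb 22 07:03:28 2022 GMT
            Not After : Mar 24 07:03:28 2022 GMT
        Subject: C = EU, CN = streamIO
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:streamIO.htb, DNS:watch.streamIO.htb
"""


def extract_san_dns(x509_text):
    """Return the DNS names from the SAN extension, lower-cased and de-duplicated.

    Hostnames are case-insensitive, so 'streamIO.htb' and 'streamio.htb'
    name the same virtual host; lower-casing avoids duplicate hosts entries.
    """
    match = re.search(r"Subject Alternative Name:\s*([^\n]+)", x509_text)
    if not match:
        return []
    names = []
    for entry in match.group(1).split(","):
        entry = entry.strip()
        if entry.lower().startswith("dns:"):
            name = entry[4:].strip().lower()
            if name and name not in names:
                names.append(name)
    return names


def extract_subject_cn(x509_text):
    """Return the subject CN (lower-cased) or None. Here it is 'streamio',
    which is not an FQDN, so only the SAN entries are usable as hostnames."""
    match = re.search(r"^\s*Subject:[^\n]*?CN = ([^,\n]+)", x509_text, re.MULTILINE)
    return match.group(1).strip().lower() if match else None


def not_after(x509_text):
    """Parse the 'Not After' timestamp so expiry can be checked programmatically."""
    match = re.search(r"Not After\s*:\s*([^\n]+)", x509_text)
    if not match:
        return None
    return datetime.strptime(match.group(1).strip(), "%b %d %H:%M:%S %Y GMT")


def is_expired(x509_text, now=None):
    """True if the certificate's Not After date lies in the past (UTC)."""
    expiry = not_after(x509_text)
    if expiry is None:
        return None
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return now > expiry


def hosts_line(ip, x509_text):
    """Build an /etc/hosts line naming every SAN host, e.g.
    '10.10.10.10 streamio.htb watch.streamio.htb' (placeholder IP)."""
    names = extract_san_dns(x509_text)
    return "{} {}".format(ip, " ".join(names)) if names else ""


if __name__ == "__main__":
    print(hosts_line("10.10.10.10", SAMPLE_X509_TEXT))
    print("subject CN:", extract_subject_cn(SAMPLE_X509_TEXT))
    print("expired:", is_expired(SAMPLE_X509_TEXT))
```

Append the printed line to /etc/hosts with the real target IP; the same name list doubles as a starting vhost list for Host-header fuzzing.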

streamio.htb host


Webroot of the streamio.htb host. It appears to be a media streaming platform

A few files have already been crawled by Burp Suite

about.php


The about.php file names three potential users:

  • Barry
  • Oliver
  • Samantha

contact.php


The contact form seems to be functional. However, XSS appears highly unlikely here


In the footer there is the oliver user who was already brought up in the about.php file above

login.php


The login page contains a link to the registration page. I have tried some basic credentials and none of them worked

I will check the Register hyperlink

register.php


Creating a testing account at the registration page, register.php. I will use this dummy credential to attempt to authenticate at the login page

Authentication Failure


Interestingly, the Login hyperlink above points somewhere other than the login.php file

Additionally, the location it points to doesn't even exist

Back at login.php, authentication with the newly created testing account fails. There appears to be no way around it for now

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://streamio.htb/FUZZ -ic -e .php,.txt -D
________________________________________________
 :: Method           : GET
 :: URL              : https://streamio.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 145ms]
images                  [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 90ms]
Images                  [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 85ms]
admin                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 91ms]
css                     [Status: 301, Size: 148, Words: 9, Lines: 2, Duration: 91ms]
js                      [Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 92ms]
fonts                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 91ms]
IMAGES                  [Status: 301, Size: 151, Words: 9, Lines: 2, Duration: 85ms]
Fonts                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 93ms]
Admin                   [Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 86ms]
CSS                     [Status: 301, Size: 148, Words: 9, Lines: 2, Duration: 87ms]
JS                      [Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 169ms]
                        [Status: 200, Size: 13497, Words: 5027, Lines: 395, Duration: 91ms]
:: Progress: [220547/220547] :: Job [1/1] :: 364 req/sec :: Duration: [0:09:17] :: Errors: 0 ::

Fuzzing the streamio.htb host reveals a previously unknown directory at /admin. The mixed-case duplicates (images, Images, IMAGES and so on) are expected: IIS on Windows resolves paths case-insensitively, so every casing of a directory name in the wordlist hits the same directory

/admin


I am redirected to the /admin/ directory, but it returns a 403 and shows "FORBIDDEN"

Fuzzing

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u https://streamio.htb/admin/FUZZ -ic 
________________________________________________
 :: Method           : GET
 :: URL              : https://streamio.htb/admin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.php               [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 91ms]
.                       [Status: 403, Size: 18, Words: 1, Lines: 1, Duration: 98ms]
master.php              [Status: 200, Size: 58, Words: 5, Lines: 2, Duration: 153ms]
:: Progress: [35325/35325] :: Job [1/1] :: 449 req/sec :: Duration: [0:01:36] :: Errors: 1 ::

While index.php returns a 403, master.php is accessible

/admin/master.php

The master.php file shows "Movie management". It also mentions that the page is only accessible through "includes". That wording allows two readings worth testing: the file may be meant to be included by another script (typically index.php) that performs the authentication check, in which case requesting it directly bypasses that check; or the file itself may include other files based on user input, which would be a local file inclusion (LFI) vulnerability. Neither has been confirmed yet

watch.streamio.htb host


Webroot of the watch.streamio.htb host. While related, this site looks quite different from the streamio.htb host above

Wappalyzer identified the technologies involved. The site is written in PHP 7.2.26, a branch that has been end-of-life since November 2020

FAQs


The FAQs section contains a notable piece of information regarding the available platforms: it specifically states that the website is available for both mobile and desktop

The current session being "desktop", there should be a way to reach the "mobile" version of the site, for example through a different User-Agent, a cookie, or a separate path or virtual host

Subscription


While the Subscription feature seems to be functional, there is not much to enumerate, much like the contact form of the streamio.htb host earlier

Comment


Another interesting thing is that the index.php source contains a commented-out block of code that appears to have been used for authentication in the past

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://watch.streamio.htb/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : https://watch.streamio.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.php               [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 89ms]
                        [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 92ms]
search.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 189ms]
static                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 87ms]
Search.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 105ms]
Index.php               [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 100ms]
INDEX.php               [Status: 200, Size: 2829, Words: 202, Lines: 79, Duration: 90ms]
blocked.php             [Status: 200, Size: 677, Words: 28, Lines: 20, Duration: 89ms]
SEARCH.php              [Status: 200, Size: 253887, Words: 12366, Lines: 7194, Duration: 97ms]
Static                  [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 91ms]
:: Progress: [661641/661641] :: Job [1/1] :: 401 req/sec :: Duration: [0:27:09] :: Errors: 0 ::

ffuf returned a few files: index.php, search.php and blocked.php. While index.php is likely the landing page seen at the webroot, the rest need to be checked. As before, the mixed-case duplicates come from IIS's case-insensitive path handling

search.php


The page is an obvious SQL injection candidate. As the name suggests, it is the catalogue of the stored media, which end users can search

Searching sends a POST request to search.php with the query in the q parameter

SQLi

After some trial and error, I have found and confirmed the SQLi vulnerability. Exploiting it represents a step closer to compromising the target domain

blocked.php


While blocked.php appears to be a static page, it is the landing page of a poorly implemented WAF-style filter meant to mitigate the SQLi vulnerability above. I have confirmed that search.php sends the user to this page when the query contains a word on its blacklist (i.e. a keyword typically seen in SQLi). The following words have been confirmed to be blacklisted:

  • all
  • or
  • null
  • 0x
  • order

It claims to block the session for a certain period of time, but that is not borne out so far: I am able to keep accessing the endpoint
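To show why a keyword blacklist in front of a concatenated query is not a fix, here is an added example that is not the box's code: a SQLite stand-in for the search.php behaviour described above, with the vulnerable pattern beside its parameterised form. The catalogue contents, the users table, the backend (SQLite rather than whatever search.php talks to) and the match rule (case-insensitive substring) are assumptions for the demo; the write-up only lists the blocked words. The demo payload targets this SQLite schema only and is not the query used against the target.

```python
import sqlite3

# Words the write-up reports search.php rejects (redirecting to blocked.php).
BLOCKLIST = ["all", "or", "null", "0x", "order"]


def build_catalogue():
    """Constructed stand-in for the media catalogue (assumed schema, SQLite)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, year INTEGER)")
    con.executemany(
        "INSERT INTO movies (title, year) VALUES (?, ?)",
        [("Alien", 1979), ("The Matrix", 1999), ("Thor", 2011), ("Inception", 2010)],
    )
    # A second table the search feature should never be able to reach.
    con.execute("CREATE TABLE users (username TEXT, pass_hash TEXT)")
    con.execute("INSERT INTO users VALUES ('demo', 'secret-hash')")
    return con


def is_blocked(q):
    """Assumed filter rule: case-insensitive substring match against BLOCKLIST."""
    lowered = q.lower()
    return any(word in lowered for word in BLOCKLIST)


def search_vulnerable(con, q):
    """The pattern described above: a keyword blocklist guarding a query built
    by string concatenation. Returns 'blocked' or a list of matching titles."""
    if is_blocked(q):
        return "blocked"
    sql = "SELECT title FROM movies WHERE title LIKE '%{}%'".format(q)
    return [row[0] for row in con.execute(sql)]


def search_safe(con, q):
    """Hardened form: a parameterised query. The input is bound as data, so no
    keyword list is needed and no legitimate search is rejected."""
    sql = "SELECT title FROM movies WHERE title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%{}%".format(q),))]


# Demo payload for this SQLite schema only; it contains none of the listed
# words, so the blocklist lets it through to the concatenated query.
DEMO_PAYLOAD = "' UNION SELECT username || ':' || pass_hash FROM users --"

if __name__ == "__main__":
    con = build_catalogue()
    # 'Thor' contains 'or', so under the assumed rule a legitimate search is blocked.
    print("vulnerable, 'Thor':  ", search_vulnerable(con, "Thor"))
    print("safe, 'Thor':        ", search_safe(con, "Thor"))
    # The injection is not blocked and reads the users table.
    print("vulnerable, payload: ", search_vulnerable(con, DEMO_PAYLOAD))
    print("safe, payload:       ", search_safe(con, DEMO_PAYLOAD))
```

Two failure modes show up at once: under the assumed substring rule the blacklist rejects a harmless title search, while an injection that simply avoids the listed words reaches the database. Binding the search term as a parameter removes both problems, and a blocklist then adds nothing.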