An unauthenticated MSSQL UNION injection on watch.streamio.htb dumped all user password hashes; cracking them gave admin login, and the admin panel's debug parameter passed user input directly to PHP include(), enabling source disclosure via php://filter and Remote File Inclusion through master.php's eval(file_get_contents()) to land a reverse shell.
StreamIO is a medium-difficulty Windows Active Directory machine. The attack chain opens with an unauthenticated SQL injection on a movie search page that dumps the full users table via MSSQL UNION injection; cracking the MD5 hashes gives admin credentials, and the admin panel exposes a debug URL parameter that passes user input directly into PHP’s include() call — enabling PHP filter source-code disclosure and, through master.php’s eval(file_get_contents($_POST['include'])) sink, full Remote File Inclusion RCE. From there, hardcoded database credentials disclosed by the LFI lead to a backup database with another user’s hash, Firefox’s key4.db decrypted with firepwd.py exposes a third user’s domain password, and BloodHound reveals that user holds WriteOwner over a group whose members can read LAPS secrets — yielding the Administrator password via ldapsearch.
Machine Matrix
Heavy enumeration and high real-life scores reflect the multi-layer chain — vhost discovery, MSSQL UNION injection, PHP filter source disclosure, backup database credential recovery, Firefox profile decryption, and BloodHound-driven AD ACL abuse — all techniques that appear regularly in real Windows AD environments.
Port 443 serves two vhosts: streamio.htb (the main site) and watch.streamio.htb (a movie-watching portal). The presence of ports 88, 389, and 636 immediately identifies this as a domain controller. Add the vhosts to /etc/hosts:
Browsing watch.streamio.htb reveals a movie search feature at /search.php. Testing the q parameter with a single quote returns a database error, confirming SQL injection. Column-count enumeration shows six columns, and a UNION query leaks the entire users table:
1
2
3
curl -sk"https://watch.streamio.htb/search.php"\-d"q=10' UNION SELECT 1,CONCAT(username,CHAR(58),password),3,4,5,6 FROM users-- -"\
| grep-oP'class="p-2">\K[^<]+' | grep-v"^$" | sed's/ //g'
Several hashes crack; yoshihide:66boysandgirls.. grants access to streamio.htb/login.php. After logging in, the admin panel at https://streamio.htb/admin/ exposes a debug URL parameter. Using PHP’s php://filter wrapper reads source files without executing them:
The decoded source reveals hardcoded credentials db_admin:B1@hx31234567890 and confirms the debug parameter passes its value to PHP’s include(). Reading master.php with the same technique exposes the RFI sink: eval(file_get_contents($_POST['include'])).
Foothold
With RFI confirmed, serve a PHP webshell and trigger it via master.php:
Import the resulting ZIP into BloodHound. The graph shows JDgodd holds WriteOwner over the CORE STAFF group, and CORE STAFF members can read LAPS ms-MCS-AdmPwd on the domain controller. Download PowerView to the target via the nikk37 session and exploit the privilege misassignment chain: