HackTheBox - StreamIO - Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS

Uploaded By: Myvideo

00:00 - Intro
01:00 - Start of nmap, discovering it is an Active Directory Server and hostnames in SSL Certificates
05:20 - Running Feroxbuster and then cancelling it from navigating into a few directories
08:00 - Examining the StreamIO Website
10:20 - Finding and
11:00 - Fuzzing the search field with ffuf by sending special characters to identify odd behaviors
16:10 - Writing what we think the query looks like on the backend, so we can understand why our comment did not work.
19:00 - Burpsuite Trick, setting the autoscroll on the repeater tab
19:30 - Testing for Union Injection now that we know the wildcard trick
22:15 - Using xp_dirtree to make the MSSQL database connect back to us and steal the hash
25:15 - Extracting information like version, username, database names, etc. from the MSSQL Server
27:20 - Extracting the table name, id from the sysobjects table
28:45 - Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single line
