Hack The Box StreamIO: Manually Enumerating MSSQL Databases, Attacking Active Directory, and LAPS
00:00 Intro
01:00 Start of nmap, discovering it is an Active Directory server and finding hostnames in SSL certificates
05:20 Running Feroxbuster and then stopping it from navigating into a few directories
08:00 Examining the StreamIO website
10:20 Finding and
11:00 Fuzzing the search field with ffuf by sending special characters to identify odd behaviors
16:10 Writing what we think the query looks like on the backend, so we can understand why our comment did not work
19:00 Burp Suite trick, setting the autoscroll on the Repeater tab
19:30 Testing for union injection now that we know the wildcard trick
22:15 Using xp_dirtree to make the MSSQL database connect back to us and steal the hash
25:15 Extracting information like version, username, database names, etc. from the MSSQL server
27:20 Extracting the table name and id from the sysobjects table
28:45 Using STRING_AGG and CONCAT to extract multiple SQL entries onto a single line