Attack Vector: OAuth CSRF → SQLite RCE → DPAPI Secrets → Race Condition → SYSTEM
## 🗺️ The Attack Map
```
┌─────────────────────────────────────────────────────────────────┐
│                      ELOQUIA ATTACK CHAIN                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  1. RECONNAISSANCE          2. OAUTH CSRF          3. RCE       │
│  ┌──────────────┐           ┌──────────────┐       ┌──────────┐ │
│  │ Port Scan    │──────────►│ Session      │──────►│ SQLite   │ │
│  │ Web Enum     │           │ Fixation     │       │ Extension│ │
│  └──────────────┘           └──────────────┘       └──────────┘ │
│         │                          │                    │       │
│         ▼                          ▼                    ▼       │
│  Found: 80, 5985            Got: Admin Access      Blocked: FW  │
│  eloquia.htb, qooqle.htb    Credential Hardcoded   Solution: ↓  │
│                                                                 │
│  4. FILE-BASED SHELL        5. DPAPI DECRYPT       6. RACE      │
│  ┌──────────────┐           ┌──────────────┐       ┌──────────┐ │
│  │ DLL Upload   │──────────►│ Edge Creds   │──────►│ Service  │ │
│  │ Pseudo-Shell │           │ Extraction   │       │ Binary   │ │
│  └──────────────┘           └──────────────┘       └──────────┘ │
│         │                          │                    │       │
│         ▼                          ▼                    ▼       │
│  User: web                  User: Olivia.KAT       SYSTEM! 🎉   │
│  Commands Execute           WinRM Access           Both Flags   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
## 📚 Table of Contents
- [Act I: Discovery](#act-i-discovery)
- [Act II: The OAuth Heist](#act-ii-the-oauth-heist)
- [Act III: Breaking Through Walls](#act-iii-breaking-through-walls)
- [Act IV: Secrets in the Browser](#act-iv-secrets-in-the-browser)
- [Act V: The Race to SYSTEM](#act-v-the-race-to-system)
- [Epilogue: Lessons Learned](#epilogue-lessons-learned)
---
## 🎬 Act I: Discovery
### The Landscape
When I first scanned Eloquia, I expected the usual sprawl of services. Instead, I found a minimalist setup—a sign of either excellent hardening or a very specific attack surface.
```bash
# The scan that started it all
nmap -sC -sV -p- --min-rate=5000 10.10.11.99
# Results:
# 80/tcp open http Microsoft IIS 10.0
# 5985/tcp open winrm Microsoft HTTPAPI 2.0
```
**What This Tells Us:**
- 🔹 Windows Server 2016/2019 (IIS 10.0)
- 🔹 WinRM enabled = potential credential attacks
- 🔹 Limited surface = need to dig deep into web apps
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

