HackTheBox: Freelancer - Blind SQLi to Domain Admin
Freelancer is a medium-rated HackTheBox machine that chains a blind SQL injection vulnerability into full Active Directory compromise. Here's my full walkthrough.
Reconnaissance
Starting with a standard nmap scan:
nmap -sC -sV -oA freelancer 10.10.11.X
Open ports: 80 (HTTP), 445 (SMB), 5985 (WinRM)
The web application is a freelancer job platform. After browsing the app, I noticed the job listing endpoint was potentially injectable.
Finding the Blind SQLi
The id parameter of /jobs (e.g. /jobs?id=1) returned different page sizes depending on whether an injected condition evaluated true or false: classic boolean-based blind injection.
Testing with sqlmap:
sqlmap -u "http://freelancer.htb/jobs?id=1" --dbs --batch --level=3
This confirmed injection and revealed the database structure.
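To make the boolean-based blind pattern concrete from the defender's side, here is an added example (not code from the Freelancer machine or from the original post) that models a job-lookup endpoint with SQLite: one handler concatenates the id into the query, the other validates it as a number and binds it as a parameter. The jobs table, its rows and the payloads are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample rows standing in for the job listing table.
JOBS = [(1, "Web developer"), (2, "Pentester"), (3, "DBA")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?)", JOBS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, job_id: str) -> list:
    # The id is pasted straight into the SQL text, so an appended condition
    # becomes part of the WHERE clause: "1 AND 1=1" returns the real row,
    # "1 AND 1=2" returns nothing. That difference in the response is the
    # oracle a boolean-based blind injection (and sqlmap) relies on.
    return conn.execute(f"SELECT title FROM jobs WHERE id = {job_id}").fetchall()


def lookup_safe(conn: sqlite3.Connection, job_id: str) -> list:
    # Reject anything that is not an ASCII integer, then bind the value so the
    # database engine only ever sees it as data, never as SQL.
    if not re.fullmatch(r"[0-9]+", job_id):
        raise ValueError("job id must be a positive integer")
    return conn.execute("SELECT title FROM jobs WHERE id = ?", (int(job_id),)).fetchall()


def oracle_differs(lookup, conn: sqlite3.Connection) -> bool:
    # Defender's self-check: an endpoint is injectable when it answers a true
    # and a false appended condition differently. Rejected input maps to one
    # uniform error so the hardened handler leaks no oracle either way.
    def response(payload: str):
        try:
            return lookup(conn, payload)
        except ValueError:
            return "rejected"

    return response("1 AND 1=1") != response("1 AND 1=2")
```

The same check, applied over HTTP instead of in-process, is what sqlmap automates; running it against your own numeric parameters before release is cheaper than finding it in a writeup.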
Extracting Credentials
After dumping the admin table I recovered a bcrypt hash. Cracking it with hashcat:
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
With admin access to the app, I found a file upload feature that accepted ASPX files — leading to a webshell and initial foothold.
Privilege Escalation to Domain Admin
Running WinPEAS revealed the machine was domain-joined. BloodHound analysis showed the service account had GenericWrite over a privileged group.
Using a targeted kerberoasting attack and cracking the resulting TGS ticket, I obtained credentials for a domain admin account.
net use \\dc01\C$ /user:CORP\administrator
Key Takeaways
Always test numeric parameters for boolean-based blind injection
File upload filters can often be bypassed with double extensions
GenericWrite ACL abuse is a reliable AD escalation path
BloodHound is essential for visualizing attack paths in AD environments
Machine rated: Medium | Time: ~4 hours | Tools: nmap, sqlmap, hashcat, BloodHound
