Attack Vector: OAuth CSRF → SQLite RCE → DPAPI Secrets → Race Condition → SYSTEM
## 🗺️ The Attack Map
```
┌─────────────────────────────────────────────────────────────────────┐
│                        ELOQUIA ATTACK CHAIN                         │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  1. RECONNAISSANCE          2. OAUTH CSRF           3. RCE          │
│  ┌──────────────┐           ┌──────────────┐        ┌──────────┐    │
│  │  Port Scan   │──────────►│   Session    │───────►│  SQLite  │    │
│  │  Web Enum    │           │   Fixation   │        │ Extension│    │
│  └──────────────┘           └──────────────┘        └──────────┘    │
│         │                          │                      │         │
│         ▼                          ▼                      ▼         │
│  Found: 80, 5985            Got: Admin Access       Blocked: FW     │
│  eloquia.htb, qooqle.htb    Credential Hardcoded    Solution: ↓     │
│                                                                     │
│  4. FILE-BASED SHELL        5. DPAPI DECRYPT        6. RACE         │
│  ┌──────────────┐           ┌──────────────┐        ┌──────────┐    │
│  │  DLL Upload  │──────────►│  Edge Creds  │───────►│ Service  │    │
│  │ Pseudo-Shell │           │  Extraction  │        │  Binary  │    │
│  └──────────────┘           └──────────────┘        └──────────┘    │
│         │                          │                      │         │
│         ▼                          ▼                      ▼         │
│  User: web                  User: Olivia.KAT        SYSTEM! 🎉     │
│  Commands Execute           WinRM Access            Both Flags      │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```
## 📚 Table of Contents
- [Act I: Discovery](#act-i-discovery)
- [Act II: The OAuth Heist](#act-ii-the-oauth-heist)
- [Act III: Breaking Through Walls](#act-iii-breaking-through-walls)
- [Act IV: Secrets in the Browser](#act-iv-secrets-in-the-browser)
- [Act V: The Race to SYSTEM](#act-v-the-race-to-system)
- [Epilogue: Lessons Learned](#epilogue-lessons-learned)
---
## 🎬 Act I: Discovery
### The Landscape
When I first scanned Eloquia, I expected the usual sprawl of services. Instead, I found a minimalist setup—a sign of either excellent hardening or a very specific attack surface.
```bash
# The scan that started it all
nmap -sC -sV -p- --min-rate=5000 10.10.11.99
# Results:
# 80/tcp open http Microsoft IIS 10.0
# 5985/tcp open winrm Microsoft HTTPAPI 2.0
```
**What This Tells Us:**
- 🔹 Windows Server 2016/2019 (IIS 10.0)
- 🔹 WinRM enabled = potential credential attacks
- 🔹 Limited surface = need to dig deep into web apps