Eloquia

Technical Walkthrough

Eloquia Walkthrough

This file records the final reproducible path only after live validation. Keep speculative notes in research.md and rejected paths in dead-ends.md.

Phase 0: Setup

• Workspace initialized locally.
• Public research stored as advisory intelligence.
• Live validation matched public anchors: IIS 10.0, WinRM 5985, eloquia.htb, qooqle.htb, Django CSRF, OAuth flow, SQL Explorer, SQLite load_extension.

Phase 1: OAuth CSRF Admin Takeover

Created controlled Eloquia and Qooqle accounts. Eloquia's Qooqle OAuth flow used no meaningful state/PKCE protection. A reported article containing a meta-refresh plus image beacon caused the admin bot to request the Pwnbox /bait endpoint. The listener minted a fresh Qooqle authorization code and redirected the admin browser to Eloquia's callback, linking the admin Eloquia session to the attacker Qooqle account.

After the callback, logging into Eloquia through Qooqle returned HTTP 200 for /accounts/admin/.

Phase 2: SQLite RCE

Admin panel exposed SQL Explorer at /dev/sql-explorer/play/. select sqlite_version() confirmed SQLite, and load_extension() was enabled. Anonymous SMB loading failed because Windows blocked guest access, matching the expected dead end.

The intended path was admin Article banner upload: the admin form accepted DLL files and exposed the saved path under static/assets/images/blog/. Loading the uploaded DLL with:

select load_extension('static/assets/images/blog/wp2.dll');

executed code as ELOQUIA\web, confirmed by writing a proof file under the web-served static path.

Phase 3: DPAPI To WinRM

Used RCE to copy Edge Login Data and Local State from the web profile. PowerShell was blocked by policy, so a native DPAPI DLL called CryptUnprotectData as web and wrote the decrypted Chromium AES key to the static path. Offline decryption of Login Data recovered a valid credential for Eloquia\Olivia.KAT, which was validated with WinRM.

User flag was copied from the live target into loot/user.txt.

Phase 4: Failure2Ban SYSTEM

WinRM enumeration showed:

HKLM\SYSTEM\CurrentControlSet\Services\Failure2Ban
ImagePath = C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe

icacls confirmed ELOQUIA\Olivia.KAT had write permission on the SYSTEM service executable. A minimal payload copied the Administrator root flag to C:\Temp\root.txt. After staging the payload, a PowerShell overwrite loop won the service restart race. The payload executed as SYSTEM and root was copied into loot/root.txt.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Platform: HackTheBox
• Machine: Eloquia
• Difficulty: Insane
• OS: Windows
• Creator: Spectra199
• Target IP: <TARGET>
• Pwnbox: <TARGET>
• Pwnbox user: profex0r
• Started: 2026-05-07 23:39:43 AEST

Operating Rules

• Public research is advisory only. Evidence requires live validation.
• Keep raw flags, reusable <password redacted>, tickets, cookies, private keys, and dumps in loot/ only.
• Use Pwnbox for live testing and save command output to files.
• For state-mutating actions, snapshot current state and write rollback notes before execution.
• For Insane mode, stop at phase boundaries and update attack-map.md, dead-ends.md, custom-exploit-notes.md, and session-resume.md.

Evidence Ledger

Live Access State

Attack Map

Current Graph

Pwnbox
  |
  | pending validation
  v
<TARGET>
  |
  +-- HTTP/80 [advisory: IIS + Eloquia web app]
  |     |
  |     +-- eloquia.htb [advisory: Django app]
  |     |     |
  |     |     +-- article/report/admin bot [unvalidated]
  |     |     +-- OAuth callback/account linking [unvalidated]
  |     |     +-- admin SQL Explorer [unvalidated]
  |     |
  |     +-- qooqle.htb [advisory: OAuth provider]
  |
  +-- WinRM/5985 [advisory: credential pivot]

Verified Chain

Pwnbox
  -> HTTP/80 IIS + Django apps
  -> eloquia.htb / qooqle.htb OAuth flow
  -> OAuth CSRF account linking through reported article/admin bot
  -> Eloquia admin panel
  -> SQL Explorer SQLite load_extension()
  -> Admin Article banner upload of DLL
  -> RCE as ELOQUIA\web
  -> Edge Login Data + Local State DPAPI extraction
  -> WinRM as ELOQUIA\Olivia.KAT
  -> Failure2Ban writable SYSTEM service executable
  -> service restart race overwrite
  -> root flag copied to C:\Temp\root.txt

Hypothesis Ranking

All four ranked hypotheses were live-validated and used.

Transition Proof Requirements

Memory Summary

Status: Approved and ingested into private CTF LightRAG.

Metadata

• Platform: HackTheBox
• Content type: Machine
• Name: Eloquia
• OS: Windows
• Difficulty: Insane
• Workspace: <local workspace><TARGET>-Eloquia

Verified Chain

1. External scan exposed only IIS HTTP on 80 and WinRM on 5985.
2. HTTP redirect and vhost validation confirmed eloquia.htb and qooqle.htb.
3. Eloquia used Qooqle OAuth without meaningful state/PKCE protection.
4. A reported article with a browser beacon caused the admin bot to visit a Pwnbox listener, receive a fresh Qooqle authorization code, and hit Eloquia's OAuth callback in the admin session.
5. Logging in through Qooqle then granted Eloquia admin panel access.
6. SQL Explorer exposed SQLite query execution and allowed load_extension().
7. Anonymous SMB DLL loading failed because Windows blocked guest access.
8. Admin Article banner upload accepted a DLL and exposed the relative path under static/assets/images/blog/.
9. Loading the uploaded DLL gave RCE as web.
10. Edge Login Data and Local State under the web profile were extracted; a native DPAPI DLL decrypted the Chromium master key in the live web context.
11. Offline Edge password decryption recovered a WinRM-valid user credential.
12. The WinRM user had write permission on the SYSTEM Failure2Ban.exe service binary.
13. An overwrite loop won the service restart race and replaced the service binary with a minimal copy-flag payload.

Reusable Lessons

• For OAuth CSRF/admin-bot chains, make the callback server mint authorization codes on demand; short-lived codes make pre-generation unreliable.
• Treat listener hits carefully: ignore unrelated paths to avoid mistaking public crawler traffic for admin-bot success.
• Use image beacons alongside meta-refresh when article HTML injection needs reliable browser delivery.
• If SQLite UNC load_extension() reaches SMB but Windows blocks guest access, pivot to local upload paths instead of cracking captured NetNTLM immediately.
• Admin forms may have weaker file validation than public user-facing forms.
• When PowerShell is blocked by policy, native DLLs can still call DPAPI APIs directly in the target user's context.
• For Windows service restart races, run an overwrite loop and poll for payload effects rather than trying to stop/start the service without rights.

Do Not Ingest

• Raw flags
• Recovered <password redacted>
• Admin cookies
• DPAPI key material
• Browser credential database contents

Session Resume

Current Status

• Phase: Complete
• User flag: captured in loot/user.txt
• Root flag: captured in loot/root.txt
• Current access: WinRM credential for Eloquia\Olivia.KAT recovered from Edge DPAPI and validated live
• Last confirmed action: Failure2Ban executable overwrite race succeeded and SYSTEM payload copied root flag

Known Advisory Intelligence

• Expected hostnames: eloquia.htb, qooqle.htb
• Expected ports: 80/tcp, 5985/tcp
• Expected chain: OAuth CSRF/account takeover -> SQLite DLL RCE -> Edge DPAPI credential extraction -> WinRM -> Failure2Ban service hijack/race -> SYSTEM

Post-Solve Tasks

1. Keep raw flags and recovered credentials in loot/ only.
2. Prepare sanitized memory summary for user approval before LightRAG ingestion.
3. Do not ingest raw cookies, flags, <password redacted>, DPAPI key material, or credential dump output.

Notes

State Mutations

Custom Tooling

Windows Payload Requirements

• SQLite extension DLL must match target architecture.
• Prefer a minimal proof payload first, then a controlled file-copy or shell payload after validation.
• Record compile command, hash, upload path, and trigger query.
• For service replacement, snapshot original binary hash, ACL, path, and service state before writing.

Dead Ends

Record abandoned paths with proof and reason so later agents do not repeat them.