Introduction to Solarlab:

This write-up will explore the “Solarlab” machine from Hack The Box, categorized as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Solarlab” machine from Hack The Box by achieving the following objectives:

User Flag:

  • Enumeration Findings

During web enumeration on port 80, no noteworthy results were found. However, port 6791 redirected to another subdomain, which revealed a login form. SMB enumeration followed, where shares were listed using smbclient -L //solarlab.htb -N, and access was gained to the Documents share. This exploration led to the discovery of a file named details-file.xlsx, which contained various account credentials.

  • Exploiting the Vulnerability

With the “blake” credentials, a successful login was made at another subdomain. The “travel approval” feature was examined, which included a function to generate PDFs. Analyzing the PDF with ExifTool revealed it was created using the ReportLab PDF Library, linked to CVE-2023-33733. A PowerShell reverse shell payload was crafted and embedded into the exploit from GitHub. After starting a listener, the payload was executed in the PDF generation request, successfully providing shell access and allowing for user flag retrieval.

Root Flag:

  • Accessing Admin Files

While exploring the Openfire directory, I came across the embedded-db folder where the admin password was stored in an encrypted format. I used a decryption tool from GitHub to extract the password.

Enumerating the Solarlab Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oN nmap_initial.txt 10.10.11.16

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb]
└──╼ $nmap -sC -sV 10.10.11.16 -oA intial
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 17:18 EDT
Nmap scan report for 10.10.11.16
Host is up (0.18s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
6791/tcp open  http    nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-09-19T21:19:02
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.98 seconds

Analysis:

  • Port 80 (HTTP): Nginx 1.24.0 web server redirecting to solarlab.htb.
  • Port 135 (MSRPC): Windows RPC for remote procedure calls.
  • Port 139 (NetBIOS-SSN): NetBIOS for file/printer sharing on Windows.
  • Port 445 (Microsoft-DS): Likely SMB for network file sharing.
  • Port 6791 (HTTP): Nginx 1.24.0 web server redirecting to report.solarlab.htb:6791.

Web Enumeration on Solarlab machine

Perform web enumeration to discover potentially exploitable directories and files.

gobuster dir -u http://10.10.11.16 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt

Let’s navigate to the website’s user interface.

There’s nothing further to explore on the website, and Burp Suite didn’t reveal any valuable information.

Another subdomain enumeration on the Solarlab machine

Let’s run Gobuster to scan for directories, expecting results aligned with what Nmap has already shown.

Burp Suite didn’t reveal any valuable information.

We have a login form, so let’s attempt to log in using the credentials we obtained earlier. The error messages are user-specific: testing each username shows that ‘AlexanderK’ and ‘ClaudiaS’ generate different error responses. It seems likely that the usernames are valid but the passwords are incorrect, so we should try combining them with the other passwords we collected earlier.

Exploitation

SMBclient enumeration

While exploring port 445 for potential exploits, we used smbclient to attempt a guest login. To our surprise, no password was required, granting us access to the shared drive and its documents. Upon reviewing details-file.xlsx, we discovered a list containing staff logins, social security numbers, and other sensitive personal information from Solar Labs.

We found that Blake is a user, and his login information was included in the Excel file.

CVE-2023-33733 vulnerability

Now we can access the ReportHub Dashboard. After some analysis, we noted that each option creates a PDF. There’s a vulnerability (CVE-2023-33733) that can be exploited through the PDF generation feature, enabling us to obtain a reverse shell into the local network.

To execute this, I used a reverse shell generator and integrated the payload into a Python script.

Here are the simplified steps to obtain the reverse shell:

First, insert the payload into the Python script. After setting this up, we can intercept and modify the Training Request text to include the malicious script. Before forwarding the response, we set up a listener on port 9007.
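On the defending side, the fix for this chain is to keep ReportLab at a patched release and to stop user-supplied text from being parsed as Paragraph markup at all. The following Python is an added example, not the ReportHub application's own code; the fixed-version number and the detection regex are assumptions, and the sample inputs are constructed.

```python
"""Defender-side controls for a ReportLab-backed PDF generator (added example).

Not the ReportHub application's code. It assumes the app passes the user's
"Training Request" text into reportlab.platypus.Paragraph, whose argument is
parsed as a small HTML-like markup language; CVE-2023-33733 was reachable
through that markup, so untrusted text must never reach Paragraph unescaped.
"""
import re
from xml.sax.saxutils import escape

# First release containing the CVE-2023-33733 fix (assumed; check the vendor advisory).
FIXED_VERSION = (3, 6, 13)

# A tag carrying an attribute assignment: free text in a request form has no reason to contain one.
MARKUP_WITH_ATTRS = re.compile(r"<\s*/?[A-Za-z][\w:-]*\b[^>]*=")


def parse_version(text):
    """Turn '3.6.12' or '4.0.4' into a comparable tuple of ints, stopping at a non-numeric suffix."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def reportlab_is_patched(installed):
    """True if the installed version string is at or above FIXED_VERSION."""
    return parse_version(installed) >= FIXED_VERSION


def flag_suspicious_markup(text):
    """Detection signal for logging/alerting: submitted text looks like markup with attributes."""
    return MARKUP_WITH_ATTRS.search(text) is not None


def sanitize_user_text(text):
    """Escape &, <, > and quotes so Paragraph() renders the text literally instead of parsing it."""
    return escape(text, {'"': "&quot;", "'": "&#39;"})


def build_paragraph_source(user_text, installed_version):
    """Return the markup string safe to hand to Paragraph(); refuse entirely on an unpatched library."""
    if not reportlab_is_patched(installed_version):
        raise RuntimeError("ReportLab %s predates the CVE-2023-33733 fix; upgrade first" % installed_version)
    return "<para>%s</para>" % sanitize_user_text(user_text)
```

In the real application the installed version would come from reportlab.Version and flag_suspicious_markup() would feed the request log, so that a submission like the one in this write-up is visible to the blue team even when rendering is refused.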

We can view the user flag by entering cat user.txt.

Escalate to Root Privileges Access

Privilege Escalation:

In one of the directories, we found a user.db file. We can use the type command to retrieve the user login information.

Port Forwarding

While exploring, we found a user named openfire using the Get-LocalUser command. After some research, we learned that Openfire is an instant messaging and group chat server, with services operating on ports 9090 and 9091.

I verified this with the command below, which showed the IP and port as 127.0.0.1:9090.

It works perfectly!

CVE-2023-32315 Vulnerability

Although we don’t have any specific leads on Openfire logins, we can exploit CVE-2023-32315 to bypass authentication.

We now have a username and password that we can use to access Openfire.

After entering our credentials, we are welcomed by the Openfire GUI.

For the exploit we just used, there’s a .jar plugin we can upload that provides a server management tool. The default password for this tool is 123.

The management tool is located on the home GUI page under server -> server settings -> management tools. We can use the dropdown menu to select “system command,” allowing us to execute commands similarly to the command prompt.

We can apply the same technique as before to obtain a reverse shell as Blake. We’ll use the reverse shell generator as we did earlier, insert it into the command GUI, and set up Netcat as a listener.
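Because this whole step runs through an uploaded Openfire plugin, a defender's quickest tripwire is an inventory of the plugins directory against an approved baseline. The following Python is an added example, not Openfire's own tooling; the names in APPROVED and the sample tree are constructed for the demo.

```python
"""Inventory Openfire's plugins directory against an approved baseline (added example, not Openfire's tooling).

Assumes the standard layout where each installed plugin is a <name>.jar in the
plugins folder, unpacked by the server into a sibling <name>/ directory holding
plugin.xml. An unapproved plugin appearing here is the signal to alert on.
"""
import tempfile
from pathlib import Path

# Assumed baseline for this example: the plugins this server is supposed to have.
APPROVED = {"admin", "search"}


def plugin_names(plugins_dir):
    """Names seen as .jar files or as unpacked directories (either alone counts)."""
    names = set()
    for entry in Path(plugins_dir).iterdir():
        if entry.is_file() and entry.suffix == ".jar":
            names.add(entry.stem)
        elif entry.is_dir() and (entry / "plugin.xml").is_file():
            names.add(entry.name)
    return names


def unexpected_plugins(plugins_dir, approved=APPROVED):
    """Sorted plugin names present on disk but absent from the baseline."""
    return sorted(plugin_names(plugins_dir) - set(approved))


def build_demo_tree(base):
    """Constructed sample tree: two approved plugins plus one unknown upload (names made up)."""
    base = Path(base)
    for name in ("admin", "search", "mgmt-tool"):
        (base / f"{name}.jar").write_bytes(b"PK\x03\x04")  # placeholder bytes, not a real archive
        (base / name).mkdir()
        (base / name / "plugin.xml").write_text(f"<plugin><name>{name}</name></plugin>")
    return base


def demo_findings():
    """Run the check over the constructed tree and return the unapproved names."""
    return unexpected_plugins(build_demo_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for name in demo_findings():
        print(f"ALERT: unapproved Openfire plugin '{name}' in plugins directory")
```

Run it on a schedule against the live plugins folder and pair it with the admin-console audit log, since a plugin that grants system command execution is exactly what the upload step above relies on.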

We’ve successfully pivoted from Blake to Openfire. While exploring the directory, we noticed “embedded-db,” which seems promising. By using the type command, we can retrieve an encrypted Administrator password.

We also found a password key in openfire.script. We can easily decrypt the Openfire password hash using the openfire_decrypt tool linked below.

Once we do that, we’ll have the administrator password.

The error message suggests that in smbexec (commonly used to execute commands on a remote Windows system via SMB), you cannot change directories with cd as you would in a regular shell. Instead, you must use full paths for any commands or files. This limitation arises because smbexec doesn’t keep a session environment between commands, so each one starts fresh and the full path is what tells it exactly where to find the specified files or commands.

I executed another command as the administrator to retrieve the root flag.
