HackTheBox | SolarLab

In this walkthrough, I demonstrate how I obtained complete ownership of SolarLab on HackTheBox

Initial Foothold Hint

  • What service can be accessed anonymously (no authentication required)? And what information have you found upon accessing this service?
  • Where else on the box presents a login form?
    • Have you tested the information you've found against this target?
    • What do you notice about error messages with specific usernames?
    • One of the users does not match the pattern that triggers this error.
  • When you find the login, click around the application.
    • Lots of input points. Have you filled out the form just to see what happens?
    • Download the file to your local machine and analyze it. There should be some breadcrumbs that will tell you how this file was generated
    • Have you found the CVE?

Privilege Escalation Hint

  • How are your network pivoting and tunneling skills?
    • Did you find the admin portal for the service?
    • What version of the service is running and what CVEs exist for it?
  • Once on the box as the service account:
    • What files are you able to read? Did you find anything interesting?
    • Hint: What kind of database is the vulnerable service using?
  • What kind of encryption is in use on this service?
    • How might you go about revealing the secret in plaintext?

Nmap Results

# Nmap 7.94SVN scan initiated Mon May 13 13:06:00 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.215.232
Nmap scan report for 10.129.215.232
Host is up (0.045s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
|_http-server-header: nginx/1.24.0
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
6791/tcp open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
|_http-server-header: nginx/1.24.0
7680/tcp open  pando-pub?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-13T17:07:53
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 13 13:08:29 2024 -- 1 IP address (1 host up) scanned in 149.48 seconds

In the output for tcp/80 and tcp/6791, nginx answers with a redirect to http://solarlab.htb/ and http://report.solarlab.htb:6791/ respectively, which nmap does not follow because neither name resolves yet. Both virtual hosts live on the same IP, so let's map both hostnames to it in our /etc/hosts file.

echo '10.129.215.232        solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts
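The one-liner above appends a line every time it is run. As an added example that is not part of the original walkthrough, the following shell snippet pulls the hostnames straight out of nmap's "Did not follow redirect to" lines and only appends the ones that are missing, so re-running it after a rescan does not duplicate entries. The sample nmap output and the hosts file used in the demo are constructed inline; the function names and the temporary file paths are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: extract redirect hostnames from an
# nmap -oN file and add them to a hosts file idempotently.

# Print the unique hostnames from every "Did not follow redirect to <url>" line.
# The capture stops at '/' or ':' so a trailing port (e.g. :6791) is dropped.
# Usage: redirect_hosts <nmap-scan.txt>
redirect_hosts() {
  sed -n 's/.*Did not follow redirect to https\{0,1\}:\/\/\([^/:]*\).*/\1/p' "$1" | sort -u
}

# Append "<ip> <host> ..." to a hosts file for every hostname not already present.
# Usage: add_hosts <hosts-file> <ip> <nmap-scan.txt>
add_hosts() {
  local hosts_file=$1 ip=$2 scan=$3 missing="" h
  for h in $(redirect_hosts "$scan"); do
    # Match the name only as a whole whitespace-delimited token on a line.
    grep -qE "(^|[[:space:]])${h}([[:space:]]|\$)" "$hosts_file" || missing="$missing $h"
  done
  [ -n "$missing" ] && printf '%s%s\n' "$ip" "$missing" >> "$hosts_file"
  return 0
}

# Stand-alone demo on constructed data (never touches the real /etc/hosts).
demo() {
  local tmp
  tmp=$(mktemp -d)
  cat > "$tmp/scan.txt" <<'EOF'
80/tcp   open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://solarlab.htb/
6791/tcp open  http          nginx 1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
EOF
  printf '127.0.0.1 localhost\n' > "$tmp/hosts"
  add_hosts "$tmp/hosts" 10.129.215.232 "$tmp/scan.txt"
  add_hosts "$tmp/hosts" 10.129.215.232 "$tmp/scan.txt"   # second run adds nothing
  cat "$tmp/hosts"
  rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  demo
fi
```

To use it against the real file, run `add_hosts /etc/hosts 10.129.215.232 nmap-scan.txt` with sudo; the grep guard means an existing entry for either name is left alone rather than duplicated.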

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

0xBEN