Foothold
1. smbmap anonymous login to download the documents
2. Use credentials in the documents to log in to report.solarlab.htb on port 6791
3. RCE on ReportLab, put payload in the date field
PrivEsc
1. netstat -ano to find service running on 9090
2. chisel to port forward to attacker machine
3. CVE to create admin user and upload webshell
4. Look at C:\Program Files\Openfire\embedded-db\openfire.script to get admin password
5. decrypt with
6. smbclient -N //solarlab.htb/C$ -U "Administrator%password"