HTB: solarlab Writeup


Machine Information

| Attribute    | Details       |
|--------------|---------------|
| Name         | solarlab      |
| OS           | Windows       |
| Difficulty   | Medium        |
| Points       | N/A           |
| Release Date | N/A           |
| IP Address   | 10.129.12.112 |
| Author       | D3vnomi       |

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

solarlab is a Medium-difficulty Windows machine from HackTheBox featuring a Flask-based PDF generation application (ReportHub). The attack path involves SMB share enumeration to extract credentials from an Excel file, authentication to the ReportHub web application, and exploitation of CVE-2023-33733 (ReportLab RCE vulnerability) through the PDF generation functionality.

TL;DR: SMB enumeration → Credential extraction → ReportHub login → CVE-2023-33733 exploitation → RCE → Privilege escalation.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.12.112

Results:

139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
|_smb-enum-services: ERROR: Script execution failed (use -d

(Only the SMB lines of the scan survived in the notes; the full port list is in the Open Ports table below.)

Service Enumeration

Hostname: solarlab.htb
Subdomain: report.solarlab.htb

Terminal window
echo "10.129.12.112 solarlab.htb report.solarlab.htb" | sudo tee -a /etc/hosts

Open Ports:

| Port | Service             | Details                      |
|------|---------------------|------------------------------|
| 80   | HTTP                | Web server                   |
| 135  | MSRPC               | Windows RPC endpoint mapper  |
| 139  | NetBIOS             | NetBIOS session service      |
| 445  | SMB                 | Server Message Block (SMB 3.1.1) |
| 6791 | HTTP (nginx 1.24.0) | ReportHub application        |

SMB Enumeration:

Terminal window
smbclient -L //10.129.12.112 -N

Discovered Shares:

  • Documents (readable without authentication) — Contains:
    • details-file.xlsx (credentials)
    • old_leave_request_form.docx
    • concepts/ folder

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-33733 — ReportLab RCE via PDF generation (primary exploitation vector)
  • CVE-2024-29988 — Investigated during reconnaissance, not exploited
  • CVE-2023-38831 (WinRAR archive-handling RCE) — Investigated during reconnaissance as a potential chaining vector, not exploited

Initial Foothold

Step 1: Anonymous SMB Share Access

The Documents share on the SMB service is accessible without authentication:

Terminal window
smbclient //10.129.12.112/Documents -N
> ls
> get details-file.xlsx
> get old_leave_request_form.docx

Step 2: Credential Extraction

The details-file.xlsx file contains employee credentials:

Identified Credentials:

| Email                      | Username   | Password(s)                |
|----------------------------|------------|----------------------------|
| alexander.knight@gmail.com | AlexanderK | Multiple variants provided |
| claudia.springer@gmail.com | ClaudiaS   | Not specified in notes     |
| blake@purdue.edu           | BlakeB     | ThisCanB3typedeasily1@     |

Valid Login: BlakeB:ThisCanB3typedeasily1@
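Pulling the credential columns out of an .xlsx does not need a spreadsheet library, because the format is a zip of XML parts. The block below is an added example, not code from the original writeup: it builds a small workbook in memory (constructed data; the column layout follows the table above and only the BlakeB row is taken from it), then parses the worksheet and the shared-strings table and keeps the columns whose header looks credential-bearing. The function names and the header keyword list are my own choices.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed sample rows. The column layout mirrors the table above; the
# BlakeB row is the one the writeup reports, the other row is a placeholder.
SAMPLE_ROWS = [
    ["Employee", "Email", "Username", "Password"],
    ["Blake", "blake@purdue.edu", "BlakeB", "ThisCanB3typedeasily1@"],
    ["Claudia", "claudia.springer@gmail.com", "ClaudiaS", None],
]


def build_sample_xlsx(rows):
    """Write a minimal .xlsx (a zip of XML parts) so the example runs offline.

    Only the two parts the reader needs are emitted: the first worksheet and
    the shared-strings table. Real workbooks carry more parts, but the cell
    encoding is the same.
    """
    strings = []

    def shared_index(text):
        if text not in strings:
            strings.append(text)
        return strings.index(text)

    sheet_rows = []
    for r, row in enumerate(rows, start=1):
        cells = "".join(
            f'<c r="{chr(ord("A") + c)}{r}" t="s"><v>{shared_index(val)}</v></c>'
            for c, val in enumerate(row)
            if val is not None  # empty cells are simply omitted in xlsx
        )
        sheet_rows.append(f'<row r="{r}">{cells}</row>')
    sheet = f'<worksheet xmlns="{NS}"><sheetData>{"".join(sheet_rows)}</sheetData></worksheet>'
    sst = f'<sst xmlns="{NS}">' + "".join(f"<si><t>{escape(s)}</t></si>" for s in strings) + "</sst>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/sharedStrings.xml", sst)
    return buf.getvalue()


def _column(ref):
    """'C7' -> 'C'. Cells carry their own coordinates, so gaps are explicit."""
    return re.match(r"[A-Z]+", ref).group(0)


def read_sheet(xlsx_bytes, sheet="xl/worksheets/sheet1.xml"):
    """Return one dict per row, mapping column letter to cell text."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            # Each <si> may hold several <t> runs (rich text); join them.
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS}}}t"))
                      for si in sst.iter(f"{{{NS}}}si")]
        root = ET.fromstring(z.read(sheet))

    rows = []
    for row in root.iter(f"{{{NS}}}row"):
        cells = {}
        for c in row.iter(f"{{{NS}}}c"):
            kind = c.get("t")  # s = shared string, inlineStr = inline text, else number/formula result
            v = c.find(f"{{{NS}}}v")
            if kind == "s" and v is not None:
                text = shared[int(v.text)]
            elif kind == "inlineStr":
                text = "".join(t.text or "" for t in c.iter(f"{{{NS}}}t"))
            else:
                text = v.text if v is not None else ""
            cells[_column(c.get("r"))] = text
        rows.append(cells)
    return rows


# Header keywords that mark a column as credential-bearing (my own list).
CRED_HEADER = re.compile(r"user|login|pass|pwd|email|secret", re.I)


def extract_credentials(xlsx_bytes):
    """Keep only the columns whose header looks credential-bearing."""
    rows = read_sheet(xlsx_bytes)
    if not rows:
        return []
    header = rows[0]
    cred_cols = {col: name for col, name in header.items() if CRED_HEADER.search(name)}
    records = []
    for row in rows[1:]:
        rec = {cred_cols[col]: row.get(col, "") for col in cred_cols}
        if any(rec.values()):
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in extract_credentials(build_sample_xlsx(SAMPLE_ROWS)):
        print(rec)
```

Cells are keyed by their own coordinate rather than by position, because xlsx omits empty cells entirely; a positional reader would silently shift a missing password into the next column.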

Step 3: ReportHub Application Access

Navigate to http://report.solarlab.htb:6791 and authenticate with BlakeB credentials.

Application Features:

The ReportHub application (Flask-based PDF generation) provides the following endpoints:

  • /leaveRequest — Generate leave request PDF
  • /homeOfficeRequest — Generate home office request PDF
  • /trainingRequest — Generate training request PDF
  • /travelApprovalForm — Generate travel approval PDF

All endpoints support image upload functionality (restricted to .jpg, .jpeg, .png).

Step 4: CVE-2023-33733 Exploitation (Incomplete - See Limitations)

The PDF generation functionality in ReportHub is vulnerable to CVE-2023-33733, a remote code execution flaw in ReportLab (the Python PDF library, versions up to 3.6.12): the rl_safe_eval sandbox that ReportLab uses to evaluate expressions inside Paragraph markup can be escaped to reach Python builtins and run arbitrary code.

Attack Vector:

The trigger is text, not an image. Any form field that the application interpolates into ReportLab Paragraph markup can carry a <font> tag whose color attribute holds a Python expression, and ReportLab hands that attribute value to rl_safe_eval while rendering the PDF. The image upload (.jpg/.jpeg/.png) is a separate feature and is not the injection point.

Status: Full exploitation path and payload details were not fully documented in the reconnaissance notes. Refer to CVE-2023-33733 PoC repositories for exploitation techniques.
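To make the injection point concrete, here is an added example in Python; it is not ReportHub's code and not from the writeup. It assumes the common pattern the CVE targets, a form field string-interpolated into Paragraph markup, and shows the raw interpolation beside the escaped form, a check that flags colour attributes whose value is not a plain literal (the values ReportLab's toColor would fall through to rl_safe_eval), and a version check against 3.6.13, the first ReportLab release with the fix. The probe string is constructed and deliberately inert; the attribute list and all function names are assumptions. The same block illustrates the "patched ReportLab" point in Key Learnings.

```python
import re
from xml.sax.saxutils import escape

QUOTE = {'"': "&quot;"}  # extra entity for escape(): neutralise attribute quotes too


# Assumption about the application: each form field is string-interpolated
# into Paragraph markup before ReportLab renders it. The writeup does not show
# ReportHub's code; this mirrors the pattern CVE-2023-33733 is reported against.
def build_markup_vulnerable(field):
    """Raw interpolation: a field containing <font color="..."> reaches the parser."""
    return f'<para><font color="black">{field}</font></para>'


def build_markup_hardened(field):
    """Escape &, <, > and quotes so user text can never open a tag or attribute."""
    return f'<para><font color="black">{escape(field, QUOTE)}</font></para>'


# Colour-valued attributes are resolved by reportlab.lib.colors.toColor, which
# falls back to rl_safe_eval for anything that is not a known name or hex
# literal. That evaluation is the CVE-2023-33733 sink. The attribute list is an
# assumption; extend it for other colour attributes your templates accept.
COLOUR_ATTR = re.compile(
    r"\b(color|backcolor|bgcolor|textcolor|bordercolor)\s*=\s*([\"'])(.*?)\2", re.I)
# Allow-list: a named colour or a #RRGGBB / #RRGGBBAA literal; nothing else.
PLAIN_COLOUR = re.compile(r"^(?:[A-Za-z]+|#[0-9A-Fa-f]{6}(?:[0-9A-Fa-f]{2})?)$")


def suspicious_colour_values(markup):
    """Return attribute values that would be handed to rl_safe_eval as code."""
    return [value for _, _, value in COLOUR_ATTR.findall(markup)
            if not PLAIN_COLOUR.match(value.strip())]


def reportlab_is_patched(version=None):
    """True if ReportLab >= 3.6.13 (first release with the rl_safe_eval fix).

    With no argument the installed package is queried; None means it is not
    installed in this environment.
    """
    if version is None:
        try:
            from importlib.metadata import version as installed
            version = installed("reportlab")
        except Exception:
            return None
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (3, 6, 13)


# Constructed probe: an expression in attribute position, shaped like the
# public PoCs but deliberately inert (rl_safe_eval rejects dunder names).
PROBE_FIELD = "<font color=\"[[getattr(pow, '__globals__')]] and 'red'\">x</font>"
BENIGN_FIELD = "Annual leave, 12-15 May"

if __name__ == "__main__":
    print("vulnerable:", suspicious_colour_values(build_markup_vulnerable(PROBE_FIELD)))
    print("hardened:  ", suspicious_colour_values(build_markup_hardened(PROBE_FIELD)))
    print("patched reportlab installed:", reportlab_is_patched())
```

Escaping is the durable fix because it keeps user text out of attribute position entirely; the allow-list check is a detection aid for request logs or a WAF rule, not a substitute for upgrading ReportLab.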


User Compromise

Credential Discovery

Credentials were extracted from the details-file.xlsx file accessible via anonymous SMB share access.

BlakeB Account Used for ReportHub Authentication:

Username: BlakeB
Password: ThisCanB3typedeasily1@
Email: blake@purdue.edu

Application Authentication

After obtaining credentials, successful authentication to the ReportHub web application allows access to all PDF generation endpoints.

User Flag

Status: User flag extraction method not documented in reconnaissance notes. Typically obtained after achieving initial code execution via CVE-2023-33733.

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration (Post-RCE)

After achieving remote code execution via CVE-2023-33733, first-pass enumeration from the shell obtained in the application's context would include (cmd.exe lines first; Get-Process needs PowerShell):

Terminal window
whoami
whoami /priv
net user
systeminfo
tasklist
powershell -c Get-Process

Exploitation (Root/Administrator)

Status: Privilege escalation technique was not documented in the reconnaissance notes. The method(s) used to escalate from the compromised ReportHub application context to administrative access require further investigation.

Potential Attack Vectors:

  • Token impersonation via SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege (check the output of whoami /priv)
  • Misconfigured Windows services (weak service or binary permissions, unquoted paths)
  • Unpatched kernel exploits (compare systeminfo hotfix list against the build)
  • Group Policy misconfigurations

Root Flag

Status: Root flag extraction method not documented.

🚩 Root Flag: <REDACTED>


Attack Chain Summary

1. Network Enumeration (nmap)
|
v
2. SMB Share Discovery & Anonymous Access
|
v
3. Credential Extraction (details-file.xlsx)
|
v
4. ReportHub Application Login (BlakeB)
|
v
5. CVE-2023-33733 Exploitation (ReportLab RCE)
|
v
6. Initial Code Execution
|
v
7. Privilege Escalation (method TBD)
|
v
8. Administrative Access (SYSTEM/Administrator)

Tools Used

| Tool        | Purpose                                            |
|-------------|----------------------------------------------------|
| nmap        | Port scanning and service fingerprinting           |
| smbclient   | SMB share enumeration and file extraction          |
| python3     | Scripting and exploit execution                    |
| curl/wget   | HTTP requests to ReportHub endpoints               |
| burp        | HTTP request interception and PDF generation analysis |
| python-xlsx | Excel file parsing and credential extraction       |
| reportlab   | Understanding PDF generation vulnerabilities       |
| nc          | Reverse shell listener (post-exploitation)         |
| powershell  | Post-exploitation enumeration (Windows)            |

Vulnerability Reference

| # | Vulnerability                  | Component                  | Severity | Impact                                        |
|---|--------------------------------|----------------------------|----------|-----------------------------------------------|
| 1 | CVE-2023-33733                 | ReportLab (PDF generation) | CRITICAL | Remote Code Execution (primary exploit)       |
| 2 | Anonymous SMB Access           | SMB Share (Documents)      | High     | Credential disclosure via Excel file          |
| 3 | Plaintext Credential Storage   | ReportHub account          | Medium   | Credentials stored in plaintext within Excel  |
| 4 | CVE-2024-29988                 | (Investigated)             | -        | Reconnaissance only, not exploited            |
| 5 | CVE-2023-38831                 | (Investigated)             | -        | Reconnaissance only, potential chaining vector |

Key Learnings

  • SMB Enumeration First: Anonymous SMB access can lead to direct credential discovery without authentication.
  • Excel Files as Intelligence: Office documents (especially .xlsx) in shared drives often contain sensitive data (credentials, employee information).
  • Web Application Frameworks: Flask applications that render user input through ReportLab Paragraph markup are exposed to CVE-2023-33733 whenever ReportLab is older than 3.6.13; escaping the input and upgrading the library are both required.
  • Defense-in-Depth: One anonymous share collapsed the whole chain (credentials → application login → RCE). Each later layer only held as long as the layer in front of it, so a single weak perimeter control undermined the rest.
  • Reconnaissance Completeness: While initial access vectors were thoroughly identified, full exploitation and privilege escalation paths require complete documentation for knowledge transfer.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Medium #CVE-2023-33733 #ReportLab #SMB #ReportHub #Flask


Limitations & Notes

Incomplete Sections:

This writeup documents the reconnaissance findings and initial foothold phase thoroughly. However, the following sections were not fully detailed in the original engagement notes:

  1. CVE-2023-33733 Exploitation: Specific payload, injection vector, and exploitation steps require additional documentation.
  2. Privilege Escalation: The technique(s) used to escalate from application context to administrative access were not documented.
  3. Post-Exploitation: Full system compromise steps and evidence collection were not included in the notes.

Recommendations:

  • Document complete exploitation payload for CVE-2023-33733 exploitation
  • Identify and document privilege escalation vector used
  • Capture full attack sequence with command outputs
  • Test and validate privilege escalation technique