Jab

Recon

Let's start with an nmap scan.

There are numerous open ports detected on the Windows system. As we explore further, we observe several domain names. To facilitate access to these domains, we should add their entries to the /etc/hosts file.

At first glance, open ports 88 (Kerberos) and 389 (LDAP) indicate a domain controller. We can also notice some non-standard ports: 5222, 5269, 7070, 7443 and 7777. From the same nmap result we can tell that this machine is running the XMPP protocol.

After some googling, we know we have a messaging service to explore. Let's dig into it to learn more.

First of all we need a way to interact with this service, so with a bit more googling we find something interesting.

Since we've identified that the machine is running the server, we now require a client to interact with it. As this is a well-known and open protocol, finding a suitable client should be relatively straightforward.

Now we need to download a client. Let's pick Pidgin, since it is easy to install and use.

To access the chatroom, you'll need to create an account on the server. Once you've done that, you can join the test2@conference.jab.htb chat room. However, if there's no one currently present in the chat room, you may not find anyone to interact with. In such a case, you can leave the chat room.

Additionally, using a Pidgin plugin we can do service discovery.

As a very first step we can try to enumerate all users inside the jab.htb domain. To do this we need:

A user list available online.

A tool to send requests to the DC; we use kerbrute.

Another important result of this step is the harvesting of AS-REP hashes, which kerbrute returns for accounts that exist and do not require Kerberos pre-authentication. Because pre-authentication is disabled on those accounts, the DC hands out encrypted TGT material that can be cracked offline, which is the AS-REP roasting attack.
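A defender-side check for the activity above, added here as an example and not part of the original writeup: it flags Windows Security event 4768 (TGT requested) records where no pre-authentication was used and an RC4 ticket was requested, the combination AS-REP roasting leaves in the DC's log. The flattened key=value log format and the sample records are constructed for the example.

```python
"""
Detect AS-REP roasting candidates in a Windows Security log export.

Heuristic: Event ID 4768 with Pre-Authentication Type 0 (no pre-auth
required) and Ticket Encryption Type 0x17 (RC4-HMAC). A single source
IP collecting several such tickets is the signature of an AS-REP
roasting sweep. The log format below is constructed, not real output.
"""
import re

# Constructed sample events (flattened key=value form, not actual Windows output).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=jmontgomery PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4768 TargetUserName=svc_openfire PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.11.4
EventID=4768 TargetUserName=testuser PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4769 TargetUserName=jmontgomery PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5
EventID=4768 TargetUserName=administrator PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.11.4
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; returns None for blank lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields or None


def is_asrep_roast_candidate(ev):
    """True when the event is a TGT request with no pre-auth and RC4 encryption."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")


def find_roasted_accounts(text):
    """Return {source_ip: [accounts]} for events matching the heuristic."""
    hits = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and is_asrep_roast_candidate(ev):
            hits.setdefault(ev["IpAddress"], []).append(ev["TargetUserName"])
    return hits


if __name__ == "__main__":
    for ip, users in find_roasted_accounts(SAMPLE_EVENTS).items():
        print(f"{ip}: AS-REP roast candidates for {', '.join(users)}")
```

The same accounts show up in an audit of userAccountControl for the "Do not require Kerberos preauthentication" flag, which is the fix: clear that flag unless an application genuinely needs it.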

Run hashcat on those hashes with rockyou.txt.

We got the password of jmontgomery. Now we can go back to Pidgin and log in using those creds.

After logging in we search for rooms again and find a new room: Pentest2003.

Joining that room gives us the password of svc_openfire.

Initial Access

Using impacket’s dcomexec.py and svc_openfire's creds we can get a reverse shell.

We have our user flag.

Privilege Escalation

Further enumeration uncovers two unusual ports, 9090 and 9091, listening on the local system only.

We can test whether we have a web app:

The HTTP/1.1 200 OK response tells us a web application is indeed running locally. To interact with it we need to forward the port from the DC to our attack box so the service is reachable on our own machine. We'll use the well-known tool Chisel for this.

First we need to set up a Chisel server on our attack box:

Next, we transfer Chisel to the DC, set up a client there and connect it back to our server:


Note that Chisel needs to be downloaded twice: a Linux build to run on Kali and a Windows build to run on the target.

Now, by navigating to http://127.0.0.1:9090, we gain access to and can interact with this web application.

We can log in with the svc_openfire username and the password we found earlier.

This web server is vulnerable to CVE-2023-32315.

Using this, we can confirm we are running as SYSTEM.

We can set up another netcat listener to catch a reverse shell as SYSTEM.

We've got our root flag.
