Obtain a user's NTLM hash and crack it to find the password.
Use the user's credentials to access port "5222" and obtain credentials for another user.
Use the obtained credentials to explore further and run BloodHound to identify potential paths.
Gain shell access on DC01 and search for ways to escalate privileges.
Access the web application and upload a shell to compromise the domain.
Let's begin.
I started with the usual Nmap scan, and while it was running I also did some enumeration on common ports such as SMB, RPC and LDAP, but I didn't find anything interesting. Here are the Nmap results:
# Nmap 7.94SVN scan initiated Wed Mar 20 13:52:35 2024 as: nmap -A -T4 -oN nmap.txt -Pn 10.10.11.4
Warning: 10.10.11.4 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.4 (10.10.11.4)
Host is up (0.22s latency).
Not shown: 902 closed tcp ports (conn-refused), 85 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-20 17:59:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-20T18:01:24+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
|_ssl-date: 2024-03-20T18:01:31+00:00; +2s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-20T18:01:26+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after: 2024-10-31T20:16:18
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
| STARTTLS Failed
| info:
| features:
| errors:
| invalid-namespace
| (timeout)
| compression_methods:
| auth_mechanisms:
| capabilities:
| xmpp:
| version: 1.0
| stream_id: 2llsnnt55f
|_ unknown:
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after: 2028-10-24T22:00:12
5269/tcp open xmpp Wildfire XMPP Client
| xmpp-info:
| Respects server name
| STARTTLS Failed
| info:
| features:
| errors:
| host-unknown
| (timeout)
| compression_methods:
| auth_mechanisms:
| capabilities:
| xmpp:
| version: 1.0
| stream_id: axra5bza2w
|_ unknown:
7070/tcp open realserver?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP:
| HTTP/1.1 400 Illegal character CNTL=0x0
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
| GetRequest:
| HTTP/1.1 200 OK
| Date: Wed, 20 Mar 2024 17:59:24 GMT
| Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
| Content-Type: text/html
| Accept-Ranges: bytes
| Content-Length: 223
| <html>
| <head><title>Openfire HTTP Binding Service</title></head>
| <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
| </html>
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Wed, 20 Mar 2024 17:59:36 GMT
| Allow: GET,HEAD,POST,OPTIONS
| Help:
| HTTP/1.1 400 No URI
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 49
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: No URI</pre>
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| TerminalServerCookie:
| HTTP/1.1 400 Illegal character CNTL=0x3
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x3</pre>
7777/tcp open socks5 (No authentication; connection failed)
| socks-auth-info:
|_ No authentication
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port7070-TCP:V=7.94SVN%I=7%D=3/20%Time=65FB23FB%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,189,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2020\x20Mar\x
SF:202024\x2017:59:24\x20GMT\r\nLast-Modified:\x20Wed,\x2016\x20Feb\x20202
SF:2\x2015:55:02\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x2
SF:0bytes\r\nContent-Length:\x20223\r\n\r\n<html>\n\x20\x20<head><title>Op
SF:enfire\x20HTTP\x20Binding\x20Service</title></head>\n\x20\x20<body><fon
SF:t\x20face=\"Arial,\x20Helvetica\"><b>Openfire\x20<a\x20href=\"http://ww
SF:w\.xmpp\.org/extensions/xep-0124\.html\">HTTP\x20Binding</a>\x20Service
SF:</b></font></body>\n</html>\n")%r(RTSPRequest,AD,"HTTP/1\.1\x20505\x20U
SF:nknown\x20Version\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nC
SF:ontent-Length:\x2058\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\
SF:x20505</h1><pre>reason:\x20Unknown\x20Version</pre>")%r(HTTPOptions,56,
SF:"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2020\x20Mar\x202024\x2017:59:
SF:36\x20GMT\r\nAllow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n")%r(RPCCheck,C7,"H
SF:TTP/1\.1\x20400\x20Illegal\x20character\x20OTEXT=0x80\r\nContent-Type:\
SF:x20text/html;charset=iso-8859-1\r\nContent-Length:\x2071\r\nConnection:
SF:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\
SF:x20character\x20OTEXT=0x80</pre>")%r(DNSVersionBindReqTCP,C3,"HTTP/1\.1
SF:\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/ht
SF:ml;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\
SF:r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20charact
SF:er\x20CNTL=0x0</pre>")%r(DNSStatusRequestTCP,C3,"HTTP/1\.1\x20400\x20Il
SF:legal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;charset=is
SF:o-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Ba
SF:d\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x
SF:0</pre>")%r(Help,9B,"HTTP/1\.1\x20400\x20No\x20URI\r\nContent-Type:\x20
SF:text/html;charset=iso-8859-1\r\nContent-Length:\x2049\r\nConnection:\x2
SF:0close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20No\x20URI</
SF:pre>")%r(TerminalServerCookie,C3,"HTTP/1\.1\x20400\x20Illegal\x20charac
SF:ter\x20CNTL=0x3\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nCon
SF:tent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x2
SF:0400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x3</pre>");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-03-20T18:01:14
|_ start_date: N/A
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
After a lengthy enumeration I moved on to enumerating users with the Kerbrute tool, to check whether any of them have the "Do not require Kerberos preauthentication" setting enabled.
I managed to obtain NTLM hashes for some users, but they weren't in the correct format for Hashcat, so to get valid hashes for these usernames I used the GetNPUsers tool.
Then I attempted to enumerate further using this user's credentials, but I didn't discover anything significant, so I decided to interact with port "5222". After researching the XMPP protocol (Extensible Messaging and Presence Protocol, commonly used in messaging platforms, collaboration tools and Internet of Things (IoT) devices), I installed the Pidgin client:
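Accounts with the "Do not require Kerberos preauthentication" flag are what this step hunts for, and they are also what a domain owner should be auditing for. The Python below is an added example, not part of this writeup or of Kerbrute/GetNPUsers: it decodes the relevant userAccountControl bits from a (constructed) LDAP export to list exposed accounts, and checks (constructed) Kerberos TGT-request events for the combination a roasting attempt leaves behind, no pre-authentication plus an RC4 ticket. The key=value event layout is an assumption made for the example.

```python
"""Audit for AS-REP roasting exposure and spot roasting attempts in KDC events.

Added example, not part of the original writeup. The account records and the
4768 event lines below are constructed for illustration; the flattened
key=value layout is an assumption, not real Windows log output.
"""
from __future__ import annotations

import re

# userAccountControl bit flags (subset) as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

UAC_NAMES = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UAC_DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    UAC_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def asrep_roastable(accounts: list[dict]) -> list[str]:
    """Enabled accounts that do not require Kerberos pre-authentication.

    Each record is {"sAMAccountName": str, "userAccountControl": int}, as an
    LDAP export would give it. Disabled accounts are skipped: the KDC refuses
    them a TGT, so there is nothing to crack.
    """
    return [
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & UAC_DONT_REQ_PREAUTH
        and not a["userAccountControl"] & UAC_ACCOUNTDISABLE
    ]


# Constructed sample export: one exposed account, one flagged but disabled.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x410200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x410202},
]

# Event 4768 = Kerberos TGT requested. Pre-authentication type 0 means the
# TGT was issued without pre-authentication; ticket encryption type 0x17 is
# RC4-HMAC, the cipher offline cracking tools request because it is cheapest
# to brute-force.
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)"
    r"\s+PreAuthType=(?P<pat>\d+)\s+TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+)"
)


def flag_asrep_requests(lines: list[str]) -> list[dict]:
    """4768 events consistent with AS-REP roasting: no pre-auth and an RC4 ticket."""
    hits = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m["id"] != "4768":
            continue
        if m["pat"] == "0" and int(m["etype"], 16) == 0x17:
            hits.append({"user": m["user"], "ip": m["ip"]})
    return hits


# Constructed sample events; only the second one matches the roasting pattern.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.21 PreAuthType=2 TicketEncryptionType=0x12",
    "EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.21 PreAuthType=0 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=alice IpAddress=10.0.0.21 PreAuthType=0 TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    print("exposed accounts:", asrep_roastable(SAMPLE_ACCOUNTS))
    for a in SAMPLE_ACCOUNTS:
        print(a["sAMAccountName"], decode_uac(a["userAccountControl"]))
    print("suspicious TGT requests:", flag_asrep_requests(SAMPLE_EVENTS))
```

The fix on the directory side is to clear the flag (and give service accounts long random passwords, since the cracked hash is only as strong as the password behind it); the event check is what you would alert on while that cleanup is pending.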
sudo apt install pidgin
Next I launched Pidgin and selected the XMPP protocol.
Then I added the credentials of the "jmontgomery" account here:
And the account logged in successfully.
The room list can be found here:
Click on "Find Rooms".
We found an interesting room called "pentest2003". If we click on it,
we land in the chat room, where we find these user credentials.
Enumerating with these credentials, I noticed that this user doesn't have shell access over SMB or WinRM, and I didn't gather any special information, so I decided to run BloodHound.
When the homepage loads I simply use the credentials of the compromised user "svc_openfire".
And it works! I searched for an upload option on the site, and you know what we're going to do if we find one, right? xD I found it at this path, so we need to upload a plugin with a .jar extension.
After researching this version of Openfire, I found it to be vulnerable. Additionally, I found a web shell plugin. So I uploaded it, finally got the root flag and compromised the domain.
This script is easy to understand, and we discovered that this version of Openfire is vulnerable to path traversal and broken authentication: it allows unauthenticated access to application files by using Unicode characters in URL encoding.
%u002e%u002e/%u002e%u002e = ../..
So the exploit is divided into 3 phases. Let's explain:
Phase 1:
Access the page "user-groups.jsp" by exploiting the path traversal, then take the CSRF token and the JSESSIONID.
Phase 2:
Access "user-create.jsp" using the same technique and create a fake user with the admin role.
Phase 3:
Access the admin panel and upload the malicious plugin for RCE.
In our scenario we don't need to go through phases 1 and 2, because we already have the credentials of the user "svc_openfire", which let us access the admin panel directly; we just need to upload the malicious plugin.
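The reason the "%u002e%u002e" form above slips past an authentication filter is that the filter looks at the raw request string while the servlet container decodes the non-standard %uXXXX escape afterwards, so the two disagree about which resource is being requested. The Python below is an added example, not code from this writeup, from the exploit script or from Openfire: it decodes %uXXXX and %XX escapes until stable, canonicalises the path, places the broken "check the raw string" pattern next to the hardened "check the canonical path" pattern, and runs a traversal detector over constructed access-log lines. The "/public/" exemption prefix, the paths and the log lines are all assumptions made for the example.

```python
"""Canonicalise request paths before access-control and detection decisions.

Added example, not code from the writeup or from Openfire. It assumes a
hypothetical filter that exempts everything under EXEMPT_PREFIX from
authentication; the paths and access-log lines are constructed.
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote

# Non-standard %uXXXX escape, decoded by some Java servlet containers but
# ignored by filters that only understand %XX.
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
EXEMPT_PREFIX = "/public/"  # hypothetical unauthenticated area
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_url_path(path: str) -> str:
    """Decode %uXXXX and %XX escapes, repeating until the result is stable so
    double-encoded input such as %25u002e is fully unwrapped."""
    prev = None
    while path != prev:
        prev = path
        path = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
        path = unquote(path)
    return path


def canonical_path(path: str) -> str:
    """Decoded path with '.' and '..' segments collapsed, anchored at '/' so
    '..' can never climb above the web root."""
    decoded = decode_url_path(path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_exempt_weak(raw_path: str) -> bool:
    """The broken pattern: the exemption is decided on the raw request string,
    so a traversal hidden behind %u escapes still 'starts with' the prefix."""
    return raw_path.startswith(EXEMPT_PREFIX)


def is_exempt_hardened(raw_path: str) -> bool:
    """Same rule applied to the canonical path: the request is judged by the
    resource it actually resolves to."""
    return canonical_path(raw_path).startswith(EXEMPT_PREFIX)


def has_traversal(raw_path: str) -> bool:
    """True when any '..' segment survives decoding (query string ignored)."""
    decoded = decode_url_path(raw_path.split("?", 1)[0])
    return ".." in decoded.split("/")


def flag_traversal(log_lines: list[str]) -> list[str]:
    """Raw request paths from access-log lines that contain traversal once decoded."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines (common log format), not from any real host.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2024:18:01:00 +0000] "GET /public/index.html HTTP/1.1" 200 223',
    '10.0.0.9 - - [20/Mar/2024:18:01:07 +0000] "GET /public/%u002e%u002e/admin/list.jsp HTTP/1.1" 200 1440',
    '10.0.0.9 - - [20/Mar/2024:18:01:09 +0000] "GET /public/%252e%252e/admin/list.jsp HTTP/1.1" 200 1440',
    '10.0.0.7 - - [20/Mar/2024:18:01:12 +0000] "POST /admin/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(decode_url_path("%u002e%u002e/%u002e%u002e"))  # ../..
    for raw in flag_traversal(SAMPLE_LOG):
        print(raw, "->", canonical_path(raw),
              "| weak exempt:", is_exempt_weak(raw),
              "| hardened exempt:", is_exempt_hardened(raw))
```

On the logging side, a 200 response for a path that decodes to a traversal, from a client that never authenticated, is the signal worth alerting on; on the application side the fix is the hardened check, that is, decode and normalise once, then apply every access decision to that canonical form.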
So the user can execute DCOM over "DC01". Let's use it to get our first shell and first flag. First I generated a PowerShell reverse shell and encoded it in Base64 using this:
But wait a minute, we need to understand CVE-2023-32315 first, because as we know we're not script kiddies who just execute exploits without knowing what happens in the background xD Here is the link to the CVE:
I just selected this code snippet, which is the exploit phase: