4. Jab

4.1. Machine Info

jab

4.2. Recon

4.2.1. Ports

  • dns: DC01.jab.htb

  • kerberos, samba, ldap (with ssl)

  • XMPP (Jabber, Extensible Messaging and Presence Protocol) server (with SSL)

    • jabber: 5222,5262,5275

    • 5269, Wildfire(Openfire) XMPP Client

    • 7070, realserver

    • 7443, ssl/oracleas-https

    • 7777, socks5

    • 9389, .NET Message Framing

PORT      STATE SERVICE             VERSION
53/tcp    open  domain              Simple DNS Plus
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-02-24 19:04:26Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-24T19:05:46+00:00; -25s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-24T19:05:46+00:00; -25s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-02-24T19:05:46+00:00; -25s from scanner time.
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-24T19:05:46+00:00; -25s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
5222/tcp  open  jabber
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|     features:
|     capabilities:
|     auth_mechanisms:
|     stream_id: 8f9nx0ggl4
|     xmpp:
|_      version: 1.0
5223/tcp  open  ssl/jabber
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     compression_methods:
|     features:
|     capabilities:
|     errors:
|       (timeout)
|     xmpp:
|_    auth_mechanisms:
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5262/tcp  open  jabber
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|     features:
|     capabilities:
|     auth_mechanisms:
|     stream_id: 6c66nklsvl
|     xmpp:
|_      version: 1.0
5263/tcp  open  ssl/jabber
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     compression_methods:
|     features:
|     capabilities:
|     errors:
|       (timeout)
|     xmpp:
|_    auth_mechanisms:
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     compression_methods:
|     features:
|     capabilities:
|     errors:
|       (timeout)
|     xmpp:
|_    auth_mechanisms:
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5275/tcp  open  jabber
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|     features:
|     capabilities:
|     auth_mechanisms:
|     stream_id: 5s52ucfaj5
|     xmpp:
|_      version: 1.0
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5276/tcp  open  ssl/jabber
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     compression_methods:
|     features:
|     capabilities:
|     errors:
|       (timeout)
|     xmpp:
|_    auth_mechanisms:
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7070/tcp  open  realserver?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Sat, 24 Feb 2024 19:04:26 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Sat, 24 Feb 2024 19:04:32 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp  open  ssl/oracleas-https?
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Sat, 24 Feb 2024 19:04:39 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Sat, 24 Feb 2024 19:04:45 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
|_ssl-date: TLS randomness does not represent time
7777/tcp  open  socks5              (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_  No authentication
9389/tcp  open  mc-nmf              .NET Message Framing
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc               Microsoft Windows RPC
49665/tcp open  msrpc               Microsoft Windows RPC
49666/tcp open  msrpc               Microsoft Windows RPC
49667/tcp open  msrpc               Microsoft Windows RPC
49671/tcp open  msrpc               Microsoft Windows RPC
49686/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc               Microsoft Windows RPC
49688/tcp open  msrpc               Microsoft Windows RPC
49752/tcp open  msrpc               Microsoft Windows RPC
49768/tcp open  msrpc               Microsoft Windows RPC
8 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5222-TCP:V=7.94SVN%I=7%D=2/25%Time=65DA3DE8%P=x86_64-pc-linux-gnu%r
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (96%), Microsoft Windows 10 1709 - 1909 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows 10 1709 - 1803 (91%), Microsoft Windows 10 1809 - 2004 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

4.2.2. Jabber, Openfire Client

Install Pidgin and register a new user:


Search for chat rooms: test (we are authorized) and test2 (we are not):


Enable the History and XMPP Service Discovery plugins; the latter is used to browse services and chat rooms:


Save the log locally, search for users with the regular-expression option, and then collect those usernames (for further brute-forcing of users with ‘Do not require Kerberos preauthentication’ set):


└─╼$ cat output.log | grep -Eo "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,6}" | sort -u | awk -F'@' '{print $1}' | tee users.txt

└─╼$ cat users.txt | head -n 5
aaaron
aallen
aaltman
aanderson
aarrowood

4.3. Foothold

Notice: the full version of the write-up is here.

4.4. Exploit Chain

port scan -> dns, kerberos, samba, ldap, openfire (jabber) -> create a new user -> enumerate openfire chat rooms & collect usernames via the discovery plugin -> kerberoasting: three users without preauthentication, jmontgomery's hash is crackable -> openfire login as jmontgomery & more chat rooms -> svc_openfire credential -> able to conduct DCOM Exec (dcomexec | powershell) -> svc_openfire shell -> system enumeration: openfire process hosted with higher privilege -> port forwarding & sign in as svc_openfire -> plugin upload: webshell -> revshell -> system priv & dump hashes -> admin priv

4.5. Beyond Root

4.5.1. T1558.003: Kerberoasting

Kerberoasting is an attack that abuses the way the Kerberos protocol issues service tickets in order to crack user-account passwords. MITRE ATT&CK tracks it as T1558.003: Kerberoasting. An attacker requests service tickets from the Key Distribution Center (KDC) and then cracks the encrypted material in those tickets offline to recover the account's password. The impacket-getnpusers tool supports this workflow by identifying users that are not protected by the ‘require Kerberos preauthentication’ setting, which essentially allows attackers to request TGS tickets without needing to authenticate first.
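From the defender's side, the two things worth checking are the directory setting itself (which accounts carry the UF_DONT_REQUIRE_PREAUTH bit) and the KDC audit trail. Note that what GetNPUsers actually collects is the AS-REP for those accounts (Event ID 4768 with Pre-Authentication Type 0 on the DC), while requests for service tickets of SPN accounts show up as Event ID 4769; asking for RC4 (etype 0x17) tickets is the usual tell in both cases. The following is an added example, not code from the write-up or from impacket: the account records and Security-log events are constructed and simplified to the fields the checks need, and the IPs, `svc_backup` and the userAccountControl values are assumptions.

```python
from collections import defaultdict

# userAccountControl bit for "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH).
UF_DONT_REQUIRE_PREAUTH = 0x400000
# Kerberos encryption type 0x17 = RC4-HMAC. Roasting tools ask for RC4 because that
# ticket material is keyed from the NT hash and cracks far faster than the AES types.
ETYPE_RC4_HMAC = 0x17

# Constructed directory records (the userAccountControl values are assumptions for this example).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jmontgomery",  "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "aanderson",    "userAccountControl": 0x200},
    {"sAMAccountName": "svc_openfire", "userAccountControl": 0x200 | 0x10000},  # DONT_EXPIRE_PASSWD
]

# Constructed Security-log records, reduced to the fields the checks use.
# 4768 = TGT requested (AS-REQ/AS-REP); 4769 = service ticket requested (TGS-REQ/TGS-REP).
# status 0x0 = success, 0x19 = KDC_ERR_PREAUTH_REQUIRED (a no-preauth probe against a protected account).
SAMPLE_EVENTS = [
    {"id": 4768, "target": "jmontgomery",  "client": "10.0.0.25", "preauth_type": 0, "etype": 0x17, "status": "0x0"},
    {"id": 4768, "target": "svc_openfire", "client": "10.0.0.25", "preauth_type": 0, "etype": 0x17, "status": "0x19"},
    {"id": 4768, "target": "aanderson",    "client": "10.0.0.40", "preauth_type": 2, "etype": 0x12, "status": "0x0"},
    {"id": 4769, "target": "jmontgomery", "service": "svc_openfire", "client": "10.0.0.25", "etype": 0x17, "status": "0x0"},
    {"id": 4769, "target": "jmontgomery", "service": "svc_backup",   "client": "10.0.0.25", "etype": 0x17, "status": "0x0"},
    {"id": 4769, "target": "jmontgomery", "service": "krbtgt",       "client": "10.0.0.25", "etype": 0x17, "status": "0x0"},
    {"id": 4769, "target": "aanderson",   "service": "DC01$",        "client": "10.0.0.40", "etype": 0x12, "status": "0x0"},
    {"id": 4769, "target": "aanderson",   "service": "svc_openfire", "client": "10.0.0.40", "etype": 0x12, "status": "0x0"},
]


def accounts_without_preauth(accounts):
    """Directory-side check: accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def asrep_roast_candidates(events):
    """Log-side check: a successful 4768 with Pre-Authentication Type 0 means the KDC
    handed out an AS-REP (crackable offline) without any proof of the password.
    Returns sorted (client, account) pairs."""
    return sorted({(e["client"], e["target"]) for e in events
                   if e["id"] == 4768 and e["preauth_type"] == 0 and e["status"] == "0x0"})


def kerberoast_candidates(events, min_services=2):
    """Log-side check: successful 4769 with RC4 for a user (non-$) service account other
    than krbtgt. Grouped per client: one client pulling RC4 tickets for several distinct
    service accounts in a short window is the classic roasting pattern."""
    per_client = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["status"] != "0x0" or e["etype"] != ETYPE_RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts and the TGT service are not roasting targets
        per_client[e["client"]].add(svc)
    return {c: sorted(s) for c, s in per_client.items() if len(s) >= min_services}


if __name__ == "__main__":
    print("accounts without preauth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("AS-REP issued without preauth:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("RC4 service-ticket bursts:", kerberoast_candidates(SAMPLE_EVENTS))
```

The fix on the directory side is simply clearing the flag on accounts that do not genuinely need it and moving service accounts to AES-only keys (or gMSA), after which the RC4 filter in `kerberoast_candidates` becomes a high-confidence alert rather than a volume heuristic.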

4.5.2. DCOM

The Distributed Component Object Model (DCOM) is a Microsoft technology for communication among software components distributed across networked computers. DCOM, which originally was an extension of the Component Object Model (COM), enables interaction between software components on the same network. It was introduced with Windows NT 4.0.

Check whether the remote server exposes a DCOM object and enumerate its members:

Method 1: runas + CreateInstance & GetTypeFromProgID + Get-Member

runas.exe /user:jab.htb\svc_openfire /netonly powershell
# then, in the PowerShell window that opens under the svc_openfire network credentials:
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","10.129.225.190")); $com | Get-Member


Method 2: cmd and PowerShell commands run locally

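The remote activation above leaves a distinctive trace on the target: the DcomLaunch service (an svchost.exe instance) starts mmc.exe with the COM activation switch `-Embedding` under the caller's account, and anything executed through the object then appears as a child of that mmc.exe. The following detection logic is an added example, not code from the write-up or from impacket's dcomexec: it runs over constructed process-creation records (Sysmon Event ID 1 / Security 4688 style, reduced to pid, parent pid, image, command line and user), and every pid, path and command line in the sample is an assumption.

```python
import ntpath
from collections import defaultdict

# Constructed process-creation records; all values are assumptions for this example.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p", "user": r"NT AUTHORITY\SYSTEM"},
    # remote activation of MMC20.Application: DcomLaunch starts mmc.exe with -Embedding as the caller
    {"pid": 5120, "ppid": 900, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\system32\mmc.exe" -Embedding', "user": r"JAB\svc_openfire"},
    # a command run through the object lands as a child of that mmc.exe
    {"pid": 5200, "ppid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": r"JAB\svc_openfire"},
    # benign: an administrator opened a console interactively from the shell
    {"pid": 3000, "ppid": 2500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": r"JAB\aanderson"},
    {"pid": 6000, "ppid": 3000, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\system32\mmc.exe" eventvwr.msc', "user": r"JAB\aanderson"},
]


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def find_dcom_mmc_execution(events):
    """Flag mmc.exe instances that were COM-activated (-Embedding). Severity rises to
    'high' when the instance spawned children, which is how ExecuteShellCommand-style
    use of the object shows up; the DcomLaunch parent confirms remote activation."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if _name(e["image"]) != "mmc.exe" or "-embedding" not in e["cmdline"].lower():
            continue  # interactive consoles (mmc.exe foo.msc) are not flagged
        parent = by_pid.get(e["ppid"])
        from_dcomlaunch = parent is not None and "dcomlaunch" in parent["cmdline"].lower()
        spawned = sorted(_name(c["image"]) for c in children[e["pid"]])
        findings.append({
            "mmc_pid": e["pid"],
            "user": e["user"],
            "from_dcomlaunch": from_dcomlaunch,
            "spawned": spawned,
            "severity": "high" if spawned else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dcom_mmc_execution(SAMPLE_PROCESS_EVENTS):
        print(f)
```

Correlating the finding with a network logon (Event ID 4624, logon type 3) for the same user a few seconds earlier gives the source host; on the prevention side, remote activation of this object requires the caller to hold DCOM launch/activation rights on the target, so membership in the local Administrators and Distributed COM Users groups is what to audit for accounts like svc_openfire.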