search

HTB | JAB

Machine - https://app.hackthebox.com/machines/Jabarrow-up-right

IP - 10.10.11.4

hashtag
NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,593,5270,5276,7070,7443,49665,49667,49673,49694,49699,49781 10.10.11.4 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-26 19:56 IST
Nmap scan report for 10.10.11.4
Host is up (0.58s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-26 14:26:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: jab.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2025-08-26T14:28:25+00:00; +3s from scanner time.
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
5270/tcp  open  ssl/xmpp      Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5276/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     capabilities: 
|     features: 
|     xmpp: 
|     compression_methods: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|_    unknown: 
7070/tcp  open  http          Jetty
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http      Jetty
|_http-title: Openfire HTTP Binding Service
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49781/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-26T14:28:08
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3s, deviation: 0s, median: 2s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 127.36 seconds

hashtag
Port 53

hashtag
Port 445

Noting the successful anonymous login, I tried SMB Null session enumeration of usernames via RID cycling, but did not have permissions to make RPC calls.

hashtag
Port 88

not able to enumerate

I tried to do userenum via Kerbrute but the attack is going for too long (looks like a rabbit hole)

We found more than 1800 valid usernames

Let’s try AS-REP Roasting

I tried via impacket-GetNPUser, but since it was taking too much time, I moved on

hashtag
Port 5270

XMPP is the Extensible Messaging and Presence Protocol, a set of open technologies for instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.

(reference - https://bishopfox.com/blog/xmpp-underappreciated-attack-surfacearrow-up-right)

Let’s try to connect via Pidgin

I’ll open Pidgin and it says I have no accounts configured:

I’ll click “Add…” and select XMPP from the “Protocol” drop-down, and fill out the rest:

Le’t accept the certificate

Now it prompt for registration, let’s do that

Now we can select our user and the chat panel pops up

From the menu, “Tools” –> “Room List” will give a series of dialogs that leads to a list of the rooms on this server:

conference.jab.htb is automatically filled in. Clicking “Find Rooms” returns two:

I don’t have access to test room

But we can join test2 room, and it has some messages

The image is just text encoded data

On looking around we find Search for Users

and it gives us a search directory

On searching, it spat out everything

But there isn’t a way to export the list

asking ChatGPT to find a way to export it suggests opening a debug window and searching again

Now I can save

Let’s copy the list

We can extract username

hashtag
Fotthold/shell

hashtag
Shell as svc_openfire

hashtag
ASREP Roast

Now, with this new list, we can perform ASREP Roast and we found three hash

Let’s crack em

We found JMontgomery’s cred

We can Auth via LDAP and SMB

Since we do not have anything via SMB, let’s see if we can connect to XMPP via jmontgomery cred

hashtag
Connecting jmontgomery over XMPP

Let’s connect jmontgomery over XMPP

Now we can see a new Room

Let’s connect to that room

From this chat, we now know the credentials of svc_openfire

We can auth via LDAP and SMB

nothing new was there over SMB

hashtag
Bloodhound

On analysing, we found out that SVC_OPENFIRE@JAB.HTB - > ExecuteDCOM - > DC01.JAB.HTB

hashtag
ExecuteDCOM

The user SVC_OPENFIRE@JAB.HTB has membership in the Distributed COM Users local group on the computer DC01.JAB.HTB.

This can allow code execution under certain conditions by instantiating a COM object on a remote machine and invoking its methods.

DCOM is built on top of the TCP/IP RPC protocol (TCP ports 135 + high ephemeral ports) and may leverage several different RPC interface UUIDs(outlined here). In order to use DCOM, one must be authenticated. Consequently, logon events and authentication-specific logs(Kerberos, NTLM, etc.) will be generated when using DCOM.

reference - https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-modelarrow-up-right and https://bloodhound.specterops.io/resources/edges/execute-dcomarrow-up-right

Let’s try to ping our machine from the box via DCOM MMC20

Now we can try to get revshell

found user.txt

hashtag
Privilege Escalation

hashtag
Shell as Administrator

hashtag
Port forwarding

we can see port 9090 and 9091 being hosted internally

let’s use chisel to do port forwarding

hashtag
Openfire admin console

We can see there is openfire console at port 9091

We can login via svc_openfire

hashtag
CVE-2023-32315

I found thisarrow-up-right GitHub Now I need to upload openfire-management-tool-plugin.jar Then goto tab server > server settings > Management tool and Access web shell with password "123"

Here we can see program home page

Now we have to select system command

and we can execute cmd

and we are nt authority\\system

we get root.txt

we can also get revshell

PreviousHTB | JobNextHTB | Flight

Last updated