sudo masscan -p1-65535,U:1-65535 10.129.44.43 --rate=1000 -e tun0
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-05-15 22:36:28 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 6791/tcp on 10.129.44.43
Discovered open port 139/tcp on 10.129.44.43
Discovered open port 445/tcp on 10.129.44.43
Discovered open port 135/tcp on 10.129.44.43
Discovered open port 80/tcp on 10.129.44.43
rate: 0.00-kpps, 100.00% done, waiting -33-secs, found=5
Scan Services Open Port
sudo nmap -p '6791, 139, 445, 135, 80' -sVSC -A -oN nmap_detailed_all_tcp_ports.txt 10.129.44.43 -v2
[sudo] password for replican:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-16 05:40 WIB
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:40
Completed NSE at 05:40, 0.00s elapsed
Initiating Ping Scan at 05:40
Scanning 10.129.44.43 [4 ports]
Completed Ping Scan at 05:40, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 05:40
Scanning solarlab.htb (10.129.44.43) [5 ports]
Discovered open port 6791/tcp on 10.129.44.43
Discovered open port 135/tcp on 10.129.44.43
Discovered open port 139/tcp on 10.129.44.43
Discovered open port 80/tcp on 10.129.44.43
Discovered open port 445/tcp on 10.129.44.43
Completed SYN Stealth Scan at 05:40, 0.06s elapsed (5 total ports)
Initiating Service scan at 05:40
Scanning 5 services on solarlab.htb (10.129.44.43)
Completed Service scan at 05:40, 11.17s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against solarlab.htb (10.129.44.43)
Retrying OS detection (try #2) against solarlab.htb (10.129.44.43)
Initiating Traceroute at 05:40
Completed Traceroute at 05:40, 0.05s elapsed
Initiating Parallel DNS resolution of 1 host. at 05:40
Completed Parallel DNS resolution of 1 host. at 05:40, 0.04s elapsed
NSE: Script scanning 10.129.44.43.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:40
NSE Timing: About 99.86% done; ETC: 05:41 (0:00:00 remaining)
Completed NSE at 05:41, 40.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.20s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
Nmap scan report for solarlab.htb (10.129.44.43)
Host is up, received echo-reply ttl 127 (0.039s latency).
Scanned at 2024-05-16 05:40:42 WIB for 56s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 nginx 1.24.0
|_http-title: SolarLab Instant Messenger
|_http-server-header: nginx/1.24.0
| http-methods:
|_ Supported Methods: GET HEAD
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
6791/tcp open http syn-ack ttl 127 nginx 1.24.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://report.solarlab.htb:6791/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP (85%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows XP SP3 (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94%E=4%D=5/16%OT=80%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=66453A22%P=x86_64-pc-linux-gnu)
SEQ(SP=103%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=U)
OPS(O1=M53CNW8NNS%O2=M53CNW8NNS%O3=M53CNW8%O4=M53CNW8NNS%O5=M53CNW8NNS%O6=M53CNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M53CNW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 19797/tcp): CLEAN (Timeout)
| Check 2 (port 46928/tcp): CLEAN (Timeout)
| Check 3 (port 17281/udp): CLEAN (Timeout)
| Check 4 (port 59848/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-05-15T22:41:01
|_ start_date: N/A
TRACEROUTE (using port 6791/tcp)
HOP RTT ADDRESS
1 39.81 ms 10.10.14.1
2 40.15 ms solarlab.htb (10.129.44.43)
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:41
Completed NSE at 05:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.15 seconds
Raw packets sent: 93 (7.776KB) | Rcvd: 34 (2.080KB)
after all scan in http port using dirsearch we found nothing usefull. so continue
Configuration
echo '10.129.44.43 solarlab.htb report.solarlab.htb' | sudo tee -a /etc/hosts
Exploitation
ReportHUb is not a real name and is a rabbithole
after many, afterall we can login smb using anonymous credentials
SMB anonymous
smbclient -L 10.129.44.43 -U anonymous
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\anonymous]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Documents Disk
IPC$ IPC Remote IPC
SMB1 disabled -- no workgroup available
smbclient \\\\10.129.44.43\\Documents
Can't load /etc/samba/smb.conf - run testparm to debug it
Password for [WORKGROUP\replican]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Fri Apr 26 21:47:14 2024
.. DR 0 Fri Apr 26 21:47:14 2024
concepts D 0 Fri Apr 26 21:41:57 2024
desktop.ini AHS 278 Fri Nov 17 17:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023
My Music DHSrn 0 Fri Nov 17 02:36:51 2023
My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023
My Videos DHSrn 0 Fri Nov 17 02:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023
7779839 blocks of size 4096. 1893544 blocks available
smb: \> dir
. DR 0 Fri Apr 26 21:47:14 2024
.. DR 0 Fri Apr 26 21:47:14 2024
concepts D 0 Fri Apr 26 21:41:57 2024
desktop.ini AHS 278 Fri Nov 17 17:54:43 2023
details-file.xlsx A 12793 Fri Nov 17 19:27:21 2023
My Music DHSrn 0 Fri Nov 17 02:36:51 2023
My Pictures DHSrn 0 Fri Nov 17 02:36:51 2023
My Videos DHSrn 0 Fri Nov 17 02:36:51 2023
old_leave_request_form.docx A 37194 Fri Nov 17 17:35:57 2023
7779839 blocks of size 4096. 1893544 blocks available
smb: \> get details-file.xlsx
getting file \details-file.xlsx of size 12793 as details-file.xlsx (64.7 KiloBytes/sec) (average 64.7 KiloBytes/sec)
smb: \> exit
dan kita juga bisa meng enumerate smb user dengan ini dgn cara :
nah dapet deh. tinggal pakai, jgn lupa dipahami juga skid
dapet user passnya lgsg aja up plugin rce sesuai instruksi.
mendapatkan openfire user
setelah kita dapet openfire user. kita dapet liat di db file openfire ( ketika rooting / enumerating ) selalu cek db file
db openfire ini sendiri ada di Programfiles embedded-db C:\Program Files\Openfire\embedded-db
INSERT INTO OFUSER VALUES('admin','gjMoswpK+HakPdvLIvp6eLKlYh0=','9MwNQcJ9bF4YeyZDdns5gvXp620=','yidQk5Skw11QJWTBAloAb28lYHftqa0x',4096,NULL,'becb0c67cfec25aa266ae077e18177c5c3308e2255db062e4f0b77c577e159a11a94016d57ac62d4e89b2856b0289b365f3069802e59d442','Administrator','admin@solarlab.htb','001700223740785','0')
INSERT INTO OFPROPERTY VALUES('passwordKey','hGXiFzsKaAeYLjn',0,NULL)
kita dapet credentials admin dan password key untuk dec dari hash ini.
untuk dec openfire password enc ini bs searching aja pasti nemu
