Fired Proving Grounds Write-Up
SUMMARY
This write-up covers the Fired machine from OffSec’s Proving Grounds, a Linux machine whose XMPP server admin panel was exploited via a known authentication bypass.
Port 9090 hosted an Openfire 4.7.0 admin panel. That version is vulnerable to CVE-2023-32315, an authentication bypass in the admin console that lets an unauthenticated attacker create a new admin account. After logging in with that account, a malicious Java plugin (included in the CVE exploit repository) was uploaded via the Plugins section. Navigating to the plugin’s management tool and authenticating with the plugin’s default password exposed a System Command execution panel. A BusyBox reverse shell was launched from there and caught on a listener.
Privilege escalation involved enumerating Openfire’s data directory. Openfire’s embedded HSQLDB keeps its table contents as plain SQL text under /var/lib/openfire/embedded-db, so recursively grepping that directory for password strings revealed the root SSH password in cleartext. Authenticating via SSH as root completed the machine.
PATH TO FOLLOW
- Reconnaissance & Openfire Discovery on Port 9090
- CVE-2023-32315 Authentication Bypass & Admin Account Creation
- Malicious Java Plugin Upload & System Command Execution
- Reverse Shell via BusyBox
- Openfire Embedded Database Grep for Cleartext Root Password
- SSH Access as Root
Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.