CyberDefenders Write-up: Openfire Lab
Hey folks! Today, I will write about solving the Openfire lab. It’s my first write-up, so I hope you find it useful.
First, here is the scenario for the lab:
As a cybersecurity analyst, you are tasked with investigating a data breach targeting your organization’s Openfire messaging server. Attackers have exploited a vulnerability in the server, compromising sensitive communications and potentially exposing critical data. Your task is to analyze the provided network capture files using Wireshark. Identify evidence of the exploitation, trace the attacker’s actions, and uncover indicators of compromise.
The first thing I did was look at the lab questions. I found one important thing to search for: the Openfire CVE. After searching and opening many pages, I found a helpful write-up about the Openfire CVE called “Path Traversal in Openfire Leads to RCE.” It helped me understand what Openfire is and what the vulnerability is.
Then, I decided to start with the last question.
Q9: What is the CVE of the vulnerability exploited? Answer: CVE-2023-32315
Then, I opened the machine and the PCAP file, but I was a bit confused. The first question was:
Q1: What is the CSRF token value for the first login request?
So, I thought about the GET and POST methods. I used the following display filter in Wireshark (the method is a string field, so the values are quoted):
http.request.method == "GET" or http.request.method == "POST"
This showed me both GET and POST requests. I then looked at the first login request with the POST method, checked its form data, and found what I needed.
So the answer is: tmJU6J9uym8oIOD
The same request also gives the answer to the second question:
Q2: What is the password of the first user who logged in? Answer: Admin@Passw0rd#@#
Let’s jump to the third question:
Q3: What is the 1st username that was created by the attacker?
What I did was scroll down until I found “user-create” and looked at the line. There, I found the username: 3536rr
Q4: What is the username that the attacker used to login to the admin panel?
It asked about the username used in the login. We saw that the attacker created three users. So, I checked the first POST login request after the user creation and looked for the username.
So the answer is: a7zo4l
Q5: What is the name of the plugin that the attacker uploaded?
Okay, then I scrolled down, looked for the POST method, and checked the request that has the upload.
Yes, the filename of the plugin is: openfire-plugin.jar
Q6: What is the first command that the user executed?
It asked about the command. So, I searched for the POST request that carries the command and also looked at the HTML form data in it.
So the answer is: whoami
Q7: Which tool did the attacker use to get a reverse shell?
Okay, I looked at the last POST request that had a command, and I found nc. So, the answer is: Netcat.
Q8: Which command did the attacker execute on the server to check for network interfaces?
I picked the last line, opened the TCP stream, and scrolled until I found all the commands that were executed. I found that the command was: ifconfig
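The manual steps above (first login POST, user-create request, plugin upload, command form fields) can be turned into a repeatable check. The following Python script is an added example, not part of the original write-up and not Openfire's own code. It runs offline over a constructed list of request records of the kind you read off Wireshark's HTTP dissector (method, URI, form body, upload filename). The endpoint names login.jsp, user-create.jsp and plugin-admin.jsp are assumed admin-console paths, and every token, username, password and filename in the sample is a constructed placeholder, not a value from the lab capture.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:
    """One HTTP request as read off Wireshark's HTTP dissector."""
    method: str
    uri: str
    body: str = ""                          # form-encoded POST body, empty for GET
    upload_filename: Optional[str] = None   # filename of a multipart upload, if any


# Assumed Openfire admin-console endpoints (assumption, not taken from the lab).
LOGIN_PAGE = "/login.jsp"
USER_CREATE_PAGE = "/user-create.jsp"
PLUGIN_PAGE = "/plugin-admin.jsp"
# A '..' path segment in the raw URI is the traversal indicator worth flagging.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample traffic; none of these values come from the lab pcap.
SAMPLE = [
    HttpRequest("GET", "/login.jsp"),
    HttpRequest("POST", "/login.jsp",
                "csrf=EXAMPLE_TOKEN_1&username=admin&password=Example%23Pass&login=Login"),
    HttpRequest("GET", "/setup/../user-create.jsp?csrf=EXAMPLE_TOKEN_2&username=evil01"
                       "&password=x&passwordConfirm=x&isadmin=on&create=Create+User"),
    HttpRequest("POST", "/login.jsp",
                "csrf=EXAMPLE_TOKEN_3&username=evil01&password=x&login=Login"),
    HttpRequest("POST", "/plugin-admin.jsp?uploadplugin&csrf=EXAMPLE_TOKEN_3",
                upload_filename="example-plugin.jar"),
    HttpRequest("POST", "/plugins/example/cmd", "command=whoami"),
    HttpRequest("POST", "/plugins/example/cmd", "command=ifconfig"),
]


def form_fields(req: HttpRequest) -> Dict[str, str]:
    """Merge query-string and body parameters into one dict; first value wins."""
    merged = parse_qs(urlsplit(req.uri).query, keep_blank_values=True)
    if req.body:
        for key, values in parse_qs(req.body, keep_blank_values=True).items():
            merged.setdefault(key, values)
    return {k: v[0] for k, v in merged.items()}


def normalised_path(req: HttpRequest) -> str:
    """Path with '..' segments resolved, so a traversal URI still matches its target page."""
    return posixpath.normpath(urlsplit(req.uri).path)


def triage(requests: List[HttpRequest]) -> Dict[str, object]:
    """Collect the artifacts the lab questions ask for, in capture order."""
    findings: Dict[str, object] = {
        "first_login": None,    # csrf token and credentials of the first login POST
        "logins": [],           # usernames submitted to the login page
        "created_users": [],    # accounts created through user-create
        "plugin_uploads": [],   # filenames uploaded through the plugin page
        "commands": [],         # values of a 'command' form field
        "traversal": 0,         # requests whose raw URI contains '..' segments
    }
    for req in requests:
        if TRAVERSAL.search(urlsplit(req.uri).path):
            findings["traversal"] += 1
        path = normalised_path(req)
        fields = form_fields(req)
        if path == LOGIN_PAGE and req.method == "POST" and "username" in fields:
            findings["logins"].append(fields["username"])
            if findings["first_login"] is None:
                findings["first_login"] = {
                    "csrf": fields.get("csrf", ""),
                    "username": fields["username"],
                    "password": fields.get("password", ""),
                }
        elif path == USER_CREATE_PAGE and "username" in fields and fields.get("create"):
            findings["created_users"].append(fields["username"])
        elif path == PLUGIN_PAGE and req.upload_filename:
            findings["plugin_uploads"].append(req.upload_filename)
        if "command" in fields:
            findings["commands"].append(fields["command"])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Resolving the path before matching is the part that matters for this lab: a request that reaches user-create through a `..` segment would otherwise never match the user-create endpoint, while the raw URI is still counted separately so the traversal itself shows up as a finding.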
CONGRATULATIONS! It’s done.
See you in the next write-up!