gbermudez2

Openfire Writeup

May 1, 2025

Link: Openfire Lab

References

• NIST
• VulnCheck

Summary

• Tools used: Wireshark
• MITRE ATT&CK Tactics: Initial Access, Execution, Persistence, Discovery, Command and Control

Procedure

1. This scenario involves a .pcap file containing network traffic from malicious activity affecting an Openfire server. Wireshark will be my main tool for discovering any IoCs and evidence of attacker actions.

   

2. First, I need to find out if there are any signs of login activity to the server. Openfire is a messaging application server, so it’ll be useful in determining any suspicious users accessing these messages.
   • Usually these logins use the HTTP protocol, so putting the search term “http” in the Filter field brings up all relevant data.

   • To look for a login request, we have to find a POST request, since a user would have to enter in credentials:

     

   • Inside the packet data, we find some curious information, like the username, password, and CSRF token, which are all useful.

   • A user attempting to log in as “admin” raises some red flags, though it’s best to investigate further before jumping to conclusions.

     

3. Next, I went through the logs further to find any indicators of account creation, perhaps by the attacker.

   • I thought at first that the account names would either try to blend in (like “Administrator”), but I found an interesting set of network logs that prove otherwise:

     

   • It seems that after failing to log into the admin account three times, the attacker created 3 new accounts with random strings of numbers and letters.

   • What’s curious is that in the account creation parameters, the value isadmin is set to “on”, which means the attacker used the user-create.jsp file on the server via directory traversal to create an account with admin privileges:

     

   • The attacker later logs in with these credentials, which returns a 302 Found response from the server, signifying a successful login (compared to the previous failed 200 OK responses).

     

4. After confirming that the attacker was trying to access the system, the next reasonable step is to find out the attacker’s objectives.

   • Luckily, we don’t have to look far to find out. The attacker seems to have submitted a POST request, uploading a plugin called openfire-plugin.jar to the server.

     

   • Looking further down the logs, I spotted a few obvious POST commands that utilized this uploaded openfire-plugin.jar file. In the post URL, they had an “action=command” string appended to them.

   • I opened the details for the first one I saw, and spotted the following form item:

     

   • The attacker used “whoami” to likely figure out their privileges.

   • The very next POST request was where the main malicious activity was put into place, with the command “nc” (netcat) being used to form a connection between the server and the attacker, perhaps to perform data exfiltration:

     

   • Now that the attacker established a reverse shell from port 8888, we can now examine further activity by looking through TCP traffic on port 8888 to IP 192[.]168[.]18[.]60.

   • Various commands like uname -a and ifconfig are shown in the Packet bytes.

     

After doing some more research, I found an article referencing this vulnerability as CVE-2023-32315, with a CVE 3.0 score of 7.5 (NIST). The premise of the vulnerability involves directory traversal leading into remote code execution. According to VulnCheck, this vulnerability is still present in the wild.