Openfire Lab

Q1) What is the CSRF token value for the first login request?

http.request.method == POST

Answer: tmJU6J9uym8oIOD

Q2) What is the password of the first user who logged in?

http.request.method == POST

Answer: Admin@Passw0rd#@#

Q3) What is the 1st username that was created by the attacker?

frame contains "create"
# or, equivalently:
http.request.uri contains "create"

Answer: 3536rr

Q4) What is the username that the attacker used to login to the admin panel?

http.request.method == POST

Then follow the TCP stream.

Answer: a7zo4l

Q5) What is the name of the plugin that the attacker uploaded?

http.request.method == POST

Then follow the HTTP stream.

Answer: openfire-plugin.jar

Q6) What is the first command that the user executed?

http.request.method == POST
http.request.uri contains "action"

Answer: whoami

Q7) Which tool did the attacker use to get a reverse shell?

http.request.uri contains "action"

Answer: netcat

Q8) Which command did the attacker execute on the server to check for network interfaces?

The attacker used port 8888 for the reverse shell, so apply a filter that keeps only traffic on that port:

tcp.port == 8888

Next, follow the TCP stream.

Answer: ifconfig

Q9) What is the CVE of the vulnerability exploited?

Answer: CVE-2023-32315
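The same filters can be replayed outside Wireshark once the HTTP requests have been exported. The script below is an added example (not part of the lab or of Openfire) that applies the lab's three filters to constructed request records and pulls out the login token, the created user, the uploaded plugin and the commands passed through an "action" parameter. The paths (/login.jsp, /user-create.jsp, /plugin-admin.jsp), the form field names and the multipart filename line are assumptions, not values taken from the lab pcap.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests, shaped like the rows "Follow HTTP stream" shows:
# (method, request URI, decoded body). Paths and field names are assumed.
SAMPLE_REQUESTS = [
    ("GET",  "/login.jsp", ""),
    ("POST", "/login.jsp",
     "csrf=tmJU6J9uym8oIOD&username=admin&password=Admin%40Passw0rd%23%40%23"),
    ("POST", "/user-create.jsp",
     "csrf=Q9x1&username=3536rr&password=p&create=Create+User"),
    ("POST", "/login.jsp", "csrf=K2m8&username=a7zo4l&password=p"),
    ("POST", "/plugin-admin.jsp?uploadplugin", 'filename="openfire-plugin.jar"'),
    ("GET",  "/plugins/openfire-plugin/cmd.jsp?action=whoami", ""),
    ("GET",  "/plugins/openfire-plugin/cmd.jsp?action=ifconfig", ""),
]


def reconstruct_intrusion(requests):
    """Replay the lab's display filters over request records and collect the
    artefacts the questions ask for, in capture order."""
    summary = {"logins": [], "created_users": [], "plugins": [], "commands": []}
    for method, uri, body in requests:
        path, _, query = uri.partition("?")
        form = {k: v[0] for k, v in parse_qs(body).items()}
        params = {k: v[0] for k, v in parse_qs(query).items()}

        # http.request.method == POST, then read the login form fields
        if method == "POST" and "login" in path and "password" in form:
            summary["logins"].append(
                (form.get("csrf"), form.get("username"), form["password"]))

        # http.request.uri contains "create"
        if "create" in uri and "username" in form:
            summary["created_users"].append(form["username"])

        # POST to the plugin upload page: take the .jar filename from the body
        if method == "POST" and "plugin" in path:
            m = re.search(r'filename="([^"]+\.jar)"', body)
            if m:
                summary["plugins"].append(m.group(1))

        # http.request.uri contains "action": the command run via the plugin
        if "action" in params:
            summary["commands"].append(params["action"])
    return summary


if __name__ == "__main__":
    for stage, items in reconstruct_intrusion(SAMPLE_REQUESTS).items():
        print(f"{stage}: {items}")
```

The first login entry answers Q1 and Q2, the second the attacker's account from Q4; the "commands" list is where the Q6 and Q8 answers appear once the reverse-shell traffic on port 8888 is added.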
