Enum
sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting udp (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -o udp --min-rate 1000 $IP
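The scans above leave four normal-format reports (nmap, alltcp, alltcpslow, udp) that need to be reconciled into one port list before moving on to service enumeration. The following parser is an added example, not part of these notes: it reads nmap's normal output (what -o / -oN writes), merges the quick, full-TCP and UDP reports keyed on port and protocol so that the -A version strings override the bare service names from the quick scan, and keeps only ports in state "open" (so "open|filtered" UDP guesses are not mistaken for confirmed services). The sample reports embedded below are constructed for the example; the host address, banners and timestamps are not taken from the notes.

```python
import re
from typing import Dict, List, Optional

# Matches the per-port lines of nmap's normal output, e.g.
#   5222/tcp open  jabber  Ignite Realtime Openfire Jabber server 3.10.0 or later
# Header lines ("PORT STATE SERVICE"), "Not shown:", host lines and NSE
# script output ("| http-title: ...") do not match and are skipped.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# Constructed sample reports (not real scan output) standing in for the
# files the scans above would write.
QUICK_TCP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -T4 -A -v -o nmap 10.10.10.5
Nmap scan report for 10.10.10.5
Host is up (0.020s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5222/tcp open  xmpp-client
9090/tcp open  zeus-admin
"""

FULL_TCP = """\
Nmap scan report for 10.10.10.5
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
80/tcp   open     http    Apache httpd 2.4.52
| http-title: Welcome
|_Requested resource was /index.html
5222/tcp open     jabber  Ignite Realtime Openfire Jabber server 3.10.0 or later
9090/tcp open     http    Jetty
9091/tcp filtered unknown
"""

UDP = """\
PORT    STATE         SERVICE VERSION
123/udp open|filtered ntp
161/udp open          snmp    SNMPv1 server (public)
"""


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one record per port line found in a normal-format nmap report."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["port"] = int(m.group("port"))
        rec["version"] = m.group("version") or ""
        records.append(rec)
    return records


def merge_scans(*reports: str) -> List[Dict[str, object]]:
    """Merge several reports keyed on (port, proto).

    Later reports override earlier ones, so the -A version string from the
    full scan replaces the bare service name from the quick scan.
    """
    merged: Dict[tuple, Dict[str, object]] = {}
    for report in reports:
        for rec in parse_nmap_normal(report):
            merged[(rec["port"], rec["proto"])] = rec
    return [merged[key] for key in sorted(merged)]


def open_ports(records: List[Dict[str, object]], proto: Optional[str] = None) -> List[int]:
    """Ports whose state is exactly 'open' (excludes filtered and open|filtered)."""
    return [
        int(r["port"])
        for r in records
        if r["state"] == "open" and (proto is None or r["proto"] == proto)
    ]


if __name__ == "__main__":
    for r in merge_scans(QUICK_TCP, FULL_TCP, UDP):
        print(f'{r["port"]}/{r["proto"]:<4} {r["state"]:<14} {r["service"]:<12} {r["version"]}')
```

In practice the three string constants are replaced by the contents of the report files the scans write; everything else stays the same.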
Services:
Used this to add a user
username: 9o6orr password: s27b0a
Run exploit
login with newly added user
go to tab plugin > upload plugin openfire-management-tool-plugin.jar
go to tab server > server settings > Management tool
Access webshell with password "123"
we got a shell
local
39dcf3ffce8bc1f250163034c5687bca
we delete the admin user
now we can re-register as admin with our own password by modifying the previous exploit
username: admin password: 6qztyc
well that did nothing extra for us - we were already admins
passback attack
check for passback attacks
proof
4fbdad1e1ce4b613922d95ac812f5128