Writeup ChocolateFire from Dockerlabs

You have two options: READ or WATCH me on YouTube how I complete this CTF Machine.

Do not press the Subscribe Button, It's ILLEGAL 😁😆😅😂🤣

Let's start our reconnaissance with a quick nmap scan:

nmap -p- --open -sV -sC -sS --min-rate=5000 -n -Pn 172.17.0.2 -oN Nmap1

-p- - Search for ports

--open - List open ports

-sS - A quick scan mode

-sC - Use a set of reconnaissance scripts

-sV - Find the version of the open service

--min-rate=5000 - Makes the reconnaissance even faster by sending no fewer than 5000 packets

-n - No DNS resolution

-Pn - No ping

-oN - Save file name

Port 9090 is open:

If we access the web service running on port 9090, we see the following:

It returns a login where we have access with the username and password 'admin'

Seeing the version, we will look for ways to access the machine, and by going to the plugins window, we can upload .jar files, and we can using the exploit from GitHub:

Or we can use Metasploit; if you watch the video, you'll see how I use the exploit from GitHub, but for now, let's do it with Metasploit.

use exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315

Now we do a show options and fill in the fields we need:

We use the run command to start the exploit.

And we are root

Thank you so much for reading this. Please don't forget to check out my YouTube channel and subscribe. Thank you all!