HackTheBox://Bizness
On this box, CVE-2023-51467, an authentication bypass in the Apache OFBiz framework, is exploited. Once the foothold is landed, enumeration is done to find information such as the underlying database to get credentials, and an encoding function is reversed to recover the SHA-1 hash. The hash is then cracked with hashcat.
Nmap Scan
At first we start with an Nmap scan to enumerate ports and services.
┌──(kali㉿kali)-[~/HTB/Bizness]
└─$ sudo nmap -sC -sV -p- $IP -oN scan.full.nmap
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-06 21:59 CET
Nmap scan report for bizness.htb (10.10.11.252)
Host is up (0.054s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open ssl/http nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
|_http-server-header: nginx/1.18.0
|_http-trane-info: Problem with XML parsing of /evox/about
| tls-nextprotoneg:
|_ http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
43511/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.51 seconds
We can observe that the following services are running:
- SSH on port 22
- Nginx webserver on port 80 and 443
- A possibly tcpwrapped application on port 43511
Note:
A TCP wrapper is a host-based access control program. A service can be TCP wrapped so that the wrapper grants access only to authorized hosts. When Nmap marks a port as tcpwrapped, it means that the TCP handshake was fully completed but the connection was closed afterwards before any data was received. This is not the only reason why a port can be marked as tcpwrapped; for example, firewalls can reply that way to port scans.
When observing the results for HTTP port 80, we can see that the request was redirected to bizness.htb. We must add this hostname to our /etc/hosts file for local name resolution, since the domain is not known to public DNS servers.
┌──(kali㉿kali)-[~/HTB/Bizness]
└─$ echo $IP bizness.htb | sudo tee -a /etc/hosts
The Webapp
When accessing the web app we land on a basic home page with no links to other internal pages. There is a contact form whose submit button is disabled. If we edit the HTML and enable it, nothing interesting happens: a div with the ID errormessage appears, containing the home page. The only interesting element we can take note of is the mention of “Powered by Apache OFBiz”.

Fuzzing
We can attempt some basic fuzzing to discover more endpoints. Here we will use Ffuf with a directory wordlist from SecLists.

After a while, we end up hitting control as a valid endpoint. When visiting it, an error message shows up and confirms that we are dealing with an OFBiz application.

CVE-2023-51467
Finding a known vulnerability for OFBiz can be a good road to follow. After a quick Google search, we end up finding CVE-2023-51467, an authentication bypass vulnerability. More information can be found in Sonicwall’s blog post.
We can use this POC to automate the exploit process and get a reverse shell connection. After a few attempts with different commands, we successfully get a shell using Netcat, logged in as the user ofbiz. From here it is good practice to stabilize the shell to get more functionality. Upon execution of the reverse shell we land in the /opt/ofbiz directory, which seems to contain the application source code. The user flag is accessible in the ofbiz user’s home directory.
Note:
For even more ease of use, we can add our public SSH key to the authorized_keys file, which can be created if not present.

Getting Root
Docker Entrypoint Script
After enumeration of basic things such as environment variables, running services and files, we find a docker-entrypoint.sh script. This script contains a function that applies several transformations to a given password and inserts the result into the ./framework/resources/templates/AdminUserLoginData.xml file to set the admin password.
###############################################################################
# Create and load the password hash for the admin user.
load_admin_user() {
    if [ ! -f "$CONTAINER_ADMIN_LOADED" ]; then
        TMPFILE=$(mktemp)
        # Concatenate a random salt and the admin password.
        SALT=$(tr --delete --complement A-Za-z0-9 </dev/urandom | head --bytes=16)
        SALT_AND_PASSWORD="${SALT}${OFBIZ_ADMIN_PASSWORD}"
        # Take a SHA-1 hash of the combined salt and password and strip off any additional output from the sha1sum utility.
        SHA1SUM_ASCII_HEX=$(printf "$SALT_AND_PASSWORD" | sha1sum | cut --delimiter=' ' --fields=1 --zero-terminated | tr --delete '\000')
        # Convert the ASCII Hex representation of the hash to raw bytes by inserting escape sequences and running
        # through the printf command. Encode the result as URL base 64 and remove padding.
        SHA1SUM_ESCAPED_STRING=$(printf "$SHA1SUM_ASCII_HEX" | sed -e 's/\(..\)\.\?/\\x\1/g')
        SHA1SUM_BASE64=$(printf "$SHA1SUM_ESCAPED_STRING" | basenc --base64url --wrap=0 | tr --delete '=')
        # Concatenate the hash type, salt and hash as the encoded password value.
        ENCODED_PASSWORD_HASH="\$SHA\$${SALT}\$${SHA1SUM_BASE64}"
        # Populate the login data template
        sed "s/@userLoginId@/$OFBIZ_ADMIN_USER/g; s/currentPassword=\".*\"/currentPassword=\"$ENCODED_PASSWORD_HASH\"/g;" framework/resources/templates/AdminUserLoginData.xml >"$TMPFILE"
        # Load data from the populated template.
        /ofbiz/bin/ofbiz --load-data "file=$TMPFILE"
        rm "$TMPFILE"
        touch "$CONTAINER_ADMIN_LOADED"
    fi
}
###############################################################################
With this information in mind, we can suppose that if we find the stored admin password value, we can undo the encoding steps and crack the underlying hash.
Finding the password
There must be a database somewhere that contains credentials, yet no DBMS service such as Postgres, MariaDB or MySQL is running on the system. If we refer to OFBiz’s documentation, we learn that the default database is Derby. Further research tells us that the database files live in a folder whose name is the database’s name itself. This folder contains various files and folders, but the one worth knowing about is the seg0 folder. A simple search on the system leads us to where the database lives.

Once the database files are located, we must copy them to our machine and inspect them. SQuirreL SQL can be used to do the inspecting work and find the USER_LOGIN table, which contains the admin password.

Cracking the password
So now that we have the stored password value $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I, it is time to decode it.
If we refer back to the docker-entrypoint.sh script, we notice that the password is stored in the following format:
\$SHA\$${SALT}\$${SHA1SUM_BASE64}
Our goal here is to turn the SHA1SUM_BASE64 part back into its original form, the hex SHA-1 digest, and then crack that hash. The piece of data we will be working with is uP0_QaVBpDWFeo8-dRzDqRwXQ2I. The following script reverts the encoding process:
#!/bin/bash
# Original encoding procedure (docker-entrypoint.sh):
#
# [STRING to SHA1SUM (ASCII hex)] -> [hex to raw bytes by inserting a '\x' escape every 2 chars and running printf] -> [raw bytes to URL_BASE64, padding stripped]
#
# This script undoes it: re-pad the base64 string, decode it to the raw digest bytes, and print those bytes as hex.
ENCODED_PASSWORD=$1
echo "[!] Working on encoded password: $ENCODED_PASSWORD"
# The '=' padding might have been trimmed; add it back to the base64 string if needed
PADDING=$(( 4 - (${#ENCODED_PASSWORD} % 4) ))
if [ "$PADDING" != 4 ]
then
    ENCODED_PASSWORD="${ENCODED_PASSWORD}$(printf '%0.s=' $(seq 1 "$PADDING"))"
fi
# Decode the URL-safe base64 to the 20 raw digest bytes and hex-encode them with xxd.
# The raw bytes are piped straight into xxd instead of being stored in a variable: a shell
# variable cannot hold NUL bytes, and feeding raw bytes to printf as a format string breaks on '%'.
HEX_ESCAPED_TO_SHA1SUM=$(printf '%s' "$ENCODED_PASSWORD" | basenc --base64url -d --wrap=0 | xxd -plain)
echo "[!] Decoded SHA1SUM is: $HEX_ESCAPED_TO_SHA1SUM"

Now that we have the original SHA-1 hash and the salt, it is time to crack it with hashcat. To achieve this we use hashcat mode 120, which is for salted SHA-1 with the salt prepended to the password (sha1($salt.$pass)), exactly the concatenation the entrypoint script performs; the input format is HASH:SALT.
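To make the scheme concrete, here is an added Python example (not part of the original write-up or of OFBiz) that re-implements the entrypoint script's encoding, decodes a stored value back to the HASH:SALT form hashcat mode 120 expects, and verifies a candidate password against it. The stored value is the one recovered above; the round-trip salt and password are constructed.

```python
import base64
import hashlib
import secrets
import string

# Stored value recovered from the Derby USER_LOGIN table on the box:
#   $SHA$<salt>$<base64url(sha1(salt + password)) with '=' padding stripped>
STORED_ADMIN_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"


def encode_ofbiz_password(password: str, salt: str) -> str:
    """Same steps as load_admin_user(): SHA-1 over salt||password, base64url, padding removed."""
    digest = hashlib.sha1((salt + password).encode()).digest()
    b64 = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return f"$SHA${salt}${b64}"


def decode_ofbiz_password(encoded: str) -> tuple[str, str]:
    """Undo the base64url step: return (salt, SHA-1 hex digest) for a stored value."""
    marker, hash_type, salt, b64 = encoded.split("$")
    if marker != "" or hash_type != "SHA":
        raise ValueError("not an OFBiz $SHA$ value")
    b64 += "=" * (-len(b64) % 4)  # restore the stripped padding before decoding
    digest = base64.urlsafe_b64decode(b64)
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("decoded digest is not 20 bytes")
    return salt, digest.hex()


def hashcat_mode_120_line(encoded: str) -> str:
    """HASH:SALT line for hashcat -m 120 (sha1($salt.$pass)), matching the salt-first concatenation."""
    salt, hex_digest = decode_ofbiz_password(encoded)
    return f"{hex_digest}:{salt}"


def verify_ofbiz_password(candidate: str, encoded: str) -> bool:
    """Check a candidate against a stored value, e.g. to confirm a hashcat result before using it."""
    salt, _ = decode_ofbiz_password(encoded)
    return encode_ofbiz_password(candidate, salt) == encoded


if __name__ == "__main__":
    print("hashcat -m 120 input:", hashcat_mode_120_line(STORED_ADMIN_HASH))
    print("monkeybizness matches stored hash:", verify_ofbiz_password("monkeybizness", STORED_ADMIN_HASH))
    # Round trip with a constructed password and a 16-char alphanumeric salt, like the one the script draws from /dev/urandom
    salt = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
    encoded = encode_ofbiz_password("constructed-example-password", salt)
    expected_hex = hashlib.sha1((salt + "constructed-example-password").encode()).hexdigest()
    print("round trip ok:", decode_ofbiz_password(encoded) == (salt, expected_hex))
```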
We can echo that in a file for hashcat to work with as follows:
echo "b8fd3f41a541a435857a8f3e751cc3a91c174362:d" > hash.txt
Then we can run the cracking session with a wordlist and obtain the password monkeybizness:

This password is also valid for the user root, so we can escalate our privileges and read the root flag located in /root.