💼Bizness
Enumeration
First, let's identify all the running services. We can do a quick nmap scan:
Looks like we have a webserver, so let's run feroxbuster to try and find some interesting files or directories:
One of the results is the /ap endpoint, which is running Apache OFBiz v18.12. A quick Google search finds CVE-2023-49070, which allows for unauthenticated RCE!
Exploitation
Let's start a reverse shell listener using ncat:
And then we can use the PoC exploit (https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass):
And now we have a simple shell. The next step is to upgrade it to a TTY shell so we can get better control.
Privilege Escalation
OFBiz uses the default credentials of admin:ofbiz, but from initial testing on the website, the admin account's password has been changed. It's probable that whatever password admin has been set to is the same for root (the typical password reuse scenario), so let's try to find where passwords are stored in OFBiz.
I started by running grep -r "password" /opt/ofbiz and found that passwords are stored in XML as follows:
Thus, we can do:
There are a few entries, e.g. 47b56994cbc2b6d10aa1be30f70165adb305a41a, but CrackStation.net reveals it is ofbiz, which we know isn't right. However, there is an interesting match:
We can add -a to our grep command to show binary matches:
Now we have an interesting match that contains a salted SHA hash. Essentially, we have $mode$salt$hash, and we can convert this to a format that John or Hashcat supports. We need to go from Base64url -> Base64 -> Hex.
Looking at the hashcat example hashes page (https://hashcat.net/wiki/doku.php?id=example_hashes), we can use mode 110 or 120 for salted SHA. All in all, our Hashcat command will be:
We have now cracked the password, and can try it with root.
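As an added example (not code from the writeup or from the OFBiz project), here is the Base64url -> hex conversion from the paragraph above as Python, plus a single-candidate check a defender can use to audit a stored record for the default credential the writeup mentions. The $mode$salt$hash layout, the assumption that the digest is SHA-1 over the salt bytes followed by the password bytes (which is what hashcat mode 120 computes), the mode names in ALGOS, and the sample salt are assumptions made here, not taken from OFBiz's source.

```python
import base64
import hashlib
import hmac

# Assumed layout (from the writeup's description, not OFBiz's own code):
#   $<mode>$<salt>$<base64url digest>, digest = HASH(salt bytes || password bytes)
ALGOS = {"SHA": "sha1", "SHA-256": "sha256"}  # assumed mode-name mapping


def ofbiz_encode(password, salt, mode="SHA"):
    """Build a stored string in the assumed layout (used here only to construct samples)."""
    digest = hashlib.new(ALGOS[mode], salt.encode() + password.encode()).digest()
    b64url = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return f"${mode}${salt}${b64url}"


def parse_stored(stored):
    """Split $mode$salt$hash and decode the base64url digest, restoring stripped padding."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a $mode$salt$hash string")
    _, mode, salt, b64url = parts
    padded = b64url + "=" * (-len(b64url) % 4)
    # urlsafe_b64decode accepts both the '-'/'_' and the '+'/'/' alphabets
    return mode, salt, base64.urlsafe_b64decode(padded)


def to_hashcat_120(stored):
    """Base64url -> raw bytes -> hex, then hashcat's 'hexdigest:salt' form for mode 120."""
    mode, salt, raw = parse_stored(stored)
    if mode != "SHA":
        raise ValueError(f"mode {mode} is not SHA-1; mode 120 does not apply")
    return f"{raw.hex()}:{salt}"


def matches_password(stored, candidate):
    """Audit check: does the stored record correspond to one known candidate (e.g. the default)?"""
    mode, salt, raw = parse_stored(stored)
    calc = hashlib.new(ALGOS[mode], salt.encode() + candidate.encode()).digest()
    return hmac.compare_digest(calc, raw)


# Constructed sample record: a salt chosen here and the default credential named in the writeup.
SAMPLE = ofbiz_encode("ofbiz", "d3adb33f")

if __name__ == "__main__":
    print("stored record:      ", SAMPLE)
    print("hashcat mode 120 in:", to_hashcat_120(SAMPLE))
    print("default credential: ", matches_password(SAMPLE, "ofbiz"))
```

Running the script prints the constructed record, its mode 120 form, and True for the default-credential check; pointing matches_password at records pulled from a real store is a cheap way to confirm whether admin:ofbiz is still in use before an attacker does.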