In this post, I would like to share a walkthrough of the Bizness Machine from Hack the Box


This room will be considered an Easy machine on Hack the Box

What will you gain from the Bizness machine?


For the user flag, you will need to exploit CVE-2023-49070, an authentication bypass vulnerability in Apache OFBiz.


As for the root flag, you need to be able to analyze the source code of the application’s hashing function to understand how the password hash is generated and then reverse the process. The required hash value can be obtained using CyberChef.

Information Gathering on Bizness Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start scanning the port

┌─[darknite@parrot]─[~/Documents/htb/bizness]
└──╼ $nmap -sC -sV 10.10.11.252 -oA intial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-24 21:57 EDT
Nmap scan report for 10.10.11.252
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e21d5dc2e61eb8fa63b242ab71c05d3 (RSA)
|   256 3911423f0c250008d72f1b51e0439d85 (ECDSA)
|_  256 b06fa00a9edfb17a497886b23540ec95 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open  ssl/http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-nextprotoneg: 
|_  http/1.1
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.09 seconds
┌─[darknite@parrot]─[~/Documents/htb/bizness]
└──╼ $

Let’s access the website interface


Nothing interesting has been found on the website interface.


The source of structure for the Apache OFBiz here


Let’s jump into the structure that we found earlier after the research on the internet from GitHub.


On the website bottom, we managed to notice the 18.12 version of the Apache OFBiz.

CVE-2023-49070 Vulnerability

While looking for known security issues, we found a recent one called CVE-2023-49070. This issue allows attackers to bypass security checks when changing passwords because of a mistake in how the system handles these requests. Using this flaw, attackers can take control of the system by exploiting another problem found earlier in the software.

Pre-auth RCE Apache OFBiz 18.12.09


This security issue involves a way to bypass login checks in the outdated XML-RPC interface of OFBiz. The system incorrectly handles a parameter that can be used with requirePasswordChange, allowing access even with empty or incorrect login details. This flaw lets attackers skip the usual authentication process.


Java version 11 must be installed on the attacker’s machine for this exploit to work.



The source for the exploit can be found here


The Python script is run, and an error is provided stating that ysoserial-all.jar has not been found in the same directory.


We need to download the jar file from the same directory



Let’s run the command above to obtain the shell on our attacker’s machine


We have successfully on the reverse shell connection back to us.


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access



We have successfully sighted the hash while analysing the progress



Let’s crack the hash with Hashcat



After a few minutes, we managed to obtain the password for the root


Therefore, we should able to change to root privileges access


We can read the root flag by typing the “cat root.txt” command

Extra Information