In this post, I would like to share a walkthrough of the Bizness machine from Hack The Box.
This machine is rated as Easy on Hack The Box.
What will you gain from the Bizness machine?
For the user flag, you will need to exploit CVE-2023-49070, an authentication bypass vulnerability in Apache OFBiz.
As for the root flag, you need to be able to analyze the source code of the application’s hashing function to understand how the password hash is generated and then reverse the process. The required hash value can be obtained using CyberChef.
Information Gathering on Bizness Machine
Once we have started the VPN connection, which requires downloading the connection pack from Hack The Box, we can start scanning the ports.
┌─[darknite@parrot]─[~/Documents/htb/bizness]
└──╼ $nmap -sC -sV 10.10.11.252 -oA intial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-24 21:57 EDT
Nmap scan report for 10.10.11.252
Host is up (0.27s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e21d5dc2e61eb8fa63b242ab71c05d3 (RSA)
| 256 3911423f0c250008d72f1b51e0439d85 (ECDSA)
|_ 256 b06fa00a9edfb17a497886b23540ec95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open ssl/http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
|_http-server-header: nginx/1.18.0
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.09 seconds
┌─[darknite@parrot]─[~/Documents/htb/bizness]
└──╼ $
Let’s access the website interface.
Nothing interesting was found on the website interface itself.
The source structure of Apache OFBiz is available here.
Let’s compare the site against the directory structure we found earlier while researching the project on GitHub.
At the bottom of the website, we noticed that Apache OFBiz version 18.12 is running.
CVE-2023-49070 Vulnerability
While looking for known security issues, we found a recent one, CVE-2023-49070. This issue allows attackers to bypass security checks when changing passwords because of a mistake in how the system handles these requests. Using this flaw, attackers can take control of the system by chaining it with another problem found earlier in the software.
Pre-auth RCE Apache OFBiz 18.12.09
This security issue involves a way to bypass login checks in the outdated XML-RPC interface of OFBiz. The system incorrectly handles the requirePasswordChange parameter, allowing access even with empty or incorrect login details. This flaw lets attackers skip the usual authentication process.
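As an added defender-side example that is not part of the original post, the following Python check scans nginx access-log lines in front of OFBiz for the request pattern described above: requirePasswordChange=Y sent with empty credentials, or sent to the XML-RPC endpoint. The log lines are constructed, and the `/webtools/control/xmlrpc` path and the nginx combined log format are assumptions, not details taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format) for demonstration only.
SAMPLE_LOG = """\
10.10.14.5 - - [24/May/2024:21:58:01 -0400] "POST /webtools/control/xmlrpc?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
10.10.14.5 - - [24/May/2024:21:58:03 -0400] "GET /control/main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [24/May/2024:21:59:10 -0400] "GET /control/checkLogin?USERNAME=admin&PASSWORD=ofbiz&requirePasswordChange=Y HTTP/1.1" 302 0 "-" "curl/8.0"
10.10.14.9 - - [24/May/2024:21:59:12 -0400] "POST /webtools/control/xmlrpc HTTP/1.1" 200 280 "-" "Mozilla/5.0"
"""

# Source IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse_request(target):
    """Return a reason string if the request target matches the bypass pattern, else None."""
    parts = urlsplit(target)
    # keep_blank_values so that an explicit "USERNAME=" is seen as present-but-empty.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("requirePasswordChange", [""])[0].upper() != "Y":
        return None
    username = qs.get("USERNAME", [""])[0]
    password = qs.get("PASSWORD", [""])[0]
    # Empty or missing credentials combined with requirePasswordChange=Y is the bypass signature.
    if username == "" or password == "":
        return "requirePasswordChange=Y with empty credentials"
    # The legacy XML-RPC endpoint (assumed path) should never see this parameter in normal use.
    if parts.path.endswith("/xmlrpc"):
        return "requirePasswordChange=Y on XML-RPC endpoint"
    return None

def find_suspicious(log_text):
    """Return (src, method, target, reason) tuples for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_request(m["target"])
        if reason:
            hits.append((m["src"], m["method"], m["target"], reason))
    return hits

if __name__ == "__main__":
    for src, method, target, reason in find_suspicious(SAMPLE_LOG):
        print(f"{src} {method} {target} -> {reason}")
```

A legitimate password-change flow may also carry requirePasswordChange=Y, so the second rule is scoped to the XML-RPC path rather than the whole application.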
Java version 11 must be installed on the attacker’s machine for this exploit to work.
The source for the exploit can be found here.
When the Python script is run, an error is shown stating that ysoserial-all.jar was not found in the same directory.
We need to download the jar file into the same directory as the script.
Let’s run the command above to obtain a shell on our attacker machine.
We have successfully received a reverse shell connection back to our machine.
We can read the user flag by typing the “cat user.txt” command.
Escalate to Root Privileges Access
We spotted the hash while analysing the process.
Let’s crack the hash with Hashcat.
After a few minutes, we managed to obtain the root password.
Therefore, we should be able to switch to root privileges.
We can read the root flag by typing the “cat root.txt” command.