Bizness

Enumeration

We start with some basic nmap scan looking for open ports on the first 1000 ports.

nmap --open 10.10.11.252

Here we can see an ssh and http services running.

Open 10.10.11.252 in browser, it will show the hostname after redirection.

Add the IP and hostname to /etc/hosts

Now when we open the IP we enter the website.

Lets perform directory enumeration using dirsearch.

From here we see there is a login page https://bizness.htb/control/login. Opening it we see it is using Apache OFBiz. Take notes of every information you gather so later you know what vulnerabilities to search for.

Vulnerability Analysis

We search the browser for CVE’s for Apache OFBiz.

And we find CVE-2024-51467.

This vulnerability not only exposes the ERP system to potential exploitation but also opens the door to a Server-Side Request Forgery (SSRF) exploit, presenting a dual threat to organizations relying on Apache OFBiz.

Exploitation

I discovered a repository that enables us to exploit this vulnerability. 👇

GitHub - jakabakos/Apache-OFBiz-Authentication-Bypass: This repo is a PoC with to exploit CVE-2023-51467 and CVE-2023-49070 preauth RCE vulnerabilities found in Apache OFBiz.GitHub

Clone it using git clone command, don’t forget to add .git on the end

Once we have it, we want to execute the payload.

Start a netcat listener in a new terminal and than execute the payload in the first terminal.

Looking back on our netcat listener we can see we got the reverse shell.

Searching around we find the user flag.

Priviliege Escalation

Searching around the files and gathering more information we come through a valuable file which contains a SHA-Hashed password.

Before we use Hashcat for cracking the hash, let's first sanitize the data using CyberChef. This will reverse the encoding changes made by base64.urlsafe_b64encode() and prepare it for hash analysis.

Now paste the output in hashcat with the following flags.

And we got “monkeybizness” as the password.

Login as super user and get the flag.

Root flag: