Intro
Hi, after some time I am writing a small write-up again. Today it's about the CTF "Bizness". This CTF challenge can be found on the HackTheBox platform. You have to find 2 flags in this challenge.
Discovery
The first thing I do is fire up Kali Linux and run an nmap scan against the host.
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-27 10:56 CET
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:56
Completed NSE at 10:56, 0.00s elapsed
Initiating NSE at 10:56
Completed NSE at 10:56, 0.00s elapsed
Initiating NSE at 10:56
Completed NSE at 10:56, 0.00s elapsed
Initiating Ping Scan at 10:56
Scanning 10.129.124.88 [4 ports]
Completed Ping Scan at 10:56, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:56
Completed Parallel DNS resolution of 1 host. at 10:56, 0.05s elapsed
Initiating SYN Stealth Scan at 10:56
Scanning 10.129.124.88 [65535 ports]
Discovered open port 22/tcp on 10.129.124.88
Discovered open port 80/tcp on 10.129.124.88
Discovered open port 443/tcp on 10.129.124.88
Discovered open port 46751/tcp on 10.129.124.88
Completed SYN Stealth Scan at 10:57, 35.68s elapsed (65535 total ports)
Initiating Service scan at 10:57
Scanning 4 services on 10.129.124.88
Completed Service scan at 10:57, 12.24s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.129.124.88
Retrying OS detection (try #2) against 10.129.124.88
Retrying OS detection (try #3) against 10.129.124.88
Retrying OS detection (try #4) against 10.129.124.88
Retrying OS detection (try #5) against 10.129.124.88
Initiating Traceroute at 10:57
Completed Traceroute at 10:57, 0.03s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:57
Completed Parallel DNS resolution of 2 hosts. at 10:57, 0.04s elapsed
NSE: Script scanning 10.129.124.88.
Initiating NSE at 10:57
Completed NSE at 10:57, 5.11s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 1.47s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.01s elapsed
Nmap scan report for 10.129.124.88
Host is up (0.032s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
| 256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_ 256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
443/tcp open ssl/http nginx 1.18.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| tls-nextprotoneg:
|_ http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-14T20:03:40
| Not valid after: 2328-11-10T20:03:40
| MD5: b182:2fdb:92b0:2036:6b98:8850:b66e:da27
|_SHA-1: 8138:8595:4343:f40f:937b:cc82:23af:9052:3f5d:eb50
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
46751/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=1/27%OT=22%CT=1%CU=42755%PV=Y%DS=2%DC=T%G=Y%TM=65B4D39
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11
OS:NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%R
OS:UCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 21.996 days (since Fri Jan 5 11:03:03 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 29.51 ms 10.10.14.1
2 29.79 ms 10.129.124.88
NSE: Script Post-scanning.
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Initiating NSE at 10:57
Completed NSE at 10:57, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 67.22 seconds
Raw packets sent: 66360 (2.924MB) | Rcvd: 65705 (2.632MB)
Nmap discovers 4 open ports. Port 22 is SSH; I will come back to this port later. Port 80 is HTTP, which I want to look at now. Port 443 could also be an HTTP server wrapped in SSL/TLS. The last port that sounds interesting to me is port 46751.
Initial access
The first thing I can do is simply visit the service with my browser and Burp Suite.
Well, there is a corporate website. I decided to run gobuster on it in the hope that it reveals some hidden paths while I manually analyse the website.
After some time I switched back to gobuster, but it had only found the path control, so I decided to open this path.
There was nothing spectacular yet, so I decided to run dirb; maybe it finds more than gobuster. In the meantime, I try to figure out whether this OFBiz instance is vulnerable to CVE-2023-49070 & CVE-2023-51467, which affect versions before 18.12.10, in case such a version is installed.
Nope, it seems not to be vulnerable to these two CVEs.
But dirb has found more results than gobuster, which I can look at.
The first one I start with is accounting, and this looks very interesting. Here is a registration panel from Apache OFBiz.
Well, the installed Apache OFBiz is version 18.12, which should be vulnerable to these CVEs, shouldn't it?
Well, my mistake before was that I had set the URL of the OFBiz instance incorrectly, but now I have access to the machine.
First flag
Now that I have shell access to this machine, the first thing I've done is to check who I am, and yes, I am currently the user ofbiz. Well, I navigated to his home directory and there is the first flag.
user.txt: 345aa4ea35d1a9f73beaf1337849cc45
Getting root
After getting the flag I added my SSH key to this user, in order to get proper SSH access to this machine.
After getting proper SSH access I loaded linpeas.sh to enumerate all potential privilege escalation vectors. It listed many files related to OFBiz, and very interesting were the files from Derby, where I found this weird hash.
I searched the source code of OFBiz and found the function pbkdf2HashCrypt in HashCrypt.java. This made me think about converting the hash back to hex to maybe get a valid SHA-1 hash which I could crack with hashcat.
Salt = d + toHex(base64_decode(uP0_QaVBpDWFeo8-dRzDqRwXQ2I))
After a bit of time and testing with hashcat, I figured out this recipe for CyberChef. In short, the base64 decoding should be URL-safe, and at the end, after converting to hex, I added whitespace removal to get a 40 byte SHA-1 hash.
Salt = d + remove_whitespace(toHex(base64_url_safe_decode(uP0_QaVBpDWFeo8-dRzDqRwXQ2I)))
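To make the recipe above reproducible without CyberChef, here is an added Python example (my own code, not from the original post and not OFBiz's own code). It parses an OFBiz hash string of the form $SHA$<salt>$<base64url digest without padding> into the raw hex digest, produces a hash:salt line, and verifies a candidate password by recomputing the digest the way I understand HashCrypt.getCrypted does it: digest over the salt bytes followed by the password bytes, then base64url without padding. The digest is the one from the post, reassembled into that form with the salt "d" the post names; the candidate password in the round-trip check is constructed for this example.

```python
import base64
import hashlib
import hmac
import re

# Java MessageDigest names used by OFBiz, mapped to hashlib names.
_HASH_TYPES = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# $<type>$<salt>$<base64url digest, padding stripped>
OFBIZ_HASH_RE = re.compile(r"^\$(?P<type>[^$]+)\$(?P<salt>[^$]*)\$(?P<digest>[A-Za-z0-9_-]+)$")

# Digest from the post, prefixed with the type and salt the post names (reconstruction).
POST_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"


def parse_ofbiz_hash(value: str):
    """Split an OFBiz hash string into (hash_type, salt, raw digest bytes)."""
    m = OFBIZ_HASH_RE.match(value)
    if not m:
        raise ValueError("not an OFBiz $type$salt$digest hash")
    digest_b64 = m.group("digest")
    # OFBiz strips the '=' padding; base64 needs it back to decode.
    digest_b64 += "=" * (-len(digest_b64) % 4)
    return m.group("type"), m.group("salt"), base64.urlsafe_b64decode(digest_b64)


def ofbiz_hash_to_hex(value: str) -> str:
    """The CyberChef recipe as code: URL-safe base64 -> hex digest (40 chars for SHA-1)."""
    _, _, raw = parse_ofbiz_hash(value)
    return raw.hex()


def ofbiz_hash_to_hashcat_line(value: str) -> str:
    """'hexdigest:salt' line as expected by hashcat's salted modes (sha1($salt.$pass) is -m 120)."""
    _, salt, raw = parse_ofbiz_hash(value)
    return f"{raw.hex()}:{salt}"


def _digest(hash_type: str, salt: str, password: str) -> bytes:
    """digest(salt || password), matching the order HashCrypt uses (assumption, check your version)."""
    h = hashlib.new(_HASH_TYPES[hash_type])
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.digest()


def make_ofbiz_hash(hash_type: str, salt: str, password: str) -> str:
    """Re-create the stored format: $type$salt$base64url(digest) with padding removed."""
    digest_b64 = base64.urlsafe_b64encode(_digest(hash_type, salt, password)).rstrip(b"=")
    return f"${hash_type}${salt}${digest_b64.decode('ascii')}"


def verify_ofbiz_password(value: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored OFBiz hash."""
    hash_type, salt, raw = parse_ofbiz_hash(value)
    return hmac.compare_digest(_digest(hash_type, salt, candidate), raw)


if __name__ == "__main__":
    print(ofbiz_hash_to_hex(POST_HASH))
    print(ofbiz_hash_to_hashcat_line(POST_HASH))
    sample = make_ofbiz_hash("SHA", "d", "example-password")  # constructed sample
    print(sample, verify_ofbiz_password(sample, "example-password"))
```

The round trip (make_ofbiz_hash followed by verify_ofbiz_password) is the useful part for a defender: it lets you confirm the format assumptions against a hash you generated yourself before trusting any conversion. The scheme is a single unsalted-in-practice SHA-1 pass with a one-character salt, so any password reuse between this database and system accounts, as happened on this box, is the real risk to mitigate.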
I cracked the converted hash with hashcat, and it gives me a password.
Well, what can I do with it? The first thing I tried was to log in to the OFBiz panel, but no luck; there was nothing that could help me. I tried it as the sudo password for user ofbiz, but still no luck. Then I tried this password for user root, and that worked for me. The last thing I did was to grab the flag, which completes the challenge.
root.txt: d2b1954b1549a5d838c4bf7be490050b
This machine was harder for me after not playing a CTF for a long time, but I enjoyed it 😄 I hope you enjoyed it too and see you next time 😃