BIZNESS
Welcome, cyber adventurers! Embark on a thrilling journey through "Bizness" on Hack The Box (HTB) in this Open Beta 4 edition. As you gear up for adrenaline-pumping challenges, I extend my best wishes
Information Gathering
Directory Enumeration
Vulnerability Analysis
Exploitation
Privilege Escalation
Let's dive into the digital depths!
Our first maneuver involves deploying nmap for active port reconnaissance.
Command:
Result Snapshot:
Open Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 38621 (Unknown)
Host Discovery: bizness.htb (10.10.11.252) discovered with significant latency.
Action:
Redirected to https://bizness.htb. Updated our /etc/hosts file.
Initial website visit was inconclusive.
Using dirsearch to reveal obscured paths.
Command:
Findings:
Discovered a login page at http://bizness.htb/control/login.
Apache OFBiz in use – a potential exploit target.
Discovered a critical CVE for Apache OFBiz - CVE-2023-51467, indicating Remote Code Execution (RCE).
Intel Source:
Found a repository tailor-made for exploiting this CVE.
Exploit Repository: CVE-2023-51467 Exploit
Exploit Execution:
Result:
Successfully established a reverse shell.
Shell Stabilization:
Victory Snapshot:
Achievement Unlocked: User Compromised
Command:
Secure Access:
Checked for exploitable SUID files.
Command:
Outcome:
No significant SUID files found.
Searched for listening internal ports.
Command:
Outcome:
No notable internal ports detected.
Deployed linpeas.sh for vulnerability scanning.
LinPEAS Deployment:
Further Analysis: Re-ran LinPEAS and saved output for detailed local analysis.
On the Target Machine:
On the Local Machine:
Outcome:
LinPEAS did not reveal significant leads, hinting at a potential rabbit hole.
The search for a direct escalation path was challenging, but persistence led to potential password clues.
Password Hunt:
Discovery:
Files indicating password usage.
Encountered a SHA-1 hash and a .dat file revealing a Base64 encoded SHA1 structure.
Crucial Discovery:
I found this XML file and the hashed password.
As you're aware, cracking the SHA-1 hash is not feasible without knowing the SALT value. Therefore, I went through the various files containing password-related data, looking specifically for the salted-hash layout, a pattern akin to ($SHA1)($SALT)($HASH).
Python script for cracking the salted hash: Script for SHA1 Decryption
Hashcat Strategy:
Converted the digest from base64 to hex using CyberChef for Hashcat compatibility.
Before Hashcat can use the hash, the data needs one preparation step. The stored digest was produced with base64.urlsafe_b64encode(), which swaps two characters of the standard base64 alphabet: '/' becomes '_' and '+' becomes '-'. CyberChef reverses those replacements and then converts the decoded bytes to hex, which is the form Hashcat expects for the salted SHA-1 mode used in the next step.
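The same normalization, as an added Python example that is not from the writeup or the linked script: it undoes the urlsafe alphabet, restores the padding that urlsafe_b64encode callers usually strip, emits the hex:salt line that hashcat's sha1($salt.$pass) mode reads, and checks one candidate against a constructed sample hash. The sample salt and password are made up, and the digest order (salt followed by password) is an assumption for this example.

```python
import base64
import binascii
import hashlib

# Constructed sample in the $SHA$<salt>$<urlsafe-base64> layout the writeup
# describes; salt and password are invented for this example.
SAMPLE_SALT = "d"
SAMPLE_PASSWORD = "example-password"


def make_sample_hash(salt: str, password: str) -> str:
    """Build a hash string in that layout (assumption: digest over salt
    followed by password, the order hashcat's sha1($salt.$pass) mode expects)."""
    digest = hashlib.sha1(salt.encode() + password.encode()).digest()
    # urlsafe alphabet with padding stripped: this is what produced '-' and '_'
    b64 = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return f"$SHA${salt}${b64}"


def parse_salted_hash(value: str):
    """Split '$ALGO$salt$b64digest' into (algo, salt, b64digest)."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"unexpected hash layout: {value!r}")
    return parts[1], parts[2], parts[3]


def urlsafe_b64_to_hex(b64: str) -> str:
    """Map '-' back to '+' and '_' back to '/', re-add '=' padding, return hex."""
    standard = b64.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(standard) % 4)
    return binascii.hexlify(base64.b64decode(standard)).decode()


def to_hashcat_line(value: str) -> str:
    """Produce the 'hexdigest:salt' line for hashcat's sha1($salt.$pass) mode."""
    _algo, salt, b64 = parse_salted_hash(value)
    return f"{urlsafe_b64_to_hex(b64)}:{salt}"


def check_candidate(value: str, candidate: str) -> bool:
    """Recompute the salted digest for one candidate and compare to the stored hex."""
    _algo, salt, b64 = parse_salted_hash(value)
    expected = urlsafe_b64_to_hex(b64)
    return hashlib.sha1(salt.encode() + candidate.encode()).hexdigest() == expected


if __name__ == "__main__":
    sample = make_sample_hash(SAMPLE_SALT, SAMPLE_PASSWORD)
    print(sample)
    print(to_hashcat_line(sample))
    print(check_candidate(sample, SAMPLE_PASSWORD))
```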
Hashcat command:
Eureka Moment:
Final Triumph:
Command:
ANOTHER${IFS}SHITY${IFS}THING<<<SEE${IFS}YOU/: