🐒BIZNESS
Welcome, cyber adventurers! Embark on a thrilling journey through "Bizness" on Hack The Box (HTB) in this Open Beta 4 edition. As you gear up for adrenaline-pumping challenges, I extend my best wishes
Hacking Phases for Bizness HTB:
Information Gathering
Directory Enumeration
Vulnerability Analysis
Exploitation
Privilege Escalation
Let's dive into the digital depths!
I => Information Gathering
Initial Reconnaissance
Our first maneuver involves deploying nmap for active port reconnaissance.
Command:
Result Snapshot:
Open Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 38621 (Unknown)
Host Discovery: bizness.htb (10.10.11.252) discovered with significant latency.
Action:
Redirected to https://bizness.htb. Updated our /etc/hosts file. Initial website visit was inconclusive.
Visual Insight:
II => Directory Enumeration
Uncovering Hidden Gems
Using dirsearch to reveal obscured paths.
Command:
Findings:
Discovered a login page at http://bizness.htb/control/login.
Apache OFBiz in use – a potential exploit target.
Visual Evidence:
III => Vulnerability Analysis
Identifying the Achilles' Heel
Discovered a critical CVE for Apache OFBiz - CVE-2023-51467, indicating Remote Code Execution (RCE).
Intel Source:
IV => Exploitation
Deploying the Cyber Arsenal
Found a repository tailor-made for exploiting this CVE.
Exploit Repository: CVE-2023-51467 Exploit
Gaining the Foothold
Exploit Execution:
Result:
Successfully established a reverse shell.
Shell Stabilization:
Victory Snapshot:
Achievement Unlocked: User Compromised
V => Privilege Escalation
Establishing a Stronghold
Command:
Secure Access:
Privilege Escalation Attempts
Searching for SUID Files
Checked for exploitable SUID files.
Command:
Outcome:
No significant SUID files found.
Scanning for Internal Ports
Searched for listening internal ports.
Command:
Outcome:
No notable internal ports detected.
Automated Scouting with LinPEAS
Deployed linpeas.sh for vulnerability scanning.
LinPEAS Deployment:
Further Analysis: Re-ran LinPEAS and saved output for detailed local analysis.
On the Target Machine:
On the Local Machine:
Outcome:
LinPEAS did not reveal significant leads, hinting at a potential rabbit hole.
Exploring Alternative Avenues
The Quest for Ultimate Power
The search for a direct escalation path was challenging, but persistence led to potential password clues.
Password Hunt:
Discovery:
Files indicating password usage.
Encountered a SHA-1 hash and a .dat file revealing a Base64 encoded SHA1 structure.
Crucial Discovery:
I found this XML file and the hashed password.
As you're aware, cracking the SHA-1 hash was an insurmountable task without knowing the salt value. Therefore, I embarked on a meticulous search through various files containing password-related data, specifically looking for a pattern akin to (($SHA1)($SALT)($HASH)).
Cracking the Hash
Python Script for Decryption: Script for SHA1 Decryption
Hashcat Strategy:
Converted from base64 using CyberChef for Hashcat compatibility. CyberChef
To use Hashcat effectively for our cracking purposes, a preliminary step of data refinement is necessary. This is because the initial encoding used base64.urlsafe_b64encode(), which modifies certain characters: '/' becomes '_', and '+' becomes '-'. To rectify this and prepare our data accurately for Hashcat, we employ CyberChef, which makes the required character replacements and transforms the data into hex format. This conversion ensures the data is in the right format for our subsequent cracking with Hashcat.
Hashcat command:
Eureka Moment:
Final Triumph:
Command: