Bizness

Information

  • CTF Name: Bizness
  • CTF Level: Easy
  • CTF Description: Apache Ofbiz
  • Date: 6/4/2024
  • Platform: HTB
  • Category: Machine

Hello guys, today I was a little distracted, but I was trying to work through the Bizness CTF from HTB. It looks easy, but it took me a while and I needed a little help along the way. Enjoy …

Findings

External

Enumeration

  • I started with a simple nmap scan to keep things quick.
  • While nmap was running I checked the site and started a directory brute force with ffuf.
    • Getting ffuf past the self-signed certificate was a little hard because I had not done it before (ffuf's `-k` flag tells it to ignore TLS certificate errors).
  • The site footer contains a "Powered by" text.
  • ffuf also found one directory, control. Opening it threw an error, but the error page leaks enough information to confirm that the site runs Apache OFBiz.

Gaining Access

  • I googled for an exploit against this version and found one that does an authentication bypass (read through an exploit's source before running it; many public PoCs also spawn a reverse shell, which is what this one did).
  • Then I started my listener
  • and executed the exploit.
  • Boom, we got a shell.
  • We got the user flag.

Internal

Enumeration

  • I tried to enumerate many directories manually for passwords and other sensitive data, but nothing I found worked.
  • I tried docker/docker-entrypoint.sh, because from experience there are often configuration values in there.
  • I found this on the page:
  • It shows that they are using SHA-1 with a salt, and it also gives the path to the file framework/resources/templates/AdminUserLoginData.xml.
  • As you can see there is a currentPassword hash that starts with $SHA, so it is a SHA hash with the salt stored as a prefix.
  • That was not helpful, so I got stuck here. At this point I asked for some help and was told to check the database: Apache OFBiz ships with an embedded database called Derby.
  • Derby stores its data in files with the .dat extension, so I listed every .dat file on the box.
  • As you can see, almost all of them live under /runtime/data/derby/ofbiz/seg0, so I went there and searched for anything containing SHA with my beloved strings and grep (grep -a works too if strings is not installed, since it treats the binary pages as text).
  • As you can see we got a $SHA hash. Let's crack it. When I tried john it said "No password hashes loaded", because the $SHA$salt$base64 layout is not one of john's built-in formats.
  • Let's google how to crack a Derby/OFBiz SHA hash.
  • I used the tool I found and cracked the hash.
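The two steps above (pulling the $SHA hash out of the Derby page files, then cracking it) as one added example. This is my own script, not the box author's tool or OFBiz's code, and the hash format is an assumption based on how I understand OFBiz's HashCrypt class: "$TYPE$salt$b64", where b64 is URL-safe base64 (with or without "=" padding) of digest(salt || password) and TYPE "SHA" is Java's name for SHA-1. The seg0 directory, the .dat page, the hash and the wordlist are all constructed so the script runs offline; it goes slightly beyond the box by handling SHA-256/512 as well.

```python
"""Find and crack Apache OFBiz-style password hashes stored in Derby .dat files.

Added example for this write-up, not the box author's script or OFBiz's own code.
Assumptions (labelled): OFBiz's HashCrypt layout as I understand it is
"$<TYPE>$<salt>$<b64>", where <b64> is URL-safe base64 (padding optional) of
digest(salt || password) and TYPE "SHA" is Java's alias for SHA-1. The seg0
directory, the .dat file, the hash and the wordlist below are all constructed.
"""
import base64
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Optional, Tuple

# Java MessageDigest names -> hashlib names (assumed mapping; "SHA" is SHA-1 in Java).
ALGOS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# A "$SHA$d$uP0_..." style token inside arbitrary bytes. Derby pages are binary,
# so this is the equivalent of running strings over seg0/*.dat and grepping for $SHA.
HASH_RE = re.compile(rb"\$(SHA(?:-(?:1|256|512))?)\$([^$\x00]{1,64})\$([A-Za-z0-9_+/=-]{20,})")


def ofbiz_hash(password: str, salt: str, hash_type: str = "SHA") -> str:
    """Reproduce the assumed scheme: digest(salt + password), URL-safe base64, no '=' padding."""
    digest = hashlib.new(ALGOS[hash_type], salt.encode("utf-8") + password.encode("utf-8")).digest()
    b64 = base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")
    return f"${hash_type}${salt}${b64}"


def find_hashes(root: str) -> List[str]:
    """Walk a seg0-style directory and pull every $SHA$... token out of the .dat files."""
    found = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".dat"):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                for match in HASH_RE.finditer(fh.read()):
                    found.add(match.group(0).decode("ascii"))
    return sorted(found)


def parse_hash(token: str) -> Tuple[str, str, bytes]:
    """Split "$TYPE$salt$b64" into (type, salt, raw digest); tolerates missing '=' padding."""
    _, hash_type, salt, b64 = token.split("$", 3)
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return hash_type, salt, raw


def crack(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Salted SHA is unkeyed and fast, so a plain wordlist walk is enough: hash salt+candidate, compare."""
    hash_type, salt, raw = parse_hash(token)
    algo = ALGOS[hash_type]
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if hashlib.new(algo, salt.encode("utf-8") + candidate.encode("utf-8")).digest() == raw:
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Build a fake seg0 dir holding one binary .dat with a constructed hash, then find and crack it."""
    token = ofbiz_hash("correct horse", "d")  # constructed; not the real box's hash
    with tempfile.TemporaryDirectory() as seg0:
        page = b"\x00\x10" * 32 + b"admin\x00" + token.encode("ascii") + b"\x00\xff" * 16
        with open(os.path.join(seg0, "c180.dat"), "wb") as fh:
            fh.write(page)
        hashes = find_hashes(seg0)
    wordlist = ["password", "ofbiz", "correct horse", "admin123"]  # constructed wordlist
    return {h: crack(h, wordlist) for h in hashes}


if __name__ == "__main__":
    for h, pw in demo().items():
        print(f"{h} -> {pw}")
```

On a real box, point find_hashes at /runtime/data/derby/ofbiz/seg0 and feed crack a real wordlist (open rockyou.txt with errors="ignore"); the whole hash is a single unkeyed SHA-1 per guess, so a plain Python loop gets through a few hundred thousand candidates per second, which is enough for this kind of box.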

Maintaining Access

  • I tried the cracked password with su to become root, and it worked! Got the root flag.

    THANK YOUUUU

Nathan Hailu

Content Creator | Penetration testing Specialist | Mentor | Hackthebox top 1%