1. Bizness

1.1. Machine Info

1.2. Recon

  • nmap

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp   open  ssl/http   nginx 1.18.0
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Not valid before: 2023-12-14T20:03:40
|_Not valid after:  2328-11-10T20:03:40
| tls-alpn:
|_  http/1.1
|_http-server-header: nginx/1.18.0
| tls-nextprotoneg:
|_  http/1.1
|_http-title: Did not follow redirect to https://bizness.htb/
|_ssl-date: TLS randomness does not represent time
45639/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • path

    • https://bizness.htb/accounting/control/main

    • Apache OFBiz. Release 18.12

$ dirsearch -u https://bizness.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/qwe/pwk/s4/Bizness/reports/https_bizness.htb/__24-01-09_07-12-16.txt

Target: https://bizness.htb/

[07:12:16] Starting:
[07:12:23] 302 -    0B  - /accounting  ->  https://bizness.htb/accounting/
[07:12:32] 302 -    0B  - /catalog  ->  https://bizness.htb/catalog/
[07:12:33] 302 -    0B  - /common  ->  https://bizness.htb/common/
[07:12:34] 302 -    0B  - /content  ->  https://bizness.htb/content/
[07:12:34] 302 -    0B  - /content/debug.log  ->  https://bizness.htb/content/control/main
[07:12:34] 302 -    0B  - /content/  ->  https://bizness.htb/content/control/main
[07:12:34] 200 -   34KB - /control
[07:12:34] 200 -   34KB - /control/
[07:12:35] 200 -   11KB - /control/login
[07:12:37] 302 -    0B  - /error  ->  https://bizness.htb/error/
[07:12:37] 302 -    0B  - /example  ->  https://bizness.htb/example/
[07:12:40] 302 -    0B  - /images  ->  https://bizness.htb/images/
[07:12:40] 302 -    0B  - /index.jsp  ->  https://bizness.htb/control/main
[07:12:54] 200 -   21B  - /solr/admin/file/?file=solrconfig.xml
[07:12:54] 200 -   21B  - /solr/admin/
[07:12:54] 302 -    0B  - /solr/  ->  https://bizness.htb/solr/control/checkLogin/

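Triage of the recon output above is easier once the raw tool text is turned into records: which ports expose which service version, which paths answered 200 versus redirected, and where the redirects converge (here, the OFBiz /control/main entry point). The parser below is an added example, not part of the original write-up or of nmap/dirsearch; the two sample strings are constructed subsets of the scan output shown above, and the size units assume dirsearch's B/KB/MB suffixes.

```python
"""Parse nmap normal output and dirsearch result lines into records.

Added example code; the samples below are constructed from the recon
section of the write-up and are not the full scan output.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the nmap port table from the recon section.
NMAP_SAMPLE = """\
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp    open  http       nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
443/tcp   open  ssl/http   nginx 1.18.0
45639/tcp open  tcpwrapped
"""

# Constructed sample: dirsearch result lines in the layout shown above.
DIRSEARCH_SAMPLE = """\
[07:12:23] 302 -    0B  - /accounting  ->  https://bizness.htb/accounting/
[07:12:34] 302 -    0B  - /content/debug.log  ->  https://bizness.htb/content/control/main
[07:12:34] 200 -   34KB - /control
[07:12:35] 200 -   11KB - /control/login
[07:12:40] 302 -    0B  - /index.jsp  ->  https://bizness.htb/control/main
[07:12:54] 200 -   21B  - /solr/admin/file/?file=solrconfig.xml
[07:12:54] 302 -    0B  - /solr/  ->  https://bizness.htb/solr/control/checkLogin/
"""

# nmap port-table row: "22/tcp    open  ssh        OpenSSH 8.4p1 ..." (version may be empty)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# dirsearch row: "[hh:mm:ss] STATUS - SIZE - /path  ->  redirect" (redirect optional)
DIRSEARCH_RE = re.compile(
    r"^\[(\d\d:\d\d:\d\d)\]\s+(\d{3})\s+-\s+(\d+)(B|KB|MB)\s+-\s+(\S+)"
    r"(?:\s+->\s+(\S+))?\s*$"
)
SIZE_UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}  # assumed dirsearch size suffixes


def parse_nmap_ports(text):
    """Return {port: {proto, state, service, version}} from the port table.

    NSE script output lines (starting with '|' or '|_') and the header row
    do not match the port pattern and are skipped.
    """
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports[int(port)] = {
                "proto": proto,
                "state": state,
                "service": service,
                "version": version.strip(),
            }
    return ports


def parse_dirsearch(text):
    """Return a list of dicts (time, status, size in bytes, path, redirect)."""
    records = []
    for line in text.splitlines():
        m = DIRSEARCH_RE.match(line)
        if not m:
            continue  # banner, progress and blank lines carry no result
        t, status, size, unit, path, redirect = m.groups()
        records.append({
            "time": t,
            "status": int(status),
            "size": int(size) * SIZE_UNIT[unit],
            "path": path,
            "redirect": redirect,  # None when the line had no '->'
        })
    return records


def group_by_status(records):
    """Map HTTP status -> list of paths, in scan order."""
    groups = defaultdict(list)
    for r in records:
        groups[r["status"]].append(r["path"])
    return dict(groups)


def redirect_targets(records):
    """Distinct redirect destinations; shared targets reveal the app's entry points."""
    return sorted({r["redirect"] for r in records if r["redirect"]})


if __name__ == "__main__":
    for port, info in sorted(parse_nmap_ports(NMAP_SAMPLE).items()):
        print(f"{port}/{info['proto']:<4} {info['service']:<11} {info['version']}")
    recs = parse_dirsearch(DIRSEARCH_SAMPLE)
    for status, paths in sorted(group_by_status(recs).items()):
        print(status, paths)
    print("redirects to:", redirect_targets(recs))
```

Run it on the saved dirsearch report (the Output File path above) and the nmap normal output to get the same grouping for a full scan; the 200 responses and the shared redirect target are the lines worth reading first.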

  • subdomain: nothing

1.3. Foothold

Notice: the full version of the write-up is here.

1.4. Exploit Chain

port scan -> web path recon -> service version -> CVE found -> exploit -> user shell -> hash values found -> crack -> root shell