Bizness
Release: January 7, 2024; Difficulty: Easy; OS: Linux; Points: 20; Season: Season 4
We start with a basic nmap scan of the first 1000 ports, looking for open services.
Here we can see SSH and HTTP services running.
Open 10.10.11.252 in the browser; after a redirect it shows the hostname.
Add the IP and hostname to /etc/hosts.
Now when we open the IP we reach the website.
Let's perform directory enumeration using dirsearch.
From here we see there is a login page. Opening it, we see it is using Apache OFBiz. Take notes of every piece of information you gather so later you know what vulnerabilities to search for.
We search the browser for CVEs for Apache OFBiz.
And we find CVE-2024-51467.
This vulnerability not only exposes the ERP system to potential exploitation but also opens the door to a Server-Side Request Forgery (SSRF) exploit, presenting a dual threat to organizations relying on Apache OFBiz.
I discovered a repository that enables us to exploit this vulnerability.
Clone it using the git clone command; don't forget to add .git on the end.
Once we have it, we want to execute the payload.
Start a netcat listener in a new terminal and then execute the payload in the first terminal.
Looking back on our netcat listener we can see we got the reverse shell.
Upgrade the tty for easier navigation. If you don't know how to do that, check this page (make the page and link up).
Searching around we find the user flag.
Searching around the files and gathering more information, we come across a valuable file which contains a SHA-hashed password.
Before we use Hashcat for cracking the hash, let's first sanitize the data. This reverses the encoding changes made by base64.urlsafe_b64encode() and prepares it for hash analysis.
Now paste the output in hashcat with the following flags.
And we got "monkeybizness" as the password.
Login as super user and get the flag.
Root flag:
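The sanitizing step for the SHA-hashed password found in that file can be reproduced in a few lines. The Python below is an added example, not code from the writeup or from Apache OFBiz. It assumes the credential is stored as `$SHA$salt$digest`, where the digest is urlsafe base64 of SHA-1 over the salt followed by the password with the `=` padding stripped (an assumption about the storage layout, labelled in the code). It undoes that encoding into the hex form hashcat reads, verifies a candidate password directly against the stored value, and pulls stored hashes out of a file. The salt `d` and the `UserLogin` file fragment are constructed sample data; the password is the one recovered above.

```python
import base64
import hashlib
import hmac
import re

# Assumed storage layout: "$<TYPE>$<salt>$<digest>", where <digest> is the
# urlsafe base64 of HASH(salt || password) with "=" padding stripped.
# This layout is an assumption of this example, not something shown on the page.
STORED_RE = re.compile(
    r"\$(?P<type>SHA(?:-\d+)?)\$(?P<salt>[^$\s\"']+)\$(?P<digest>[A-Za-z0-9_\-]+)"
)

# Map the stored type label to a hashlib algorithm name.
ALGORITHMS = {"SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def make_stored_hash(salt: str, password: str, hash_type: str = "SHA") -> str:
    """Build a stored credential string under the assumed layout. Used here to
    construct sample data; verify_password() recomputes the same thing."""
    algo = ALGORITHMS[hash_type]
    digest = hashlib.new(algo, salt.encode() + password.encode()).digest()
    encoded = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    return f"${hash_type}${salt}${encoded}"


def decode_stored_hash(stored: str) -> dict:
    """Split a stored string into its parts and undo the urlsafe base64 encoding,
    returning the raw digest as hex (the form hashcat expects)."""
    m = STORED_RE.fullmatch(stored.strip())
    if m is None:
        raise ValueError(f"not a recognised stored hash: {stored!r}")
    encoded = m["digest"]
    padded = encoded + "=" * (-len(encoded) % 4)  # restore the stripped padding
    raw = base64.urlsafe_b64decode(padded)
    return {"type": m["type"], "salt": m["salt"], "digest_hex": raw.hex()}


def to_hashcat_line(stored: str) -> str:
    """Produce the 'hexdigest:salt' line used by hashcat's salted modes."""
    info = decode_stored_hash(stored)
    return f"{info['digest_hex']}:{info['salt']}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute HASH(salt || candidate) and compare it in constant time."""
    info = decode_stored_hash(stored)
    algo = ALGORITHMS[info["type"]]
    recomputed = hashlib.new(algo, info["salt"].encode() + candidate.encode()).hexdigest()
    return hmac.compare_digest(recomputed, info["digest_hex"])


def find_stored_hashes(text: str) -> list:
    """Pull every stored-hash-looking token out of a blob of text (a config or
    seed-data file), e.g. to audit which files on disk carry credential hashes."""
    return [m.group(0) for m in STORED_RE.finditer(text)]


# Constructed sample: a fragment resembling a data file with one user record.
# The password is the one recovered in the writeup; the salt "d" is made up.
SAMPLE_STORED = make_stored_hash("d", "monkeybizness")
SAMPLE_FILE = f"""<UserLogin userLoginId="admin" currentPassword="{SAMPLE_STORED}" enabled="Y"/>
<UserLogin userLoginId="guest" currentPassword="" enabled="N"/>
"""

if __name__ == "__main__":
    for stored in find_stored_hashes(SAMPLE_FILE):
        print("stored  :", stored)
        print("hashcat :", to_hashcat_line(stored))
        print("verify  :", verify_password(stored, "monkeybizness"))
```

Run as a script it prints the `hexdigest:salt` line; for this layout that is the input format of hashcat's sha1($salt.$pass) mode. On the defensive side, `find_stored_hashes()` is the useful piece: run over configuration and seed-data files it shows where credential hashes are readable to anyone with a foothold on the box, which is what let the password be recovered here.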