HackTheBox | Bizness Walkthrough
Hi!
Please ignore any grammar errors.
This machine was published recently, and it has a few tricks, especially in the privilege escalation section.
Before starting, add bizness.htb to /etc/hosts.
So let’s get started with enumeration.
Enumeration
Nmap Scan
nmap -T4 -v -p- -sCV <target_ip>
Four ports are open: 22, 80, 443 and 36265.
I will focus on 80 and 443 here, so let's look at the web application.
Web
I noticed that when I accessed http://bizness.htb I was redirected to https://bizness.htb.
Now let's do some directory brute-forcing. I like to use dirsearch.
While it runs, I browse the web app and do some manual enumeration, but I found nothing interesting this time.
dirsearch -u http://bizness.htb/
When I visited the first endpoint found by dirsearch, I was redirected to a login page, and the logo (Apache OFBiz) caught my attention.
I tried some SQLi and brute-forcing the admin account but got nothing, so I searched Google for "OFBiz exploit"
and found that there is a public CVE for it: an authentication bypass tracked as CVE-2023-51467.
I used this GitHub repo: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass
After following the PoC, I had a shell on the machine.
Once I had a shell, I grabbed user.txt.
Now let's move on to privilege escalation.
After searching for a while without finding anything, I decided to go through every readable or writable file, and here AdminUserLoginData.xml caught my attention.
find / -readable -writable 2>/dev/null
When I opened it, I found that it contains a password hash.
I got excited, but there was a problem: the hash is salted, so I needed to find the salt before I could crack it.
So I went back to reading files until I found the hash again in the Derby database files, in the form $SHA$d$<base64 digest>.
"SHA" is the Java name for the SHA-1 hashing algorithm, and "d" is the salt.
I searched for a long time for how to crack this format and found this Python script.
import base64
import hashlib

# OFBiz (HashCrypt) stores passwords as $<hashType>$<salt>$<base64 digest>,
# where the digest is hash(salt || password). The XML and Derby data label
# SHA-1 as "SHA" (the Java MessageDigest name); hashlib knows it as "sha1".
HASH_NAMES = {"SHA": "sha1", "SHA1": "sha1"}

def createHash(hash_type, salt, value):
    hash_obj = hashlib.new(HASH_NAMES.get(hash_type, hash_type))
    hash_obj.update(salt.encode('utf-8'))   # salt first, then the password bytes
    hash_obj.update(value)
    hashed_bytes = hash_obj.digest()
    # URL-safe base64 with '+' -> '.', mirroring the Java code (a no-op for the URL-safe alphabet)
    encoded = base64.urlsafe_b64encode(hashed_bytes).decode('utf-8').replace('+', '.')
    return f"${hash_type}${salt}${encoded}"

# The hash exactly as it appears in AdminUserLoginData.xml / the Derby files
search = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="
_, hash_type, salt, _ = search.split('$')   # hash type "SHA", salt "d"
wordlist = '/usr/share/wordlists/rockyou.txt'

with open(wordlist, 'r', encoding='latin-1') as password_list:
    for password in password_list:
        value = password.strip()
        hashed_password = createHash(hash_type, salt, value.encode('utf-8'))
        if hashed_password == search:
            print(f'Found Password:{value}, hash:{hashed_password}')
            break
Finally, I got the password.
Let's log in as root.
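The script above is tied to one hash type and one encoding. As an added example (not code from the original post, and not OFBiz's own code), the following parses any $<type>$<salt>$<digest> string, accepts both padded and unpadded URL-safe base64 (with or without the '+' to '.' swap), and compares raw digest bytes with a constant-time check. The hash is the one from the box; the HASH_NAMES mapping, the function names, the "correcthorse" test vector and the candidate passwords are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import sys

# Added example, not code from the original post or from Apache OFBiz.
# Java MessageDigest names as OFBiz writes them -> hashlib names (assumed mapping).
HASH_NAMES = {"SHA": "sha1", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_ofbiz_hash(stored):
    """Split '$SHA$d$uP0_...' into (hash_type, salt, digest_bytes)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError(f"not an OFBiz-style hash: {stored!r}")
    _, hash_type, salt, encoded = parts
    # OFBiz uses URL-safe base64 and swaps '+' for '.'; normalise to the standard
    # alphabet and restore any stripped '=' padding so both forms decode.
    encoded = encoded.replace(".", "+").replace("-", "+").replace("_", "/")
    encoded += "=" * (-len(encoded) % 4)
    return hash_type, salt, base64.b64decode(encoded)


def ofbiz_digest(hash_type, salt, password):
    """hash(salt || password), the order OFBiz's HashCrypt uses."""
    h = hashlib.new(HASH_NAMES.get(hash_type, hash_type))
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.digest()


def make_ofbiz_hash(hash_type, salt, password):
    """Produce a stored-format string; used here only to build test vectors."""
    encoded = base64.urlsafe_b64encode(ofbiz_digest(hash_type, salt, password)).decode("ascii")
    return f"${hash_type}${salt}${encoded}"


def verify(stored, candidate):
    """True if candidate is the password behind the stored hash."""
    hash_type, salt, expected = parse_ofbiz_hash(stored)
    return hmac.compare_digest(ofbiz_digest(hash_type, salt, candidate), expected)


def crack(stored, candidates):
    """Return the first candidate whose digest matches, or None."""
    hash_type, salt, expected = parse_ofbiz_hash(stored)
    for candidate in candidates:
        candidate = candidate.rstrip("\r\n")   # drop the newline only; spaces may be part of the password
        if hmac.compare_digest(ofbiz_digest(hash_type, salt, candidate), expected):
            return candidate
    return None


if __name__ == "__main__":
    box_hash = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I="      # the hash found on the box
    print(parse_ofbiz_hash(box_hash)[:2])                   # ('SHA', 'd')
    demo = make_ofbiz_hash("SHA", "d", "correcthorse")      # constructed test vector
    print(crack(demo, ["password", "letmein", "correcthorse"]))
    if len(sys.argv) > 1:                                   # e.g. python3 ofbiz_crack.py rockyou.txt (file name assumed)
        with open(sys.argv[1], encoding="latin-1") as wl:
            print(crack(box_hash, wl))
```

Decoding the stored digest and comparing bytes, rather than re-encoding each candidate and comparing strings, means the check does not break if one copy of the hash was written with '=' padding and another without.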
Conclusion
Always Search
I hope you enjoyed the walkthrough. I am waiting for your feedback.
Don't forget to check out the other walkthroughs.