🔎🦶 Enumeration/Foothold
Shibboleth is a Medium box from HTB created by knightmare and mrb3n. This box features an exploitable IPMI service on Port 623 via UDP from which, using msfconsole, we can get an Administrative hash. Next, we can crack the hash with john and use it to log into Zabbix (a subdomain we find with ffuf). We use the Zabbix actions area for a reverse shell and the Zabbix config file once on the box to find MariaDB credentials. These credentials allow us to log in to MariaDB locally, showing that MariaDB is running 10.3.25 and is vulnerable to CVE-2021-27928.
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP:
Once complete, I take the scan and convert it to HTML. I do this as force of habit from client engagements:
Upon viewing the site I get a 404 stating shibboleth.htb as the site. I add it to my hosts file and navigate back to the site:

Shibboleth.htb showing a FlexStart Bootstrap template.
Reviewing the website it appears to be a static Bootstrap template. In the footer I notice the following:

Shibboleth.htb footer mentioning Zabbix.
which is not part of the original template. I kick off a GoBuster to look for sub-domains, trying both VHOST and DNS modes. It comes back with nothing useful so I try ffuf using the header flag to ignore some of the noise I was getting with other tools:
I get a few hits; I add them to my hosts file and navigate to each sub-domain. All three sub-domains point to a Zabbix portal requiring credentials:

zabbix.shibboleth.htb showing a login page for Zabbix.
I begin enumerating the sub-domain while kicking off secondary full port and UDP scans in the background with NMAP. I always find that if I'm hitting a wall with a particular port it's usually a rabbit hole or a false positive on an initial scan.
After coming up dry on the enumeration of the VHOST, my NMAP UDP scan comes back stating Port 623 is available.
A short Google later pulls up an article, HackTricks – UDP IPMI, which is a great all-in-one resource I've used extensively. I load up msfconsole and fill in the following options:
After receiving the hash I use john to crack it. Normally I will start with john on my HTB VM and then move to hashcat on my main machine if I need extra power:
Using the username/password found in the hash I log into the Zabbix Dashboard found on the sub-domain earlier.

zabbix.shibboleth.htb dashboard after logging in.
Navigating around the Zabbix dashboard I first tried Configuration > Actions; however, I was unable to get a shell. Finally I found THIS article on Stack Overflow. I navigated to Hosts > Shibboleth and clicked Create at the top right of the screen. I then added a bash reverse shell using the syntax provided in the article:

Zabbix custom action with reverse shell one-liner.
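The shell above works because the Zabbix agent on the host is willing to execute commands the server sends it. The following audit script is an added example (not code from the write-up, the box, or the Zabbix project): it parses a Zabbix agent configuration and reports whether server-initiated commands (the `system.run[]` item key) would be executed. It assumes the documented agent semantics: `AllowKey`/`DenyKey` rules are evaluated in order with the first match winning, the deprecated `EnableRemoteCommands=1` behaves like a trailing `AllowKey=system.run[*]`, and with no matching rule `system.run[]` is denied while other keys are allowed. The sample configs are constructed.

```python
"""Audit a Zabbix agent config for remote-command exposure (added example, not from the box)."""
import re
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", key pattern such as "system.run[*]")


def parse_agent_conf(text: str) -> Tuple[List[Rule], bool]:
    """Return the ordered AllowKey/DenyKey rules and the EnableRemoteCommands flag."""
    rules: List[Rule] = []
    remote_commands = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "AllowKey":
            rules.append(("allow", value))
        elif key == "DenyKey":
            rules.append(("deny", value))
        elif key == "EnableRemoteCommands":
            remote_commands = value == "1"
    return rules, remote_commands


def _glob(pattern: str) -> "re.Pattern[str]":
    """Zabbix key patterns use '*' as the only wildcard; '[' and ']' are literal characters."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")


def key_allowed(rules: List[Rule], key: str, remote_commands: bool = False) -> bool:
    """First matching rule wins (assumed Zabbix 5.0+ semantics, as documented)."""
    effective = list(rules)
    if remote_commands:
        # Assumption: the deprecated flag acts like a trailing AllowKey=system.run[*]
        effective.append(("allow", "system.run[*]"))
    for kind, pattern in effective:
        if _glob(pattern).match(key):
            return kind == "allow"
    # No rule matched. Assumption: system.run[] is denied by default, other keys allowed.
    return not key.startswith("system.run[")


def audit_remote_commands(conf_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no remote-command exposure."""
    rules, remote_commands = parse_agent_conf(conf_text)
    findings: List[str] = []
    if key_allowed(rules, "system.run[id]", remote_commands):
        findings.append("agent will execute system.run[] items sent by the server")
    if remote_commands:
        findings.append("EnableRemoteCommands=1 is set (deprecated; prefer explicit AllowKey/DenyKey)")
    return findings


# Constructed sample configs (not taken from the box)
EXPOSED_CONF = """
Server=10.0.0.5
AllowKey=system.run[*]
DenyKey=system.run[*]
"""

HARDENED_CONF = """
Server=10.0.0.5
DenyKey=system.run[*]
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_remote_commands(conf) or ["no remote-command exposure"])
```

Rule order matters: in `EXPOSED_CONF` the `AllowKey` line precedes the `DenyKey` line, so the allow rule matches first and the deny rule never takes effect; swapping the two lines is what actually closes the path the write-up used.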
🔪 Attacker Machine
Once on the box I check the home directory for active users and check for password reuse:
🔝 Escalation to Root
The password for the Dashboard was also the password for the ipmi-svc user. As the ipmi-svc account I was able to get the user flag. The next step was to elevate our permissions to root. I began my enumeration with the Zabbix configuration, as during my initial research it mentioned a database connection.
Now that I had the database password I was able to log in to MySQL. I looked around to see if any additional users/passwords existed. I also tried elevating myself to root with the password without success. Finally I researched the MariaDB version 10.3.25 to find out it was vulnerable.
I found a GitHub repository, Al1ex CVE-2021-27928, and followed the instructions. After following the instructions I received a root shell back:
🔪 Attacker Machine (Tab 1)
🔪 Attacker Machine (Tab 2)
🎯 Victim Machine
After following the instructions the session came back on the reverse shell for root.
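For a defender reviewing a host like this one, the two things worth checking are whether the running MariaDB build predates the fix for CVE-2021-27928 and which accounts hold the SUPER privilege, since changing the provider library at runtime needs SUPER. The script below is an added example (not code from the write-up, the box, or the exploit repository it references). It assumes the fixed releases as published for this CVE (10.2.37, 10.3.28, 10.4.18, 10.5.9), treats other branches as outside the advisory, and takes version strings in the form `SELECT VERSION()` returns them; the user rows are constructed, not dumped from the box.

```python
"""Assess a MariaDB instance against CVE-2021-27928 (added example, not from the box)."""
from typing import Dict, List, Sequence, Tuple

Version = Tuple[int, int, int]

# Fixed releases for CVE-2021-27928, keyed by branch. Branches not listed here are not
# covered by the advisory and are reported as "not affected" rather than guessed at.
FIXED: Dict[Tuple[int, int], Version] = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}


def parse_version(version: str) -> Version:
    """Accept strings like '10.3.25-MariaDB-0ubuntu0.20.04.1' and return (major, minor, patch)."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def vulnerable_to_cve_2021_27928(version: str) -> bool:
    """True when the build sits on an affected branch below that branch's fixed release."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return False
    return parsed < fixed


def super_accounts(user_rows: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Rows shaped like (User, Host, Super_priv) from mysql.user; return accounts holding SUPER."""
    return [f"{user}@{host}" for user, host, super_priv in user_rows if super_priv.upper() == "Y"]


def assess(version: str, user_rows: Sequence[Tuple[str, str, str]]) -> List[str]:
    """Combine the version check with the privilege audit into a list of findings."""
    findings: List[str] = []
    if not vulnerable_to_cve_2021_27928(version):
        return findings
    fixed = ".".join(map(str, FIXED[parse_version(version)[:2]]))
    findings.append(f"{version}: below fixed release {fixed} for CVE-2021-27928")
    supers = super_accounts(user_rows)
    if supers:
        findings.append("accounts with SUPER that could change wsrep_provider: " + ", ".join(supers))
    else:
        findings.append("no SUPER-privileged accounts found; exposure limited until upgrade")
    return findings


# Constructed sample rows (not the box's real mysql.user table)
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("zabbix", "localhost", "N"),
]

if __name__ == "__main__":
    for line in assess("10.3.25-MariaDB-0ubuntu0.20.04.1", SAMPLE_USERS):
        print(line)
```

In practice the rows come from `SELECT User, Host, Super_priv FROM mysql.user;` run by a DBA; the point of the privilege check is that patching closes the bug, while trimming SUPER from application accounts limits what a leaked application password (the Zabbix config file in this write-up) can be turned into.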