🔎🦶 Enumeration/Foothold

Shibboleth is a Medium box from HTB created by knightmare and mrb3n. It features an exploitable IPMI service on UDP port 623; using msfconsole we retrieve an administrator password hash from it. We crack the hash with john and use the credentials to log into Zabbix (on a subdomain we find with ffuf). We use the Zabbix actions area to get a reverse shell, then read the Zabbix config file on the box to find MariaDB credentials. Those credentials let us log in to MariaDB locally, which shows that MariaDB 10.3.25 is running and is vulnerable to CVE-2021-27928.

Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP:


Once complete, I take the scan and convert it to HTML. I do this out of habit from client engagements:
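As an added example (not code from the original post), here is a small Python script that does the same kind of transformation the author does with a stylesheet: it parses nmap's `-oX` XML and emits an HTML table of open ports, skipping closed and filtered entries so successive scans can be diffed. The XML is a constructed sample shaped like real nmap output, and the address 192.0.2.10 is a documentation-range placeholder.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sV -oX` output; the address is a
# documentation-range placeholder, not a real target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="shibboleth.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="udp" portid="623">
        <state state="open" reason="udp-response"/>
        <service name="asf-rmcp"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, addr, proto, port, service, version.

    Non-open ports (closed/filtered) are skipped so the table only lists
    what actually needs attention.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        name_el = host.find("hostnames/hostname")
        label = name_el.get("name") if name_el is not None else addr
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            product = svc.get("product") if svc is not None else None
            version = svc.get("version") if svc is not None else None
            rows.append({
                "host": label,
                "addr": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "version": " ".join(p for p in (product, version) if p),
            })
    return rows


def to_html(rows):
    """Render the open-port rows as a minimal HTML table (values are escaped)."""
    cells = ("host", "addr", "proto", "port", "service", "version")
    out = ["<table>", "<tr>" + "".join(f"<th>{c}</th>" for c in cells) + "</tr>"]
    for r in rows:
        out.append("<tr>" + "".join(f"<td>{html.escape(str(r[c]))}</td>" for c in cells) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_html(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

Replace `SAMPLE_NMAP_XML` with the contents of a real `-oX` file to use it; keeping the filter on `state="open"` is what makes the resulting table small enough to compare between engagements.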


Browsing to the site returns a 404 that names shibboleth.htb as the site. I add it to my hosts file and navigate back to the site:

Shibboleth.htb showing a FlexStart Bootstrap template.


Reviewing the website it appears to be a static Bootstrap template. In the footer I notice the following:

Shibboleth.htb footer mentioning Zabbix.


which is not part of the original template. I kick off GoBuster to look for sub-domains, trying both VHOST and DNS modes. It comes back with nothing useful, so I try ffuf using the header flag to filter out some of the noise I was getting with other tools:


I get a few hits; I add them to my host file and navigate to each sub-domain. All three sub-domains point to a Zabbix portal requiring credentials:

zabbix.shibboleth.htb showing a login page for Zabbix.


I begin enumerating the sub-domain while kicking off secondary full-port and UDP scans in the background with NMAP. I find that if I'm hitting a wall with a particular port, it's usually a rabbit hole or a false positive on the initial scan.

After coming up dry on enumeration of the VHOST, my NMAP UDP scan comes back stating that port 623 is open.


A short Google later pulls up the article HackTricks – UDP IPMI, a great all-in-one resource I've used extensively. I load up msfconsole and fill in the following options:


After receiving the hash I use john to crack it. Normally I start with john on my HTB VM and move to hashcat on my main machine if I need extra power:


Using the username and password recovered from the hash I log into the Zabbix dashboard found on the sub-domain earlier.

zabbix.shibboleth.htb dashboard after logging in.


Navigating around the Zabbix dashboard I first tried Configuration > Actions, but I was unable to get a shell that way. I then found THIS article on Stack Overflow. I navigated to Hosts > Shibboleth, clicked Create at the top right of the screen, and added a bash reverse shell using the syntax provided in the article:

Zabbix custom action with reverse shell one-liner.


🔪 Attacker Machine

Once on the box I check the home directory for active users and check for password reuse:

🔝 Escalation to Root

The password for the dashboard was also the password for the ipmi-svc user. As ipmi-svc I was able to get the user flag. The next step was to elevate to root. I began my enumeration with the Zabbix configuration, as my initial research mentioned that it holds a database connection.


Now that I had the database password I was able to log in to MySQL. I looked around to see whether any additional users or passwords existed, and also tried elevating to root with the password, without success. Finally I researched MariaDB version 10.3.25 and found it was vulnerable to CVE-2021-27928.
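An added example (not code from the original post) of the two checks a defender would run here: whether a reported MariaDB version is below the upstream fix for CVE-2021-27928, and whether any database account holds SUPER, which the issue requires in order to change `wsrep_provider`. The fixed releases in the table are the ones named in the upstream advisory (10.2.37, 10.3.28, 10.4.18, 10.5.8); the version string and `SHOW GRANTS` lines are constructed samples, and the simplified grant check treats `ALL PRIVILEGES ON *.*` as implying SUPER.

```python
import re

# Upstream releases that fix CVE-2021-27928, per the MariaDB advisory; any
# release of the same branch below these is affected. Branches outside this
# table (e.g. 10.1, 10.6) were not named in the advisory.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 8),
}


def parse_version(version_string):
    """Extract (major, minor, patch) from a SELECT VERSION() string.

    Distribution suffixes such as '-MariaDB-0ubuntu0.20.04.1' are ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_cve_2021_27928(version_string):
    """True if below the fixed release for its branch, False if at or above it,
    None if the branch is not covered by the advisory table."""
    major, minor, patch = parse_version(version_string)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def accounts_with_super(grant_lines):
    """Return the accounts whose SHOW GRANTS output includes SUPER.

    Changing wsrep_provider needs SUPER, so an application account (like the
    one stored in the Zabbix config file) should never have it. This
    simplified check treats 'ALL PRIVILEGES ON *.*' as implying SUPER.
    """
    flagged = []
    for line in grant_lines:
        m = re.search(r"\bTO\s+('[^']*'@'[^']*')", line)
        account = m.group(1) if m else line
        if re.search(r"\bSUPER\b", line) or re.search(r"ALL PRIVILEGES ON \*\.\*", line):
            flagged.append(account)
    return flagged


# Constructed samples: a version string shaped like the post's 10.3.25 box
# and two SHOW GRANTS lines (the account names are placeholders).
SAMPLE_VERSION = "10.3.25-MariaDB-0ubuntu0.20.04.1"
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY PASSWORD '*REDACTED*'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `zabbix`.* TO 'reporting'@'localhost'",
]

if __name__ == "__main__":
    print(SAMPLE_VERSION, "vulnerable:", is_vulnerable_cve_2021_27928(SAMPLE_VERSION))
    print("accounts with SUPER:", accounts_with_super(SAMPLE_GRANTS))
```

The second check is the more durable one: even on a patched server, an application account with SUPER can change global server settings, so the Zabbix database user should be limited to its own schema.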

I found the GitHub repository Al1ex CVE-2021-27928 and followed its instructions, which gave me a root shell back:

🔪 Attacker Machine (Tab 1)

🔪 Attacker Machine (Tab 2)

🎯 Victim Machine


After following the instructions, the root session came back on the reverse shell listener.


Rooted

Published On: April 1st, 2022 / Categories: HTB, Technology
