Shibboleth is a Medium box from HTB created by knightmare and mrb3n. The foothold is IPMI on port 623/UDP: using msfconsole we dump an administrative user's password hash from the IPMI 2.0 authentication exchange. We then crack the hash with john and use the credentials to log into Zabbix (on a sub-domain we find with ffuf). Zabbix's remote command execution gives us a reverse shell, and once on the box the Zabbix config file reveals MariaDB credentials. Those credentials let us log in to MariaDB locally, which shows it is running 10.3.25 and is vulnerable to CVE-2021-27928.
Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports it finds into Nmap. Once complete, I convert the scan output to HTML, a habit carried over from client engagements:
Upon viewing the site I get a 404 that names shibboleth.htb as the host. I add it to my hosts file and navigate back to the site:
Shibboleth.htb showing a FlexStart Bootstrap template.
Reviewing the website, it appears to be a static Bootstrap template. In the footer I notice the following:
Shibboleth.htb footer mentioning Zabbix.
This is not part of the original template, so I kick off GoBuster to look for sub-domains, trying both its dns and vhost modes. It comes back with nothing useful, so I try ffuf, fuzzing the Host header and filtering out the default response to drop the noise I was getting with other tools:
I get a few hits; I add them to my hosts file and navigate to each sub-domain. All three sub-domains point to a Zabbix portal requiring credentials:
zabbix.shibboleth.htb showing a login page for Zabbix.
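To make the Host-header fuzzing concrete, here is an added Python example (not code from the original post and not ffuf's own code). It starts a throwaway local HTTP server that answers differently depending on the Host header, the way a name-based virtual host does, then does what `ffuf -H "Host: FUZZ.shibboleth.htb" -fs <size>` does: fetch a baseline with a Host value that cannot exist and report every word whose response differs from that baseline. The server, the vhost names it knows and the wordlist are constructed for the demo and are not the box's real sub-domains.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the target web server: the response depends on the
# Host header exactly the way a name-based virtual host does. Names are made up.
VHOSTS = {
    "zabbix.shibboleth.htb": b"<html><head><title>Zabbix</title></head><body>login</body></html>",
    "monitor.shibboleth.htb": b"<html><head><title>Zabbix</title></head><body>login</body></html>",
}
DEFAULT_BODY = b"<html><body><h1>404 Not Found</h1><p>shibboleth.htb</p></body></html>"


class VHostHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":", 1)[0].lower()
        body = VHOSTS.get(host)
        status = 200 if body is not None else 404
        body = body if body is not None else DEFAULT_BODY
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed target on a random loopback port; returns the server."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# No proxies: the demo must hit loopback even if http_proxy is set in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, host):
    """GET url with an explicit Host header; returns (status, body length)."""
    req = urllib.request.Request(url, headers={"Host": host})
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fuzz_vhosts(url, domain, words):
    """Host-header fuzzing with a size filter (what ffuf -H 'Host: FUZZ.domain' -fs does).

    The baseline is the response for a Host value that cannot exist; every word whose
    (status, size) differs from it is reported as a candidate virtual host.
    """
    baseline = fetch(url, f"this-vhost-does-not-exist.{domain}")
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, size = fetch(url, host)
        if (status, size) != baseline:
            hits.append((host, status, size))
    return hits


if __name__ == "__main__":
    server = start_server()
    target = f"http://127.0.0.1:{server.server_address[1]}/"
    wordlist = ["www", "dev", "zabbix", "api", "monitor", "mail"]  # constructed
    for host, status, size in fuzz_vhosts(target, "shibboleth.htb", wordlist):
        print(f"{host:<30} status={status} size={size}")
    server.shutdown()
```

The caveat a size filter carries over from ffuf: a real vhost whose response happens to be the same length as the default one is silently dropped, which is why ffuf also offers word and line filters (`-fw`, `-fl`) and why it pays to look at status codes and titles, not just sizes.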
I begin enumerating the sub-domain while kicking off a secondary full port scan and a UDP scan in the background with Nmap. I find that if I'm hitting a wall with a particular port, it's usually a rabbit hole or a false positive on the initial scan.
After coming up dry on the web enumeration, the Nmap UDP scan comes back showing port 623 open.
A short Google later pulls up HackTricks – UDP IPMI, a great all-in-one resource I've used extensively. I load up msfconsole and fill in the following options:
After receiving the hash I use john to crack it. Normally I start with john on my HTB VM and move to hashcat on my main machine if I need more power:
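Why the IPMI hash can be cracked offline at all, as an added Python example (not from the original post, Metasploit or john): in IPMI 2.0's RAKP exchange the BMC answers RAKP message 1 with an HMAC-SHA1 keyed with the user's password, computed over values the client either chose or has just been sent, before the client has proven anything. That is what Metasploit's ipmi_dumphashes module collects. The block builds that salt from constructed session IDs, nonces and GUID, emits it in john's `$rakp$` format and recovers the password from a small wordlist. Every value is made up; the username, password and wordlist are assumptions for the demo, not what the box used.

```python
import hashlib
import hmac
import struct

# Constructed RAKP message 2 inputs (nothing here came from the Shibboleth BMC).
USERNAME = b"Administrator"
BMC_PASSWORD = b"Password1!"   # known only to the BMC; the demo's "secret"

SID_CONSOLE = struct.pack("<I", 0xA0A2A3A4)  # SIDm: remote-console session ID, chosen by the attacker
SID_BMC = struct.pack("<I", 0x02000000)      # SIDc: session ID assigned by the BMC
RAND_CONSOLE = bytes(range(16))              # Rm: 16-byte console random number, chosen by the attacker
RAND_BMC = bytes(range(16, 32))              # Rc: 16-byte random number sent by the BMC
GUID_BMC = bytes.fromhex("00112233445566778899aabbccddeeff")  # GUIDc: BMC GUID (made up)
ROLE = b"\x04"                               # RoleM: requested privilege level, 4 = Administrator


def rakp2_salt(sid_m, sid_c, rand_m, rand_c, guid_c, role, username):
    """Bytes the BMC HMACs in RAKP message 2 (IPMI 2.0, RAKP-HMAC-SHA1):
    SIDm || SIDc || Rm || Rc || GUIDc || RoleM || ULengthM || UNameM."""
    return sid_m + sid_c + rand_m + rand_c + guid_c + role + bytes([len(username)]) + username


def rakp2_auth_code(password, salt):
    """What the BMC sends back: HMAC-SHA1 keyed with the user's password."""
    return hmac.new(password, salt, hashlib.sha1).digest()


def john_line(username, salt, auth_code):
    """john's rakp format: the salt and HMAC pair an IPMI hash dump yields."""
    return f"{username.decode()}:$rakp${salt.hex()}${auth_code.hex()}"


def crack_rakp(line, wordlist):
    """Offline guess: recompute the HMAC for each candidate and compare."""
    _user, rest = line.split(":", 1)
    _empty, tag, salt_hex, mac_hex = rest.split("$")
    assert tag == "rakp"
    salt, mac = bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate.encode(), salt), mac):
            return candidate
    return None


def demo_hash_line():
    """Simulate the exchange and return the line the attacker would feed to john."""
    salt = rakp2_salt(SID_CONSOLE, SID_BMC, RAND_CONSOLE, RAND_BMC, GUID_BMC, ROLE, USERNAME)
    return john_line(USERNAME, salt, rakp2_auth_code(BMC_PASSWORD, salt))


if __name__ == "__main__":
    line = demo_hash_line()
    print(line)
    print("cracked:", crack_rakp(line, ["admin", "password", "Password1!", "letmein"]))  # constructed wordlist
```

Because the attacker supplies a valid username and the BMC hands back a password-keyed HMAC over otherwise public data, this is a protocol design weakness rather than an implementation bug: the fix is not exposing 623/UDP and using strong, unique BMC passwords, not patching.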
Using the username and password recovered from the hash, I log into the Zabbix dashboard on the sub-domain found earlier.
zabbix.shibboleth.htb dashboard after logging in.
Navigating around the Zabbix dashboard, I first tried Configuration > Actions but was unable to get a shell. Finally I found THIS article on Stack Overflow. I navigated to Hosts > Shibboleth, clicked Create at the top right of the screen, and added a bash reverse shell using the syntax given in the article:
Zabbix custom action with reverse shell one-liner.
🔪 Attacker Machine
Once on the box I check the home directory for active users and check for password reuse:
🔝 Escalation to Root
The password for the dashboard was also the password for the ipmi-svc user. As ipmi-svc I was able to get the user flag. The next step was to elevate to root. I began my enumeration with the Zabbix configuration, since my initial research mentioned it holds a database connection.
Now that I had the database password I was able to log in with the mysql client. I looked around to see if any additional users or passwords existed, and also tried elevating myself to root with the password, without success. Finally I researched MariaDB version 10.3.25 and found it was vulnerable to CVE-2021-27928, which lets a database user with the SUPER privilege point the wsrep_provider variable at an arbitrary shared object that mysqld then loads and executes. I found a GitHub repository, Al1ex/CVE-2021-27928, and followed its instructions, after which I received a root shell back:
🔪 Attacker Machine (Tab 1)
🔪 Attacker Machine (Tab 2)
🎯 Victim Machine
After following the instructions, the root session came back on the reverse-shell listener.
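Before running a public PoC it is worth confirming the three things CVE-2021-27928 actually needs. As an added Python example (not the repository's code and not from the original post), this checks them from the output of `SELECT VERSION()`, `SHOW GRANTS FOR CURRENT_USER()` and `ps -o user= -C mysqld`: a MariaDB build older than the fixed releases (10.2.37, 10.3.28, 10.4.18, 10.5.9), the SUPER privilege that `SET GLOBAL wsrep_provider=...` requires, and the account mysqld runs as, which is the account the loaded shared object's shell comes back as. The sample rows and the account names in them are constructed for the demo.

```python
import re

# Releases that shipped the fix for CVE-2021-27928, per the MariaDB advisory.
FIXED_IN = {(10, 2): 37, (10, 3): 28, (10, 4): 18, (10, 5): 9}


def version_vulnerable(version_string):
    """True if SELECT VERSION() names a MariaDB release older than its branch's fix.

    Only the branches the advisory lists are judged; anything else (MySQL, 10.6+)
    returns False.
    """
    if "MariaDB" not in version_string:
        return False
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        return False
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_IN.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def has_super(show_grants_rows):
    """SET GLOBAL needs SUPER; 'ALL PRIVILEGES ON *.*' includes it."""
    for row in show_grants_rows:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO ", row)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "ALL PRIVILEGES" in privs or "SUPER" in privs:
            return True
    return False


def assess(version_string, show_grants_rows, mysqld_user):
    """Combine the three checks into one verdict dict."""
    vuln = version_vulnerable(version_string)
    sup = has_super(show_grants_rows)
    return {
        "vulnerable_version": vuln,
        "can_set_global": sup,
        "exploitable": vuln and sup,
        "shell_runs_as": mysqld_user.strip(),  # "root" here is what turns this into a root shell
    }


if __name__ == "__main__":
    # Constructed sample output, not copied from the box.
    version = "10.3.25-MariaDB-0ubuntu0.20.04.1"
    grants = ["GRANT ALL PRIVILEGES ON *.* TO `dbadmin`@`localhost` IDENTIFIED BY PASSWORD '<redacted>'"]
    print(assess(version, grants, "root\n"))
```

If mysqld runs as the unprivileged mysql user, the same technique still gives code execution, just as that user; it only became a root shell here because the daemon itself was running as root, which is worth noting as a finding in its own right.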