Post Image

HackTheBox – Shibboleth

Recon:

nmap scan:

└─$ nmap -A -sCV -p80 10.10.11.124                                                                                                                                                                            
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-18 15:18 CEST                                                                                                                                              
Nmap scan report for shibboleth.htb (10.10.11.124)                                                                                                                                                            
Host is up (0.040s latency).                                                                                                                                                                                  
                                                                                                                                                                                                              
PORT   STATE SERVICE VERSION                                                                                                                                                                                  
80/tcp open  http    Apache httpd 2.4.41                                                                                                                                                                      
|_http-title: FlexStart Bootstrap Template - Index                                                                                                                                                            
|_http-server-header: Apache/2.4.41 (Ubuntu)                                                                                                                                                                  
                                                                                                                                                                                                              
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                                                                
Nmap done: 1 IP address (1 host up) scanned in 7.45 seconds                                                                                                                                                   
                                                                                                                                                                                                             

gobuster scan:

└─$ gobuster dir -u http://shibboleth.htb -w /usr/share/wordlists/dirb/common.txt -x php -o scans/gobuster_intial                                                                                      [10/86]
===============================================================                                                                                                                                               
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://shibboleth.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/09/18 15:21:16 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/assets               (Status: 301) [Size: 317] [--> http://shibboleth.htb/assets/]
/forms                (Status: 301) [Size: 316] [--> http://shibboleth.htb/forms/] 
/index.html           (Status: 200) [Size: 59474]                                   
/server-status        (Status: 403) [Size: 279]

subdomain wfuzz scan:

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                      
=====================================================================

000000099:   200        29 L     219 W      3687 Ch     "monitor"                                                                                                                                    
000000346:   200        29 L     219 W      3687 Ch     "monitoring"                                                                                                                                 
000000390:   200        29 L     219 W      3687 Ch     "zabbix"                                                                                                                                     
000009532:   400        10 L     35 W       306 Ch      "#www"                                                                                                                                       
000010581:   400        10 L     35 W       306 Ch      "#mail"

There was nothing interesting on the main page.

All subdomain navigate to the same page:

I could not find any exploit that works for that version and cofiguration.

Then i run udp port scan and found open port:

Zabbix is monitoring tool, so i thought that the port is related to zabbix.

https://www.techopedia.com/definition/2219/intelligent-platform-management-interface-ipmi

Almost all the information about IPMI exploitation forward me to metasploit modules. I used to avoid metasploit since it’s forbidden for oscp but this time i need to use it.

I used *dumphashes module since it we can get credentials with that one.

We got the hash

I cracked hash with hashcat:

Now i have creds:

Administrator:ilovepumkinpie1

When i used them for zabbix login page it worked:

I found exploit that takes advantage of 'Create Item’ capability which allows us to gain RCE

exploit script:

https://www.exploit-db.com/exploits/50816

With this exploit we gained foothold

linpeas scan interesting results:

Getting user was classical scenario of password reusage.

I run linpeas once again:

mysql creds:

zabbix:bloooarskybluh

We can also see that mysql service is run under root

After login to mysql as zabbix i found mysql zabbix user hashes:

I could not crack since that’s bcrypt(blowfish) hashes it so i decided to change it.

Firsly i generated bcrypt blowfish password:

Then i updated user table:

Now we can log on zabbix as Admin user:

I thought that i may find something useful here but i did not.

This did not help us so i went back and looked at linpeas.

I started looking for some other possible ways to elevate privileges then it came to my mind that database is run under root permission and i didn’t investigate that fact well.

This db version is:

When i googled this version of maria db, uncle google told me that this version of MariaDB has RCE vulnerability!

I also found POC for exploit this vulnerability:

https://github.com/Al1ex/CVE-2021-27928

This exploit is quite easy since we just need to create rev shell file with .so extension using msfvenom. Then we set mariadb wsrep_provider path to location of that file.

Conclusions:

It was really fun box. I would sey it was rather on easier side of medium difficulty.

It was good opportunity to learn something about zabbix and IPMI.

For IPMI i advise to read this article:

https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/

svgmPDF 7.0 LFI exploit
svg
svgHackTheBox - Forge

Leave a reply