WriteUp - HackTheBox

Shibboleth is a medium machine on HackTheBox that requires regular web application enumeration for user access and critical service version assessment for privilege escalation

biggest take away from this machine is the reminder to always look into services running on UDP

Getting Into It

As with other HTB machines we start off by adding the machines name to our /etc/hosts file and proceeding with a regular port scan to probe for open ports on the target

futher UDP scan shows IPMI running on its regular port 623, Intelligent Platform Management Interface (IPMI) is a collection of specifications that define communication protocols for talking both across a local bus as well as the network.

IPMI has a vulnerability which Basically,** allows you to request the server for the hashes MD5 and SHA1 of any username and if the username exists those hashes will be sent back.** And there is a **metasploit module **for testing this

msf > use auxiliary/scanner/ipmi/ipmi_dumphashes

running the module againts the web server we are able to secure the hash of the the Administrator user

proceeding to crack the hash we recover a password for the Administrator account

for those interested the hash format is “IPMI2 RAKP HMAC-SHA1” which is module 7300 on hashcat

without any further use of the IPMI protocol we proceed to enumerating TCP port 80


Enumerating port 80 shows a bootstrap HTML template running with no angle of exploitation

further check by way of subdomain enumeration reveals one web applications running on two different subdomains

“monitor” and “zabbix”

Looking at the subdomain we find Zabbix to be running, Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services.

Though there is no way to figure the version of zabbix running, by reading the advisory on the zabbix official website we figure recent version of the zabbix web application to be vulnerable to an Authenticated Remote Code Execution Vulnerability

Zabbix 5.0.17 — Remote Code Execution (RCE) (Authenticated)

running the exploit against the target we secure a shell as the user Zabbix

reading the user.txt **file requires us to be privilege as the **ipmi-svc user, we can do lateral privileged escalation to the ipmi-svc user by “su ipmi-svc” using the password earlier gathered from the IPMI vulnerability


Horizontal Privileged Escalation

By looking for credentials in configuration files

using find to enumerate conf files

we are able to read clear text database credentials in the **zabbix_server.conf **file

authenticating to the MySql database with the credentials from the configuration file, we immediately notice the version of MySql to be a 10.3.25-MariaDB which is vulnerable to a code execution as CVE:2021–27928

service version enumeration

exploiting the vulnerability require the attacker to create a reverse_shell binary preferable with msfvenom which is to be supplied to MySql as an executable using the -e parameter

creating a elf binary with msfvenom

we proceed the exploitation process by transferring the reverse shell payload to the target machine then connecting the MySql once again with the SET GLOBAL wsrep_provider variable set to our binary as illustrated in the PoC

*PoC available at https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html

mysql -u <user> -p -h <ip> -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'

Setting up a listener and running the exploit give us a a shell with root privileges as the MySql Service is running with root privileges

And as always, Remember

The difference between a noob and a hacker is that, a hacker has failed more than a noob has ever tried