In this post, I would like to share a walkthrough of the Shibboleth Machine from HackTheBox

This room has been considered difficulty rated as a Medium machine on HackThebox

Source: Shibboleth icon on Hack The Box Website

What will you gain from the Shibboleth machine?

For the user flag, you will abuse the ipmi service where we can retrieve the hashes.

As for the root flag, you need to exploit CVE-2021-27928 to get root privileges access

Information Gathering on Shibboleth Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

From the Nmap output, we only found port 80 which leads to http://shibboleth.htb

Let’s access the website interface to find any vulnerability that we can exploit

The website interface looks very simply which shows some information on the FlexStart product

Sadly, we didn’t manage to find any vulnerability on the website itself.

Let’s enumerate the website directory by using gobuster tool

Sadly, we didn’t manage to locate any interesting directories.

As a result, let us try to enumerate the subdomain which might give us some useful information.

The output gives us a lot of directories that status 302

After a while, we managed to get a subdomain that give us the Status:200 as follows:

  • zabbix.shibboleth.htb
  • monitor.shibboleth.htb
  • monitoring.shibboleth.htb

However, all those subdomains only show a login page for the Zabbix interface.

Firstly, we need to find out the credentials that are required to be inserted. Sadly, the credentials such as username=admin password=admin are incorrect.

Therefore, let’s search for the credentials to access the Zabbix Dashboard.

While looking at the previous information that we obtained, we didn’t find any useful information yet. As a result, let’s try to run again Nmap but we should be focusing on UDP if there’s any.

Gaining Privileges Access on Shibboleth

It will take a while to retrieve the result (20 minutes for me) and we found out there’s a port 623/UDP on the machine which serves as asf-rmcp

To be honest, I have limited knowledge of the port and service mentioned over here. So, let’s do some research on the port and service

Source: Port 623 (tcp/udp) :: SpeedGuide

For those who want to read about the service, you can look at the screenshot above.

While googling on the internet, i found out that there’s a Metasploit (msfconsole) module that we can use for this activity.

However, I try to avoid using msfconsole as much as possible, but I cannot avoid it here. (If you have another method than Msfconsole, do approach me so that I can learn that method)

Let’s start the Metasploit by executing “msfconsole” command

We can look at the module available that is related to ipmi

Before proceeding with the actual exploit, we need to be aware of the version that has been used on ipmi

By inserting the IP of the machine on the module by executing the command “set RHOSTS 10.10.11.124

We can obtain the information needed by executing the “run” command

From the output, we can sight that IPMI 2.0 has been installed on the machine

We can retrieve the dumphashes by using the module above.

By inserting the IP of the machine on the module by executing the command “set RHOSTS 10.10.11.124

Finally, we managed to obtain the dumphashes by running the module

However, the hashes will appear different when you run the module every time.

Cracking the password using hashcat

We noted that the hashes mode for those hash is 7300

We managed to obtain the password from the hashes by using hashcat commands such as:

hashcat -m 7300 <filename> </location of rockyou been save>/rockyou.txt

As shown in the screenshot above, we are required to insert the credentials we found earlier.

Zabbix Dashboard

As shown above, we have successfully accessed the Zabbix Dashboard.

Under Configurations settings, we need to look at Hosts columns which lead to something that looks like as screenshot above

We need to create added item so that we can insert the reverse shell payload into the system.

The website interface will look like the screenshot above. For us to inject the system with our shell payload, you can execute it under Key Column by clicking the Select Button

As shown above, we can click the system.run[command, <mode>]

As a result, it will show something as above.

We should change the command with shell payload while <mode> should change to nowait

Meanwhile, we should start our nc listener

Next, we should click the Add Button so that we retrieve the reverse shell connection back to us

Sadly, we didn’t manage to retrieve back the reverse shell connection

If the previous payload doesn’t work, we can change our shell payload such as shown above. (Collection of shell payload can be found here

Uwu! It worked!

The command above is only used to stabilize the shell that we obtained.

Inside the home directory, we notice there’s an ipmi-svc directory

We can access the ipmi-svc privileges access by executing the command “su ipmi-svc” with the password that we found earlier

We can read the user flag by running the “cat user.txt” command

Escalate the Root Privileges Access

Normally, there are a few directories that you might need to investigate such as:

  • /etc/
  • /var/
  • /opt/

After a while, I notice there is an interesting folder in the /etc/ directory which contains the Zabbix folder over there.

When I open the zabbix_server.conf file, i found some information such as database name, username, and password

Let’s access the MySQL database with information that we obtained earlier.

We also notice the MariaDB version as i highlighted above.

From my research, we need to create a malicious payload that uses the .so format

As a result, we need to transfer the malicious file into the victim’s machine

We should start our nc listener on the attacker’s terminal

We need to execute the code as shown above (SET GLOBAL wsrep_provider=”<location of the malicious that you store>”;

Voila! We managed to get a reverse shell connection back to us as Root Privileges Access

We can read the root flag by executing the “cat root.txt” command

-THE END-

Happy Learning Guys!

Extra Information

We can go to /etc/shadow so that we can unlock and read the write-up

Categories:

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *