Enumeration

Port Scanning

TCP

# Nmap 7.92 scan initiated Fri Dec 10 01:33:54 2021 as: nmap -sC -sS -sV -oN nmap_full.txt -vvv -p- shibboleth.htb
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up, received echo-reply ttl 63 (0.051s latency).
Scanned at 2021-12-10 01:33:55 EST for 77s
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: FlexStart Bootstrap Template - Index
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-server-header: Apache/2.4.41 (Ubuntu)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Dec 10 01:35:12 2021 -- 1 IP address (1 host up) scanned in 78.00 seconds

UDP

# Nmap 7.92 scan initiated Fri Dec 10 06:57:55 2021 as: nmap -sU -vvv -oN nmap_udp_full.txt --min-rate=2000/5000/10000 --open shibboleth.htb
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up, received echo-reply ttl 63 (0.048s latency).
Scanned at 2021-12-10 06:57:55 EST for 2s
Not shown: 7 closed udp ports (port-unreach)
PORT      STATE         SERVICE           REASON
2/udp     open|filtered compressnet       no-response
3/udp     open|filtered compressnet       no-response
                
------ snipped ------

623/udp   open          asf-rmcp          udp-response ttl 63

Port 623/udp is open 🤔, so what is asf-rmcp? It is the RMCP port used by IPMI (Intelligent Platform Management Interface) for out-of-band management.

I found a procedure for enumerating this service on book.hacktricks.xyz.

Exploring UDP service

I enumerated the service version using msfconsole.

The service version is 2.0, so I used Metasploit's module for version 2.0 to retrieve the password hash, as the article describes.

Administrator:b9d2051f82050000d5874417c367dce08432bdb930d456f7e03084d5b66bd9ad50b799a7b397163ea123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:38ef2b05ff9a60ab31c0383f3cb1386bd2d496c4

Cracking the hash gives:

Administrator:ilovepumkinpie1

Web Enumeration

Subdomain Enumeration

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://shibboleth.htb/" -H "Host:FUZZ.shibboleth.htb" --fw 18

Found 3 subdomains:

  1. monitor
  2. monitoring
  3. zabbix

feroxbuster -u http://shibboleth.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

No interesting directory found.

Enumerating Zabbix

I found some interesting scripts for enumerating Zabbix on GitHub.

Detecting version

I found a script for detecting the Zabbix version, and it reported 5.0.

Foothold

Let's break into Zabbix to gain our foothold.

I logged in with the creds recovered from the UDP service.

Zabbix 5.0.17 is the version that is running.

Go to Configuration > Hosts > Items > Create item.

I put the reverse shell payload in the item key.

I got a shell, then used su to switch to ipmi-svc with the password we already have.

Got user
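The foothold above works because a Zabbix item key can make the agent execute a command. As an added defensive example (not the writeup's code and not Zabbix's own), the Python below audits the list returned by the Zabbix 5.0 item.get API for keys of the form system.run[...], which is the key type I assume was used here; the JSON-RPC response it parses is constructed, not captured from the box.

```python
"""Audit Zabbix item keys for system.run[...] (agent-side command execution).
Added example, not code from the box or from Zabbix; the item.get response
below is constructed in the shape of a Zabbix 5.0 JSON-RPC reply."""
import json
import re

# Constructed sample: one ordinary key and two keys that run a command on the agent.
SAMPLE_ITEM_GET_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": [
    {"itemid": "28001", "hostid": "10084", "key_": "system.cpu.load[percpu,avg1]"},
    {"itemid": "28003", "hostid": "10084", "key_": "system.run[id]"},
    {"itemid": "28004", "hostid": "10090", "key_": 'system.run["uptime -p",nowait]'},
]})

SYSTEM_RUN = re.compile(r"^system\.run\[(.*)\]$", re.DOTALL)


def split_params(raw):
    """Split an item-key parameter list on commas, honouring double quotes
    (escaped quotes inside a quoted parameter are not handled)."""
    params, cur, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted  # quotes only delimit, so they are dropped
        elif ch == "," and not quoted:
            params.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    params.append("".join(cur).strip())
    return params


def find_remote_command_items(response_json):
    """Return each system.run item with the command it executes and its mode.
    Every finding is a place where the server can run a shell command on the
    agent; with EnableRemoteCommands=0 in zabbix_agentd.conf (the default) the
    agent refuses such items instead of executing them."""
    findings = []
    for item in json.loads(response_json)["result"]:
        match = SYSTEM_RUN.match(item["key_"])
        if match:
            params = split_params(match.group(1))
            findings.append({"itemid": item["itemid"], "hostid": item["hostid"],
                             "command": params[0],
                             "mode": params[1] if len(params) > 1 else "wait"})
    return findings


if __name__ == "__main__":
    for f in find_remote_command_items(SAMPLE_ITEM_GET_RESPONSE):
        print(f"item {f['itemid']} on host {f['hostid']} runs {f['command']!r} ({f['mode']})")
```

Point the same function at a real item.get response (with output extended to include hostid and key_) to get an inventory of every host on which the server can execute commands.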

Privilege Escalation

Open Ports

Linpeas

Found nothing interesting.

Manual Enumeration

Found the password for the MySQL database:

grep -iR "password" /etc/ 2>/dev/null | sort -u

MySQL DB creds:

zabbix:bloooarskybluh

Command Injection - MariaDB

An exploit for CVE-2021-27928 can be found in this repo.

Rooted the machine.