HackTheBox - Shibboleth
- Published 16 Jun 2024
00:00 - Intro
00:57 - Running NMAP
04:10 - The footer talks about BMC, explaining why I jumped to IPMI when reading this
05:30 - Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO
08:20 - Talking about IPMI
10:15 - Running Metasploit to dump the IPMI Hash and then crack it with hashcat
15:10 - Running IPMITool to explore the interface, there isn't anything really here
19:30 - Logging into Zabbix with the credentials and then fumbling around creating a malicious check
27:50 - Discovering what we were doing wrong, we didn't want to put quotes in the system.run command
29:25 - Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive
32:00 - Attempting to get into the Zabbix database, need to switch to the ipmi-svc user
34:57 - Showing a cool MySQL command \G to display results in a table form, useful when dumping a lot of columns
36:05 - Running LinPEAS
39:30 - No real exploit paths found, checking for exploits in the MySQL server and finding CVE-2021-27928 (WSREP)
41:10 - Performing the MySQL WSREP Exploit and getting root
Interview with InsiderPHD, PowerSIEM video, Altered and Shibboleth walkthroughs, all in one week! Thank you for all your hard work and dedication Ippsec
Hi Ippsec! Thank you so much for your videos! Just wanted to say: When your reverse shell in Zabbix kept dying, there is a far easier way than doing this double-shell stunt. The second parameter of the system.run[command,mode] can be used for that. If you had set it to nowait, Zabbix would have started your shell without waiting for the command to return (thereby killing it), so it would keep running in the background ;)
That worked great! Thanks for the tip.
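Since the comment above turns on what Zabbix lets `system.run[command,mode]` do, here is an added defender-side check (not code from the video or from Zabbix): it reads the `AllowKey`/`DenyKey` lines of a `zabbix_agentd.conf` and reports whether remote-command item keys such as `system.run[...]` would be accepted. It assumes the documented agent semantics for these parameters (rules evaluated in file order, first match wins, a key matching no rule is allowed, `*` matches any run of characters); the configuration fragments are constructed samples.

```python
import re

# Constructed zabbix_agentd.conf fragments (sample data, not from the box).
CONF_DEFAULT_DENY = """
Server=127.0.0.1
# Stock agent configs since 5.0 ship this rule; remote commands are refused.
DenyKey=system.run[*]
"""
CONF_PERMISSIVE = """
Server=127.0.0.1
# Opting in to remote commands: any system.run key, including nowait mode.
AllowKey=system.run[*]
"""
CONF_ORDER = """
# First matching rule wins, so this allows only keys starting with 'ls'.
AllowKey=system.run[ls*]
DenyKey=system.run[*]
"""


def parse_key_rules(conf_text):
    """Return [(action, pattern)] in file order; the agent applies the first match."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(AllowKey|DenyKey)\s*=\s*(.+)$", line)
        if m:
            action = "allow" if m.group(1) == "AllowKey" else "deny"
            rules.append((action, m.group(2).strip()))
    return rules


def pattern_to_regex(pattern):
    """Translate a Zabbix key pattern: '*' is a wildcard, everything else literal."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def key_allowed(rules, item_key):
    """First matching AllowKey/DenyKey decides; no match means the key is allowed."""
    for action, pattern in rules:
        if re.match(pattern_to_regex(pattern), item_key):
            return action == "allow"
    return True


def audit_remote_commands(conf_text,
                          probes=("system.run[id]", "system.run[id,nowait]")):
    """Map each probe key to True (agent would run it) or False (refused)."""
    rules = parse_key_rules(conf_text)
    return {probe: key_allowed(rules, probe) for probe in probes}


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT_DENY),
                       ("permissive", CONF_PERMISSIVE),
                       ("ordered", CONF_ORDER)):
        print(name, audit_remote_commands(conf))
```

Run it against a real `zabbix_agentd.conf` by reading the file into `audit_remote_commands`; any `True` for a `system.run[...]` probe means that agent will execute whatever the server (or anyone holding a server-side role that can create items) sends it, which is the condition the video's Zabbix foothold depends on.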
I found the hash and then was stuck trying to get a shell with IPMI using the SOL command. I thought I had enumerated everything but I missed the VHost. Once I saw that as the next step I got all the way to checking the SQL version, down to googling for exploits, and just went right over the exploit. Frustrated I had it! But didn't look hard enough at first. Thanks so much for another great video.
Great narrative. Thank you for sharing!
Awesome walkthrough as usual. For connecting to MySQL, you can give the password on the command line (though not good practice :) ). You cannot have a space between '-p' and the password, and then it will work.
There is another way, a bit easier, to get a shell through Zabbix. In the Administration > Scripts panel you can just create or edit/clone a script and put the bash reverse shell there. Then the script can be executed by clicking on the host in Monitoring > Hosts.
Cool, thanks! Good to note!
For this box, I don't think the user you log in as has access to the Administration menu though. It seems the user is a "Zabbix Admin" rather than "Zabbix Super Admin", and so lacks access to that menu.
finally🥰thanks
Shibboleth was such a good machine experience. I really enjoyed it. Took me longer than expected :) Didn't want to abuse sudo since it is not intended way. EDIT: seems it wouldn't work anyway lol
I tried the ssh key and found that you needed to be root to activate the service lol thanks Ippsec for this walk-through. Learned a lot from this.
43:03 the private /tmp is a mount_namespaces(7)
Great video as always :) I have a real pentest scenario where I have to do a double shell because the process terminates. Unfortunately your method of double shell didn't work either. Is there any other alternative?
If you search Ippsec.rocks for nohup, you’ll see me do it correctly there on a different zabbix box 😂
@ippsec thanks for the fast response. I tried nohup, but unfortunately it dies as well.
You should do a video on your parrot box, they have changed it since and it's not as nice looking.
In your opinion, is BlackArch Linux better than Kali or Parrot? Or is BlackArch Linux a positive point for me when I am looking for a job opportunity related to penetration testing?
💪😍❤️💋
🎃 🥧 #1
how do you remember all command flags....
muscle memory
he's only done it 15000 times
Still don't understand how you're supposed to know the usage of IPMI
Should have IPMI on kracken... 😂
I do have an iLO on it 😂 just always forget the IP, so it's quicker to just push a button
1st comment
As usual, thanks for the knowledge! When I did the box I did not have privileges to write to /dev/shm? However /tmp/ worked fine in my case.