Local DB
I initially discovered that port 3306 is up and listening on the loopback address only. I then found that the mysqld process is running with the privileges of the root user, a critical misconfiguration: anything that can make mysqld load code (a plugin or a shared library) ends up running as root.
Zabbix, by default, stores the DB credentials in the zabbix_server.conf file, which can be found in various locations depending on the installation method, version and environment.
zabbix@shibboleth:/$ find / -name zabbix_server.conf -ls -type f 2>/dev/null
39531 24 -rw-r----- 1 root ipmi-svc 21863 Apr 24 2021 /etc/zabbix/zabbix_server.conf
In my case it is located in the /etc/zabbix directory, owned by root:ipmi-svc with mode 0640, so it is not readable by the zabbix user I had at this point.
ipmi-svc@shibboleth:/etc/zabbix$ grep -v "^#" /etc/zabbix/zabbix_server.conf
LogFile=/var/log/zabbix/zabbix_server.log
LogFileSize=0
PidFile=/run/zabbix/zabbix_server.pid
SocketDir=/run/zabbix
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
Timeout=4
AlertScriptsPath=/usr/lib/zabbix/alertscripts
ExternalScripts=/usr/lib/zabbix/externalscripts
FpingLocation=/usr/bin/fping
Fping6Location=/usr/bin/fping6
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
I was able to read the file only after moving laterally to the ipmi-svc user. It indeed contains the DB credentials: zabbix:bloooarskybluh.
MariaDB
ipmi-svc@shibboleth:/etc/zabbix$ mysql -uzabbix -pbloooarskybluh
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2937
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Connecting to the backend DB with these credentials reveals the precise server version: 10.3.25-MariaDB-0ubuntu0.20.04.1. (Passing the password with -p on the command line exposes it in the process list to every local user; on a shared host, entering it interactively or via a client options file is safer.)
Vulnerability
┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/CVE-2021-27928]
└─$ searchsploit MariaDB 10
---------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------- ---------------------------------
MariaDB 10.2 - 'wsrep_provider' OS Command Execution | linux/local/49765.txt
---------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
At first glance the target instance doesn't seem vulnerable, since the exploit title names MariaDB 10.2. The title is misleading: CVE-2021-27928 affects MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18 and 10.5 before 10.5.9, so 10.3.25 falls inside the affected range.
┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/CVE-2021-27928]
└─$ searchsploit -x linux/local/49765.txt
On closer inspection the exploit works against the target: it sets the wsrep_provider system variable to a shared library of the attacker's choosing, which mysqld then loads and executes as the user it runs under, root here. Changing a global variable requires the SUPER privilege on the DB account, which is worth confirming first with SHOW GRANTS FOR CURRENT_USER(); before moving on.
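The two checks above (pulling the DB credentials out of the Zabbix config, and deciding whether a MariaDB banner sits inside the CVE-2021-27928 affected ranges rather than trusting the exploit title) as an added shell example. This is not code from the original writeup; the sample config text is constructed to mirror the fields seen on the box, and the fixed versions are taken from the CVE description (10.2.37, 10.3.28, 10.4.18, 10.5.9).

```shell
#!/bin/sh
# Added example, not part of the original writeup.

# Reduce a banner such as "10.3.25-MariaDB-0ubuntu0.20.04.1" to "10.3.25".
mariadb_base_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when the banner in $1 is inside a CVE-2021-27928 affected
# range, 1 otherwise. Fixed releases per the CVE text: 10.2.37, 10.3.28,
# 10.4.18, 10.5.9. Anything that is not a 10.2-10.5 release is reported as
# not affected, so an unparsable banner never yields a false positive.
cve_2021_27928_affected() {
    base=$(mariadb_base_version "$1")
    [ -n "$base" ] || return 1
    major=${base%%.*}        # 10
    rest=${base#*.}          # 3.25
    minor=${rest%%.*}        # 3
    patch=${rest#*.}         # 25
    [ "$major" -eq 10 ] || return 1
    case "$minor" in
        2) fixed=37 ;;
        3) fixed=28 ;;
        4) fixed=18 ;;
        5) fixed=9 ;;
        *) return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# Read zabbix_server.conf-style text on stdin and print "user:password",
# skipping comments and blank lines. substr() is used instead of splitting
# on "=" so a password containing "=" is kept whole.
zabbix_db_credential() {
    awk '/^DBUser=/     { u = substr($0, 8) }
         /^DBPassword=/ { p = substr($0, 12) }
         END { if (u != "" && p != "") print u ":" p }'
}

# Constructed sample (not the real file) with the same fields as on the box.
SAMPLE_CONF='# Zabbix server config
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh'

banner='10.3.25-MariaDB-0ubuntu0.20.04.1'
printf 'credential: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | zabbix_db_credential)"
if cve_2021_27928_affected "$banner"; then
    echo "$banner is inside the CVE-2021-27928 affected range"
else
    echo "$banner is not affected"
fi
```

The version test deliberately compares the numeric patch level against the fixed release for that minor branch; string comparison would call 10.3.9 newer than 10.3.28. The credential parser only answers the question the writeup asks (is the DB password in the file), it is not a general Zabbix config parser.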
moving on to the [[shibboleth_privilege_escalation#cve-2021-27928|Privilege Escalation]] phase