OSCP PREPARATIONS – HTB Shibboleth

Shibboleth is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by using its vulnerabilities.
We start with an nmap network scan to identify the target machine.
Classic Scan

Full port scan

The port scan found 80/tcp (HTTP, Apache) and 623/udp (asf-rmcp) open. Port 623 was detected on UDP; let’s see if there is a vulnerability related to it.

IPMI stands for Intelligent Platform Management Interface. It is a hardware-based management system used for system management and monitoring. IPMI lets system administrators manage and monitor a system even when the system itself is inaccessible. Let’s look up IPMI-related vulnerabilities with searchsploit.

Let’s try to exploit this vulnerability with the help of msfconsole.

The description says that user SHA1 hash values can be obtained; let’s use this vulnerability.

After setting rhosts and running the module, we get:
Administrator:609a9caa8201000011757f26b353e0146d09fa98ee3cb2277ee144711ecc19cffb132bed4b76fb97a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:93acb79f1351dfdc3e7170b3ae806844670c465d
We have the hash.
We note this hash and continue.
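The record above has a fixed layout, which is why it can be checked offline. The following is an added example, not code from the original post: it splits the record into the IPMI 2.0 RAKP message 2 fields and shows the HMAC-SHA1 the BMC computes with the user's password as key. The function names are hypothetical, and the field layout is assumed from the IPMI 2.0 specification.

```python
import hashlib
import hmac

# The record shown above, copied from the page (username:salt:hmac).
PAGE_RECORD = (
    "Administrator:609a9caa8201000011757f26b353e0146d09fa98ee3cb227"
    "7ee144711ecc19cffb132bed4b76fb97a123456789abcdefa123456789abcdef"
    "140d41646d696e6973747261746f72:93acb79f1351dfdc3e7170b3ae806844670c465d"
)


def parse_rakp_record(record):
    """Split a 'user:salt:hmac' record into its RAKP message 2 fields."""
    user, salt_hex, mac_hex = record.strip().split(":")
    salt, mac = bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)
    if len(salt) < 58 or len(mac) != 20:
        raise ValueError("not an IPMI 2.0 RAKP HMAC-SHA1 record")
    role, name_len = salt[56], salt[57]
    if salt[58:] != user.encode() or name_len != len(salt) - 58:
        raise ValueError("username field does not match the record prefix")
    return {
        "user": user,
        "console_session_id": salt[0:4],
        "bmc_session_id": salt[4:8],
        "console_nonce": salt[8:24],
        "bmc_nonce": salt[24:40],
        "bmc_guid": salt[40:56],
        "privilege": role & 0x0F,               # 4 = Administrator
        "name_only_lookup": bool(role & 0x10),  # bit 4 of the role byte
        "salt": salt,
        "mac": mac,
    }


def rakp2_hmac(password, salt):
    """The BMC's side: HMAC-SHA1 over the fields, keyed with the user's password."""
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def password_matches(fields, candidate):
    """Offline check of one candidate password; no contact with the BMC."""
    return hmac.compare_digest(rakp2_hmac(candidate, fields["salt"]), fields["mac"])


if __name__ == "__main__":
    for key, value in parse_rakp_record(PAGE_RECORD).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Since the value is keyed only by the account password, the strength of that password and keeping UDP 623 off untrusted networks are what limit the exposure.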

We enumerate port 80.

We tried input values in the web interface and looked at the source code, but we did not get any results.
We scan for hidden files and directories with Gobuster.

The paths /assets, /blog.html, /changelog.txt, /forms, /index.html, /Readme.txt and /server-status were detected. We could not get any valuable information from them.
Subdomain scan with Wfuzz

The subdomains monitor, monitoring and zabbix were detected. After adding these subdomains to the /etc/hosts file, we access them. monitor and zabbix presented the same screen; we could not access the monitoring subdomain.

Can we log in here with the hash we obtained?
We crack the obtained hash with Hashcat.

The password was cracked as ilovepumkinpie1.
Let’s log in with these credentials.
Username: Administrator
Password: ilovepumkinpie1

Let’s see if there is a vulnerability in Zabbix here.

Let’s run searchsploit for this version.

We got our Shell.

This shell was not the user’s shell. When we switched to the user with the password we had obtained, the login worked and we got the user flag.

We got our user flag, but we could not access root.
We perform local enumeration to get root.

MySQL is running on port 3306.

The MySQL version, 10.3.25-MariaDB, is old and runs as the root user.

We see the Zabbix configuration files.
Let’s enumerate them.

DBUser=zabbix
DBPassword=bloooarskybluh
We’ve identified the credentials.
Let’s see if there’s an exploit for this version of the DB.

Here we see command execution. Let’s create a file with msfvenom to use this vulnerability. We will then upload this msfvenom file to the target and listen with nc. When we run it through mysql, it will give us a user with root privileges.

The shell arrived with root privileges on the side where we were listening with nc.
