Shibboleth machine is a vulnerable machine with Linux operating system found among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan
Full port scan
As a result of port scanning, 80/tcp http Apache and 623/udp asf-rmcp ports were found to be open. We detected 623.protu from the Udp port, let’s see if there is a vulnerability related to it.
IPMI is known as intelligent platform management interface. It is a hardware-based computer management system used for system management and monitoring. IPMI provides system administrators with the ability to manage and monitor the system even if the system is inaccessible. Let’s look at the vulnerabilities related to IPMI from searchsploit.
Let’s try to exploit this vulnerability here with the help of msfconsole
Here it says that users can obtain the SHA1 hash value, let’s use this vulnerability.
After specifying rhosts here, when I run
Administrator:609a9caa8201000011757f26b353e0146d09fa98ee3cb2277ee144711ecc19cffb132bed4b76fb97a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:93acb79f1351dfdc3e7170b3ae806844670c465d
We have the hash.
We note this hash and continue.
We provide enumeration over port 80.
We provided input values in the web interface, we looked at the source code and we did not get any results.
We are scanning hidden files and directories with Gobuster.
The directories /assets, /blog.html, /changelog.txt, /forms, /index.html, /Readme.txt, /server-status were detected. We could not get any valuable information between them.
Subdomain scan with Wfuzz
monitor, monitoring, zabbix detected. After adding these subdomains to /etc/hosts file, we access them. Monitor and zabbix presented the same screen, we could not access the monitoring subdomain.
Can we log in here with the hash we obtained?
This hash obtained with Hashcat is broken.
Password cracked as ilovepumkinpie1
Let’s log in with this credential information.
Username: Administrator
Password: ilovepumkinpie1
Let’s see if there is a vulnerability here on zabbix
Let’s searchsploit from version here
We got our Shell.
In this shell, we could not get the user shell, when the user typed the password we obtained, he could log in, we obtained the uer flag.
We got our user flag but we could not access root.
We provide local enumeration to get root.
Port 3306 is running inside mysql.
Mysql version 10.3.25-MariaDB is old in root user
We see the Zabbix configuration files.
Let’s provide enmueration here
DBUser=zabbix
DBPassword=bloooarskybluh
We’ve identified the credentials.
Let’s see if there’s an exploit for the version of the DB.
Here we see command execution. Let’s create a file with msfvenom to use this vulnerability. Then we will upload this msfvenom file to the other side and then listen back with nc. And when we play this script with mysql, it will give us a user with root privileges.
Shell came with root authorization to the side we listened to with nc we listened to Ardaka
Comments
Pingback: OSCP Prep – HTB all Linux Machine – Muhammed AYGÜN