Before going further with enumeration, I ran a UDP scan in the meantime.
Now we have two open ports: 623 (UDP) and 80.
Let's start with enumeration on port 80 first.
Web enumeration
Before enumerating the web page, add the machine name (shibboleth.htb) to the /etc/hosts file.
Nothing interesting in these.
So let's do subdomain enumeration using gobuster.
Got 3 subdomains, and all of them redirect to the same link, “zabbix.shibboleth.htb”.
After googling, I came to know about Zabbix.
Zabbix is a mature and effortless enterprise-class open source monitoring solution for network monitoring and application monitoring of millions of metrics.
Dumping IPMI hashes
On visiting the subdomain we found earlier, we get a login page. I tried common passwords and some SQLi, but it required something more.
Let's enumerate the UDP port 623 now.
After a little googling, I found a Metasploit module for dumping the hashes of the IPMI users.
And we get the Administrator hash. I got the output file in John format. Now let's crack it using john.
Password reuse and logging into Zabbix
Now we have the Administrator password for IPMI, so I tried reusing the creds on the Zabbix login page and succeeded.
Command execution through system.run
Now we are Administrator inside the Zabbix account, and we have a basic understanding that Zabbix is monitoring software.
So if we can find a way to execute commands on it, we can get a reverse shell.
I googled it and found an article on it.
Let's see how it works.
Go to Configuration > Hosts > Items > Create new item.
We can run a command using system.run[] inside the Key parameter.
Then click Test, and we can see the output in the Get value field.
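For the defender's side of the system.run item described above, here is an added audit script; it is not from this writeup and not Zabbix's own code. It checks a zabbix_agentd.conf fragment for whether the agent would accept system.run keys (AllowKey/DenyKey rules evaluated in file order, first match wins, with the legacy EnableRemoteCommands switch treated as its documented alias) and lists the item keys from a host export that would execute commands on the agent. The configuration fragments, hostname and item keys are constructed samples, not the box's real files.

```python
import re

# Constructed agent configuration fragments (assumptions, not real files).
# Weak: the legacy switch explicitly enables remote commands.
WEAK_CONF = """\
Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=zabbix-agent-example
EnableRemoteCommands=1
"""

# Hardened: a DenyKey rule (Zabbix agent 5.0+) blocks every system.run[...] key.
HARDENED_CONF = """\
Server=127.0.0.1
ServerActive=127.0.0.1
Hostname=zabbix-agent-example
DenyKey=system.run[*]
"""

# No explicit rule: the outcome depends on the agent version's default.
UNSPECIFIED_CONF = """\
Server=127.0.0.1
Hostname=zabbix-agent-example
"""


def key_rule_matches(pattern, key):
    """Match an AllowKey/DenyKey pattern against an item key.
    Only the '*' wildcard is honoured; everything else is literal."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, key, re.IGNORECASE) is not None


def remote_command_status(conf_text, key="system.run[id]"):
    """Decide whether the agent would accept `key`.
    Returns "allowed", "denied", or "default" (no rule covers the key).
    AllowKey/DenyKey are taken in file order, first match wins;
    EnableRemoteCommands is expanded to its alias:
    0 -> DenyKey=system.run[*], 1 -> AllowKey=system.run[*]."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name in ("AllowKey", "DenyKey"):
            rules.append((name, value))
        elif name == "EnableRemoteCommands":
            alias = "AllowKey" if value == "1" else "DenyKey"
            rules.append((alias, "system.run[*]"))
    for name, pattern in rules:
        if key_rule_matches(pattern, key):
            return "allowed" if name == "AllowKey" else "denied"
    return "default"


SYSTEM_RUN = re.compile(r"^\s*system\.run\[", re.IGNORECASE)


def find_remote_command_items(item_keys):
    """Return the item keys that would execute a command on the agent."""
    return [k for k in item_keys if SYSTEM_RUN.match(k)]


# Constructed list of item keys, as an export of a host's items might contain.
SAMPLE_ITEM_KEYS = [
    "system.cpu.load[all,avg1]",
    "vfs.fs.size[/,used]",
    "system.run[id]",
    "agent.ping",
]

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                        ("unspecified", UNSPECIFIED_CONF)):
        print(f"{label:12s} system.run -> {remote_command_status(conf)}")
    print("items executing commands:", find_remote_command_items(SAMPLE_ITEM_KEYS))
```

Run it against a real agent config by reading the file into remote_command_status; a "default" result means no rule on the page of the config covers system.run, so the version's built-in default decides and is worth confirming in the agent documentation for that release.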
Getting shell as Zabbix
Now we can get a reverse shell through this, so let's do it.
First, let's create our reverse shell by encoding it to base64.
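Because the payload in this step is delivered base64-encoded, a monitoring or audit reviewer only sees an opaque blob inside the item key. The following added detection helper (not from this writeup, not Zabbix code) scans exported item keys for system.run entries that pipe a base64 decode into a shell and recovers the decoded text so a defender can see what would actually run. The item keys are constructed samples, and the decoded payload is a harmless "id; uname -a" string.

```python
import base64
import binascii
import re

# Constructed Zabbix item keys (assumption): one ordinary system.run item,
# one that decodes a base64 blob into a shell, one unrelated metric.
SAMPLE_KEYS = [
    "system.run[uptime]",
    "system.run[echo " + base64.b64encode(b"id; uname -a").decode()
    + " | base64 -d | bash,nowait]",
    "vfs.fs.size[/,used]",
]

# A base64 decode whose output is piped into sh or bash.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba)?sh\b")
# Tokens that look like base64 (8+ characters, optional padding).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_b64_tokens(text):
    """Return (token, decoded_text) pairs for every base64-looking token
    that decodes cleanly to text made of printable characters."""
    found = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\r\t" for c in decoded):
            found.append((token, decoded))
    return found


def flag_encoded_shell_commands(item_keys):
    """Return one finding per system.run key that decodes base64 into a
    shell, with the recovered payload attached for review."""
    findings = []
    for key in item_keys:
        if not key.lower().startswith("system.run["):
            continue
        if not DECODE_TO_SHELL.search(key):
            continue
        for token, decoded in decode_b64_tokens(key):
            findings.append({"key": key, "token": token, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in flag_encoded_shell_commands(SAMPLE_KEYS):
        print("suspicious item:", finding["key"])
        print("  decoded payload:", finding["decoded"])
```

The same logic applies to any command log where operators or automation run base64-decoded one-liners; feed it the command field instead of item keys.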
It was very useful.
Glad to hear.