HackTheBox - Shibboleth

00:00 - Intro
00:57 - Running NMAP
04:10 - The footer talks about BMC, explaining why I jumped to IPMI when reading this
05:30 - Running a Virtual Host (VHOST) Scan with Wfuzz to try and find a domain that points to an ILO
08:20 - Talking about IPMI
10:15 - Running Metasploit to dump the IPMI Hash and then crack it with hashcat
15:10 - Running IPMITool to explore the interface, there isn't anything really here
19:30 - Logging into Zabbix with the credentials and then fumbling around creating a malicious check
29:25 - Zabbix kills our shell pretty quickly, just running a second command really fast in order to keep a process alive
32:00 - Attempting to get into the Zabbix database, need to switch to the ipmi-svc user
34:57 - Showing a cool MySQL command \G to display results in a table form, useful when dumping a lot of columns
36:05 - Running LinPEAS
39:30 - No real exploit paths found, checking for exploits in the MySQL Server and finding CVE-2021-27928 (WSREP)
41:10 - Performing the MySQL WSREP Exploit and getting root
Comments
Author

Interview with InsiderPHD, PowerSIEM video, Altered and Shibboleth walkthroughs, all in one week! Thank you for all your hard work and dedication Ippsec

null_
Author

Hi Ippsec! Thank you so much for your videos! Just wanted to say: When your reverse shell in Zabbix kept dying, there is a far easier way than doing this double-shell stunt. The second parameter of the system.run[command, mode] can be used for that. If you had set it to nowait, Zabbix would have started your shell without waiting for the command to return (thereby killing it), so it would keep running in the background ;)

armancastell
Author

I found the hash and then was stuck trying to get a shell with ipmi using the SOL command. I thought I had enumerated everything but I missed the V Host. Once I saw that as the next step I got all the way to checking the sql version, down to googling for exploits and just went right over the exploit. Frustrated I had it! But didn't look hard enough at first. Thanks so much for another great video.

ellerionsnow
Author

Great narrative. Thank you for sharing!

michalczapnik
Author

There is another way a bit easier to get shell through the Zabbix. In Administration > Scripts panel you can just create or edit/clone some script and put the bash reverse shell there. Then the script can be executed by clicking in the host in Monitoring > Hosts.

willianjaques
Author

I tried the ssh key and found that you needed to be root to activate the service lol thanks Ippsec for this walk-through. Learned a lot from this.

RmDGaming
Author

Shibboleth was such a good machine experience. I really enjoyed it. Took me longer than expected :) Didn't want to abuse sudo since it is not the intended way. EDIT: seems it wouldn't work anyway lol

robbie_
Author

Awesome walkthrough as usual. For connecting to mysql, you can give password in command line (though not good practice :) ). You cannot have space between '-p' and password and then it will work

rajin
Author

In your opinion, is Blackarch Linux better than Kali or Parrot? Or is Blackarch Linux a positive point for me when I am looking for a job opportunity related to Penetration Tester?

razmjumehdi
Author

43:03 the private /tmp is a mount_namespaces(7)

berndeckenfels
Author

You should do a video on your parrot box, they have changed it since and it's not as nice looking.

BennyM
Author

Great video as always :) I have a real pentest scenario where I have to do a double shell because the process terminates. Unfortunately your method of double shell didn't work as well. Is there any other alternative?

frencikurti
Author

how do you remember all command flags....

thomasandolf
Author

Still don't understand how you're supposed to know the usage of IPMI

vriMz
Author

As usual, thanks for the knowledge! When I did the box I did not have privileges to write to /dev/shm? However /tmp/ worked fine in my case.

The_Dark_Cats