Read my writeup for Shibboleth machine on
TL;DR
User: Found vhosts of the Zabbix system. Using the scanner/ipmi/ipmi_dumphashes Metasploit module, we dumped the Administrator password of Zabbix. Using Zabbix, we get remote command execution and a reverse shell as zabbix. Using the same password as before, we get the user ipmi-svc.
Root: Exploiting the DB 10.3.25-MariaDB using CVE-2021-27928, we get a reverse shell as root.