How to get root on and secure access to your Supermicro IPMI (version 315):

Prerequisites:
1) Admin access to the IPMI (user / password)
2) Firmware image (to extract the configuration decryption key)
3) A number of tools (openssl, tar, dropbear...)

TL;DR summary:
1) Extract aes key from firmware image
2) Log into IPMI web interface and download config
3) Decrypt and untar config
4) Modify lighttpd.conf to use include_shell to execute one of the other .conf files
5) Repack the config (re-encrypting optional)
6) Restore the 'config' using the web interface
7) Move the temporary .conf shell script to a different name on the /nv jffs2 partition 
8) Use the permanent root gained through this to replace the insecure fixed ssh keys with personalized secure ones you generated
9) Lock the system down using iptables

And now a bit more in-depth:
$ binwalk SMT_X9_315.bin
DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
1572864         0x180000        CramFS filesystem, little endian size 8372224 version #2 sorted_dirs CRC 0xe0f8f23d, edition 0, 5156 blocks, 1087 files  
9961472         0x980000        Zip archive data, at least v2.0 to extract, compressed size: 1124880, uncompressed size: 2331112, name: "kernel.bin"  
11086504        0xA92AA8        End of Zip archive 
12058624        0xB80000        CramFS filesystem, little endian size 1945600 version #2 sorted_dirs CRC 0x75aaf428, edition 0, 926 blocks, 204 files  

The first cramfs is the one we need (the root filesystem).
Use dd to extract it (offset 0x180000, length 8372224 from the binwalk output), loop-mount it, and run strings on bin/ipmi_conf_backup_tool to extract the openssl command and keys:

$ strings bin/ipmi_conf_backup_tool | grep openssl -B1 -A1

Decrypt config:
$ openssl aes-256-cbc -d -in config.bin -out decrypted.tar.gz -k KEYGOESHERE

Untar config:
$ tar xvzf decrypted.tar.gz

Modify lighttpd.conf to execute shell script:
$ echo 'include_shell "test -r /nv/setup.sh && source /nv/setup.sh || source /nv/vm_image.conf"' > preserve_config/lighttpd.conf

Replace vm_image.conf with a shell script (the heredoc delimiter is quoted so that $RSAKEY and the inner heredoc reach the IPMI literally instead of being expanded by your workstation's shell):
(Warning: I did some last-minute changes and can't test them right now, handle with care!)
$ cat > preserve_config/vm_image.conf <<'EOF'
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
exec >>/tmp/setup.log
exec 2>&1
echo hello world
if ! test -r /nv/setup.sh; then
  mv /nv/vm_image.conf /nv/setup.sh
fi
if ! test -r /nv/sh; then
  cat > /nv/sh <<ENDNVSH
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PS1="root@wpcm450:#"
export PATH PS1
exec /bin/sh -l
ENDNVSH
  chmod 755 /nv/sh
fi
if ! test -r /tmp/dropbear.pid; then
  cp /dropbear/sbin/dropbear /tmp/patched_dropbear
  echo -e "/nv/sh\0" > /tmp/patch
  dd if=/tmp/patch of=/tmp/patched_dropbear bs=1 seek=109344 conv=notrunc
  killall dropbear
  RSAKEY=/dropbear/bin/dropbear_rsa_host_key
  if test -r /nv/dropbear.rsa.key; then
    RSAKEY=/nv/dropbear.rsa.key
  fi
  echo using rsa key $RSAKEY
  setsid /tmp/patched_dropbear -p 22 -I 600 -r $RSAKEY -d /tmp/nodsskey -P /tmp/dropbear.pid
  echo locking down network access
  iptables -F INPUT
  iptables -A INPUT -p tcp \! --syn -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -p udp --sport 53 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  iptables -P INPUT DROP
fi
echo setup done
EOF

Repack the config:
$ tar -czf config.bin preserve_config
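A mistake in vm_image.conf only shows up as lighttpd refusing to start on the BMC, so it is worth checking the preserve_config directory on the workstation before the repack and upload. The following pre-flight check is an added example, not part of the original post; it assumes the two file names used above (lighttpd.conf and vm_image.conf) and that the archive is restored under /nv.

```shell
#!/bin/sh
# Added example: validate a modified preserve_config directory before it is
# tarred up and restored through the IPMI web interface. Catches the mistakes
# that would otherwise leave the web server unable to start on the BMC.

# check_config_dir DIR -> 0 if DIR looks safe to upload, 1 with a reason on stderr
check_config_dir() {
    dir=$1 conf=$1/lighttpd.conf script=$1/vm_image.conf
    [ -f "$conf" ] && [ -f "$script" ] \
        || { echo "lighttpd.conf or vm_image.conf missing in $dir" >&2; return 1; }

    # lighttpd hands the include_shell line to /bin/sh; keep it a single line
    [ "$(grep -c '' "$conf")" -le 1 ] && grep -q '^include_shell "' "$conf" \
        || { echo "lighttpd.conf must be exactly one include_shell line" >&2; return 1; }

    # every /nv/*.conf the include_shell line can fall back to must ship in DIR
    # (setup.sh is created on the box at first run, so only *.conf are required)
    for p in $(grep -o '/nv/[A-Za-z0-9_.-]*\.conf' "$conf" | sort -u); do
        [ -f "$dir/${p#/nv/}" ] || { echo "$p referenced but not shipped" >&2; return 1; }
    done

    # the script must be a real shell script and parse cleanly
    head -n 1 "$script" | grep -q '^#!/bin/sh' \
        || { echo "vm_image.conf lacks a #!/bin/sh line" >&2; return 1; }
    sh -n "$script" 2>/dev/null \
        || { echo "vm_image.conf has a syntax error" >&2; return 1; }

    # a variable that is assigned but never expanded or exported is the signature
    # of an unquoted heredoc: cat <<EOF expands $RSAKEY on the workstation
    for name in $(sed -n 's/^ *\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$script" | sort -u); do
        grep -Eq "\\\$\{?$name([^A-Za-z0-9_]|\$)|^ *export .*$name" "$script" \
            || { echo "$name assigned but never used in vm_image.conf" >&2; return 1; }
    done
    return 0
}
```

Run it as `check_config_dir preserve_config` and only tar the directory when it exits 0.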

Upload the config using the web interface.

If everything went correctly and I didn't make any typos above, you should be able to log in using ssh, and it should drop you into a root shell instead of the normal SMASH shell (which you can still access using the /SMASH/msh command).
Once you've done that, you can replace the ssh private key with one you generated yourself:

Since this dropbear doesn't seem to have scp compiled in, use cat to do so. The key has to be in dropbear's own key format (e.g. generated with dropbearkey -t rsa); an OpenSSH-format key needs dropbearconvert first, otherwise dropbear will fail to start with the new key:
$ cat > /nv/dropbear.rsa.key <<EOF
YOURKEYGOESHERE
EOF