So I did it the hard way:
I looked out for the BMC's flash chip, cleaned up the pins and used a chip grabber and SPI programmer to read out the flash.
This was pretty straight forward, but I had to use an updated flashrom code, as the flash chip is a MX25L25635F which was not included in the current Ubuntu Linux release, which I am using.
After figuring out the pin-outs, I connected GND, MISO, MOSI, CLK, CS, but left +3,3V open. Then I powered up the board and read everything from the flash chip into a file.
Looking into the flash image, I found the wsman configuration, which points to a simple_auth.passwd file, which consists of 4 password hashes ;-)
The used encryption method is pretty old: Traditional Unix Crypt (DES). That means the password is at max 8 characters long and the valid characters are ascii 7-bit.
The first user is obvious: ADMIN with the hashed password of ADMIN.
Since ADMIN/ADMIN does not work on either IPMItool nor on the Webinterface, I assume they have disabled that user, which is quite clever, as every script-kiddy will try to attempt the default usernames on IPMI Interfaces.
So there are 3 hashes left. I give hashcat and my trusty Geforce 1060 GPU a try and hopefully I will figure out at least one password, so that I can do a factory reset. Then I can finally continue on my path to power up this little mainboard
Cheers,
Daniel