Hack The Box: Beep Write-up (#2)
Let’s begin!
Reconnaissance
We start with a quick nmap scan.
nmap -sC -sV -O -oA nmap/basic 10.10.10.7
- -sC: Run the default nmap scripts
- -sV: Probe for service/version info
- -O: Enable OS detection
- -oA: Save the scan results in all 3 output formats (normal, XML and grepable)
We got the following results:
- Port 22 — Running SSH service OpenSSH 4.3 (protocol 2.0)
- Port 25 — Running Simple Mail Transfer Protocol (SMTP) Postfix smtpd
- Port 80 — Running web service Apache httpd 2.2.3
- Port 110 — Running Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
- Port 111 — Running rpcbind service
- Port 143 — Running Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
- Port 443 — Running web service over SSL (HTTPS) Apache httpd 2.2.3
- Port 993 — Running Cyrus imapd over SSL
- Port 995 — Running Cyrus pop3d over SSL
- Port 3306 — Running MySQL (version not reported by nmap)
- Port 4445 — Running upnotifyp
- Port 10000 — Running MiniServ 1.570 (Webmin httpd)
The default scan only covers the most common 1000 ports, so we run a full port scan to make sure we did not miss anything.
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.7
- -p-: Scan all ports from 1-65535
We got the following results:
- Port 877 — Running rpcbind service
- Port 4190 — Running Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included with Cyrus IMAP)
- Port 4559 — Running HylaFAX 4.3.10
- Port 5038 — Running Asterisk Call Manager 1.1
Note that the quick scan did not find the four ports above, so make the full port scan a habit. Finally, we run a UDP scan.
nmap -sU -O -p- -oA nmap/udp 10.10.10.7
The UDP scan takes a very long time. This is because of how differently TCP and UDP work: UDP has no handshake, so nmap gets no reply from most open ports and must wait for timeouts. We can speed up the scan with timing options, but at the risk of reducing its accuracy. If you are interested, you can read here. So I skipped this scan.
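The point above, that the default scan misses ports the -p- scan finds, is easy to check mechanically from the grepable .gnmap files that -oA writes. The following is an added example, not part of the original write-up: a small parser for the grepable format that diffs the open ports of the two scans. The two .gnmap texts are constructed for this example (their port lists mirror the write-up, the surrounding text is made up), so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed grepable (-oG / the .gnmap file from -oA) output for the two scans.
# The port lists mirror the write-up; the text itself is made up for this example.
QUICK_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated as: nmap -sC -sV -O -oA nmap/basic 10.10.10.7",
    "Host: 10.10.10.7 ()\tStatus: Up",
    "Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, "
    "25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.2.3/, "
    "110/open/tcp//pop3//Cyrus pop3d 2.3.7/, 111/open/tcp//rpcbind///, "
    "143/open/tcp//imap//Cyrus imapd 2.3.7/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/, "
    "993/open/tcp//ssl|imap//Cyrus imapd/, 995/open/tcp//ssl|pop3//Cyrus pop3d/, "
    "3306/open/tcp//mysql///, 4445/open/tcp//upnotifyp///, "
    "10000/open/tcp//http//MiniServ 1.570 (Webmin httpd)/",
    "# Nmap done",
])

FULL_GNMAP = "\n".join([
    "# Nmap 7.80 scan initiated as: nmap -sC -sV -O -p- -oA nmap/full 10.10.10.7",
    "Host: 10.10.10.7 ()\tStatus: Up",
    "Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, "
    "25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.2.3/, "
    "110/open/tcp//pop3//Cyrus pop3d 2.3.7/, 111/open/tcp//rpcbind///, "
    "143/open/tcp//imap//Cyrus imapd 2.3.7/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/, "
    "877/open/tcp//rpcbind///, 993/open/tcp//ssl|imap//Cyrus imapd/, "
    "995/open/tcp//ssl|pop3//Cyrus pop3d/, 3306/open/tcp//mysql///, "
    "4190/open/tcp//sieve//Cyrus timsieved 2.3.7/, 4445/open/tcp//upnotifyp///, "
    "4559/open/tcp//hylafax//HylaFAX 4.3.10/, 5038/open/tcp//asterisk//Asterisk Call Manager 1.1/, "
    "10000/open/tcp//http//MiniServ 1.570 (Webmin httpd)/\tIgnored State: closed (65519)",
    "# Nmap done",
])

# A "Host:" line carrying a "Ports:" field; the field ends at the next tab (or end of line).
PORTS_LINE = re.compile(r"^Host: (?P<host>\S+) .*?Ports: (?P<ports>[^\t]*)")


def open_ports(gnmap_text: str) -> Dict[Tuple[int, str], Tuple[str, str]]:
    """Map (port, protocol) -> (service, version) for every open port in grepable output."""
    found = {}
    for line in gnmap_text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        for entry in m["ports"].split(", "):
            # Field layout of one entry: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            found[(int(fields[0]), fields[2])] = (fields[4], fields[6])
    return found


def missed_by_quick_scan(quick: Dict, full: Dict) -> List[Tuple[int, str]]:
    """Open ports that only the full (-p-) scan reported, sorted by port number."""
    return sorted(set(full) - set(quick))


if __name__ == "__main__":
    quick, full = open_ports(QUICK_GNMAP), open_ports(FULL_GNMAP)
    for port, proto in missed_by_quick_scan(quick, full):
        service, version = full[(port, proto)]
        print(f"{port}/{proto} {service} {version}  <- not in the default scan")
```

The same diff is useful on the defensive side: running it against a known-good baseline scan of your own host flags any newly exposed service.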
Service Enumeration
I always like to start enumeration with the common service ports that offer the best chance of getting access to the target. Let’s begin with the web server.
Port 80,443 Apache httpd 2.2.3
Visiting the URL on port 80 redirects us to port 443 (HTTPS), which shows the login form of an Elastix application.
A quick Google search for “Elastix” reveals it is a unified communications server that links together IP PBX, email, IM, faxing and collaboration functionality. An IP PBX is a Voice over IP (VoIP) phone system for business, so this Beep box seems to be built around a phone system. I tried to log in to this page with default credentials but it didn't work. I also checked “View Page Source” for hints but nothing interesting is there. Let’s run dirb to enumerate the web directories.
dirb https://10.10.10.7/
We got the following outputs:
After enumerating all the directories above, /admin and /vtigercrm seem the most interesting. Let’s access them.
I tried default credentials for this page too and they did not work, but the page reveals the version: FreePBX 2.8.1.4. Let’s search for CVE information and exploits. Google didn't give much CVE information for this version. Searching with searchsploit gives a list, and one exploit in particular is linked to the Elastix software. We will test it in the Exploitation section.
Next, we access /vtigercrm.
We got the version number vtiger CRM 5.1.0. Let’s Google this version number for CVEs and exploits. This version of vtiger CRM is vulnerable to Local File Inclusion (LFI); the CVE is CVE-2012-4867 and an exploit is public.
I leave this here for now and move on to the next web service port.
Port 10000 MiniServ 1.570 (Webmin httpd)
Let’s access the URL on port 10000.
We got this login page. I tried default passwords, and it blocked access after 5 failed attempts; after 2 to 3 minutes it unblocks automatically. I also checked “View Page Source” and nothing interesting is there.
Port 25 SMTP Service
Let’s do a quick telnet to this mail service.
telnet 10.10.10.7 25
Good! The email service is working, and we can see our new email in the queue. We will come back to this if the other services do not give us access to the target.
Port 110, 995 (POP3) and Port 143, 993,4190 (IMAP)
These are the mail client services used to access email remotely. We need valid credentials to log in to them, so we come back to this if we find any credentials in a later section.
Port 111 and 877 Rpcbind service
These 2 ports are used by the rpcbind service. Let’s see if there is anything interesting by running the following command:
rpcinfo -p 10.10.10.7
As expected, nothing further can be enumerated here.
Port 4559 HylaFAX 4.3.10
This is open-source fax server software. A Google search for “HylaFAX 4.3.10” didn't show any CVEs or exploits.
Port 5038 Asterisk Call Manager 1.1
A quick search shows this software is used to manage calls: transferring calls, maintaining the current call session and controlling the VoIP phone system. I didn't find any CVEs or exploits.
Port 3306 MySQL
For MySQL, I can't find the version information. I also tried nmap scripts to enumerate it but they did not work. So I skipped this.
Port 4445 upnotifyp
I didn't find much info on this port.
With that information, let’s begin our attack.
Exploitation
#1 HTTPS
Method #1
Let’s download the exploit “FreePBX 2.10.0 / Elastix 2.2.0 — Remote Code Execution” to our Kali machine.
searchsploit -m exploits/php/webapps/18650.py
We have to edit this code to skip SSL certificate verification; otherwise, you will end up with an SSL error.
In the screenshot above, I have added the fix. Update your lhost, lport and rhost. One more thing: you need to find the correct extension for this exploit to work. I used the default 1000 from the exploit and it did not work.
I used the tool svwar from the GitHub project SIPVicious to automate finding an extension that gets a response.
svwar -m INVITE -e100-500 10.10.10.7
We got the following result.
Let’s update our exploit with 233 as the extension value. Alternatively, we can find the extension by sending the request to Burp Intruder, but you need to be patient for the outcome. Mark your payload position as in the screenshot below.
Add your payload values to the list and start the attack.
You will get a different result when a valid extension value hits.
We are good to go to the next step.
On your Kali Linux, set up a netcat listener on port 4444.
nc -nlvp 4444
Execute the Python exploit.
python 18650.py
We got the shell. Let’s upgrade it to a fully interactive shell by executing this Python one-liner.
python -c 'import pty; pty.spawn("/bin/bash")'
Then send this shell to the background by pressing CTRL+Z. After that, execute the command below.
stty raw -echo;fg
Now we have a fully interactive shell with tab completion. Let’s escalate privileges to root, following the method described in the exploit.
It seems the user asterisk is in the sudoers list. Let’s check that.
That's right. Let’s use nmap interactive mode and get the root shell.
sudo nmap --interactive
Nice!
Grab the root flag.
Grab the user flag.
Method #2
We use the LFI vulnerability in the /vtigercrm page. From Exploit-DB (refer to the exploit link shared earlier) we copy the path and paste it into the URL.
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
We got the following result.
We can send this request to Burp Repeater and get the response in a nice format.
We take note of the usernames that have /bin/bash as their shell. We use these later for SSH login with a technique called “Password Spraying” using Hydra, a network login brute-forcing tool.
Let’s find the location of the Asterisk configuration file, since this LFI runs in the context of the asterisk user. As per the software documentation, the location is /etc/asterisk/manager.conf. Let’s read its content through the LFI.
We get back the following result.
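From the defender's side, the two LFI requests above leave a very recognisable trace in the Apache access log, and the underlying bug (an include path built from a request parameter) has a standard fix. The block below is an added example, not code from the write-up or from vtiger CRM. It parses constructed access-log lines (the first two mirror the request shapes shown above) and flags traversal, null-byte and sensitive-file indicators, then shows the hardened way to resolve a module name: allow-list first, then confine the canonical path to a base directory. MODULES_DIR, ALLOWED_MODULES and the fields.php filename are hypothetical.

```python
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache access-log lines (not real logs from the box). The first two
# mirror the traversal requests shown in the write-up; the last two are benign.
SAMPLE_ACCESS_LOG = "\n".join([
    '10.10.14.5 - - [10/Oct/2020:12:00:01 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1870',
    '10.10.14.5 - - [10/Oct/2020:12:00:09 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2F..%2F..%2Fetc%2Fasterisk%2Fmanager.conf%00 HTTP/1.1" 200 412',
    '10.10.14.9 - - [10/Oct/2020:12:01:00 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Accounts HTTP/1.1" 200 95',
    '10.10.14.9 - - [10/Oct/2020:12:01:05 +0000] "GET /index.php HTTP/1.1" 302 0',
])

# Combined-log-format request line: source, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def lfi_indicators(target: str) -> List[str]:
    """Name the LFI indicators in a request target, after undoing single or double URL encoding."""
    decoded = unquote(unquote(target))
    hits = []
    if "../" in decoded or "..\\" in decoded:
        hits.append("traversal")
    if "\x00" in decoded:  # %00 truncated the appended extension in old PHP versions
        hits.append("null-byte")
    if re.search(r"/etc/(passwd|shadow)|manager\.conf", decoded):
        hits.append("sensitive-file")
    return hits


def find_lfi_attempts(log_text: str) -> List[Dict]:
    """Return one finding per log line that carries at least one LFI indicator."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = lfi_indicators(m["target"])
        if indicators:
            findings.append({"src": m["src"], "status": int(m["status"]),
                             "target": m["target"], "indicators": indicators})
    return findings


# Hardened include: hypothetical base directory and allow-list for this example.
MODULES_DIR = "/var/www/html/vtigercrm/modules"
ALLOWED_MODULES = {"Accounts", "Contacts", "Leads"}


def resolve_module_file(module_name: str) -> Optional[str]:
    """Resolve module_name safely: allow-list first, then confine the real path to the base dir."""
    if module_name not in ALLOWED_MODULES:
        return None
    base = os.path.realpath(MODULES_DIR)
    candidate = os.path.realpath(os.path.join(base, module_name, "fields.php"))
    # Belt and braces: even an allow-listed name must resolve inside the base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for finding in find_lfi_attempts(SAMPLE_ACCESS_LOG):
        print(finding["src"], finding["status"], finding["indicators"])
```

A 200 status on a flagged request is the signal that matters: the server answered the traversal rather than rejecting it. In the write-up both reads succeed, which is why the secret in manager.conf ends up exposed.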
Now we have a secret. Let’s test it on the /vtigercrm login page with the username admin.
Nice! We successfully logged in to the admin page. Let’s quickly check the Settings tab for any file upload option or server settings.
This admin page doesn’t have any server settings configured, but there is a file upload option under Settings > Company Details.
Kali Linux ships with web shells. You can find them here:
root@kali:~# ls -l /usr/share/webshells/php/
total 44
-rw-r--r-- 1 root root 4515 Aug 18 2015 findsock.c
-rw-r--r-- 1 root root 2800 Aug 18 2015 php-backdoor.php
-rwxr-xr-x 1 root root 3467 Aug 18 2015 php-findsock-shell.php
-rwxr-xr-x 1 root root 5491 Aug 18 2015 php-reverse-shell.php
-rw-r--r-- 1 root root 13585 Aug 18 2015 qsd-php-backdoor.php
-rw-r--r-- 1 root root 328 Aug 18 2015 simple-backdoor.php
I use php-reverse-shell.php for the reverse shell. Edit the file and change the IP and port values to your Kali Linux IP and the desired port.
Copy php-reverse-shell.php to php-reverse-shell.php.jpg, because only files with a .jpg extension can be uploaded.
cp php-reverse-shell.php php-reverse-shell.php.jpg
Set up a netcat listener on your Kali Linux.
nc -nlvp 4444
Now upload the php-reverse-shell.php.jpg file and click the Save button.
We got the shell in the context of the user “asterisk”. Now you know what to do next: user asterisk is a member of the sudoers list.
Again we got the root shell!
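The upload step works because the Company Details form only checks that the filename ends in .jpg, so php-reverse-shell.php.jpg passes and the web server still treats it as PHP. The block below is an added example, not code from the write-up or from vtiger CRM: it puts that weak suffix check next to a hardened validator that requires exactly one extension, checks the file's magic bytes against the type the extension claims, and stores the file under a random name. The sample payloads are constructed (the "PHP" one is a harmless echo).

```python
import os
import secrets
from typing import Optional

# Allowed extensions and the magic bytes a genuine file of that type starts with.
ALLOWED_IMAGE_TYPES = {
    "jpg": b"\xff\xd8\xff",        # JPEG start-of-image marker
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",   # PNG signature
}


def naive_is_allowed(filename: str) -> bool:
    """The weak check: accepts anything whose name ends in .jpg, including shell.php.jpg."""
    return filename.lower().endswith(".jpg")


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Return the validated extension, or None if the upload must be rejected."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    # Require exactly one extension so double extensions like .php.jpg never pass.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1]
    magic = ALLOWED_IMAGE_TYPES.get(ext)
    # The content must actually look like the image type the extension claims.
    if magic is None or not data.startswith(magic):
        return None
    return ext


def stored_name(ext: str) -> str:
    """Never keep the client's filename; store under a random name with the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample payloads (not real files from the box).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
TEXT_BYTES = b"<?php echo 'not an image'; ?>"


if __name__ == "__main__":
    for name, data in [("logo.jpg", JPEG_BYTES), ("php-reverse-shell.php.jpg", TEXT_BYTES)]:
        ext = hardened_check(name, data)
        print(name, "naive:", naive_is_allowed(name), "hardened:", ext and stored_name(ext))
```

The validator is only half of the fix. The reason a .php.jpg file executes at all is an Apache handler mapping such as AddHandler for .php, which matches that extension anywhere in the filename; mapping the PHP handler with a FilesMatch on a trailing \.php$ instead, and keeping uploads in a directory with script execution disabled, removes the second half.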
Method #3
We use the “Password Spraying” technique to test SSH logins with the discovered password using Hydra. Create a users.txt file with the usernames as below.
Now we are ready to run hydra.
hydra -L users.txt -p jEhdIekWmdjE 10.10.10.7 -f -v -t 4 ssh
- -L: User list
- -p: Password
- -f: Exit when a login/pass pair is found
- -v: Verbose mode
- -t: Run TASKS number of connects in parallel per target (default: 16)
Awesome! We got a successful login for the root user. Let’s test SSH now.
Nice! It seems the same password is used for many logins.
I tested the https://10.10.10.7:10000 Webmin page with the username root and the password jEhdIekWmdjE, and it works.
Great! I have shown you 3 different ways to get into the Beep box and escalate privileges to root.
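Method #3 is a textbook password spray: one password tried against a list of accounts, which per-account lockouts never notice because each user sees a single failure. The block below is an added example, not part of the write-up or of Hydra: it parses constructed sshd log lines (syslog format, invented hostnames and users) and flags any source that fails against several distinct accounts inside a short window, reporting whether that source then logged in successfully. The window and threshold values are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd log lines in syslog format (not real logs from the box). One source
# tries a single password against several accounts and finally succeeds as root.
SAMPLE_AUTH_LOG = "\n".join([
    "Oct 10 12:00:01 beep sshd[2101]: Failed password for invalid user alice from 10.10.14.5 port 50111 ssh2",
    "Oct 10 12:00:02 beep sshd[2102]: Failed password for invalid user bob from 10.10.14.5 port 50112 ssh2",
    "Oct 10 12:00:02 beep sshd[2103]: Failed password for mailadmin from 10.10.14.5 port 50113 ssh2",
    "Oct 10 12:00:03 beep sshd[2104]: Failed password for asterisk from 10.10.14.5 port 50114 ssh2",
    "Oct 10 12:00:03 beep sshd[2105]: Failed password for carol from 10.10.14.5 port 50115 ssh2",
    "Oct 10 12:00:04 beep sshd[2106]: Accepted password for root from 10.10.14.5 port 50116 ssh2",
    "Oct 10 12:05:00 beep sshd[2150]: Failed password for bob from 10.10.14.20 port 41000 ssh2",
    "Oct 10 12:05:30 beep sshd[2151]: Accepted password for bob from 10.10.14.20 port 41001 ssh2",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

Event = Tuple[datetime, str, str, bool]  # (time, source, user, accepted)


def parse_events(log_text: str, year: int = 2020) -> List[Event]:
    """Parse sshd password-auth lines; syslog carries no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def detect_spray(events: List[Event], window_s: int = 300, min_users: int = 4) -> Dict[str, Dict]:
    """Flag sources that fail against >= min_users distinct accounts inside window_s seconds.
    Many accounts with one failure each is the spray signature a per-account lockout misses."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [(ts, user) for ts, user, ok in evs if not ok]
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                # A success from the same source after the spray began is the real alarm.
                accepted = [u for t, u, ok in evs if ok and t >= t0]
                alerts[src] = {"distinct_users": len(users), "accepted_after": accepted}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts tried, accepted after: {info['accepted_after']}")
```

The chain in this write-up only closes because one secret from manager.conf also unlocks the vtiger admin account, SSH as root and Webmin. Unique per-service credentials, PermitRootLogin no in sshd_config, and rate limiting by source address rather than by account each break a different link of it.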
Attack Strategy Map
I summarised my attack vectors in this map.
Thank you for reading :-) Next box is the Shocker.