Beep @ Hackthebox

Beep is an easy Linux box with many services running. Unfortunately the way to root is very unspectacular, and most of the running services don't lead anywhere and are plain rabbit holes.

Enumeration

Starting with nmap:

┌─[luka@parrot]─[~/Desktop/htb/Beep/nmap]
└──╼ $nmap -sC -sV -oA nmap 10.10.10.7 -v 
# Nmap 7.70 scan initiated Wed Jul  3 23:29:11 2019 as: nmap -sC -sV -oA nmap -v 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.023s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP TOP PIPELINING AUTH-RESP-CODE IMPLEMENTATION(Cyrus POP3 server v2) EXPIRE(NEVER) USER RESP-CODES LOGIN-DELAY(0) UIDL STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            742/udp  status
|_  100024  1            745/tcp  status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed OK CONDSTORE LIST-SUBSCRIBED X-NETSCAPE MULTIAPPEND UNSELECT BINARY MAILBOX-REFERRALS ANNOTATEMORE URLAUTHA0001 STARTTLS QUOTA IDLE CATENATE ID NO THREAD=REFERENCES SORT ATOMIC THREAD=ORDEREDSUBJECT SORT=MODSEQ ACL IMAP4 RENAME CHILDREN NAMESPACE RIGHTS=kxte IMAP4rev1 LITERAL+ UIDPLUS LISTEXT
443/tcp   open  ssl/https?
|_ssl-date: 2019-07-06T03:16:26+00:00; +2d05h44m36s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: mean: 2d05h44m35s, deviation: 0s, median: 2d05h44m35s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 06:30:51 2019 -- 1 IP address (1 host up) scanned in 198099.28 seconds

After checking the nmap results we can see that there are a few things to look at: an HTTP server running Elastix, mail servers (SMTP, POP3 and IMAP), a MySQL server reachable from outside the box, and two unusual ports, 4445 and 10000.
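The scan above is what triggers the whole enumeration, so as an added example (not code from the original writeup) here is a small parser for nmap's normal output that turns the port lines into records and lists the open ports nmap could not identify. Those are exactly the ones that need a manual look with curl or telnet. The embedded input is a subset of the scan lines shown above; the regex, the `Service` record and `needs_manual_look` are my own assumptions about a sensible shape, not an nmap API.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the nmap normal-output lines from the scan above,
# embedded here so the parser runs offline.
SAMPLE_SCAN = """\
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
443/tcp   open  ssl/https?
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]".
# NSE script output lines start with "|" and never match, so they are skipped.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str
    fingerprinted: bool  # False when nmap appended "?": a guess, no version probe matched


def parse_nmap(text: str) -> List[Service]:
    """Turn nmap normal output into Service records, one per port line."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        name = m["service"]
        services.append(Service(
            port=int(m["port"]),
            proto=m["proto"],
            state=m["state"],
            service=name.rstrip("?"),
            version=(m["version"] or "").strip(),
            fingerprinted=not name.endswith("?"),
        ))
    return services


def needs_manual_look(services: List[Service]) -> List[Service]:
    """Open ports nmap could not identify or version: the ones to probe by hand."""
    return [s for s in services
            if s.state == "open" and (not s.fingerprinted or not s.version)]


if __name__ == "__main__":
    for s in parse_nmap(SAMPLE_SCAN):
        flag = "" if s.fingerprinted and s.version else "   <- unidentified"
        print(f"{s.port:>5}/{s.proto} {s.service:<10} {s.version}{flag}")
```

On the sample above the two flagged ports are 443 (ssl/https?) and 4445 (upnotifyp?), which matches where the enumeration goes next; 10000 is already identified as Webmin by the version probe.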

I checked the last two ports mentioned, 4445 and 10000, first. Port 4445 doesn't reveal much when simply running curl and telnet against it.


But opening https://10.10.10.7:10000 does the trick and shows the login page of the Webmin instance nmap identified. Unfortunately simple credentials don't seem to work. After 3-5 manual attempts I just got blocked, so it looks like a rabbit hole.


Next I checked the Elastix server on port 80.


Some simple fingerprinting techniques didn't really reveal which version it is running. According to the metadata of the logo, it was created in 2017, but that is probably just the date on which Elastix was first installed on the machine.


“Exploitation”

After checking exploit-db for exploits (since searchsploit doesn't show the dates on which exploits were created) I realized that all available exploits date from 2015 and earlier.


I tried the newer exploit 38091 first, which I couldn't get to work. Luckily, after reading 37637 I pasted its ready-to-use LFI request into the browser, which got me some credentials: the file it reads is a configuration file.
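From the defender's side, the LFI used here leaves a very recognisable trace in the web server's access log: a request whose path or query contains `../` sequences (possibly URL-encoded, sometimes twice) and often a null byte. As an added example that is not part of the original writeup, the following detector runs over constructed Apache combined-log lines. The `/app/view.php?page=` parameter in the sample lines is made up for illustration and is not the Elastix request the author used; the bounded double-decoding is the point, because a single `unquote` misses `%252F`.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from the box). The second and third
# model traversal requests of the kind an LFI relies on, using a made-up
# /app/view.php?page= parameter rather than any real exploit URL.
SAMPLE_LOG = [
    '10.10.14.2 - - [06/Jul/2019:06:20:01 +0000] "GET /index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [06/Jul/2019:06:20:05 +0000] "GET /app/view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "curl/7.64.0"',
    '10.10.14.2 - - [06/Jul/2019:06:20:09 +0000] "GET /app/view.php?page=..%252F..%252Fetc%252Fhosts%00 HTTP/1.1" 404 312 "-" "curl/7.64.0"',
]

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r"\.\.(/|\\)")  # "../" or "..\"


def decode(target: str, rounds: int = 2) -> str:
    """URL-decode repeatedly, but bounded, so double-encoded %252F still becomes '/'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def detect_traversal(lines):
    """Return one hit per request whose decoded target looks like path traversal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format: skip rather than crash on odd lines
        target = decode(m["target"])
        reasons = []
        if TRAVERSAL.search(target):
            reasons.append("path traversal")
        if "\x00" in target:
            reasons.append("null byte")  # a NUL in a request path is never legitimate
        if reasons:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "target": m["target"],  # keep the raw form for the ticket
                "status": int(m["status"]),
                "reasons": reasons,
                # 200 means the server served *something* for the traversal: triage first
                "likely_success": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in detect_traversal(SAMPLE_LOG):
        print(hit)
```

The `likely_success` flag is deliberately crude: a 200 on a traversal request does not prove the file was disclosed, but it separates "worked" from "blocked by the web server" well enough to order the triage queue. Whether the application itself appends an extension or filters input is a separate check on the box.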


Funnily enough, the same password is reused for root, so all I had to do was ssh onto the box as root with the password from the configuration file.

┌─[root@parrot]─[/home/luka/Desktop/htb/Beep/exploits]
└──╼ #ssh -l root 10.10.10.7
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
root@10.10.10.7's password: 
Last login: Fri Aug 25 18:05:54 2017

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# uname -a
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
[root@beep ~]# cat /root/root.txt 
xxxxxDELETEDxxxxx
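The root login above works because two things line up: a password reused from an application config file, and an sshd that still accepts password logins for root. The first is a people problem; the second is a one-line config fix, with a trap that bites surprisingly often. As an added example that is not part of the original writeup, the checker below reads an `sshd_config` the way sshd itself does: `sshd_config(5)` states that the first value obtained for a keyword is used, so a `PermitRootLogin no` appended at the end of the file does not override an earlier `yes`. The two config excerpts are constructed, not the box's real file, and the default for an unset `PermitRootLogin` is passed in because it changed from `yes` to `prohibit-password` in OpenSSH 7.0 (this box runs 4.3).

```python
import re

# Constructed sshd_config excerpts (not the box's real file). Per sshd_config(5) the
# FIRST value obtained for a keyword wins, so the "no" appended at the bottom of WEAK
# never takes effect.
WEAK = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# appended later, in the belief that it overrides the line above:
PermitRootLogin no
"""

HARDENED = """\
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
KEYVAL = re.compile(r"^(\S+?)[\s=]+(.+)$")


def effective_options(config: str) -> dict:
    """Global keyword -> first value, as sshd resolves it. Match blocks are left out:
    they only add per-connection overrides on top of the global section."""
    opts = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # end of the global section
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        opts.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return opts


def root_password_login_allowed(config: str, default_permit_root: str = "yes") -> bool:
    """True when root can log in with nothing but a password.
    default_permit_root is what an unset PermitRootLogin means on the target:
    'yes' up to OpenSSH 6.9, 'prohibit-password' from 7.0 on.
    PasswordAuthentication defaults to 'yes' in all versions."""
    opts = effective_options(config)
    permit_root = opts.get("permitrootlogin", default_permit_root).lower()
    password_auth = opts.get("passwordauthentication", "yes").lower()
    return permit_root == "yes" and password_auth == "yes"


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "root password login allowed:", root_password_login_allowed(cfg))
```

Run against `WEAK` it reports that root password login is still allowed despite the trailing `no`, which is the mistake an audit of "grep PermitRootLogin" would miss; `HARDENED` disables it twice over, once by forbidding root passwords specifically and once by turning off password authentication for everyone.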