Beep is an easy Linux box with many services running. Unfortunately the path to root is fairly unspectacular, and most of the running services don't lead anywhere and are plain rabbit holes.
┌─[luka@parrot]─[~/Desktop/htb/Beep/nmap]
└──╼ $nmap -sC -sV -oA nmap 10.10.10.7 -v
# Nmap 7.70 scan initiated Wed Jul  3 23:29:11 2019 as: nmap -sC -sV -oA nmap -v 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.023s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP TOP PIPELINING AUTH-RESP-CODE IMPLEMENTATION(Cyrus POP3 server v2) EXPIRE(NEVER) USER RESP-CODES LOGIN-DELAY(0) UIDL STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            742/udp  status
|_  100024  1            745/tcp  status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed OK CONDSTORE LIST-SUBSCRIBED X-NETSCAPE MULTIAPPEND UNSELECT BINARY MAILBOX-REFERRALS ANNOTATEMORE URLAUTHA0001 STARTTLS QUOTA IDLE CATENATE ID NO THREAD=REFERENCES SORT ATOMIC THREAD=ORDEREDSUBJECT SORT=MODSEQ ACL IMAP4 RENAME CHILDREN NAMESPACE RIGHTS=kxte IMAP4rev1 LITERAL+ UIDPLUS LISTEXT
443/tcp   open  ssl/https?
|_ssl-date: 2019-07-06T03:16:26+00:00; +2d05h44m36s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: mean: 2d05h44m35s, deviation: 0s, median: 2d05h44m35s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul  6 06:30:51 2019 -- 1 IP address (1 host up) scanned in 198099.28 seconds
After checking the nmap results we can see that there are a few things to look at. There is an HTTP server running Elastix, there are mail servers, a MySQL instance reachable from outside the box, and two less common ports, 4445 and 10000.
I checked the last two open ports, 4445 and 10000, first. Port 4445 doesn't reveal much when simply running curl and telnet against it.
But opening https://10.10.10.7:10000 does the trick: it is the Webmin instance nmap already identified. Unfortunately simple credentials don't seem to work, and after 3-5 manual attempts I just got blocked, so it looks like a rabbit hole.
Next I checked the Elastix server on port 80.
Some simple fingerprinting techniques didn't really reveal which version it is running. According to the metadata of the logo, it was created in 2017, but that is probably the date on which Elastix was first installed on the machine.
After checking exploit-db for exploits (since searchsploit doesn't show the dates on which exploits were created), I realized that all of them date from 2015 and earlier.
I tried the newer exploit, 38091, which I couldn't get to work. Luckily, after reading 37637, I tested a "ready-to-paste" LFI exploit in the browser, which got me some credentials. The file it reads is a configuration file.
Funnily enough, the same password is used for root. So all I had to do was SSH onto the box as root and paste the password from above.
┌─[root@parrot]─[/home/luka/Desktop/htb/Beep/exploits]
└──╼ #ssh -l root 10.10.10.7
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
email@example.com's password:
Last login: Fri Aug 25 18:05:54 2017

Welcome to Elastix
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# uname -a
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
[root@beep ~]# cat /root/root.txt
xxxxxDELETEDxxxxx
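The credentials above came out of a configuration file read through a path-traversal LFI, and from the defending side such requests leave a clear trace in the web server's access log. The detection script below is an added example written for this post, not code from the writeup or from Elastix; it runs over constructed Apache log lines with a hypothetical `page=` parameter standing in for the vulnerable endpoint, and flags traversal sequences, null-byte truncation and config-file references, marking 200 responses as likely successful reads.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (sample data, not from the box).
# The page=... parameter is a hypothetical stand-in for the vulnerable endpoint.
SAMPLE_LOG = """\
10.10.14.5 - - [06/Jul/2019:06:31:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [06/Jul/2019:06:31:09 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [06/Jul/2019:06:31:15 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fhttpd%2Fconf%2Fhttpd.conf HTTP/1.1" 404 312 "-" "Mozilla/5.0"
10.10.14.9 - - [06/Jul/2019:06:32:01 +0000] "GET /report.php?range=3..5 HTTP/1.1" 200 880 "-" "curl/7.64"
10.10.14.9 - - [06/Jul/2019:06:32:04 +0000] "GET /images/logo.png HTTP/1.1" 200 9021 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def traversal_reasons(uri):
    """Return the LFI indicators found in a request URI (empty list if none)."""
    decoded = unquote(unquote(uri))  # second pass catches double-encoded %252e%252e%252f
    reasons = []
    if re.search(r'\.\.[/\\]', decoded):      # "3..5" without a separator is not flagged
        reasons.append('directory traversal')
    if '\x00' in decoded:                      # %00 truncates the appended extension on old PHP
        reasons.append('null-byte truncation')
    if re.search(r'/etc/|\.conf\b', decoded):  # system or configuration file named in the URI
        reasons.append('config or system file reference')
    return reasons

def scan_log(text):
    """Parse log lines and return one record per request carrying LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = traversal_reasons(m['uri'])
        if reasons:
            hits.append({
                'ip': m['ip'],
                'uri': m['uri'],
                'status': int(m['status']),
                # a 200 on a traversal request means the file was probably served
                'likely_success': m['status'] == '200',
                'reasons': reasons,
            })
    return hits

if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(h['ip'], h['status'], ', '.join(h['reasons']), h['uri'])
```

Requests that are flagged with a 200 status are the ones to treat as a probable credential exposure and rotate everything the config file contains, including any password shared with system accounts.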