HTB Beep Walkthrough

Max Register
Aug 14, 2020

Enumeration

We will start this box with the usual Nmap scan, using -sC for default scripts, -sV for version detection, and -oA to save the output in all three formats.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 15:02 EDT
Nmap scan report for 10.10.10.7
Host is up (0.041s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE LOGIN-DELAY(0) STLS PIPELINING UIDL TOP APOP IMPLEMENTATION(Cyrus POP3 server v2) USER EXPIRE(NEVER) RESP-CODES
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: MULTIAPPEND ANNOTATEMORE UNSELECT THREAD=ORDEREDSUBJECT LISTEXT ATOMIC OK LIST-SUBSCRIBED ACL URLAUTHA0001 QUOTA X-NETSCAPE IDLE MAILBOX-REFERRALS BINARY LITERAL+ NO CATENATE THREAD=REFERENCES IMAP4rev1 SORT=MODSEQ Completed SORT CONDSTORE RIGHTS=kxte NAMESPACE UIDPLUS CHILDREN IMAP4 RENAME STARTTLS ID
443/tcp open ssl/https?
|_ssl-date: 2020-08-07T19:08:16+00:00; +2m34s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 2m33s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 349.92 seconds

Wow, we have a lot to work with on this box! We see an Apache server on port 80, and since web services tend to have the largest attack surface, let’s start there. Pulling up the web server in the browser we are greeted with a login screen for Elastix:

We don’t get any version information right off the bat with this login page. We can run a Gobuster scan against this with the following command:

gobuster dir -u https://10.10.10.7 -k -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

We must pass -k to skip TLS certificate verification, otherwise Gobuster errors out with no results. This scan will take some time to get through the wordlist, so let’s use that time to explore the other services running on this machine.

We have an SMTP service listening on port 25 which we can connect to using Netcat, and we can manually enumerate usernames with the VRFY command as shown below.

kali@kali:~$ nc -nv 10.10.10.7 25
(UNKNOWN) [10.10.10.7] 25 (smtp) open
VRFY root
220 beep.localdomain ESMTP Postfix
252 2.0.0 root
VRFY daemon
252 2.0.0 daemon

Doing this manually could take some time, so let’s make it easier on ourselves with a simple Python script that verifies usernames with the VRFY command against the small SMTP usernames list in our wordlists directory.

This Python script feeds each entry of the SMTP username list from our wordlists directory to the VRFY command to check whether the username exists on the server. The server answers with code 252 for existing users and 550 for nonexistent ones.

Let’s clean up this output a little by piping it to grep and keeping only the lines beginning with 252, i.e. the existing users.

Lastly, we can pipe this to cut with a space as the delimiter and field 3 to strip everything except the verified usernames.

This is a bit sloppy: in the wild it would be unwise to issue the VRFY request this many times, as it could trip an Intrusion Detection System. It would be a better idea to save the initial output to a text file once and then clean it up locally with cat.
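From the defender’s side, the burst of VRFY probes described above is easy to spot in a session transcript. The following is an added example, not code from the original write-up: it parses a constructed session in the same shape as the Netcat transcript above, classifies each VRFY by the reply code the write-up relies on (252 exists, 550 unknown) plus the 502 a Postfix with disable_vrfy_command = yes returns, and flags the session once several distinct names have been probed.

```python
import re
from collections import Counter

# Constructed sample session in the same shape as the Netcat transcript above:
# client commands are bare lines, server replies start with a 3-digit code.
SAMPLE_SESSION = """220 beep.localdomain ESMTP Postfix
VRFY root
252 2.0.0 root
VRFY daemon
252 2.0.0 daemon
VRFY backup
550 5.1.1 <backup>: Recipient address rejected: User unknown
VRFY mail
252 2.0.0 mail
QUIT
221 2.0.0 Bye
"""

VRFY_RE = re.compile(r"^VRFY\s+(\S+)", re.IGNORECASE)
REPLY_RE = re.compile(r"^(\d{3})[ -]")
# 252/550 are the codes the write-up relies on; 502 is what a Postfix
# with disable_vrfy_command = yes answers instead.
CODE_MEANING = {"252": "exists", "550": "unknown", "502": "vrfy_disabled"}

def analyze_vrfy_session(transcript, threshold=3):
    """Pair each VRFY with the next server reply and summarize the session.

    Returns per-outcome counts, the names the server confirmed, the number of
    distinct names probed, and an 'enumeration' flag set once that number
    reaches `threshold` (legitimate clients rarely send VRFY at all).
    """
    pending = None          # name from the last VRFY awaiting its reply
    outcomes = Counter()
    confirmed, probed = [], set()
    for line in transcript.splitlines():
        cmd = VRFY_RE.match(line)
        if cmd:
            pending = cmd.group(1)
            probed.add(pending)
            continue
        reply = REPLY_RE.match(line)
        if reply and pending is not None:
            meaning = CODE_MEANING.get(reply.group(1), "other")
            outcomes[meaning] += 1
            if meaning == "exists":
                confirmed.append(pending)
            pending = None
    return {"outcomes": dict(outcomes), "confirmed": confirmed,
            "probed": len(probed), "enumeration": len(probed) >= threshold}
```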

Anyway, we can save this list of verified usernames for later. Let’s check back on our Gobuster scan and see if there is anything of interest.

The scan is still running, but we already see a number of directories worth exploring. Let’s start with /admin as it seems the most interesting.

Initially we are greeted with a login prompt, but guessing passwords such as admin/admin got us nowhere. If we click Cancel we are brought to a FreePBX page containing the version number.

We can add this version number to our notes and continue poking around in the other directories.

In the /help directory we find screenshots of the backup and restore procedure dated 2010. Since help screenshots would most likely be updated to depict the current version, we can assume the system has not been updated since 2010. Let’s see which version of Elastix was released in 2010.

A Google search turns up a SourceForge page listing all Elastix releases, which shows that 2.0 was released in 2010. So our Elastix version is at least 2.0, and perhaps 2.2 if it was updated. That is enough information to start exploitation.

Exploitation

We can use searchsploit in Kali to look up known vulnerabilities in the services we found during enumeration. Let’s start with the Elastix server hosted on port 80 of our target machine.

Here we find a few vulnerabilities in Elastix. Earlier we determined that we are most likely dealing with version 2.0 or 2.2, so let’s focus on the two exploits closest to our version. The Multiple XSS vulnerabilities only work when an active user clicks a malicious link, which leaves us with the ‘graph.php’ Local File Inclusion vulnerability.

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

The directory /vtigercrm is not one we saw while the Gobuster scan was in progress; however, looking back at the completed scan, we see it does contain this directory:

So, let’s check this LFI vulnerability out:

We get a huge jumble of a file which is not easy to read. If we press Ctrl+U to view the source, the formatting is preserved and we get a readable version as shown:
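Before looking at what the file contains, it helps to see why the URL above works. The following is an added example, not the real graph.php source: it emulates the assumed legacy include pattern (parameter concatenated into a file path, NUL byte truncating the suffix) beside a hardened version that validates the language code against an allowlist and confirms the resolved path stays inside its directory. The LANG_DIR layout and the .lang.php suffix are assumptions.

```python
import os
import re

# Assumed layout of the vulnerable app's web root (constructed for this example).
WEBROOT = "/var/www/html"
LANG_DIR = os.path.join(WEBROOT, "vtigercrm", "include", "language")

def vulnerable_language_path(current_language):
    """Emulates the legacy include pattern behind the graph.php LFI (an assumed
    shape, not the real source): the parameter is concatenated into a file
    path with a fixed suffix, and because PHP before 5.3.4 stopped reading the
    path at a NUL byte, the %00 in the payload discards that suffix."""
    raw = current_language + ".lang.php"
    truncated = raw.split("\x00", 1)[0]   # what the filesystem actually saw
    return os.path.normpath(os.path.join(LANG_DIR, truncated))

LANG_CODE = re.compile(r"^[a-z]{2}_[a-z]{2}$")   # e.g. en_us

def safe_language_path(current_language):
    """Hardened version: reject NUL bytes and anything outside a strict
    allowlist pattern, then confirm the resolved path is still under LANG_DIR
    (defence in depth in case the allowlist is loosened later)."""
    if "\x00" in current_language or not LANG_CODE.match(current_language):
        raise ValueError("invalid language code")
    base = os.path.realpath(LANG_DIR)
    candidate = os.path.realpath(os.path.join(base, current_language + ".lang.php"))
    if os.path.commonpath([candidate, base]) != base:
        raise ValueError("path escapes language directory")
    return candidate

# The traversal payload from the write-up, URL-decoded (%00 becomes a NUL byte).
PAYLOAD = "../../../../../../../..//etc/amportal.conf\x00"

def is_rejected(func, value):
    """True when `func` refuses `value` with ValueError."""
    try:
        func(value)
    except ValueError:
        return True
    return False
```

The vulnerable builder resolves the payload to /etc/amportal.conf, which is exactly the file the write-up reads; the hardened builder refuses it before touching the filesystem.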

Here it is easy to spot multiple passwords for different accounts on the server. Going back to the /admin/ login prompt, let’s try one of these passwords. One password beginning with ‘j’ appears to be reused across several accounts, so that is the one I will try first.

Using admin/jEhdIekWmdjE as credentials, we get in!

Using the same credentials again, we also get access to the recordings page.

With some googling, we find that there is a vulnerability in the recordings page of FreePBX that allows remote code execution.

Exploit

Using the URL provided in the exploit, modified for our host and listening port, we get a shell!

We use a bit of Python to upgrade to a more interactive shell, and then use the Nmap privilege escalation described in the exploit to get root very easily.

Thank you for reading this write-up, best of luck in capturing flags!
