Today we’re going to solve another CTF machine, “Beep”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services:  22,25,80,110,111,143,443,993,995,3306,4445,10000
  • IP Address: 10.10.10.7
  • Difficulty: Medium

Weakness

  • LFI vulnerability
  • Sudo NOPASSWD

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target and see what is running behind the IP address.

We have quite a long list of services. HTTP is running, so this is our primary target now.

Enumerate Directories

We get a huge list of directories because there’s an Elastix CMS installed on Apache.

Let’s searchsploit elastix:

To read it:

To copy the exploit to the current directory:

The proof of concept is extremely simple. Browsing to https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action will expose the credentials for AMPortal.

The box is vulnerable to password reuse, and it is possible to SSH in directly as the root user with the AMPDBPASS password.
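From the defender’s side, the graph.php request above leaves a clear trace in the Apache access log: a directory traversal sequence, a percent-encoded null byte, and a sensitive file name in the query string. The following is an added detection example (not part of the original write-up); the log lines and client IPs are constructed, and the checks decode the path repeatedly so double-encoded variants are caught as well.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the real box).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vtigercrm/index.php?module=Accounts HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vtigercrm/graph.php?current_language=%2e%2e%2f%2e%2e%2fetc%2fpasswd%2500 HTTP/1.1" 200 1200 "-" "curl/7.88"
"""

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is caught."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s

def lfi_indicators(path):
    """Return the LFI indicators present in one request path, in a fixed order."""
    decoded = decode_fully(path)
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")
    if "\x00" in decoded:            # null byte used to truncate the appended extension
        found.append("null_byte")
    if re.search(r"/etc/(passwd|shadow|amportal\.conf)", decoded):
        found.append("sensitive_file")
    return found

def scan_log(text):
    """Return (ip, status, indicators) for every line that carries LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = lfi_indicators(m.group("path"))
        if ind:
            hits.append((m.group("ip"), int(m.group("status")), ind))
    return hits

if __name__ == "__main__":
    for ip, status, ind in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={','.join(ind)}")
```

A 200 status on a hit is the strongest signal, since it means the traversal actually returned content rather than an error page.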


Method 2

There’s another method to hack this box. Let’s start over again.

Port Scanning

During this step we’re gonna identify the target and see what is running behind the IP address.

We have quite a long list of services. HTTP is running, so this is our primary target now.

Enumerate Directories

We get a huge list of directories because there’s an Elastix CMS installed on Apache.

We have a login form; we can either brute force it or look for an SQL injection vulnerability. I tested both but was unable to find a way in.

Let’s dig more into directories and see if we can find anything.

https://10.10.10.7/vtigercrm/

We can see another login portal for vtiger CRM 5.1.0 🙂 The first thing we should do is searchsploit vtiger.

We found some Metasploit modules as well; let’s test them first to save time.

We found our exploit, let’s use it.

After executing the exploit we got an error; let’s take a look at it.

If you remember, the server has SSL enabled as well, and this exploit has an option to support SSL. Let’s enable it.

After executing it we got a shell 🙂

Inside the /home/fanis directory we found our user.txt flag.

Privilege Escalation

It’s time to get root.txt. We can use privilege escalation scripts to gather information, or we can do some research manually first to save time.

If you run sudo -l you can see many NOPASSWD commands, which can lead us to root.

One of them is nmap, and if you google “nmap privilege escalation” you can find this command 🙂