Beep Writeup
Without Metasploit
Last updated
Initial Nmap scan to find open ports, treating all hosts as online (-Pn):
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,25,80,110,111,143,443,993,995,3306,4445,10000
(-oN nmap): Saving the output in normal format to a file called nmap
Just to make sure we are not missing anything, let's run an Nmap scan that covers all ports.
Port 22: OpenSSH 4.3 (protocol 2.0)
Port 25: smtp (Postfix smtpd)
Port 80: http (Apache httpd 2.2.3)
Port 110: pop3 (Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4)
Port 111: rpcbind
Port 143: imap (Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4)
Port 443: ssl / https
Port 878: status
Port 993: ssl / imap (Cyrus imapd)
Port 995: pop3 (Cyrus pop3d)
Port 3306: MySQL
Port 4190: Sieve (Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap))
Port 4445: Upnotifyp
Port 4559: hylafax (HylaFAX 4.3.10)
Port 5038: asterisk (Asterisk Call Manager 1.1)
Port 10000: http Miniserv 1.570 (Webmin httpd)
Port 22 is running an OpenSSH version that is old and exploitable.
Ports 25, 110, 143 and 995 are running mail servers.
Port 111 is running rpcbind, a service that maps RPC program numbers to the ports of other RPC services such as NFS, mountd, etc.
Ports 80, 443 and 10000 are running web servers.
Port 3306 is running a MySQL database.
Port 4445 is running Upnotifyp, which is an online TCP/UDP port finder.
Port 4559 is running HylaFAX 4.3.10. HylaFAX is an open-source fax server that allows fax equipment to be shared among computers.
Port 5038 is running Asterisk Call Manager 1.1.
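The port list above is what the Nmap normal-format output (-oN) boils down to once the noise is removed. The following is an added example, not part of the original writeup: a small parser for that format plus a defender-style triage that tags which open services accept credentials in cleartext and which are management interfaces. The scan text embedded in it is constructed from the services listed above (the IP is a documentation-range placeholder), not the author's real scan file.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nmap normal-output (-oN) format, modelled on the
# services the scan reported. Not the writeup's real scan file; the host
# address is a placeholder from the 192.0.2.0/24 documentation range.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sV -sC -Pn -oN nmap 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.035s latency).
Not shown: 988 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://192.0.2.10/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]".
# Script output lines start with "|" and never match this pattern.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str   # Nmap's guess; a trailing "?" (unconfirmed) is stripped
    version: str   # empty string when -sV could not fingerprint the service


def parse_nmap_normal(text: str) -> list[Service]:
    """Extract the per-port records from Nmap normal-format output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(
                port=int(m["port"]),
                proto=m["proto"],
                state=m["state"],
                service=m["service"].rstrip("?"),
                version=m["version"] or "",
            ))
    return services


# Services whose default form carries logins without TLS (the ssl/ prefixed
# variants on 443 and 993 are deliberately not in this set).
CLEARTEXT_AUTH = {"ftp", "telnet", "smtp", "pop3", "imap", "http"}
# Remote administration surfaces that should never face an untrusted network.
MANAGEMENT = {"ssh", "mysql", "rpcbind"}


def triage(services: list[Service]) -> dict[int, list[str]]:
    """Tag open ports by exposure class; ports with no tag are left out."""
    findings: dict[int, list[str]] = {}
    for s in services:
        if s.state != "open":
            continue
        tags = []
        if s.service in CLEARTEXT_AUTH:
            tags.append("cleartext-auth")
        # Webmin on 10000 is an admin console even though Nmap labels it "http".
        if s.service in MANAGEMENT or "Webmin" in s.version:
            tags.append("management-interface")
        if tags:
            findings[s.port] = tags
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for svc in inventory:
        print(f"{svc.port:>5}/{svc.proto} {svc.service:<10} {svc.version}")
    for port, tags in sorted(triage(inventory).items()):
        print(f"port {port}: {', '.join(tags)}")
```

Run it against a real `-oN` file by replacing the embedded sample; the triage sets are intentionally small and are the part to extend with your own exposure policy.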
Let's visit the web application.
It's running software called Elastix, a unified communications server that brings together IP PBX, email and other functionality. We don't get any other information, so let's run gobuster to find hidden directories. Since the site runs over HTTPS, we have to skip SSL certificate verification with the -k flag.
Looking through the directories, we find the FreePBX version, which is 2.8.1.4, but nothing on Elastix, so let's search for exploits on searchsploit.
We find a few exploits. The cross-site scripting vulnerabilities won't work here, as XSS is a client-side attack and needs user interaction. We can use exploits such as the LFI and the remote code execution.
Let's visit the application on port 10000.
It looks like a login page, and it also tells us what it is running, which is Webmin. Let's go to searchsploit and look for vulnerabilities in it.
There are many exploits, and looking through them we see something in common: CGI, which is what we exploited in the Shocker box on HackTheBox. The exploit we used there is called Shellshock, so let's try that here.
We are going to exploit the LFI vulnerability to get root privileges on this system, so let's copy the exploit to our directory.
Reading through the exploit, we can see that the LFI vulnerability is in the current_language parameter.
So let's try running this exploit.
We get a lot of information, so let's look at the page source. Looking at it, we find something interesting.
Let's try to SSH into the machine using these credentials.
I got this error, which is something that I had seen before, and I think that it is not related to false information, so I went to Google, searched for this error and found an article explaining how to solve the issue. After applying it I tried logging in, but it said the password was wrong, so I tried a different username (root) and it worked.
Let's use the Shellshock vulnerability. First we have to capture the request to the web application using Burp Suite and change the User-Agent field to the following:
This will give us a reverse shell, so let's start a listener.
Now let's run the exploit from Burp Suite. If you want the steps, go to my Shocker writeup; I did not use Burp there, but it guides you up to this step, after which you can change the User-Agent parameter and send the request.
After clicking send, you should have a reverse shell.