AdSense

Wednesday, January 9, 2019

Beep


BEEP

 - Layout for this exercise:


1 - INTRODUCTION

- The goal for this exercise is to develop a hacking process for the vulnerable machine Beep, what is a retired machine from the Hack The Box pentesting platform:

 https://www.hackthebox.eu/


 2 - ENUMERATION

 Beep's IP is 10.10.10.7:


- Scanning with Nmap:


- When connecting to the web server at port 80 HTTP there is a redirection to port 443 HTTPS, where an Elastix application is running:


- Dirbusting the web server with wordlist big.txt:

- Trying to use Elastix basic credentials like admin:admin, admin:password, etc ... an Authentication Required form is prompted to the user when connecting to folder /admin:



- Also, from folder /admin we learn that Beep runs FreePBX 2.8.1.4: 


- Going to folder /vtigercrm we learn that Beep runs vtiger CRM 5:


- Checking port 10000, where webamin is running:









- The authentication form reveals session_login.cgi:







3 - EXPLOITATION

 - Let's use two ways to exploit the vulnerable machine Beep:

 3.1 - WEBMIN

 - We can try to get a reverse shell by using this bash script:

 http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet



- Setting a Netcat  listener at port 1234:


- curl helps to execute remotely the bash script, using options -k (for insecure connections) and -H (extra header):


- As a result, a successful remote reverse root shell is achieved:

3.2 - ELASTIX LOCAL FILE INCLUSION

 - Elastix 2.2.0 is vulnerable to several exploits, for instance this one:
- Reading the instructions, it seems that graph.php?current_language allows a Local File Inclusion:
- Following the instructions:


- Viewing the source, the file is now readable:





- There are some interesting lines what must be noticed, for instance:






- Also, we can use the LFI to get /etc/passwd:

- Unfortunately access to /etc/shadow is restricted:




- In the same way let's have a look to /etc/asterisk/manager.conf:




- Now, it's time to bruteforce the SSH service.

 - Let's create one file for users (picking up the most relevants from previous lists) and another one for passwords:


- Medusa does the work for us:




 - Finally, it is easy to get a remote root shell just connecting with SSH by using credentials root:jEhdIekWmdjE



4 - CAPTURING THE FLAGS

 - Reading the 1st flag user.txt:


- Decrypting the 1st flag:



- Reading the 2nd flag root.txt:


- Decrypting the 2nd flag:












Posted by at
Labels: