Wednesday, January 9, 2019

Beep


BEEP


- Layout for this exercise:





1 - INTRODUCTION


- The goal of this exercise is to develop a hacking process for the vulnerable machine Beep, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/


2 - ENUMERATION

Beep's IP is 10.10.10.7:




- Scanning with Nmap:




- When connecting to the web server at port 80 HTTP there is a redirection to port 443 HTTPS, where an Elastix application is running:




- Dirbusting the web server with wordlist big.txt:




- When trying Elastix default credentials such as admin:admin, admin:password, etc., an Authentication Required form is presented to the user on connecting to the folder /admin:





- Also, from folder /admin we learn that Beep runs FreePBX 2.8.1.4: 





- Going to folder /vtigercrm we learn that Beep runs vtiger CRM 5:





- Checking port 10000, where Webmin is running:









- The authentication form reveals session_login.cgi:








3 - EXPLOITATION


- Let's use two ways to exploit the vulnerable machine Beep:

3.1 - WEBMIN

- We can try to get a reverse shell by using this bash script:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet





- Setting a Netcat listener at port 1234:




- curl executes the bash script remotely, using the options -k (insecure connection, skipping certificate validation) and -H (extra header):




- As a result, a successful remote reverse root shell is achieved:





3.2 - ELASTIX LOCAL FILE INCLUSION

- Elastix 2.2.0 is vulnerable to several exploits, for instance this one:




- Reading the instructions, it seems that graph.php?current_language allows a Local File Inclusion:





- Following the instructions:




- Viewing the source, the file is now readable:





- Some interesting lines must be noted, for instance:









- Also, we can use the LFI to get /etc/passwd:




- Unfortunately access to /etc/shadow is restricted:




- In the same way, let's have a look at /etc/asterisk/manager.conf:
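The LFI used in this section boils down to a request parameter being joined into a filesystem path without validation. The following Python is an added example (not Elastix's code, nor the author's): a hypothetical model of a language-file include with the vulnerable and the hardened variant side by side, plus a small detector that scans Apache access-log lines for traversal in the current_language parameter. The /vtigercrm/graph.php path, the LANGUAGE_ALLOWLIST set and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical model of a language-file include keyed on ?current_language.
# Elastix's real graph.php is NOT reproduced; this illustrates the flaw class
# the write-up exploits and the check that closes it.
LANGUAGE_ALLOWLIST = {"en", "es", "fr"}  # assumed set of shipped language files


def vulnerable_include_path(base_dir, current_language):
    """Unsafe: the request parameter is joined straight into a path, so a value
    with '../' components resolves outside base_dir (Local File Inclusion)."""
    return os.path.normpath(os.path.join(base_dir, current_language))


def safe_include_path(base_dir, current_language):
    """Hardened: reject anything not in the allowlist, then confirm the resolved
    path is still inside base_dir. Returns None when the request is refused."""
    if current_language not in LANGUAGE_ALLOWLIST:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, current_language))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Detection side: patterns that should never appear in a language selector.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/etc/shadow|/etc/asterisk/)", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_lfi_requests(log_lines, param="current_language"):
    """Scan Apache combined-format lines; return (client_ip, url) for requests
    whose `param` value contains traversal or a sensitive absolute path."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = m.group(1)
        query = parse_qs(urlparse(url).query)
        for value in query.get(param, []):
            # decode a second time so %252e-style double encoding is caught too
            if TRAVERSAL.search(unquote(value)):
                hits.append((line.split()[0], url))
                break
    return hits


# Constructed sample log lines (not captured from the real machine); the
# /vtigercrm/graph.php path is assumed from the folders named in the write-up.
SAMPLE_ACCESS_LOG = [
    '10.10.14.3 - - [09/Jan/2019:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en&module=Accounts HTTP/1.1" 200 512',
    '10.10.14.3 - - [09/Jan/2019:10:00:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../etc/passwd&module=Accounts HTTP/1.1" 200 1843',
    '10.10.14.5 - - [09/Jan/2019:10:00:09 +0000] "GET /admin/ HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    print(vulnerable_include_path("/srv/elastix_lang", "../../../../etc/passwd"))
    print(safe_include_path("/srv/elastix_lang", "../../../../etc/passwd"))
    for ip, url in flag_lfi_requests(SAMPLE_ACCESS_LOG):
        print("LFI attempt from", ip, "->", url)
```

The allowlist alone closes the hole; the realpath containment check is kept as a second layer so that a later change to the allowlist (or a symlink inside the language directory) cannot reopen it.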




- Now it's time to brute-force the SSH service.


- Let's create one file for users (picking the most relevant ones from the previous lists) and another one for passwords:




- Medusa does the work for us:





- Finally, it is easy to get a remote root shell just by connecting over SSH with the credentials root:jEhdIekWmdjE:
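From the defender's side, the Medusa run and the following root login leave a very recognisable trail in sshd's log. The Python below is an added example, not part of the original write-up: it parses constructed auth-log lines, raises an alert when one source crosses a failure threshold inside a time window, flags a successful login that follows failures and any root password login, and audits an sshd_config fragment for the two settings that make this path possible. The hostname, PIDs, timestamps and the weak/hardened config fragments are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd message formats as written by OpenSSH for password authentication
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+")


def parse_ts(line, year=2019):
    """syslog lines carry no year; one is supplied for the constructed sample."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, source_ip, detail) tuples.

    kinds: 'bruteforce'             - `threshold` failures from one IP within `window`
           'success_after_failures' - a password login from an IP that had failures
           'root_password_login'    - direct root login with a password
    """
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            ip, ts = m.group(2), parse_ts(line)
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) == threshold:  # alert once, when the threshold is crossed
                alerts.append(("bruteforce", ip, ts))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            if failures.get(ip):
                alerts.append(("success_after_failures", ip, user))
            if user == "root":
                alerts.append(("root_password_login", ip, user))
    return alerts


def audit_sshd_config(text):
    """Return findings for the settings that permit this attack path; an empty
    list means both are hardened. Absent keys are treated as the old default
    'yes' (a conservative assumption for legacy OpenSSH builds)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows direct root password logins")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled; online brute force stays possible")
    return findings


# Constructed sample (not a capture from the real machine)
SAMPLE_AUTH_LOG = [
    "Jan 19 10:05:01 beep sshd[2301]: Failed password for root from 10.10.14.3 port 40112 ssh2",
    "Jan 19 10:05:03 beep sshd[2303]: Failed password for invalid user admin from 10.10.14.3 port 40114 ssh2",
    "Jan 19 10:05:04 beep sshd[2305]: Failed password for root from 10.10.14.3 port 40116 ssh2",
    "Jan 19 10:05:06 beep sshd[2307]: Failed password for root from 10.10.14.3 port 40118 ssh2",
    "Jan 19 10:05:08 beep sshd[2309]: Failed password for root from 10.10.14.3 port 40120 ssh2",
    "Jan 19 10:05:10 beep sshd[2311]: Accepted password for root from 10.10.14.3 port 40122 ssh2",
    "Jan 19 10:07:30 beep sshd[2320]: Accepted publickey for asterisk from 10.10.14.9 port 51000 ssh2",
]

WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n"

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Key-based authentication with PasswordAuthentication off removes the wordlist attack entirely; PermitRootLogin no forces an audited user login plus privilege escalation, which is both harder and far more visible in the logs than the single "Accepted password for root" line seen here.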







4 - CAPTURING THE FLAGS

- Reading the 1st flag user.txt:




- Decrypting the 1st flag:





- Reading the 2nd flag root.txt:




- Decrypting the 2nd flag: