Path to OSCP: Beep

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Onward to Beep. Nmap gets us underway:

u01@nostromo:~$ sudo nmap -p- -A beep.htb -oA HTB/beep/beep
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-14 14:36 IST
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.029s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://beep.htb/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL AUTH-RESP-CODE TOP PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) USER STLS LOGIN-DELAY(0) EXPIRE(NEVER) RESP-CODES APOP
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed OK STARTTLS X-NETSCAPE UIDPLUS RIGHTS=kxte URLAUTHA0001 CATENATE LITERAL+ QUOTA ID ATOMIC SORT IDLE CONDSTORE LIST-SUBSCRIBED UNSELECT ANNOTATEMORE ACL THREAD=REFERENCES IMAP4rev1 NAMESPACE SORT=MODSEQ NO MULTIAPPEND RENAME CHILDREN BINARY THREAD=ORDEREDSUBJECT LISTEXT MAILBOX-REFERRALS IMAP4
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2023-09-14T13:40:40+00:00; -1s from scanner time.
|_http-title: Elastix - Login page
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=9/14%OT=22%CT=1%CU=35557%PV=Y%DS=2%DC=T%G=Y%TM=65030E1
OS:1%P=x86_64-pc-linux-gnu)SEQ(SP=CE%GCD=1%ISR=D2%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11N
OS:W7%O6=M53CST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M53CNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M53CST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -1s

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 40.37 ms 10.10.14.1
2 40.49 ms beep.htb (10.10.10.7)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 423.95 seconds

A lot of open ports to investigate, and the scan takes considerably longer than it would on a standard SSH/HTTP box, as you’d expect. But let’s take a look at HTTP/HTTPS to start. The first issue we have to deal with is Firefox refusing to connect to a TLS 1.0 site. To remedy that, we go to about:config, search for tls, and change security.tls.version.min to 1:

We now get a warning rather than an outright block, and can accept the risk to view the Elastix logon page:

I kick off gobuster (with the -k flag to ignore the expired certificate) while trying a few default credentials found online (none of which work) and searching for known exploits for the service versions we’ve found so far in the nmap scan.

We have a Webmin login page at https://beep.htb:10000

A vtiger CRM login at https://beep.htb/vtigercrm/

And also a FreePBX login at https://beep.htb/admin (login popup) and https://beep.htb/recordings/index.php

I don’t have any luck with default credentials for any of these login portals, nor with attempts to log into the Asterisk Call Manager via telnet.

I start with Webmin. An exploit for CVE-2019-15107 from https://github.com/ruthvikvegunta/CVE-2019-15107 initially looks promising, but no dice:

The only service I’m struggling to get an obvious version for is Elastix, so I circle back and concentrate on that. Running through the directories gobuster has found, I come across a language file that indicates Elastix v1.0:

But I can’t find any exploits for this version. I’m also not 100% confident that this file states the true version number.

vtiger does have an exploit in searchsploit matching its version:

u01@nostromo:~$ searchsploit vtiger 5.1
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------- ---------------------------------
vTiger CRM 5.1.0 - Local File Inclusion | php/webapps/18770.txt
------------------------------------------------------------------------------------------------------------------------- ---------------------------------

The text file simply gives the LFI path, and sure enough we get a result for the POC passwd file:

From this we see a user ‘fanis’, a likely foothold account for SSH access. It’s time to start digging around for common config files. I first try mysql at /etc/mysql/my.cnf but nothing shows. I try a few items under /configs, such as configs/default.conf.php, but again nothing to show. Likewise at etc/webmin/miniserv.conf. I finally get some kind of hit at /etc/asterisk/extensions_additional.conf, mentioned in https://community.freepbx.org/t/ivr-files/6086/4.

This leads to https://www.voip-info.org/asterisk-config-files/, which has a list of configuration files within /etc/asterisk. I run down through the majority of them, but am unable to find anything of note.
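Every one of those file probes goes through the web server and lands in its access log, which is where a defender would catch this activity. The following is an added example, not code from the post: a small Python detector that parses Apache combined-format lines (constructed sample lines below, with a made-up lang= parameter rather than any real exploit path), percent-decodes the request target, and flags traversal sequences, null bytes, and requests for sensitive files such as /etc/passwd or amportal.conf. The list of sensitive filenames is an assumption chosen to match the files probed above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose appearance in a request target is a strong disclosure signal
# (assumed list, matching the files probed in the write-up).
SENSITIVE_FILES = (
    "/etc/passwd",
    "/etc/shadow",
    "amportal.conf",
    "miniserv.conf",
    "my.cnf",
    "/etc/asterisk/",
)

# Constructed sample log lines (not taken from any real server).
# The second line is single-encoded, the third double-encoded (%252F -> %2F -> /).
SAMPLE_LOG = """\
10.10.14.2 - - [14/Sep/2023:14:52:01 +0100] "GET /vtigercrm/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.2 - - [14/Sep/2023:14:52:09 +0100] "GET /vtigercrm/index.php?lang=../../../../etc/passwd%00 HTTP/1.1" 200 1412 "-" "Mozilla/5.0"
10.10.14.2 - - [14/Sep/2023:14:53:30 +0100] "GET /vtigercrm/index.php?lang=..%252F..%252F..%252Fetc%252Famportal.conf HTTP/1.1" 200 9310 "-" "Mozilla/5.0"
10.10.14.5 - - [14/Sep/2023:14:54:00 +0100] "GET /recordings/index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def normalise(target: str) -> str:
    """Percent-decode up to twice (catches double encoding) and fold
    backslashes to slashes so the checks see one canonical form."""
    decoded = target
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like a file-inclusion attempt."""
    t = normalise(target)
    reasons = []
    if "../" in t:
        reasons.append("traversal")
    if "\x00" in t:
        reasons.append("null-byte")
    for name in SENSITIVE_FILES:
        if name in t:
            reasons.append(f"sensitive-file:{name}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each line and keep only requests that trigger at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "target": m["target"], "reasons": reasons})
    return findings


def sources(findings: list[dict]) -> Counter:
    """Count flagged requests per client address, to prioritise a noisy source."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], h["target"], ", ".join(h["reasons"]))
    print("per source:", dict(sources(hits)))
```

A 200 status on a flagged request is the line worth escalating, since it means the include succeeded; the same logic runs unchanged over a real access log fed through scan_log.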

At this stage I take a look at a hint, and find that I’m barking up the wrong directory. The HTB guide suggests that /etc/amportal.conf contains the database configuration, and sure enough it does:

I try this password with a couple of usernames in the various portals, and eventually get a hit on the Webmin portal as root:
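Two things made this step work: a config file holding a plaintext database password that the web server account could read, and that same password being reused for the Webmin root account. The following is an added example, not code from the post: a Python audit that walks a list of config files, pulls out password-like key=value assignments, reports any secret-bearing file readable by group or others, and reports the same secret value appearing in more than one place. It builds its own constructed sample files in a temp directory (key names modelled on amportal.conf and my.cnf; the values are made up), and the key-name pattern is an assumption.

```python
import os
import re
import stat
import tempfile
from collections import defaultdict

# Assumed pattern for "password-like" keys in key=value config files.
SECRET_KEY_RE = re.compile(
    r'^\s*([A-Za-z0-9_]*(?:PASS|PASSWORD|SECRET|PWD)[A-Za-z0-9_]*)\s*=\s*(.+?)\s*$',
    re.IGNORECASE,
)


def extract_secrets(path: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs for password-like assignments, skipping comments."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith(("#", ";")):
                continue
            m = SECRET_KEY_RE.match(line)
            if m:
                found.append((m.group(1), m.group(2).strip('"\'')))
    return found


def audit(paths: list[str]) -> list[dict]:
    """Flag secret-bearing files readable beyond the owner, and secrets reused across files."""
    findings = []
    seen = defaultdict(list)  # secret value -> [(path, key), ...]
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        secrets = extract_secrets(p)
        if secrets and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append({"type": "readable-secret-file", "path": p, "mode": oct(mode)})
        for key, value in secrets:
            seen[value].append((p, key))
    for value, places in seen.items():
        if len(places) > 1:
            findings.append({"type": "password-reuse", "count": len(places),
                             "locations": places})
    return findings


def build_sample_dir() -> list[str]:
    """Create constructed sample config files (values are made up) and return their paths."""
    d = tempfile.mkdtemp()
    amportal = os.path.join(d, "amportal.conf")
    with open(amportal, "w") as fh:
        fh.write("# constructed sample, not a real amportal.conf\n"
                 "AMPDBUSER=asteriskuser\n"
                 "AMPDBPASS=NotTheRealPassword1\n"
                 "AMPMGRPASS=amp111\n")
    os.chmod(amportal, 0o644)  # world-readable: the weak setting
    mycnf = os.path.join(d, "my.cnf")
    with open(mycnf, "w") as fh:
        fh.write("[client]\nuser=root\npassword=NotTheRealPassword1\n")
    os.chmod(mycnf, 0o600)  # owner-only: the corrected setting
    return [amportal, mycnf]


if __name__ == "__main__":
    for f in audit(build_sample_dir()):
        print(f)
```

In the sample, amportal.conf is flagged for its 0644 mode while my.cnf (0600) is not, and the shared value is reported once as a reuse finding with both locations. The same audit pointed at the real files on a host would surface both conditions that were chained above before an LFI or a stolen config ever came into play.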

From here there’s a handy Command Shell under “Others” from which we can run a simple bash TCP reverse shell to a netcat listener for a root shell:

u01@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.7] 41934
bash: no job control in this shell 
[root@beep ~]# ls /root/root.txt 
/root/root.txt
[root@beep ~]#
