Beep

Overview
Initial Foothold: RCE using a known exploit of the Elastix service running on the web server
Privilege Escalation: Abusing the sudo rights of the user
Enumeration
Start with port scanning.
Port Scanning
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: LOGIN-DELAY(0) EXPIRE(NEVER) PIPELINING TOP IMPLEMENTATION(Cyrus POP3 server v2) USER RESP-CODES AUTH-RESP-CODE APOP UIDL STLS
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CHILDREN IMAP4rev1 Completed ACL RENAME SORT IMAP4 CONDSTORE URLAUTHA0001 BINARY X-NETSCAPE LIST-SUBSCRIBED LISTEXT STARTTLS IDLE CATENATE ATOMIC NAMESPACE ID UNSELECT QUOTA ANNOTATEMORE LITERAL+ THREAD=REFERENCES THREAD=ORDEREDSUBJECT NO SORT=MODSEQ OK MAILBOX-REFERRALS MULTIAPPEND RIGHTS=kxte UIDPLUS
443/tcp open ssl/https?
|_ssl-date: 2020-06-24T11:33:19+00:00; -8s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Many ports are open; let's start with the common web ports, 80 and 443.
Web Service Enumeration
Let's visit the web page.

The nmap scan shows that the web server is Apache.
The Elastix web application is running on the web server.
Search for an exploit for this service.

We found two exploits; one requires authentication, so we will not use that one right now.

Let's start with the LFI, as it does not require any authentication.

We will craft the URL manually.
The above URL exploits the LFI and returns the configuration file of the service.

Now we have to find the password for the user admin in this configuration file.
We will search the file for "password".

We got the username and password:
admin : jEhdIekWmdjE
Let's try to log in using these creds.
Boom!! We got in.

Summary
We have the admin creds, and we also have the exploit for this service that can give us RCE.
Exploitation
As we have an admin session, we can now use the exploit.
According to the exploit code, we need an extension value for exploitation.

We can try to find it by enumerating the website.
We found it in the PBX section of the website.

Now update the extension value, lhost, rhost and lport in the exploit.

Now we are ready to exploit.
We will pass the URL payload to the browser manually.

Yeah, we got the shell.
Upgrade the shell to a TTY shell using Python:
python -c 'import pty;pty.spawn("/bin/bash")'
That's all for the low-privilege shell.
Let's start privilege escalation.
Privilege Escalation
Simply run:
sudo -l

Cool, we can run many commands as the root user.
Privilege Escalation using nmap
Using the GTFOBins reference.


Got a root shell.

In a similar manner we can exploit the other sudo rights using GTFOBins.
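As an added defensive check, not part of the original writeup, the script below parses `sudo -l` output in the format shown above and flags grants that hand out root: an unrestricted ALL grant, a binary with a documented shell escape (only nmap is named on this page; the set is meant to be extended), and wildcards in arguments. The sample output, the user name `svcuser` and every command other than nmap are constructed for the example.

```python
import re
from typing import Dict, List

# Binaries with a documented shell escape when run as root via sudo.
# Only nmap is named on this page; an administrator auditing sudoers
# should extend this set from the GTFOBins reference.
SHELL_ESCAPE_BINARIES = {"nmap"}

# Constructed sample of `sudo -l` output (not the real output of the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for svcuser on this host:
    env_reset, requiretty

User svcuser may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/nmap, /sbin/shutdown
    (root) /bin/cat /var/log/maillog
    (root) /usr/bin/tail /var/log/*
"""

# One command specification line: "(runas) TAG: cmd1, cmd2"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Split `sudo -l` output into one record per granted command."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # Defaults/header lines grant nothing
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            entries.append({"runas": m.group("runas"), "tags": tags, "cmd": cmd.strip()})
    return entries


def audit_sudo_l(text: str) -> List[Dict[str, str]]:
    """Return a finding for every grant that can yield a root shell or arbitrary root commands."""
    findings: List[Dict[str, str]] = []
    for e in parse_sudo_l(text):
        cmd = str(e["cmd"])
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the granted program
        if cmd == "ALL":
            sev, why = "critical", "unrestricted ALL grant"
        elif binary in SHELL_ESCAPE_BINARIES:
            sev, why = "high", f"{binary} can spawn a shell as {e['runas']}"
        elif "*" in cmd:
            sev, why = "medium", "wildcard in command arguments"
        else:
            continue  # nothing known to be abusable in this grant
        if "NOPASSWD" in e["tags"]:
            why += " without a password"
        findings.append({"cmd": cmd, "severity": sev, "reason": why})
    return findings
```

Running `audit_sudo_l(SAMPLE_SUDO_L)` reports the nmap grant as high severity and the wildcard tail grant as medium; the shutdown and cat grants are left alone.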