HackTheBox
Beep


Last updated 4 years ago


Overview

Initial Foothold: RCE using a known exploit for the Elastix service running on the web server

Privilege Escalation: abusing the sudo rights of the user

Enumeration

Start with port scanning.

Port Scanning

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: LOGIN-DELAY(0) EXPIRE(NEVER) PIPELINING TOP IMPLEMENTATION(Cyrus POP3 server v2) USER RESP-CODES AUTH-RESP-CODE APOP UIDL STLS
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CHILDREN IMAP4rev1 Completed ACL RENAME SORT IMAP4 CONDSTORE URLAUTHA0001 BINARY X-NETSCAPE LIST-SUBSCRIBED LISTEXT STARTTLS IDLE CATENATE ATOMIC NAMESPACE ID UNSELECT QUOTA ANNOTATEMORE LITERAL+ THREAD=REFERENCES THREAD=ORDEREDSUBJECT NO SORT=MODSEQ OK MAILBOX-REFERRALS MULTIAPPEND RIGHTS=kxte UIDPLUS
443/tcp   open  ssl/https?
|_ssl-date: 2020-06-24T11:33:19+00:00; -8s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

Many ports are open; let's start with the common ones, 80 and 443.

Web Service Enumeration

Let's visit the webpage.

As seen in our nmap scan, the web server is running Apache.

The Elastix web application is running on this web server.

Search for exploits for this service.

We got two exploits; one requires authentication, so we will not use that one right now.

Let's start with the LFI as it doesn't require any authentication.

If we get the username and password using this LFI, we can use the above exploit to get remote code execution.

We will manually craft the URL (the LFI link is listed at the end of this writeup).

The above URL exploits the LFI, and with it we can read the configuration file of the service.

Now we have to find the password for the user admin in this configuration file.

We will search for "password".

We got the username and password:

admin : jEhdIekWmdjE

Let's try to log in using these creds.

Boom!! We got in.
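From the defender's side, the graph.php request used above leaves a distinctive trace in the Apache access log: a directory-traversal sequence, a %00 null byte and a reference to a sensitive file, all in one request. The following is an added example (not code from the original writeup) that scans constructed Apache combined-log lines for these three indicators, decoding percent-encoding repeatedly so double-encoded variants are caught too; the log lines and IPs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not captured from the box);
# the second request mirrors the graph.php traversal pattern this writeup uses,
# the third is a double-encoded traversal attempt.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Jun/2020:11:40:01 +0000] "GET /vtigercrm/index.php?module=Accounts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [24/Jun/2020:11:40:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 3041 "-" "Mozilla/5.0"
10.10.14.9 - - [24/Jun/2020:11:41:15 +0000] "GET /index.php?p=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 812 "-" "curl/7.68.0"
"""

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'(?:\.\./|\.\.\\)')
SENSITIVE = ('/etc/amportal.conf', '/etc/passwd', '/etc/shadow')

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are caught."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def inspect_request(path):
    """Return the list of indicator names found in one request path (empty if clean)."""
    decoded = decode_fully(path)
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append('traversal')
    if '\x00' in decoded:          # null byte used to truncate the appended extension
        hits.append('null-byte')
    if any(f in decoded for f in SENSITIVE):
        hits.append('sensitive-file')
    return hits

def scan_log(text):
    """Return (ip, status, path, indicators) for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m.group('path'))
        if hits:
            findings.append((m.group('ip'), int(m.group('status')), m.group('path'), hits))
    return findings

if __name__ == '__main__':
    for ip, status, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits)} {path}")
```

A 200 status on a flagged request is the case worth triaging first, since it indicates the inclusion likely succeeded.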

Summary

We got the admin creds, and we also have the exploit for this service that can give us RCE.

Exploitation

As we have the admin session, we can now use the exploit.

According to this exploit code, we need an extension value for exploiting.

We can try to find it by some enumeration on the website.

We got it in the PBX section of the website.

Now update this extension value, lhost, rhost and lport in the exploit.

Now we are ready to exploit.

We will manually pass the URL payload to the browser.

Yeah, we got the shell.

Upgrade the shell to a TTY shell using Python:

python -c 'import pty;pty.spawn("/bin/bash")'

That's all for the low-privilege shell.

Let's start privilege escalation.

Privilege Escalation

Simply run:

sudo -l

Cool, we can run many commands as the root user.

To abuse sudo and SUID rights, search for that command on GTFOBins.

Privilege Escalation using nmap

Using the GTFOBins reference for nmap.

Got a root shell.

In a similar manner, we can exploit the other sudo rights using GTFOBins.

Links referenced in this writeup:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution (Exploit Database)
Elastix 2.2.0 - 'graph.php' Local File Inclusion (Exploit Database)
GTFOBins