BEEP – HackTheBox Walkthrough

Hello Friends, Today I am here with a new HTB machine.

This machine was pretty easy. The main goal is to get root flag.

Here we will be learning about a specific vulnerability called Local File Inclusion.

I didn’t use much of the tools to pwn this machine.

#nmap -sSV -T5 -p- 10.10.10.7 –allports

There are a lot of service running on the host

PORT      STATE SERVICE    VERSION

22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)

25/tcp    open  smtp       Postfix smtpd

80/tcp    open  http       Apache httpd 2.2.3

110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4

111/tcp   open  rpcbind    2 (RPC #100000)

143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4

443/tcp   open  ssl/https?

878/tcp   open  status     1 (RPC #100024)

993/tcp   open  ssl/imap   Cyrus imapd

995/tcp   open  pop3       Cyrus pop3d

3306/tcp  open  mysql      MySQL (unauthorized)

4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)

4445/tcp  open  upnotifyp?

4559/tcp  open  hylafax    HylaFAX 4.3.10

5038/tcp  open  asterisk   Asterisk Call Manager 1.1

10000/tcp open  http       MiniServ 1.570 (Webmin httpd)

 

I did a dirb scan to find the directories but before checking the ports and services, I did a quick google search about Elastix and its vulnerabilities. Then I came across this Local File inclusion in Elastix 2.2.0

So, what is a Local File Inclusion (LFI) vulnerability?

LFI is often found in poorly written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.

You can find more about  LFI here https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/

I opened the exploit from Exploit DB and was going through the code. I found that it affects Vtiger CRM.

Here I checked whether this page has Vtiger CRM

Okay, now I probably found something interesting without using dirbuster. Here I can see the Vtiger CRM 5.1.0. Again, google is a savior here, I checked for Vtiger CRM exploit.

Before trying the Vtiger CRM SOAP exploit, I decided to use the Elastix LFI Exploit and see what result we get. I used the LFI exploit. I always wished not to use the Metasploit and pwn a vulnerable machine. So, this was my right chance.

After taking a glance at the page source  I found ,

AMPDBHOST=localhost

AMPDBENGINE=mysql

# AMPDBNAME=asterisk

AMPDBUSER=asteriskuser

# AMPDBPASS=amp109

AMPDBPASS=jEhdIekWmdjE

AMPENGINE=asterisk

AMPMGRUSER=admin

#AMPMGRPASS=amp111

AMPMGRPASS=jEhdIekWmdjE

 

Now digging more at the source, I found something interesting “ jEhdIekWmdjE “

As you can see in the below screenshot, this password is mentioned in multiple places.

I didn’t want to spend any more time attempting to brute force usernames and passwords. Instead, I just picked up the password and tried my luck whether I would get SSH using this password.

#ssh root@10.10.10.7

But it threw an error                       

Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

So, I used the key exchange to resolve the issue

#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7

Finally, I got the root access…! Now, all I have to do is  finding the flag

94812bd3b0622f1228481fdd9ea7054b- that’s the flag.

This was the first machine I pwned without using Metasploit.

 Hint: You can still use Metasploit and do privilege escalation with Nmap

https://pentestlab.blog/category/privilege-escalation/

Copyright © 2023 Clear Infosec. All Rights Reserved.