BEEP
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Beep, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Beep's IP is 10.10.10.7:
- Scanning with Nmap:
- When connecting to the web server at port 80 HTTP there is a redirection to port 443 HTTPS, where an Elastix application is running:
- Dirbusting the web server with wordlist big.txt:
- After trying Elastix default credentials such as admin:admin, admin:password, etc., an Authentication Required form is presented to the user when connecting to the folder /admin:
- Also, from the folder /admin we learn that Beep runs FreePBX 2.8.1.4:
- Going to the folder /vtigercrm we learn that Beep runs vtiger CRM 5:
- Checking port 10000, where Webmin is running:
- The authentication form reveals session_login.cgi:
3 - EXPLOITATION
- Let's use two ways to exploit the vulnerable machine Beep:
3.1 - WEBMIN
- We can try to get a reverse shell by using this bash script:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- Setting a Netcat listener at port 1234:
- curl executes the bash script remotely, using the options -k (allow insecure connections) and -H (extra header):
- As a result, a successful remote reverse root shell is achieved:
3.2 - ELASTIX LOCAL FILE INCLUSION
- Elastix 2.2.0 is vulnerable to several exploits, for instance this one:
- Reading the instructions, it seems that graph.php?current_language allows Local File Inclusion:
- Following the instructions:
- Viewing the source, the file is now readable:
- There are some interesting lines that must be noticed, for instance:
- Also, we can use the LFI to get /etc/passwd:
- Unfortunately, access to /etc/shadow is restricted:
- In the same way, let's have a look at /etc/asterisk/manager.conf:
- Now it's time to brute-force the SSH service.
- Let's create one file for users (picking the most relevant ones from the previous lists) and another one for passwords:
- Medusa does the work for us:
- Finally, it is easy to get a remote root shell by simply connecting over SSH with the credentials root:jEhdIekWmdjE
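From the defender's side, the LFI step above leaves a clear trace in the web server access log: a query parameter whose value walks up the directory tree or names a sensitive system file. The following script is an added example (not part of the original write-up) that scans constructed Apache-style log lines for such values; it normalises percent-encoding, including double encoding, so it goes a little beyond the plain form shown in the write-up. The request path, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined-log style; not taken from the original write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:01 +0000] "GET /graph.php?current_language=../../../../etc/passwd HTTP/1.1" 200 1534
10.10.14.5 - - [01/Jan/2020:10:00:02 +0000] "GET /graph.php?current_language=%252e%252e%252f%252e%252e%252fetc%252fasterisk%252fmanager.conf HTTP/1.1" 200 982
10.10.14.9 - - [01/Jan/2020:10:00:03 +0000] "GET /graph.php?current_language=en_us HTTP/1.1" 200 2201
10.10.14.9 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/asterisk/manager.conf")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads normalise to their plain form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_indicators(target):
    """Return (param, reason) pairs for query values that look like file-inclusion attempts."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw).replace("\\", "/")  # treat backslashes as path separators too
        if TRAVERSAL_RE.search(value):
            hits.append((name, "path traversal"))
        elif any(path in value for path in SENSITIVE_PATHS):
            hits.append((name, "sensitive file reference"))
    return hits

def scan_access_log(text):
    """Parse each log line and collect one alert dict per suspicious parameter; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for param, reason in lfi_indicators(match["target"]):
            alerts.append({"ip": match["ip"], "param": param, "reason": reason, "target": match["target"]})
    return alerts

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A hit with a 200 status on a parameter such as current_language is the signal worth alerting on; the same check can be fed from a live tail of the log.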
4 - CAPTURING THE FLAGS
- Reading the 1st flag user.txt:
- Decrypting the 1st flag:
- Reading the 2nd flag root.txt:
- Decrypting the 2nd flag:
POPCORN
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Popcorn, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Popcorn's IP is 10.10.10.6:
- Scanning with Nmap:
- Connecting with the browser:
- Dirbusting the web server:
- There is an interesting directory, torrent, which holds a Torrent Hoster application:
- The Upload tab might be promising:
- A login form is presented to the user:
- Creating a new user whitelist:whitelist with Sign Up:
- Logging in as whitelist:
- Clicking Upload to upload torrent files:
- Downloading Kali's torrent file from the original repository:
- Uploading Kali's torrent to Popcorn:
- Changing category to Other/Other (otherwise the upload doesn't work):
- The upload is successful:
- Clicking the filename, it seems that the Screenshot can be edited by uploading new images with extensions like jpg, jpeg, gif, png:
3 - EXPLOITATION
- The exploitation attack consists of uploading an exploit to Popcorn's web server, running it and then getting a reverse shell connection.
- Creating an exploit with Msfvenom and saving it as exploit.php:
- However, exploit.php will probably be filtered because it does not have an image extension:
- Let's intercept the submission with Burp:
- Submitting exploit.php:
- Let's focus on this line:
- Changing to:
- Forwarding:
- The submission is successful:
- Now, where has exploit.php been uploaded?
- Dirbusting the folder /torrent, we find a directory called upload:
- Connecting to /upload we locate exploit.php:
- Now, setting a Meterpreter listening session:
- To run exploit.php, just click it:
- The Meterpreter session is achieved:
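The upload filter was defeated by editing the intercepted request, which is possible because every field a filter can read from the request (filename, extension, declared Content-Type) is chosen by the client. The following is an added example (not the Torrent Hoster code) contrasting a filter that trusts request metadata with one that inspects the file's own bytes for the signature of the allowed image types (jpg, jpeg, gif, png); the sample uploads and their names are constructed.

```python
import os

# Standard file signatures for the image types the screenshot upload accepts (jpg, jpeg, gif, png).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

def extension_of(filename):
    """Lower-cased final suffix of the client-supplied name, without the dot."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()

def weak_validate(filename, declared_type, data):
    """Filter that trusts only request metadata (extension and Content-Type header).
    Both values are chosen by the client, so this check says nothing about the bytes."""
    return extension_of(filename) in MAGIC and declared_type.startswith("image/")

def strict_validate(filename, declared_type, data):
    """Accept only if the extension is allowed AND the bytes carry that type's signature.
    The declared Content-Type is deliberately ignored."""
    ext = extension_of(filename)
    if ext not in MAGIC:
        return False
    return any(data.startswith(sig) for sig in MAGIC[ext])

# Constructed uploads: (filename, declared Content-Type, first bytes of the body).
PHP_BODY = b"<?php echo 'constructed placeholder'; ?>"
SAMPLES = {
    "php_named_php": ("exploit.php", "application/x-php", PHP_BODY),
    "php_named_png": ("exploit.png", "image/png", PHP_BODY),
    "real_png": ("shot.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "gif_declared_png": ("anim.gif", "image/png", b"GIF89a" + b"\x00" * 16),
}

def compare_filters():
    """Run both validators over the samples; returns {name: (weak_result, strict_result)}."""
    return {name: (weak_validate(*s), strict_validate(*s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (weak, strict) in compare_filters().items():
        print(f"{name:18} weak={weak!s:5} strict={strict}")
```

Storing the file under a server-generated name outside the web root, so that nothing uploaded is ever served as executable script, removes the remaining risk even when the signature check passes.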
- Reading information about the system:
- Getting a remote shell:
- Improving the shell with:
- Going to /home and listing content:
- Going to user george's folder:
- Reading user's flag:
4 - PRIVILEGE ESCALATION
- Let's exploit the kernel in two ways:
4.1 - Dirtycow
- The kernel 2.6.31 is vulnerable to the exploit dirtycow.c:
- Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel, a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.
https://en.wikipedia.org/wiki/Dirty_COW
- According to the instructions of dirty.c, it creates a new user called firefart with a password provided by the attacker.
- Copying the exploit and storing it locally on Kali:
- Transferring dirty.c to Popcorn:
- Compiling dirty.c by following the instructions:
- Running dirty and entering the new password hola:
- Switching to the user firefart:hola, we get a remote root shell:
4.2 - Full-Nelson.c Local Privilege Escalation
- Also, the kernel 2.6.31 is vulnerable to the exploit 15704.c:
- Downloading 15704.c to Kali:
- Transferring 15704.c from Kali to Popcorn /tmp folder:
- Compiling 15704.c according to the instructions:
- Running the exploit, a root shell is achieved:
5 - CAPTURING THE FLAG
- Reading root.txt: