0x00 Preface

This is a writeup; the target machine is Beep from Hack The Box.

0x01 Information Gathering

root@kali:~/htb/beep# ports=$(nmap -PN -p- --min-rate=1000 -T4 10.10.10.7 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ','| sed s/,$//)
root@kali:~/htb/beep# nmap -p$ports -sC -sV 10.10.10.7
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-16 09:24 EST
Nmap scan report for 10.10.10.7
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: RESP-CODES EXPIRE(NEVER) LOGIN-DELAY(0) USER TOP AUTH-RESP-CODE IMPLEMENTATION(Cyrus POP3 server v2) STLS PIPELINING UIDL APOP
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: MULTIAPPEND CHILDREN Completed CONDSTORE IDLE SORT=MODSEQ ATOMIC QUOTA IMAP4 MAILBOX-REFERRALS THREAD=REFERENCES SORT X-NETSCAPE UNSELECT LIST-SUBSCRIBED LISTEXT OK CATENATE NO ANNOTATEMORE URLAUTHA0001 THREAD=ORDEREDSUBJECT RIGHTS=kxte IMAP4rev1 BINARY ID ACL LITERAL+ RENAME UIDPLUS STARTTLS NAMESPACE
443/tcp open ssl/https?
|_ssl-date: 2019-12-16T15:29:00+00:00; +1h00m45s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
5038/tcp open asterisk Asterisk Call Manager 1.1
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1h00m44s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 394.04 seconds

Scanning everything in a single pass was too slow, so the scan was split in two: a quick sweep of all ports first, then a detailed service scan of only the ports that sweep found. I didn't expect this many ports to be open.

Port 80 serves an Elastix instance. I searched online for its default password, including the default MySQL password, but logging in to either port 80 or 3306 failed.
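The two-stage approach above builds the second scan's port list from the first scan's output with a grep/cut/tr/sed pipeline. As an added example (not code from the original writeup), here is the same step in Python: it parses nmap's normal output into a small inventory, derives the comma-separated port list, and flags services nmap could not identify. The sample text is constructed from a few of the lines shown above.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of the nmap -sV output above (not a live scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.7
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
443/tcp open ssl/https?
3306/tcp open mysql?
5038/tcp open asterisk Asterisk Call Manager 1.1
"""

class Service(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed no version (e.g. a plain -p- sweep)

# A port line starts with "<port>/<proto>"; NSE script lines start with "|".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text: str) -> list[Service]:
    """Return one Service per port line; everything else is skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, svc, ver = m.groups()
            services.append(Service(int(port), proto, state, svc, ver.strip()))
    return services

def port_list(services: list[Service], state: str = "open") -> str:
    """Same shape as the shell pipeline's $ports, but keeps only one state."""
    return ",".join(str(s.port) for s in services if s.state == state)

def unidentified(services: list[Service]) -> list[Service]:
    """Services nmap marked with a trailing '?' deserve a manual look."""
    return [s for s in services if s.service.endswith("?")]
```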

root@kali:~/htb/beep# mysql -h 10.10.10.7 -u root -p
Enter password:
ERROR 1130 (HY000): Host '10.10.14.9' is not allowed to connect to this MySQL server

Web

Looking it up, Elastix appears to be a telephony server: the web management frontend for Asterisk.

Checking for CVEs:

[0] % searchsploit elastix
----------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Exploit Title | Path
| (/usr/local/opt/exploitdb/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
----------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------
Shellcodes: No Result

After trying a few of them, the LFI vulnerability turned out to be exploitable:

With the password in hand, I could log in.

I also tried the code-execution CVE, but it needs an extension number. Browsing the admin backend, I found one:

So let's get a shell. I used http://www.exploit-db.com/exploits/18649 to get a shell, but the payload in that code didn't work, so I picked a payload from owefsad's article "how get a reverse shell" and tried it.

Unexpectedly, that got me in, and with ROOT privileges at that:

[0] % nc -lv 443
sh: no job control in this shell
sh-3.2# ls
user.txt
sh-3.2# whoami
root

Finally, reading other people's writeups, it turns out that password was also the root account's SSH password. Password reuse is a problem worth taking seriously.