
2. Beep (Easy)

Pre-Setup

Before we start off we will need to edit the hosts file. We are doing this because sometimes the same IP can host multiple websites, so it is a good habit when doing HTB boxes to edit the /etc/hosts file and add the IP address. In our case the box name is Beep, so we will edit the hosts file as shown below.

Reconnaissance

Nmap

To start off with reconnaissance we will run a simple nmap service detection command. This is done so that we can get a glance of all the services that are currently running on the server. It may take some time as there are multiple services running.

Once the scan is complete we can do a full scan using the following command. This will give the result in detail, which can be useful for extracting important information.

Nmap All scan results

From the above we can see what is useful, and there are 3 ports that catch the eye. If we want we can enumerate the rest, but the interesting ones are these.

Port 443 - Elastix Application

From the above we know that we can narrow it down to Port 443 & Port 10000. We will start off with port 443, or https://beep.htb. We can see that there is an Elastix website running.

Sometimes users might not be able to view the website. If so, add an exception; if you do not get the option to add an exception, then within the Firefox browser head to about:config, search for security.tls.version.min and change it from whatever value it is to 1. This should fix the issue.

Fuzzing Directories

We can start to fuzz directories to see what applications exist. The tool that will be used here is Gobuster. Any tool can be used, such as Dirbuster, Dirb, FFUF, WFUZZ etc. The command we will be using is:

In the above command we can use wordlists from /usr/share/dirb/big.txt or /usr/share/dirbuster/directory-list-2.3-medium.txt. The wordlist which has been used here is from SecLists.

We are using -t 100 to increase the threads so that it will fuzz faster, and finally we use -k so that we can skip SSL verification and directly move on to the fuzzing.

We can see that it has listed multiple directories, but the one that catches the eye is the vtigercrm directory. This is because it is a CRM (Customer Relationship Management) web application, and there is a possibility that there could be an exploit for it. Now we shall navigate into that directory to see what is present.

Exploitation of VTiger CRM

In the above picture we can see that there is a login form, but what is more crucial is the CRM version number, which is vtiger CRM 5.1.0. We can use Google or searchsploit to check if there are any vulnerabilities for this version.

We can see that there are multiple vulnerabilities for this application. There are also RCE modules present within Metasploit. Now we can fire up the Metasploit console (msfconsole) and search for the exploits.

In the above picture we can see there are about 4 exploits, but we will use the 3rd one. The reason is that the 1st and 4th exploits require authentication and the 2nd one is ranked as manual exploitation. So we can use the 3rd one and see if it works.

Note: To get more info regarding the exploit we can first select the exploit and then use the show info command.

Now we will select the exploit by typing in use 2 and then type in show options to see what options we need to set.

For the Exploit Module we need to set RHOSTS, change RPORT to 443 (as Port 80 redirects to 443), change SSL to true and set the VHOST.

For the Payload Options we need to change LHOST to our HTB machine IP. This can be set using the set command.

In the above picture we have set the required information. We will type in show options one more time to make sure all the information given is accurate. Once that is done we will fire up the module by typing in exploit and hope it works.

We got a shell back; the exploit worked successfully. Now we can move on to the Post-Exploitation steps to get the user flag and root flag.

Post Exploitation

Once we have a meterpreter session we can convert it to a shell by typing in shell. After that we will type in whoami to check which user we are logged in as, and as you can see in the below picture we are logged in as asterisk. Now, like in the previous box, we will spawn a TTY shell. The reference for it can be found in the references section. In this case we will be using:

In the above picture we can see that we now have a stable shell. We can navigate to /home/fanis to get the user.txt flag.

Privilege Escalation

Now that we have gotten the user.txt flag we will try to get the root.txt flag. The first method we will try is to check if we have any sudo commands available to us. We can do this by typing in sudo -l, and we can see that the following binaries can be run with root privileges.

We will use /usr/bin/nmap to get root access. For this we can head to https://gtfobins.github.io/ and search for nmap.

We can see from the above picture that using nmap --interactive followed by !sh we can drop into a root shell. Now we will head back to the terminal and type in the following to get access to nmap interactive mode, then we will type in !sh to get into a shell and finally type in whoami.

NOTE: Nmap interactive mode allows the user to run Nmap commands interactively, meaning the user can enter commands one by one and receive immediate feedback and results. This is available for Nmap versions from 2.02 to 5.21. It also allows popping shells, which is useful in this case for privilege escalation.

We can see from the above picture that we officially have root access. This was possible because, within the sudoers list, nmap was given permission to run via sudo. Since we were able to run it with sudo, whatever command it spawns runs as root; therefore when we use the above command we get a shell as root, thus giving us privilege escalation.
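The root cause here is a sudoers rule that grants a binary with a known shell escape. The following sudoers audit is an added example, not part of the original writeup or of the Beep box: it parses a constructed sudoers file modelled on the asterisk rule above and flags any non-root user allowed to run ALL or a binary from an assumed shortlist of shell-escape-capable programs (drawn from common GTFOBins entries). The fix is to drop such binaries from sudoers or replace them with a narrowly scoped wrapper.

```python
import os
import re

# Assumed shortlist of binaries that can spawn a shell when run via sudo.
# Taken from well-known GTFOBins entries; extend for your environment.
SHELL_ESCAPE_BINARIES = {"nmap", "vim", "vi", "less", "more", "find",
                         "awk", "perl", "python", "bash", "sh", "env", "man"}

# user host = (runas) [TAG:] cmd1, cmd2 ...  (alias and Defaults lines skipped)
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample, modelled on the sudo -l output described above.
SAMPLE_SUDOERS = """\
# constructed sample sudoers (not the real file from the box)
Defaults    env_reset
root        ALL=(ALL) ALL
asterisk    ALL=(root) NOPASSWD: /usr/bin/nmap, /sbin/service asterisk restart
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
"""

def parse_sudoers(text):
    """Return (user, runas, command) tuples for every command granted in text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"           # sudo defaults to root
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: etc.
            rules.append((m.group("user"), runas, cmd))
    return rules

def find_shell_escapes(text):
    """Flag rules where a non-root user may run ALL or a shell-escape binary."""
    findings = []
    for user, runas, cmd in parse_sudoers(text):
        if user == "root" or not cmd:
            continue
        binary = os.path.basename(cmd.split()[0])
        if cmd == "ALL" or binary in SHELL_ESCAPE_BINARIES:
            findings.append((user, runas, cmd))
    return findings

if __name__ == "__main__":
    for user, runas, cmd in find_shell_escapes(SAMPLE_SUDOERS):
        print(f"RISK: {user} may run {cmd} as {runas} (shell escape possible)")
```

Running it against the sample reports only the asterisk/nmap rule; the service restart and rsync entries pass, so the hardened line would keep those and drop /usr/bin/nmap.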

Now we can navigate to the root folder at /root to get the root.txt flag.

Root Flag

After submitting the user.txt and root.txt flags we have officially pwned the machine. Congratulations!

Reference
