Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
PurpleSharp
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Beep

Beep - 10.10.10.7

Target Enumeration:

OS: Linux IP: 10.10.10.7
User: aeff3def0c765c2677b94715cffa73ac
Root: d88e006123842106982acce0aaf453f0

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)

Vulnerability Exploited:

This attack exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callme_page.php handles the 'callmenum' parameter, it is possible to inject code to the '$channel' variable in function callme_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200.
Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs.

Privilege escalation.

User is allowed to run an old version of nmap --interactive using sudo which can then drop the low privileged user into a root shell.

Exploiting the host:

Nmap
Port 443 is running elastix which has a common vulnerability.
Set up unix/http/freepbx_callmenum with the following options in metasploit.
Execute the exploit and wait a while as it runs. After a while you will get a shell.
Interact with the session and start enumerating the machine.
Unusual entry in sudo -l
Use sudo nmap --interactive to get root.
Hack The Box last updated - 2019 - Previous
Popcorn
Next - Hack The Box last updated - 2019
Tenten
Last modified 3yr ago
Copy link
Outline
Beep - 10.10.10.7
Target Enumeration:
Ports / Services / Software Versions Running
Vulnerability Exploited:
Privilege escalation.
Exploiting the host: