# Beep

## Beep - 10.10.10.7 

### Target Enumeration: 

OS: Linux IP: 10.10.10.7 

User: aeff3def0c765c2677b94715cffa73ac 

Root: d88e006123842106982acce0aaf453f0 

### Ports / Services / Software Versions Running 

```
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp       Postfix smtpd
80/tcp    open  http       Apache httpd 2.2.3
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
993/tcp   open  ssl/imap   Cyrus imapd
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
```

### Vulnerability Exploited: 

This attack exploits FreePBX version 2.10.0,2.9.0 and possibly older. Due to the way callme\_page.php handles the 'callmenum' parameter, it is possible to inject code to the '$channel' variable in function callme\_startcall in order to gain remote code execution. Please note in order to use this module properly, you must know the extension number, which can be enumerated or bruteforced, or you may try some of the default extensions such as 0 or 200. 

Also, the call has to be answered (or go to voice). Tested on both Elastix and FreePBX ISO image installs. 

### Privilege escalation. 

User is allowed to run an old version of nmap --interactive using sudo which can then drop the low privileged user into a root shell. 

### Exploiting the host: 

Nmap

<div align="left"><img src="https://lh3.googleusercontent.com/-PFHD_EgTcymfwgLl7glMkfRY1Ulc2hTkMRzyuiNZb3X6S0i5iR_29Mhw03TmMpgY-4xvd1To46UWuYE_oKrcqcydI_Gh6-ZnYe6Ihz7NaEE2_xtFAgHcBFkrakWe8tt4BTp_b1A" alt=""></div>

Port 443 is running elastix which has a common vulnerability.

<div align="left"><img src="https://lh5.googleusercontent.com/4eEvntlb7ZIjXFRqLAg-rHMfVV3pwsnciqV4nQcEW4VRgPI91izCzKoYjGHb0wU7xHB2DHQpMERaSNe7oLtD6e_9X_TDRTwPe4vERdbGo35YFVCMSZDHoxLrM3ip_Si258YFKBHe" alt=""></div>

Set up unix/http/freepbx\_callmenum with the following options in metasploit.

<div align="left"><img src="https://lh6.googleusercontent.com/G-cciqarTeTBkjNMv12H6LqiR2eEYaRn8zvPN3XkN4Yd4Qhd0LqMfi18ypXB7AvkBAVZkmCW6ictMxKS1_8bN08r2QYIL9S_3s6-wVYrzbtNTcEXYw33NLGImUHvlNINUU4M8xLn" alt=""></div>

Execute the exploit and wait a while as it runs. After a while you will get a shell.

<div align="left"><img src="https://lh6.googleusercontent.com/gyBNiAMzJeTACwncPxLuDC0CmBBeUf9-cehmamvBU-QtPAe-2F3h81aKG0oSh5lM7fcYE2k2Kh4lIwwUSHX5PL3Avq-GikDQKqip4TYKolKZu4DYxtuU9jEe918KzT_ZbQ8HXExA" alt=""></div>

Interact with the session and start enumerating the machine.

<div align="left"><img src="https://lh6.googleusercontent.com/qIllDtley4hgXjqCjwZubX8vJGKa44_I_fW2iMF-Eqdi7LMdWrv-ytY19pU1nIUsuffXFyEJfO4d5NR9HKy_stuZMJ8SWwY5IOOIbqsodn43R-GkaKqchUJLxnuhx9mz_Z552XGR" alt=""></div>

Unusual entry in sudo -l

<div align="left"><img src="https://lh6.googleusercontent.com/Pw0Gu0H4NsQsKW8Id1151oGymObY694nGWK6DuMT2HFed0tvspirf99JtDOWxQzcp5UDbu6uqzZwBDMwDEiZzrCcsPHlT98x0LgoKa26xm9fhRXNoTHanS_ExSUEiaYVLKIviFWP" alt=""></div>

Use sudo nmap --interactive to get root.

<div align="left"><img src="https://lh4.googleusercontent.com/LzZ1UIkVPaPf30RfOHjI97AzybKJJsI5bvXjhh_mC_mri1yOQpZqBQVmJUnxfbYXbKIE50yPBLOaNWplKyKAF9M5_MR0t8lePQGkIIII0W5YTvW2f5VyMzTlDGzuBJVQcYRwmpZx" alt=""></div>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.jdksec.com/hack-the-box/beep.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.