Welcome to my writeup on the HackTheBox machine Beep. While it wasn't a very challenging machine, it did have a lot of potential rabbit holes which could be distracting.
I started my enumeration with an nmap scan and saved the output to a file.
sudo nmap -sCV 10.129.229.183 -oN scan.initial

The output of the initial scan showed a lot of different services running. I first tried viewing the web server, but Firefox was giving me the error shown in the screenshot below.

To resolve it I had to modify my TLS settings in about:config. I changed the minimum TLS version to 1, and then I was able to view the site.

The site was running Elastix and had a login page.

I tried some basic things like admin' or '1'='1 and <script>alert(0);</script>, but had no success. After trying a few more techniques, I decided to check out the website on port 10000, which also had a login page.

I tried some more basic attacks from OWASP Top Ten and then decided to run a gobuster scan. I also tried connecting to a few other open ports with netcat while the scan was running, but didn't get any meaningful responses.
When I ran the scan I needed to use the -k flag to ignore the SSL certificate.
sudo gobuster dir -u https://10.129.229.183/ -w /usr/share/wordlists/dirb/big.txt -o gobust -k 
The gobuster scan found a lot of directories, including an /admin one. When I attempted to view the admin page it brought me to another login page, which revealed that it was running FreePBX 2.8.1.4.

I spent a decent amount of time trying different CVEs, enumerating versions, and testing some of the different login pages more thoroughly. I first ran searchsploit with FreePBX and saw an RCE vulnerability, but it didn't work. In Metasploit there were a bunch of RCE modules for it, but none worked. I did more research on CVEs for Elastix, and CVE-2012-4869 caught my attention. It targets Elastix and FreePBX versions that are newer than the ones being used, meaning they are probably unpatched.

However, the exploit required an extension number. I did some research on HackTricks and discovered that Elastix and FreePBX use the Session Initiation Protocol (SIP), a protocol used to start, manage, and end real-time communication sessions over IP networks: https://hacktricks.wiki/en/network-services-pentesting/pentesting-voip/index.html After learning this, I ran svmap to identify what port SIP is running on and confirmed it is running on the standard port, 5060.
svmap 10.129.229.183
I also used a tool called sippts to confirm my findings and further enumerate. It has a really nice output.
sippts enumerate -i 10.129.229.183
In the screenshot below, pay attention to the INVITE method. That is the method being used to initiate calls.

In the HackTricks notes, it says that 100 Trying is the response received from calling. So I used svwar to enumerate extensions using the INVITE method, and as shown in the screenshot below, the extension being used is 233.
sudo svwar 10.129.229.183 -p 5060 -e 100-500 -m INVITE
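The svwar sweep above is loud from the PBX side: a single source sends INVITEs to a run of consecutive extensions within seconds, which is what a defender should be watching for. As an added example that is not part of the original writeup, this Python script reads a constructed SIP request log (assumed format: time, source IP, SIP method, dialed extension) and flags any source that INVITEs many distinct extensions inside a short window.

```python
"""Flag SIP INVITE sweeps (extension enumeration) in a SIP request log.

Constructed log format, one request per line:
    <ISO-8601 time> <src_ip> <method> <dialed_extension>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.10.14.5 walks extensions 100..104 in two seconds
# (scanner pattern); 192.168.1.20 places two ordinary calls minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.10.14.5 INVITE 100
2024-05-01T10:00:00Z 10.10.14.5 INVITE 101
2024-05-01T10:00:01Z 10.10.14.5 INVITE 102
2024-05-01T10:00:01Z 10.10.14.5 INVITE 103
2024-05-01T10:00:02Z 10.10.14.5 INVITE 104
2024-05-01T10:00:05Z 192.168.1.20 INVITE 233
2024-05-01T10:05:00Z 192.168.1.20 INVITE 234
2024-05-01T10:00:06Z 10.10.14.5 REGISTER 233
"""


def parse_line(line):
    ts, src, method, ext = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, ext


def find_invite_sweeps(log_text, window=timedelta(seconds=30), min_distinct=5):
    """Return {src_ip: distinct_extensions} for every source that sent INVITEs
    to at least `min_distinct` different extensions within any `window`."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, ext = parse_line(line)
        if method == "INVITE":          # only call setup requests count
            per_src[src].append((ts, ext))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()                # INVITEs inside the sliding window
        for ts, ext in events:
            recent.append((ts, ext))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({e for _, e in recent})
            if distinct >= min_distinct:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(find_invite_sweeps(SAMPLE_LOG))  # {'10.10.14.5': 5}
```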
I then ran the PoC (https://www.exploit-db.com/exploits/18650) with python2 and changed the extension value in the script to 233. I started a listener on port 9001 and gained initial access.

I then got the user flag. But only after having to rerun the exploit because my terminal froze after trying to stabilize the shell. ;)

Checking sudo -l, I noticed that I could run a lot of commands as root without a password.

I then looked back at the original PoC and noticed it shows how you can abuse the interactive mode of nmap to get a root shell.

Thank you for reading my write-up on Beep. I hope you enjoyed it and picked up something useful along the way.