# Nmap 7.92 scan initiated Sun Jan 16 05:37:13 2022 as: nmap -sC -sV -p- -oN nmap/beep_all 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.056s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: PIPELINING TOP APOP LOGIN-DELAY(0) EXPIRE(NEVER) UIDL USER STLS IMPLEMENTATION(Cyrus POP3 server v2) AUTH-RESP-CODE RESP-CODES
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: RENAME OK THREAD=REFERENCES IMAP4rev1 SORT=MODSEQ IDX-NETSCAPE LIST-SUBSCRIBED ACL NAMESPACE CATENATE LISTEXT RIGHTS=kxte SORT NO QUOTA IDLE CONDSTORE IMAP4 ANNOTATEMORE THREAD=ORDEREDSUBJECT BINARY ATOMIC URLAUTHA0001 CHILDREN UNSELECT Completed UIDPLUS MULTIAPPEND LITERAL+ MAILBOX-REFERRALS STARTTLS
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_imap-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
443/tcp   open  ssl/http   Apache httpd 2.2.3 ((CentOS))
|_http-server-header: Apache/2.2.3 (CentOS)
|_ssl-date: 2022-01-15T22:41:00+00:00; +1h00m01s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Elastix - Login page
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
|_ssl-known-key: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
3306/tcp  open  mysql      MySQL (unauthorized)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
Host script results:
|_clock-skew: 1h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 16 05:42:46 2022 -- 1 IP address (1 host up) scanned in 332.87 seconds
That's a bunch of open ports on this machine.
Webserver
This machine has Apache running on port 80. When I visited the page, it redirected me to port 443, which serves the Elastix login page.
Gobuster
Well, I'm gonna run gobuster against this web server to try to find any hidden directories. I'm gonna pass php as the -x extension because this server runs PHP.
/admin
/admin really does sound good to me. When I visited the admin page, it prompted me with a login form.
I tried a bunch of credentials such as admin:admin, but they didn't work. However, when I clicked the cancel button, it went to https://10.10.10.7/admin/config.php and displayed an Unauthorized message.
Local File Inclusion/LFI
This box has an LFI tag on it. I know that doesn't sound fair at all, but information matters.
So, I ran searchsploit and found this.
I'm gonna mirror/copy this exploit into my current directory with the -m flag. Here is the exploit/PoC:
It basically uses current_language as the parameter. This PoC already includes the config file. I'm gonna copy/paste this into my browser and VOILA!
I managed to grab a bunch of passwords that appear in this file, but a lot of them seem to be commented out.
Just one password is not commented out, and it appears more often in here.
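As an added defensive example (not code from the original writeup): this Python checks an Apache access log for traversal in the current_language parameter of graph.php, the parameter the PoC above abuses, and applies the allowlist check that the vulnerable include should have used. The log lines, the /graph.php path and the allowed-language set are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (sample data, not traffic from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [16/Jan/2022:05:50:01 +0000] "GET /graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512
10.10.14.5 - - [16/Jan/2022:05:50:07 +0000] "GET /graph.php?current_language=../../../../etc/passwd%00&module=Accounts HTTP/1.1" 200 4096
10.10.14.5 - - [16/Jan/2022:05:50:09 +0000] "GET /graph.php?current_language=%252e%252e%252fetc%252fpasswd&module=Accounts HTTP/1.1" 200 2048
10.10.14.5 - - [16/Jan/2022:05:50:12 +0000] "GET /index.php HTTP/1.1" 302 -
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_LANGUAGES = {"en_us", "es_es", "de_de"}  # assumed allowlist for the example

def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e) cannot hide traversal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_lfi_attempt(lang):
    """Flag traversal, null bytes, absolute paths, or any value outside the allowlist."""
    lang = decode_param(lang)
    if ".." in lang or "\x00" in lang or lang.startswith(("/", "\\")):
        return True
    return lang not in ALLOWED_LANGUAGES

def scan_access_log(text):
    """Return the decoded suspicious current_language values seen in graph.php requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/graph.php"):
            continue
        for lang in parse_qs(parts.query, keep_blank_values=True).get("current_language", []):
            if is_lfi_attempt(lang):
                hits.append(decode_param(lang))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"possible LFI via current_language: {hit!r}")
```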
Method: 1
SSH
The Nmap scan result shows us port 22 is open. Well, I've got a potential password but don't know which user it belongs to. So, I'm gonna try my luck with the root user.
Error
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found.
Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
If you get an error like this, just like me, you need to run an ssh command like this:
Finally, I logged in as root through SSH. Let's get the user and root flags.
the flag
Method: 2
RCE
The last exploit I used was the LFI in graph.php, which targets Elastix 2.2.0, and this RCE targets the same version of Elastix.
As always, I'm gonna mirror/copy this exploit into my current working directory with the -m flag. When I ran the exploit, it showed a bunch of SSL-related errors. I tried fixing them by changing the Python code; it was painful, but I managed to fix it. Here is the code:
I ran the exploit one more time and it didn't work. I was speechless, then I noticed that the original script sets the extension to 1000, and maybe that's not a valid extension. So, I'm gonna run svwar from SIPVicious to identify a working extension.
I'm gonna run this command:
svwar -m INVITE -e100-400 10.10.10.7
Shell as Asterisk
Now, let’s run the exploit again and make sure to set up the Netcat listener first.
YES! It worked. Based on the comment in the original exploit, I can become root by using nmap --interactive. Let's do it.
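As an added defensive example (not code from the original writeup): the escalation above works because the service account is allowed to run nmap through sudo, and old nmap builds have an --interactive mode that spawns a shell. This Python parses a sudoers file and reports grants of such binaries, including the NOPASSWD tag state. The sudoers content and the asterisk grant are constructed for the example.

```python
import os
import re

# Constructed sudoers content (sample data, not the box's real /etc/sudoers).
SAMPLE_SUDOERS = """\
# grants for the PBX service account
Defaults    requiretty
root     ALL=(ALL)       ALL
asterisk ALL=(root) NOPASSWD: /sbin/service, /usr/bin/nmap, /sbin/iptables
backup   ALL=(root) /usr/bin/tar
"""

# Binaries whose sudo grant hands the caller a root shell; nmap (via --interactive)
# is the one this writeup uses. Extend the set for your own environment.
SHELL_ESCAPE_BINARIES = {"nmap"}

SPEC_RE = re.compile(r"^(?P<user>[^\s#]+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_user_specs(text):
    """Yield (user, runas, command, nopasswd) for every command in every user spec."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        nopasswd = False                             # a tag applies to all commands that follow it
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            tag = TAG_RE.match(cmd)
            while tag:
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                cmd = cmd[tag.end():]
                tag = TAG_RE.match(cmd)
            binary = cmd.split()[0] if cmd else ""
            specs.append((m.group("user"), m.group("runas") or "root", binary, nopasswd))
    return specs

def risky_grants(text, binaries=SHELL_ESCAPE_BINARIES):
    """Return the grants whose binary is known to expose a shell escape."""
    return [s for s in parse_user_specs(text) if os.path.basename(s[2]) in binaries]

if __name__ == "__main__":
    for user, runas, binary, nopasswd in risky_grants(SAMPLE_SUDOERS):
        print(f"{user} may run {binary} as {runas}" + (" without a password" if nopasswd else ""))
```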