Sat. Oct 24th, 2020

Pentesting Fun Stuff


BEEP

First a scan to get the open ports and services running.

A lot of open ports. Let’s start with the webserver.

Webserver 10.10.10.7:443

Webserver 10.10.10.7:443/admin


After a quick lookup it looks like Elastix has some known issues. Combined with FreePBX, I think I'll check out the Python script first, which should exploit an RCE vulnerability.
The Python script needs a little tweaking of the hosts, and it gives the following description:

That shouldn't be too hard.

It gives back an error. It looks like there are some problems with SSL. Some adjustments to the script:

After the adjustment the script runs fine, but there is no shell. Time to scan for the known VoIP services and get more info.

Looking at the output I could smack myself silly. The scripts rely on port 5060, which is the default port for SIP… and it has been closed from the beginning!
So it's back to the initial port scan to check out what's next.
I decide to go back to the webserver and run a dirsearch scan.

Looks like version 5.1.0 has a LFI vulnerability.

That’s easy to test.
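To show what the LFI class of bug looks like in code and how it is closed, here is an added Python example that is not part of the write-up and does not reproduce the Elastix code: a hypothetical page-include handler in its vulnerable form beside a hardened one. The web root, page files and the "secret" file are constructed in a temporary directory so the script runs offline.

```python
"""Added example: a local file inclusion (LFI) bug and its fix.
All names (WEB_ROOT, vulnerable_include, safe_include) are hypothetical
and do not refer to Elastix or FreePBX code."""
from pathlib import Path
import tempfile

# Constructed sandbox: a "web root" holding two legitimate pages and one
# configuration file that must never be served to a client.
WEB_ROOT = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
PAGES = WEB_ROOT / "pages"
PAGES.mkdir()
(PAGES / "home.html").write_text("<h1>home</h1>")
(PAGES / "about.html").write_text("<h1>about</h1>")
SECRET = WEB_ROOT / "secret.conf"
SECRET.write_text("password=hunter2")  # constructed sample value


def vulnerable_include(page: str) -> str:
    """Classic LFI shape: the request parameter is joined straight onto a
    base directory.  '..' segments and absolute paths are passed through
    untouched, so the OS resolves them outside the intended directory."""
    return (PAGES / page).read_text()


def safe_include(page: str) -> str:
    """Hardened version: resolve the final path, require that it still sits
    below the pages directory, and allow only the expected file type."""
    base = PAGES.resolve()
    target = (base / page).resolve()
    if base not in target.parents:          # escaped the pages directory
        raise PermissionError(f"refused: {page!r}")
    if target.suffix != ".html" or not target.is_file():
        raise PermissionError(f"refused: {page!r}")
    return target.read_text()


def is_refused(page: str) -> bool:
    """Helper for checking the hardened handler's decision."""
    try:
        safe_include(page)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("vulnerable, traversal :", vulnerable_include("../secret.conf"))
    print("hardened, traversal   :", "refused" if is_refused("../secret.conf") else "served")
    print("hardened, legitimate  :", safe_include("home.html"))
```

The check is done on the resolved path, not on the raw string, so encodings and `..` tricks that survive naive string filtering are still caught; the suffix check is a second, independent constraint.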

Let's grab the first flag.

Because I don’t have the ability to search at my leisure in the file system, I’m going to look for interesting files for the programs I know are installed and to which I have access, like Asterisk (https://www.voip-info.org/asterisk-config-files/).

After a few tries I get some credentials. With these credentials I have access to the dashboards of Elastix, FreePBX and vtigerCRM.
With vtigerCRM there are a few possibilities to upload files. I go with changing the company logo.

For the upload I'll use the PHP reverse shell script from pentestmonkey. After uploading, I find the file in the /test/ folder.

Now for root.

Some nmap flags, like -sS, require root, so for a restricted user this is not a normal choice. Also, having nmap run at root level gives great possibilities.
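The root step above hinges on a binary that runs with root privileges for everyone on the box. As an added example (not from the write-up), here is a small least-privilege audit an administrator could run: it lists setuid-root regular files and flags any that are not on an allow-list. The allow-list and the sample listing are constructed for illustration, not a complete baseline for any distribution.

```python
"""Added example: audit setuid-root binaries against an allow-list.
Function names and EXPECTED_SETUID are hypothetical; the list is
illustrative and should be replaced by the host's own baseline."""
import os
import stat
from typing import Iterable, Iterator, List, Tuple

Entry = Tuple[str, int, int]  # (path, st_mode, st_uid)

# Illustrative allow-list of binaries that are commonly setuid root.
EXPECTED_SETUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/bin/su",
    "/bin/ping", "/usr/bin/ping",
}


def setuid_root_entries(entries: Iterable[Entry]) -> List[str]:
    """Paths whose mode carries the setuid bit and whose owner is uid 0.
    Takes (path, mode, uid) triples so the logic is testable without a
    real file system."""
    return [p for p, mode, uid in entries if mode & stat.S_ISUID and uid == 0]


def unexpected_setuid(entries: Iterable[Entry], expected=EXPECTED_SETUID) -> List[str]:
    """Setuid-root files not covered by the allow-list, sorted for reporting."""
    return sorted(p for p in setuid_root_entries(entries) if p not in expected)


def walk_entries(root: str = "/") -> Iterator[Entry]:
    """Real scan: yield (path, mode, uid) for regular files under root.
    lstat is used so symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished; skip it
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


# Constructed sample listing, as such an audit might see it on a host
# where nmap has been made setuid root.  0o104755 = S_IFREG | S_ISUID | 0755.
SAMPLE: List[Entry] = [
    ("/usr/bin/passwd", 0o104755, 0),     # expected setuid root
    ("/usr/bin/nmap",   0o104755, 0),     # unexpected setuid root
    ("/bin/cat",        0o100755, 0),     # ordinary binary
    ("/home/user/tool", 0o104755, 1000),  # setuid, but not root-owned
]

if __name__ == "__main__":
    for path in unexpected_setuid(SAMPLE):
        print("unexpected setuid-root binary:", path)
    # For a live host: unexpected_setuid(walk_entries("/"))
```

Running the real scan as an unprivileged user is fine for most of the tree, since the mode and owner of a file are readable without read access to its contents; directories that cannot be listed are simply skipped.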

No /bin/cat? LOL… funny… but no problem.

And it’s done!!!

2 thoughts on “BEEP”

  1. Hi!
    Thanks for this doc, very well done!
    I have a question 🙂
    Which reverse shell did you upload on vtigercrm? I've been blocked at this point for 2 days 🙁
    I uploaded a PHP reverse shell, changing the extension to .php;.jpg in order to pass the sanity check for the file. But then I cannot trigger the reverse shell.
    Any help?
    Thanks
