```
# Nmap 7.80 scan initiated Wed Sep 25 13:54:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 993,80,110,10000,143,3306,4190,4559,995,111,5038,443,22,4445,880,25,U:10000 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.23s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) STLS AUTH-RESP-CODE TOP USER RESP-CODES UIDL APOP PIPELINING LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: BINARY UNSELECT Completed ATOMIC LITERAL+ X-NETSCAPE LIST-SUBSCRIBED SORT=MODSEQ IDLE UIDPLUS ACL MULTIAPPEND IMAP4rev1 RIGHTS=kxte STARTTLS CATENATE THREAD=ORDEREDSUBJECT NAMESPACE NO ANNOTATEMORE THREAD=REFERENCES LISTEXT OK CHILDREN CONDSTORE QUOTA MAILBOX-REFERRALS IMAP4 URLAUTH A0001 SORT ID RENAME
443/tcp   open  ssl/https?
|_ssl-date: 2019-09-25T08:20:35+00:00; -7m55s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|PBX|WAP|printer|specialized
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), HP embedded (94%), Enterasys embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Riverbed RiOS (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/h:enterasys:ap3620 cpe:/h:netgear:eva9100 cpe:/o:riverbed:rios
Aggressive OS guesses: Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.18 (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 (Fedora Core 2) (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -7m55s

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   226.92 ms 10.10.14.1
2   227.25 ms 10.10.10.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 25 14:01:06 2019 -- 1 IP address (1 host up) scanned in 368.60 seconds
```
Running all the services through searchsploit didn't get me anything worthwhile: the exploits I tried either failed outright or didn't apply because of compatibility or version mismatches. The obvious attack vectors left were the web servers on ports 10000 and 80. The one on 10000 (Webmin) didn't have anything interesting, but the one on 80, which redirects to HTTPS and serves Elastix, had publicly available exploits, notably Exploit-DB 18650.
Running the script as-is didn't get me the expected shell; instead it threw SSL errors, which I tried to resolve with the modified script below. Alongside that, the exploit needs a valid extension number, which I found with the svwar snippet that follows.
That didn't work either; I still got SSL errors. Since I knew the script was simply making a single request to the web server with some parameters, I pasted that request into the browser while keeping a listener running for the reverse shell, and to my surprise the shell came back.
Beneath the exploit code, the script itself mentions a privilege-escalation path, which I gave a shot, and to my astonishment it worked just fine and got me a root shell.
I learnt about SIP extensions and how to find a valid one on the target, and that reading exploit scripts in detail, notes beneath the code included, can be what gets you the whole machine.
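The SIP extension lesson above and the svwar step earlier, as an added example that is neither the author's snippet nor svwar's own code: svwar works by sending a SIP request (REGISTER by default, or OPTIONS/INVITE) for each candidate extension and reading the status code, because a PBX normally challenges an existing extension (401/407) but rejects an unknown one (404/403). The Python 3 script below does the REGISTER variant over UDP 5060, classifies the replies, and first probes a canary extension that should not exist, since an Asterisk configured with `alwaysauthreject=yes` challenges every REGISTER and the method then tells you nothing. The source address, the canary value, the status-code sets and the sample replies are constructed for this example.

```python
import re
import socket
import uuid

# Status-code classes an svwar-style scan relies on (RFC 3261 codes). These
# sets are an assumption about typical Asterisk behaviour, not a guarantee.
VALID_CODES = {200, 401, 407}          # challenged or accepted: exists
INVALID_CODES = {403, 404, 480, 603}   # rejected: does not exist

STATUS_RE = re.compile(rb"^SIP/2\.0 (\d{3}) ([^\r\n]*)")


def build_register(ext, target_ip, target_port=5060,
                   src_ip="10.10.14.1", src_port=5060):
    """Minimal REGISTER for one extension. src_ip is a placeholder."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # RFC 3261 magic cookie
    lines = [
        f"REGISTER sip:{target_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:{src_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:{ext}@{target_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{ext}@{target_ip}>",
        f"Call-ID: {uuid.uuid4().hex}@{src_ip}",
        "CSeq: 1 REGISTER",
        f"Contact: <sip:{ext}@{src_ip}:{src_port}>",
        "Expires: 0",                  # probe only, never bind a contact
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(resp):
    """Return (code, reason) from a SIP response, or (None, None)."""
    m = STATUS_RE.match(resp)
    if not m:
        return None, None
    return int(m.group(1)), m.group(2).decode(errors="replace")


def classify(resp):
    code, _ = parse_status(resp)
    if code is None:
        return "no-response"
    if code in VALID_CODES:
        return "valid"
    if code in INVALID_CODES:
        return "invalid"
    return f"unknown({code})"


def probe(sock, target, ext, timeout=1.0):
    """Send one REGISTER and return the raw reply (b'' on timeout)."""
    sock.settimeout(timeout)
    sock.sendto(build_register(ext, target[0], target[1]), target)
    try:
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return b""
    return data


def enumerate_extensions(target, exts, timeout=1.0, canary="98765432"):
    """Map each extension to valid/invalid/...; aborts when the PBX also
    challenges the (assumed non-existent) canary, i.e. alwaysauthreject."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if classify(probe(sock, target, canary, timeout)) == "valid":
            raise RuntimeError("PBX challenges unknown extensions too; "
                               "REGISTER enumeration is unreliable here")
        for ext in exts:
            results[str(ext)] = classify(probe(sock, target, str(ext), timeout))
    return results


# Constructed sample replies (not captured from any real host) so the
# classifier can be exercised offline.
SAMPLE_REPLIES = {
    "201": (b"SIP/2.0 401 Unauthorized\r\n"
            b"WWW-Authenticate: Digest algorithm=MD5, realm=\"asterisk\", "
            b"nonce=\"1a2b3c\"\r\nContent-Length: 0\r\n\r\n"),
    "999": b"SIP/2.0 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    "100": b"",
}


def classify_samples():
    return {ext: classify(reply) for ext, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # python3 sipenum.py <pbx-ip>
        hits = enumerate_extensions((sys.argv[1], 5060), range(100, 500))
        print([e for e, v in hits.items() if v == "valid"])
    else:
        print(classify_samples())
```

Run it with the PBX address to sweep extensions 100-499 one request at a time; without arguments it just classifies the embedded samples. The single send/receive per extension is deliberate (no SIP retransmission timer), so a lossy link shows up as `no-response` rather than a false `invalid`, which is the check you want before trusting the result.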