Port Scanning and Enumeration (Nmap)
nmap -sV -sC -oN nmap/initial -T4 10.10.10.7
nmap -p- 10.10.10.7 -oN nmap/allports
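Those two scans produce Nmap "normal" (-oN) files. As an added example (not part of the writeup, and not the scan output from the box), here is a small Python parser for that format that turns the port table into records and then diffs the open ports against an allowlist of what a host is supposed to expose. The sample scan text is constructed; the allowed-port set is an assumption standing in for whatever baseline a defender keeps for the host.

```python
import re
from typing import Dict, List, Set

# Constructed sample of Nmap -oN output (not the writeup's scan); hosts are
# documentation addresses, services are illustrative.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sV -oN nmap/initial 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.041s latency).
Not shown: 994 closed tcp ports (reset)
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 4.3 (protocol 2.0)
80/tcp    open     http     Apache httpd 2.2.3
143/tcp   open     imap     Cyrus imapd
443/tcp   open     ssl/http Apache httpd 2.2.3
3306/tcp  filtered mysql
10000/tcp open     http     unknown-http
Service Info: OS: Linux

# Nmap done -- 1 IP address (1 host up) scanned in 30.12 seconds
"""

# One port-table line: "<port>/<proto> <state> <service> [<version text>]".
PORT_LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_nmap_normal(text: str) -> List[Dict[str, object]]:
    """Return one record per port-table line in an Nmap -oN file."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PORT_LINE_RE.match(line)
        if not m:
            continue  # headers, "Not shown", "Service Info", etc.
        records.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "version": m.group("version") or "",
        })
    return records


def unexpected_open_ports(records: List[Dict[str, object]],
                          allowed: Set[int]) -> List[Dict[str, object]]:
    """Open ports that are not in the host's expected-exposure baseline."""
    return [r for r in records
            if r["state"] == "open" and r["port"] not in allowed]


if __name__ == "__main__":
    # Assumed baseline for the host: only SSH and the web ports are expected.
    baseline = {22, 80, 443}
    for rec in unexpected_open_ports(parse_nmap_normal(SAMPLE_NMAP_OUTPUT), baseline):
        print(f"unexpected: {rec['port']}/{rec['proto']} {rec['service']} {rec['version']}")
```

Run it against the real file (`nmap/initial` or `nmap/allports`) by reading the file into `parse_nmap_normal`; anything the diff reports is either an undocumented service or a gap in the baseline, and both are worth a ticket.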
Lots of stuff to look at here. Let's check out the web server first.
Couldn’t find any default creds. Let’s keep enumerating.
What’s on 10000?
Access (Elastix: LFI and RCE, exploitdb, elastix)
Searching exploitdb for 'elastix' we can see that there are a few vulnerabilities. Some require authentication, so let's try the LFI vulnerability using graph.php and current_language.
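The LFI here is a file-include parameter that accepts path traversal. From the defender's side the same request pattern is easy to spot in the web server's access log. The following is an added Python example, not code from the writeup or from Elastix: it parses Apache combined-format lines, pulls the query string of requests to graph.php, and flags any `current_language` value that contains traversal sequences, a null byte or an absolute path, after decoding it a second time so double-encoded variants are caught. The log lines are constructed, the `/graph.php` path and parameter name are taken from the text above, and the function can be pointed at every query parameter (`param=None`) rather than just this one.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (documentation IPs); not real traffic.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:00:07 +0000] "GET /graph.php?current_language=../../../../etc/passwd%00&module=Accounts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2024:10:01:13 +0000] "GET /graph.php?current_language=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.64"',
    '198.51.100.9 - - [10/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.64"',
]

# Apache combined format: client, identd, user, [time], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

TRAVERSAL_MARKERS = ("../", "..\\", "\x00")


def looks_like_traversal(value: str) -> bool:
    """True if a parameter value tries to escape the intended include directory."""
    decoded = unquote(value)  # parse_qs decoded once; this catches %25-encoded payloads
    if decoded.startswith("/"):
        return True
    return any(marker in decoded for marker in TRAVERSAL_MARKERS)


def detect_lfi(lines: List[str], script: str = "graph.php",
               param: Optional[str] = "current_language") -> List[Dict[str, str]]:
    """Return flagged requests to `script` whose include parameter looks like LFI.

    With param=None every query parameter of the request is checked.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        names = [param] if param else list(query)
        for name in names:
            for value in query.get(name, []):
                if looks_like_traversal(value):
                    hits.append({
                        "client": m.group("client"),
                        "time": m.group("time"),
                        "param": name,
                        "value": value,
                        "status": m.group("status"),
                    })
    return hits


if __name__ == "__main__":
    for hit in detect_lfi(SAMPLE_ACCESS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['param']}={hit['value']!r} -> {hit['status']}")
```

A 200 status on a flagged request is the line to escalate: the include succeeded. The proper fix is for the application to map the language parameter to a fixed allowlist of file names instead of building a path from it.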
Using the supplied exploit, we're given a config file.
Let’s try to log in to Elastix using those creds
Nice, it worked. Maybe one of those vulnerabilities that required some sort of auth will work now?
So this one requires an extension. Let’s check the PBX tab.
So, now that we have an extension, let’s sub in our details for extension, lhost and lport, fire up a listener on our machine and let her rip.
Privesc (Nmap interactive)
Now that we're on the box, let's see about privesc.
sudo -l
Nmap? Let's look at GTFOBins.
And we’re root! Let’s capture the flags
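The root cause of this privesc is a sudo rule that hands a user a binary with a built-in shell escape. As an added example (not code from the writeup), here is a Python audit of a sudoers file that reports rules granting `ALL` or any program from a short, illustrative list of GTFOBins-documented binaries, and notes when the rule is `NOPASSWD`. The sudoers fragment is constructed and the user names in it are made up; the binary list is deliberately incomplete and should be extended from GTFOBins for real use.

```python
import re
from os.path import basename
from typing import Dict, List

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell
# or read/write arbitrary files when run via sudo. Extend for real audits.
SHELL_ESCAPE_BINARIES = {
    "nmap", "vim", "vi", "find", "less", "more", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "tar",
}

# Constructed sudoers fragment; users and paths are made up for the example.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/nmap
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
web     ALL=(root) /usr/sbin/service apache2 restart
"""

# user host=(runas) [NOPASSWD:|PASSWD:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]+)\)\s+"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?(?P<commands>.+)$"
)


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Return one finding per sudo grant that offers a path to a root shell."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        for cmd in m.group("commands").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                reason = "unrestricted command set"
            else:
                prog = basename(cmd.split()[0])
                if prog not in SHELL_ESCAPE_BINARIES:
                    continue
                reason = f"{prog} can spawn a shell (see GTFOBins)"
            if m.group("tag") == "NOPASSWD":
                reason += ", no password required"
            findings.append({
                "user": m.group("user"),
                "runas": m.group("runas"),
                "command": cmd,
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

The nmap grant is the one this box turns on: a rule like that is equivalent to a passwordless root shell, and the fix is to remove it or replace it with a narrow wrapper script that takes no user-controlled arguments.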