Web
Nmap found a web server listening on port 443, and plain HTTP connections are redirected to HTTPS.
Webroot of port 443
It's the login page of Elastix.
Elastix is a unified communications server that brings together an IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes call-center features such as predictive dialing.
A PBX controls the telephone / voice network within a corporate network and connects it to the rest of the network.
Wappalyzer also identified the technologies involved: the site is written in PHP 5.1.6, a 2006 release that has been end-of-life for many years.
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ searchsploit elastix
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilitie | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py
------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
Elastix has plenty of published vulnerabilities, but the version running here has NOT been confirmed yet, so none of these entries can be matched to the target until it is.
Fuzzing
Because ffuf could not negotiate a connection with this web server's unusual TLS configuration, I fell back to wfuzz.
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u https://beep.localdomain/FUZZ --hc 404
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://10.10.10.7/FUZZ
Total requests: 35325
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 34 L 111 W 1785 Ch "index.php"
000000010: 200 34 L 111 W 1785 Ch "register.php"
000000064: 200 34 L 111 W 1785 Ch "config.php"
000000102: 200 0 L 37 W 868 Ch "favicon.ico"
000000237: 200 2 L 4 W 28 Ch "robots.txt"
Total time: 0
Processed Requests: 35325
Filtered Requests: 35307
Requests/sec.: 0
wfuzz returned a few interesting files, but index.php, register.php and config.php all have exactly the same response size (34 lines, 111 words, 1785 characters): they all land on the same login page that demands authentication. On a rerun, wfuzz's --hh 1785 would hide these duplicates.
But there is a /robots.txt.
/robots.txt
It disallows crawling of the entire web root, so it reveals no hidden paths.
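The "same size, different path" pattern above is worth catching automatically rather than by eye. The following is an added example (not code from the original write-up or from wfuzz) that parses wfuzz's result lines, groups hits by their (status, lines, words, chars) fingerprint, and emits the --hh flags that would hide the duplicated responses on a rerun. The sample input is the five hits from the run above, retyped by hand; column spacing is not significant.

```python
import re
from collections import defaultdict

# Constructed sample input: the five hits from the wfuzz file run above, retyped
# (column spacing is not significant; the parser collapses whitespace).
SAMPLE_WFUZZ_OUTPUT = """\
000000001:   200        34 L      111 W      1785 Ch     "index.php"
000000010:   200        34 L      111 W      1785 Ch     "register.php"
000000064:   200        34 L      111 W      1785 Ch     "config.php"
000000102:   200        0 L       37 W       868 Ch      "favicon.ico"
000000237:   200        2 L       4 W        28 Ch       "robots.txt"
"""

# One wfuzz result line: ID, status, lines, words, chars, quoted payload.
HIT_RE = re.compile(
    r'^\s*(?P<id>\d+):\s+(?P<code>\d{3})\s+(?P<lines>\d+)\s+L\s+'
    r'(?P<words>\d+)\s+W\s+(?P<chars>\d+)\s+Ch\s+"(?P<payload>[^"]*)"'
)


def parse_hits(text):
    """Turn wfuzz's text output into a list of dicts; banner and summary lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if not m:
            continue
        hits.append({
            "code": int(m["code"]),
            "lines": int(m["lines"]),
            "words": int(m["words"]),
            "chars": int(m["chars"]),
            "payload": m["payload"],
        })
    return hits


def group_by_fingerprint(hits):
    """Group payloads by (status, lines, words, chars). Identical tuples almost always mean
    the server sent the same page regardless of path (login target, soft 404, WAF block)."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["code"], h["lines"], h["words"], h["chars"])].append(h["payload"])
    return dict(groups)


def suspected_duplicates(hits, min_members=2):
    """Fingerprints shared by at least min_members payloads."""
    return {fp: members for fp, members in group_by_fingerprint(hits).items()
            if len(members) >= min_members}


def wfuzz_hide_flags(duplicates):
    """wfuzz filter flags (--hh hides by character count) that would drop the duplicated
    responses on a rerun, so only genuinely different pages remain."""
    return sorted(f"--hh {fp[3]}" for fp in duplicates)


if __name__ == "__main__":
    dupes = suspected_duplicates(parse_hits(SAMPLE_WFUZZ_OUTPUT))
    for fp, members in dupes.items():
        print(f"status {fp[0]}, {fp[3]} chars: {', '.join(members)}")
    print("rerun with:", " ".join(wfuzz_hide_flags(dupes)))
```

Filtering on the full tuple rather than on size alone avoids hiding two different pages that merely happen to share a character count; in practice the chars value is the one wfuzz lets you filter on, which is why the flags are built from it.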
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -u https://beep.localdomain/FUZZ/ --hc 404
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://10.10.10.7/FUZZ/
Total requests: 62284
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000024: 200 26 L 189 W 3172 Ch "themes"
000000001: 403 10 L 30 W 286 Ch "cgi-bin"
000000003: 302 0 L 0 W 0 Ch "admin"
000000005: 200 78 L 761 W 13132 Ch "modules"
000000002: 200 165 L 1549 W 29898 Ch "images"
000000062: 200 9 L 24 W 346 Ch "help"
000000108: 200 16 L 79 W 1236 Ch "var"
000000090: 403 10 L 30 W 284 Ch "error"
000000129: 200 64 L 165 W 2411 Ch "mail"
000000173: 200 36 L 256 W 4788 Ch "lang"
000000157: 200 16 L 73 W 1276 Ch "static"
000000220: 200 48 L 395 W 7798 Ch "libs"
000000328: 200 27 L 74 W 1065 Ch "panel"
000000386: 200 176 L 1665 W 31006 Ch "icons"
000000836: 200 16 L 73 W 1282 Ch "configs"
000001109: 403 10 L 30 W 286 Ch "mailman"
000001437: 200 13 L 46 W 698 Ch "pipermail"
000006171: 200 156 L 353 W 5194 Ch "recordings"
000008571: 200 162 L 569 W 6499 Ch "vtigercrm"
/usr/local/lib/python3.10/dist-packages/wfuzz/wfuzz.py:77: UserWarning:Fatal exception: Pycurl error 3:
Total time: 552.5517
Processed Requests: 62272
Filtered Requests: 62250
Requests/sec.: 112.6989
wfuzz found a lot of directories; going through the notable ones:
/admin/
Heading over to /admin/, I was redirected to /admin/config.php and prompted for HTTP Basic Authentication.
Attempts to log in with some weak and default credentials all failed.
But something strange happens when the Cancel button is clicked on the prompt.
I certainly wasn't authenticated, yet the browser rendered the content of /admin/config.php, which contains the version information. Cancelling the prompt simply makes the browser display the body of the 401 response: the server had already executed config.php and put the version string into that body, so the same information is available to any unauthenticated request.
FreePBX 2.8.1.4
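The browser's Cancel trick is easy to reproduce without a browser, because the leaked page is just the body of the 401 response. The following is an added example (not code from the original write-up, FreePBX or Elastix) that fetches a URL with no credentials, keeps the body even when urllib raises on the 401, and scans it for a product/version string. The target URL and hostname come from the page above; the TLS context deliberately disables verification and allows legacy TLS for a lab box with a self-signed certificate, and the sample body used for offline testing is constructed, not the real page markup.

```python
import re
import ssl
import urllib.request
from urllib.error import HTTPError

# Product name followed, within a short gap that cannot cross a tag, by a dotted version.
VERSION_RE = re.compile(
    r'\b(FreePBX|Elastix)\b[^0-9<\n]{0,40}?(\d+(?:\.\d+)+)', re.IGNORECASE)


def extract_versions(body):
    """Return the distinct (product, version) pairs found in a response body, in order."""
    found = []
    for m in VERSION_RE.finditer(body):
        pair = (m.group(1), m.group(2))
        if pair not in found:
            found.append(pair)
    return found


def lab_tls_context():
    """TLS context for a lab host with a self-signed certificate and old TLS settings.
    Verification is disabled deliberately; never do this against a production target."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # allow legacy servers
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")     # OpenSSL-specific; lets TLS 1.0 negotiate
    except ssl.SSLError:
        pass                                       # not supported by this ssl build; carry on
    return ctx


def fetch_unauthenticated(url, timeout=10):
    """GET url with no credentials and return (status, body) even for a 401: urllib raises
    HTTPError on 4xx, but the exception object still carries the response body, which is
    exactly what the browser rendered after Cancel."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=lab_tls_context()) as r:
            return r.getcode(), r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def is_auth_leak(status, versions):
    """True when the server demanded credentials (401) yet still disclosed a version."""
    return status == 401 and len(versions) > 0


def check_url(url):
    status, body = fetch_unauthenticated(url)
    versions = extract_versions(body)
    return status, versions, is_auth_leak(status, versions)


# Constructed 401 body for offline testing. This is NOT the real page markup, only a
# stand-in containing the kind of version string the write-up says config.php rendered.
SAMPLE_401_BODY = (
    "<html><head><title>FreePBX administration</title></head>\n"
    "<body><div id='footer'>FreePBX 2.8.1.4 licensed under the GPL</div></body></html>\n"
)

if __name__ == "__main__":
    import sys
    # Default target taken from the write-up above (lab hostname).
    target = sys.argv[1] if len(sys.argv) > 1 else "https://beep.localdomain/admin/config.php"
    status, versions, leak = check_url(target)
    print(status, versions, "LEAK" if leak else "ok")
```

The interesting condition is status 401 together with a non-empty version list: a correct Basic-auth gate would send the 401 with an empty or static body, so any application content in it means the script behind the gate ran before the credential check was enforced.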
/themes/
/themes/ has directory indexing enabled.
/modules/
/modules/ has directory indexing enabled as well.
/var/
/var/backups/ was empty.
/mail/
Another web application is served at /mail/: it's Roundcube, a webmail application.
Attempts to log in with default/weak credentials failed here as well.
/recordings/
This appears to be the voicemail/recordings interface used by FreePBX.
I can see the version:
FreePBX 2.5
This is a bit strange, as the FreePBX version disclosed by /admin/config.php was 2.8.1.4.
I guess this module just happens to carry a different version string.
┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ searchsploit FreePBX 2
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
FreePBX 2.5.1 - SQL Injection | multiple/webapps/11186.txt
FreePBX 2.5.2 - '/admin/config.php?tech' Cross-Site Scripting | php/webapps/33442.txt
FreePBX 2.5.2 - Zap Channel Addition Description Parameter Cross-Site Scripting | php/webapps/33443.txt
FreePBX 2.5.x - Information Disclosure | multiple/webapps/11187.txt
FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting | multiple/webapps/11184.txt
FreePBX < 13.0.188 - Remote Command Execution (Metasploit) | php/remote/40434.rb
Freepbx < 2.11.1.5 - Remote Code Execution | php/webapps/41005.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
While FreePBX 2.5 has many known vulnerabilities, the Remote Code Execution entries stand out the most: according to their titles, both version strings seen so far (2.5 and 2.8.1.4) fall below 2.11.1.5 and 13.0.188, so the target is in the affected range.
This appears to be the most promising entry point.
I will continue enumerating the directories at the web root and get back to this once that is done.
/vtigercrm/
vtiger CRM is found at /vtigercrm/, running version 5.1.0.
┌──(kali㉿kali)-[~]
└─$ searchsploit vtiger crm 5.1.0
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
vTiger CRM 5.1.0 - Local File Inclusion | php/webapps/18770.txt
-------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
vtiger CRM 5.1.0 is affected by a Local File Inclusion (LFI) vulnerability (18770.txt).