My Communication Server :1


The Vulnhub description written by the author tells us to change the MAC address of the VM's network adapter to the value given there; otherwise the machine does not pick up an IP address.

Before going further, let's have a look at the description of the machine and make the required change:

[Screenshots: Vulnhub machine description and the VM network adapter's MAC address setting]

With that done I booted the machine and started enumeration with a host discovery scan, which gave me the machine's IP address. The next step was a port scan:

The scan showed a handful of services which, as the machine's name suggests, belong to a communication server: Asterisk exposes its built-in HTTP interface on port 8088 and the Asterisk Manager Interface on port 5038, and FreePBX sits behind the web server. None of the service versions turned out to be vulnerable on their own.

Next I moved to the web service to enumerate further. It serves the FreePBX login page:

[Screenshot: FreePBX 2.10.0 web interface]

The nmap report also flagged a robots.txt with two disallowed directories, as shown below:

[Screenshot: robots.txt on MY-COMMUNICATION-SERVER :1]

I downloaded the file listed there but could not open it, because it is a password-protected .7z archive. After 10-15 minutes of searching I found a Python script that extracts a crackable hash from the password of a .7z file (Reference).

Running the script gave me the hash, which I redirected into a file named hash.txt.

I used hashcat (7-Zip is mode 11600) to crack the hash and recover the password:

[Screenshot: hashcat result]

I extracted the archive straight away and found the credentials of an FTP user together with an IP address. The most interesting part is that the IP address the author put in the file is the IP of my own host machine.

[Screenshot: FTP credentials recovered from the archive]

The file hints that the server will send a backup to an FTP server running on the host machine at 192.168.56.1, using the user "armour" with password "armour" on the default port 21.

So I installed the library needed to run an FTP server from Python, then wrote a small script that runs a temporary FTP server, as shown below:

[Screenshot: Python FTP server script]

To have the backup land in the directory referenced in the script, I created a directory named ftp and changed its ownership with the following command.

Everything was now in place to receive the backup: running the script, the target uploaded the backup into the ftp directory.
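The walkthrough shows its FTP server only as a screenshot and does not name the library it used. The script below is an added example, not the author's code: it prepares the drop directory and writes a small server on top of the third-party pyftpdlib package (my choice, not necessarily the author's). The IP address and the armour/armour credentials come from the recovered file; the directory name ftp, the script name and the passive-port range are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the walkthrough's own script): a throwaway FTP drop box
# that accepts the backup the target pushes to 192.168.56.1:21 as armour/armour.
# The IP and credentials come from the file the author recovered; the directory
# and script names below are assumptions. Requires the third-party pyftpdlib
# package:  python3 -m pip install pyftpdlib
set -euo pipefail

# Create the drop directory and make sure the account running the server owns
# it, otherwise the target's STOR fails with a permission error.
prepare_ftp_root() {
    local root="$1"
    mkdir -p "$root"
    chmod 755 "$root"
    if [ ! -O "$root" ]; then
        sudo chown "$(id -un):$(id -gn)" "$root"
    fi
    printf '%s\n' "$root"
}

# Write the pyftpdlib server script. It takes root dir, user, password and
# port on the command line so nothing is hard-coded in the file.
write_ftp_server() {
    local script="$1"
    cat > "$script" <<'PY'
import sys

from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer


def main(root, user, password, port):
    authorizer = DummyAuthorizer()
    # "elradfmw": list, change dir, download, plus append/delete/rename/
    # mkdir/upload; the upload ("w") is what the backup job needs.
    authorizer.add_user(user, password, root, perm="elradfmw")
    handler = FTPHandler
    handler.authorizer = authorizer
    # Keep passive-mode data ports in a small, known range so a host firewall
    # can be opened for them (range is an assumption).
    handler.passive_ports = range(60000, 60010)
    server = FTPServer(("0.0.0.0", port), handler)
    server.serve_forever()


if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2], sys.argv[3], int(sys.argv[4]))
PY
    printf '%s\n' "$script"
}

# Prepare everything and listen on the privileged port 21 (hence sudo).
serve_backup_dropbox() {
    local root="${1:-$HOME/ftp}" script="${2:-$HOME/ftpserver.py}"
    prepare_ftp_root "$root" >/dev/null
    write_ftp_server "$script" >/dev/null
    sudo python3 "$script" "$root" armour armour 21
}

# Only start listening when explicitly asked, so the helpers above can also be
# sourced and reused:  DROPBOX_SERVE=1 bash ftp-dropbox.sh
if [ "${DROPBOX_SERVE:-0}" = 1 ]; then
    serve_backup_dropbox "$@"
fi
```

Two things to check before the target connects: pip installs pyftpdlib for your user only, so root's python3 (needed for port 21) may not find it; either install it system-wide or bind a high port and redirect 21 to it with an iptables nat rule. And if the backup job uses passive mode, the chosen data-port range has to be reachable from the VM network as well.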

The backup file looked like a tar archive, so I untarred it.

Inside the extracted directory I found a file named mysql-2.sql.gz, which is gzip-compressed, so I decompressed that as well. It contained the MySQL dump with a user name and a password in hashed form.

[Screenshot: MySQL dump with user name and password hash]

With a hash in hand, cracking it with hashcat is the obvious next step to recover the plaintext password:

[Screenshot: hashcat result]

These turned out to be the FreePBX administrator credentials. After logging in with them and looking around for a few minutes I found the module upload facility, so I searched the web for a ready-made module and found one (Reference).

I created a directory, copied the php-reverse-shell code into a file named install.php (after the necessary changes, i.e. pointing it at my listener), and created a second file named module.xml containing the code from the reference link.

Then I zipped the directory and uploaded it to the machine.

[Screenshot: FreePBX module upload facility]

After the upload succeeded I went on to install it, but first I started a listener on my side.

[Screenshots: module installation and module installed]

And yuppp!!!!

I got the shell, but not a tty, so I used the usual Python one-liner to spawn a tty shell.

[Screenshots: listener receiving the connection and the resulting shell]

The first thing I always check is the sudo permissions, if any: here a command named reboot was allowed to run as root.

I moved into the /tmp directory and created a file named reboot containing the command that would give me a root shell.

[Screenshot: shell command placed in the reboot file]

After that I made the file executable with chmod.

Then I changed the PATH variable to /tmp.

I started a listener on port 1111 and, at the same time, invoked the reboot file I had created in /tmp through sudo.

[Screenshots: sudo reboot being invoked and the root shell on the listener]

Got the root shell!

And the proof:

[Screenshot: root proof on MY-COMMUNICATION-SERVER :1]

Hope you Enjoyed reading it.

Corrections to be made if any, DM A-s4t0sh OR ashutoshsinghumath11082001@gmail.com .
