Beep
easy linux machine
As usual, let's start by scanning for open services using nmap.
If we browse to /admin it will prompt us for the admin password; if you don't have the password it will show this page:
I couldn't go any further, so I checked for Elastix exploits using searchsploit.
The one that seems to work is the LFI vulnerability.
Let's run the command searchsploit -x <PATH> to analyze the exploit.
Now let's visit the Exploit-DB URL to take a look at the exploit.
Let's visit this path:
Reviewing the source code of this page reveals the admin password.
We can use this password to log in to the Elastix login form.
Now let's disclose /etc/passwd.
Now SSH to the Beep box as the user root with the password we found in the amportal.conf page:
root : jEhdIekWmdjE
From the nmap scan we also found that port 10000 is open and running Webmin httpd, so let's visit it:
When we submit wrong credentials it reveals the session_login.cgi path.
CGI scripts that use the Bash shell to process user input were particularly susceptible to exploitation, and there was a famous exploit called Shellshock that abuses such CGI scripts to execute arbitrary code.
So let's test whether this CGI script is vulnerable to Shellshock.
Let's capture the login submission using Burp Suite and replace the User-Agent value with a Shellshock payload carrying a bash one-liner reverse shell.
Before sending this request we have to start listening on the port we specified in the payload; for me it was 443.
And now let's send the request using Burp.
And we get back a reverse shell.
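Both footholds on this box (the LFI used to read amportal.conf and /etc/passwd, and the Shellshock payload sent through the User-Agent header to session_login.cgi) leave a clear trace in the web server's access log. The script below is an added example, not part of the original walkthrough: it parses a few constructed Apache combined-format log lines (sample data, not captured from the box), URL-decodes the request target, and flags path-traversal strings and the `() {` function-definition marker that Shellshock relies on. The `/app/view.php` path, the timestamps and the client IP are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not taken from the box).
# Line 1: a path-traversal (LFI) attempt against a hypothetical PHP page parameter.
# Line 2: a normal request.
# Line 3: a Shellshock-style function definition in the User-Agent header aimed at a CGI script.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:12:00:00 +0000] "GET /app/view.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.2 - - [01/Jan/2024:12:01:00 +0000] "POST /session_login.cgi HTTP/1.1" 401 300 "-" "() { :; }; echo test"
"""

# Combined log format: host ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Traversal sequences or direct references to files an LFI is typically used to read.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/etc/passwd|/etc/shadow|amportal\.conf)', re.IGNORECASE)

# Shellshock marker: a Bash exported-function definition "() {" inside an HTTP header value.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of alert tags that apply to one parsed log entry."""
    alerts = []
    # Decode twice: double-encoded traversal (%252e%252e%252f) is a common filter bypass.
    target = unquote(unquote(entry["target"]))
    if TRAVERSAL_RE.search(target):
        alerts.append("lfi_traversal")
    # Shellshock payloads arrive in any header that the CGI layer exports as an env var;
    # User-Agent and Referer are the two this log format records.
    for header in ("agent", "referer"):
        if SHELLSHOCK_RE.search(entry[header]):
            alerts.append("shellshock_" + header)
    return alerts


def scan_log(text):
    """Return (host, method, target, alerts) for every line that raises at least one alert."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        alerts = classify(entry)
        if alerts:
            findings.append((entry["host"], entry["method"], entry["target"], alerts))
    return findings


if __name__ == "__main__":
    for host, method, target, alerts in scan_log(SAMPLE_LOG):
        print(f"{host} {method} {target} -> {', '.join(alerts)}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents. The Shellshock check only sees headers the log format records, so on a server with CGI enabled it is worth logging (or inspecting at the proxy) every client-supplied header, and the durable fix is patching bash and removing CGI handlers that are not needed rather than relying on the signature.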
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara