Machine Creator: ch4p
Let’s start with an Nmap scan of the server to see what ports are open.
The initial scan reveals 15 open ports. I like to start with the commonly exploitable ports and work out from there. SSH is typically not the target, so the first common port I see is 80 (HTTP). Let’s see what is running there.
It appears that port 80 automatically redirects to port 443 (HTTPS), which is running the Elastix PBX system.
A quick search on Exploit-DB reveals multiple exploits, so let’s try the Local File Inclusion (LFI) exploit.
The LFI exploit takes us to what looks like a configuration page. We can see a lot of users and passwords, so let’s see if we can build a password list out of this. I copied all the text from the config page into a text file, then ran a bash one-liner that reads the file and writes every unique word into a second word list. This step is not necessary, but I like to have a clear view of any hidden usernames or passwords.
cat list.txt | tr " " "\n" | sort | uniq > list2.txt
Looking at the list created, I see some lines that have “pass” in their name. Let’s see if any of those are subject to a password reuse attack on the server.
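To make the hunt for “pass” entries repeatable, here is an added Python example (not from the original writeup) that pulls password-looking key=value entries out of a config dump and flags any value that is shared by several keys, which is exactly the reuse risk that makes this box fall; the config text below is constructed, not the real Elastix output.

```python
import re
from collections import defaultdict

# Constructed sample resembling a PBX config dump (hypothetical keys/values).
SAMPLE_CONFIG = """\
[general]
AMPDBUSER=asteriskuser
AMPDBPASS=s3cr3t_example
ASTMANAGERPASS=s3cr3t_example
FOPPASSWORD=fop_example
DATABASE_PASS = s3cr3t_example
; a comment line that must be skipped
HOSTNAME=pbx.local
"""

# key=value lines whose key contains pass / pwd / secret (case-insensitive)
CRED_KEY = re.compile(
    r"^([A-Za-z0-9_.-]*(?:pass|pwd|secret)[A-Za-z0-9_.-]*)\s*=\s*(.+?)\s*$",
    re.IGNORECASE,
)


def extract_credentials(text):
    """Return (key, value) pairs for config lines that look like password fields."""
    creds = []
    for line in text.splitlines():
        stripped = line.strip()
        # skip blanks, section headers and comment lines
        if not stripped or stripped[0] in ";#[":
            continue
        m = CRED_KEY.match(stripped)
        if m:
            value = m.group(2).strip().strip("\"'")
            creds.append((m.group(1), value))
    return creds


def find_reused(creds):
    """Map every password value used by more than one key to the keys sharing it."""
    by_value = defaultdict(list)
    for key, value in creds:
        by_value[value].append(key)
    return {v: keys for v, keys in by_value.items() if len(keys) > 1}


def unique_words(text):
    """Python equivalent of the tr/sort/uniq pipeline used in the writeup."""
    return sorted(set(text.split()))


if __name__ == "__main__":
    found = extract_credentials(SAMPLE_CONFIG)
    for value, keys in find_reused(found).items():
        print(f"reused value {value!r} across {len(keys)} keys: {', '.join(keys)}")
```

Any value that shows up under several keys is the first one worth testing against SSH, and, from the defender's side, the first one worth rotating.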
After a couple of tries, I was able to SSH into this machine as root.
From here we can quickly grab the root.txt key.
Next, I was able to grab user.txt from the home folder of the user “franis”.