Machine IP- 10.10.10.7

Nmap
#nmap -p- -sCV -A -v 10.10.10.7
Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-08 12:27 EST
Nmap scan report for beep.localdomain (10.10.10.7)
Host is up (0.087s latency).
Not shown: 65519 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.3
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
746/tcp open status 1 (RPC #100024)
993/tcp open ssl/imap Cyrus imapd
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4190/tcp open sieve Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445/tcp open upnotifyp?
4559/tcp open hylafax HylaFAX 4.3.10
5038/tcp open asterisk Asterisk Call Manager 1.1
10000/tcp open http MiniServ 1.570 (Webmin httpd)
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com, localhost; OS: Unix
So here we are getting 15 open ports. Let's start our enumeration with port 80.

Found a redirection from HTTP to HTTPS, where we get the Elastix login page, and found an LFI vulnerability for it on Exploit-DB.

So let's see what that brings.

Here it brings back a file that contains some passwords, as we can see, so I copied it to a file, sorted it, and found a password:
cat amportal.conf | tr " " "\n" | sort | uniq > final.txt

AMPDBPASS=jEhdIekWmdjE
Then I just tried this password at every login and luckily found it to be the root SSH password.
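
The tr/sort/uniq pass above splits on spaces and leaves the repeated value to be spotted by eye. As an added example (not part of the original writeup), this shell function audits an amportal.conf-style file and flags any secret reused across several keys, the same reuse habit that made the database password work as the root SSH password here. The sample file is constructed, its values are placeholders, and every key name other than AMPDBPASS is an assumption.

```shell
#!/usr/bin/env bash
# Audit a KEY=VALUE config (amportal.conf style) for credential reuse.
# Reports which keys share a secret without printing the secret itself.

# Constructed sample: placeholder values; key names other than AMPDBPASS
# are assumptions about what such a file contains.
sample_conf() {
cat <<'EOF'
# comment lines and blank lines are ignored
AMPDBHOST=localhost
AMPDBUSER=exampleuser
AMPDBPASS=ExamplePass123
AMPMGRUSER=admin
AMPMGRPASS=ExamplePass123

#FOPPASSWORD=oldvalue
FOPPASSWORD=ExamplePass123
ARI_ADMIN_PASSWORD=DifferentPass456
EOF
}

# audit_reuse [FILE]  (reads stdin when FILE is omitted)
# Prints "N keys share one secret: KEY1,KEY2,..." for each reused value.
audit_reuse() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) next                     # not a KEY=VALUE line
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)              # keeps any "=" inside the value
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      # only credential-bearing keys, and never empty values
      if (toupper(key) !~ /PASS|SECRET|TOKEN/ || val == "") next
      if (count[val]++) keys[val] = keys[val] "," key
      else              keys[val] = key
    }
    END {
      for (v in count)
        if (count[v] > 1)
          printf "%d keys share one secret: %s\n", count[v], keys[v]
    }
  ' "${1:--}"
}

# Demo run on the constructed sample
sample_conf | audit_reuse
```

Any line this prints means a single disclosure of that file exposes every listed service at once; giving each service its own secret and keeping root SSH on key-based authentication limits a leaked config value to one account.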

………………………………….DONE…………………………………………….