GITBOOK-3880: change request with no subject merged in GitBook
parent
34c27bc4e1
commit
a9e2d3b784
|
@ -420,6 +420,34 @@ You could also even make Asterisk **execute a script that will leak the call** w
|
|||
exten => h,1,System(/tmp/leak_conv.sh &)
|
||||
```
|
||||
|
||||
### RCE
|
||||
|
||||
In Asterisk you somehow manage to be able to **add extension rules and reload them** (for example by compromising a vulnerable web manager server), it's possible to get RCE using the **`System`** command.
|
||||
|
||||
```scss
|
||||
same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)
|
||||
```
|
||||
|
||||
There is command called **`Shell`** that could be used **instead of `System`** to execute system commands if necessary.
|
||||
|
||||
{% hint style="warning" %}
|
||||
If the server is **disallowing the use of certain characters** in the **`System`** command (like in Elastix), check if the web server allows to **create files somehow inside the system** (like in Elastix or trixbox), and use it to **create a backdoor script** and then use **`System`** to **execute** that **script**.
|
||||
{% endhint %}
|
||||
|
||||
#### Interesting local files and permissions
|
||||
|
||||
* **`sip.conf`** -> Contains the password of SIP users.
|
||||
* If the **Asterisk server is running as root**, you could compromise root
|
||||
* **mysql root user** might **doesn't have any password**.
|
||||
* this could be used to create a new mysql user as backdoor
|
||||
* **`FreePBX`**
|
||||
* **`amportal.conf`** -> Contains the password of the web panel administrator (FreePBX)
|
||||
* **`FreePBX.conf`** -> Constains the password of the user FreePBXuser used to access the database
|
||||
* this could be used to create a new mysql user as backdoor
|
||||
* **`Elastix`**
|
||||
* **`Elastix.conf`** -> Contains several passwords in clear text like mysql root pass, IMAPd pass, web admin pass
|
||||
* **Several folders** will belong to the compromised asterisk user (if not running as root). This user can read the previous files and also controls the configuration, so he could make Asterisk to load other backdoored binaries when executed.
|
||||
|
||||
### RTP Injection
|
||||
|
||||
It's possible to insert a **`.wav`** in converstions using tools such as **`rtpinsertsound`** (`sudo apt install rtpinsertsound`) and **`rtpmixsound`** (`sudo apt install rtpmixsound`).
|
||||
|
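Review bot: The first sentence under "### RCE" has lost its conditional; "In Asterisk you somehow manage to be able to add extension rules and reload them (...), it's possible to get RCE" needs a leading "If" to parse. The example fence that follows is tagged `scss` although it holds an Asterisk dialplan line, so an untagged fence would avoid misleading highlighting. Smaller wording fixes in the added lines: "There is command called" should be "There is a command called", "might doesn't have any password" should be "might not have any password", and "Constains" should be "Contains". In the "Interesting local files and permissions" list, "If the Asterisk server is running as root, you could compromise root" is a condition rather than a file entry, so it would read better as its own sentence ahead of the list than as a bullet next to `sip.conf`.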
@ -437,6 +465,10 @@ There are several ways to try to achieve DoS in VoIP servers.
|
|||
* [**SIPsak**](https://github.com/nils-ohlmeier/sipsak): SIP swiss army knife. Can also be used to perform SIP attacks.
|
||||
* Fuzzers: [**protos-sip**](https://www.kali.org/tools/protos-sip/), [**voiper**](https://github.com/gremwell/voiper).
|
||||
|
||||
### OS Vulnerabilities
|
||||
|
||||
The easiest way to install a software such as Asterisk is to download an **OS distribution** that has it already installed, such as: **FreePBX, Elastix, Trixbox**... The problem with those is that once it's working sysadmins might **not update them again** and **vulnerabilities** are going to be discovered with time.
|
||||
|
||||
<details>
|
||||
|
||||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||||
|
|
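Review bot: The new "### OS Vulnerabilities" paragraph names the problem (prebuilt distributions such as FreePBX, Elastix and Trixbox that are never updated after installation) but stops there; one more sentence telling the reader to identify the distribution and its version and compare it against the vendor's published advisories would make the section usable as a checklist item. Wording: "install a software" should be "install software", and the trailing "..." after "Trixbox" can be dropped since "such as" already marks the list as open-ended.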