Lots of open ports = big attack surface. The quickest one we could check is the webpage via port 80.
Since we have no information about the credential it’s not practical to blindly brute force it.
Searching around, we could see that there are lots of exploits available for Elastix
Since I don’t know the exact Elastix version for this one, I could just try all these and see what sticks. The most straightforward here if the LFI exploit.
Just append the exploit on the URL
And you will see this
After viewing the page source to format this wall of text, we will see these credentials
Maybe we could use this credential for SSH connection
This is an issue with key exchange but you resolve this temporarily using this command:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 220.127.116.11
So admin is not working using the
AMPDBPASS/AMBMGRPASS. Maybe we could try root as username using the same password.
Finding the Flags
Now that we have root access, finding the flags is trivial.