Exploiting Beep with 2.10.0 / Elastix 2.2.0 - Remote Code Execution

I would like to start with a thanks to whom may solve this one for me.
So as my pen-testing studies goes from a machine to another i encountered Something that i found as very interesting ,
I was looking for another way to exploit FreePBX 2.8.1.4 (which is the version the Machine is currently running , and some how related to Elastix 2.2.0 Which i don`t completely understand how these two are combine to work
(Is FreePBX the OS? and Elastix is the web application?)

So i found this exploit that actually has a video proof of working

ippsec did the same with another exploit that matches the versions involved in here, and from reading the exploit itself , it seems legit.

So why when i try to apply this exploit to this machine (Beep) it fails?

![](upload://sLpZ2mV2sBS3tV8HtvyQZvjafgk.png)

Thanks
400,

Didn’t watch the video, but the error message in your screenshot states that urllib didn’t like the (potentially self-signed) TLS certificate. You might need to tell urllib to simply ignore the certificate: python ignore certificate validation urllib2 - Stack Overflow

@HomeSen said:
Didn’t watch the video, but the error message in your screenshot states that urllib didn’t like the (potentially self-signed) TLS certificate. You might need to tell urllib to simply ignore the certificate: python ignore certificate validation urllib2 - Stack Overflow

Dear HomeSen , thank you for your time ,
I don`t understand how can i tell python to ignore the TLS cert
Here is the full exploit code (i added .requests to the original code since it gave me an error without this)

i would really appreciate it if you could show me what you meant

Thanks again
400 :slight_smile:

All you need to do is add import ssl at the beginning of the script and extending the urlopen() call with an additional parameter:
urllib.request.urlopen(url, context=ssl._create_unverified_context())

it gives me the same error , even when i apply the addition you told me (adding a screen shot)


Strange. -Out of curiosity: Is the service even running on HTTPS?-
Sounds like the server is using an old SSL-/TLS-protocol version. Can you run sslscan against the server and post the output, please?

Thank you for the quick response!
There is the sslscan output


EDIT :
(as far as i can tell it works on HTTP (i checked in where the url is and it says “not secure” )

Can i contact you somehow by discord?
Thnaks
400 :slight_smile:

Well, it runs on HTTPS. The “not secure” is usually due to self-signed certificates.
The server seems to only allow old/insecure protocols, so you need to explicitly tell urllib to also use one of those old protocols:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
urllib.request.urlopen(url, context=ctx)
That way, urllib should use TLSv1.0 and also ignore the self-signed certificate.

Regarding Discord, you can reach me under: HomeSen#8275
But I can’t promise to be more responsive than here, due to work and kids :wink:

I am so thankful for all of your help!
The code finally got executed with no errors!
Unfortunately after nc -lvp 443 there was not any connection established

I am more happy that the code actually ran than the exploit itself didn`t work ( lol )

I will see you at the Discord
You are awesome!
Thank you!

Hope it’s OK to bump this old thread.

This exploit works with the updated code supplied by HomeSen. The issue is the extension.

After looking into the extensions with sipvicious_svwar and not really getting anything concrete, I decided to loop through some extensions to see if I could get a connection. I got a shell while connecting to extension 233.

Using the code in here you would just change the extension to 233.

rhost = “10.10.10.7”
lhost = “10.10.14.13”
lport = 443
extension = “233”


url = ‘https payload’
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


urllib.request.urlopen(url, context=ctx)

If the extension is not connecting, here is the code I used to find a connectable extension. I just looped through a bunch of extensions, looking for a connection.

https://github.com/dhowes47/HTB-Beep-Remote-Code-Execution/blob/main/find-con.py

Imgur

AttributeError: 'module' object has no attribute 'request'