80
(which redirects to 443
) and see a login page for Elastix:admin:admin
,admin:mypassword
,admin:palosanto
,etc), but we turn up empty. Our next step is looking for exploits. using searchsploit we find this exploit:2.2.0
version of Elastix there is an LFI vulnerability.GET
request, we can simply navigate to the url that it builds:CTRL+U
in firefox):admin:jEhdIekWmdjE
and we are able to log into the Elastix console. While there were also some authenticated RCE vulnerabilities in our searchsploit results, lets try the easiest option first and attempt to ssh to the box as root with the same password: