HackLab – VulnVoIP (“Harder” way in)

After finishing Vulnix I decided to take on VulnVoIP and try my hand with some phone system hacking! 🙂

The VM has some instructions on what to do other then get root:

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

NMAP

HackLab – VulnVoIP

So yes there is a REALLY easy way, and a harder way to do VulnVoIP. This is a quick and dirty write-up on the easy way…

root@kali:~# nmap -sU -p 5060 172.16.28.160

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-14 16:28 EST
Nmap scan report for 172.16.28.160
Host is up (0.00032s latency).
PORT     STATE         SERVICE
5060/udp open|filtered sip
MAC Address: 00:0C:29:D8:2E:59 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
root@kali:~#

After that scan as well as running svmap…

HackLab – Vulnix

So I was poking around VulnHub for a new VM to work on and I came across Vulnix…  Here is how I got root!

NMAP:

Enumerator:

Found ssh credentials.

Tried to login as User with the password “letmein”


We get access to user.

We also can see that this system is using rservices more specifically rlogin (We had a pretty good idea that this was the case with our original port scan showing port 513 being opened.)

Added wildcard + + to allow anybody to login with no password as user.

The opinions and thoughts on this blog are those of Overflow Security members, and do not reflect those of our members employers.