What I did

Followed Writeup


$ nmap -p- -T4
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-12 12:23 MST
Nmap scan report for
Host is up (0.062s latency).
Not shown: 65519 closed ports
22/tcp open sshtel
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
878/tcp open unknown
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
4190/tcp open sieve
4445/tcp open upnotifyp
4559/tcp open hylafax
5038/tcp open unknown
10000/tcp open snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 32.61 seconds


Navigating to {ip}:80 redirects to 443. Elastix is running

exploit-db https://www.exploit-db.com/exploits/37637

I took the URL in the script and ran it in my own browser window  because I couldn't get the perl script to run

Using this exploit prints some sort of script or config file is loaded

In the printout there are some passwords printed. I tried a few with root and was able to get root and user quickly

user: 934e03773fad477df0cbf669e55426c6