# VoIP
## Gaining Access
Nmap scan:
```
$ nmap -p- --min-rate 4000 192.168.152.156
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 15:06 +08
Nmap scan report for 192.168.152.156
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
```
### Initial Enumeration -> Digest Leak
Port 80 had a login page:
We didn't have any credentials, and weak credentials don't work, so we can move on first.
Port 8000 had another login page:
`admin:admin` worked for this one, and we were brought to a IP Phone instance, which matches the name of the box being Voice over IP:
Within the logs tab, we can see that there were some calls being logged:
Within the Configuration tab, there was some XML looking output. Here's it below:
```markup
Content-Length: 0
]]>
Content-Length: 0
]]>
Content-Type: application/sdp
Content-Length: [len]
v=0
o=user1 53655765 2353687637 IN IP[local_ip_type] [local_ip]
s=-
c=IN IP[media_ip_type] [media_ip]
t=0 0
m=audio [media_port] RTP/AVP 0
a=rtpmap:0 PCMU/8000
]]>
$connect
;tag=[pid]SIPpTag09[call_number]
To: [service] [peer_tag_param]
Call-ID: [call_id]
CSeq: 2 BYE
Contact: sip:sipp@[local_ip]:[local_port]
Max-Forwards: 70
Subject: Performance Test
Content-Length: 0
]]>
```
The only thing notable about this was teh protocl used, which was SIP/2.0. Since we know that SIP is being used, we can test for stuff on Hacktricks like SIPDigestLeak from the `sippts` repo:
{% embed url="" %}
{% embed url="" %}
Using this worked and we managed to get a hashed password:
```
$ python3 sipdigestleak.py -i 192.168.152.156
```
This hash cracks easily:
With this, we can login to port 80 as `adm_sip`.
### Audio File -> SSH Creds
We can view the CDR (Call Data Records) and find that one of them is raw, which allows us to download it:
This is a raw audio file, and we need to convert it using `sox`. We can find the exact configurations required in the Stream Rates tab on the left:
Then, we can convert this to a `wav` file:
```
$ sox -t raw -r 8000 -v 4 -c 1 -e mu-law 2138.raw out.wav
sox WARN sox: `out.wav' output clipped 6377 samples; decrease volume?
sox WARN sox: `2138.raw' balancing clipped 13425 samples; decrease volume?
```
Afterwards, we can listen to the audio file and it just plays this one line.
{% hint style="info" %}
Your password has been changed to Password1234 where the P is capital.
{% endhint %}
Interesting. We have a username, but not a password. This was the part I got stuck at for a long time. I tried some usernames like `voip`, `zoiper`, and `voiper` because those were popular softwares used with VoIP, and `voiper` worked:
## Privilege Escalation
This was simple:
```
voiper@VOIP:~$ sudo -l
[sudo] password for voiper:
Matching Defaults entries for voiper on VOIP:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User voiper may run the following commands on VOIP:
(ALL : ALL) ALL
```
Rooted!
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/proving-grounds-practice/linux/voip.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.