# GXP1165-Executive IP Phone:Broken Access & Weak credentials
# Exploit Title: GXP1165-Executive IP Phone:Broken Access & Weak credentials
# Date: 2023-09-07
# Exploit Author: ErickAlex
# Vendor Homepage: https://www.grandstream.com/
# Version: V1.0.5.26
# Tested on: Kali Linux
**Description**
Actually, the issue here is that I was able to log in as an admin with default creds. The other vulnerability here is the version (the version is not updated).
**NB:** Don't try this if you're not authorized by the company or organization, because it can take you to jail, dude. Also remember that you need to be in the same network as the organization, i.e. the internal network, before you can start snooping around and messing with stuff.
**PoC**
**ENUMERATION AND RECON**
As the hacker you always need to gather enough information. I started by scanning the whole internal network, and after that I started checking one IP address after another. One of the interesting IPs was this one, responsible for the VoIP phone.
Scanned with nmap:
21, open
80, open
and so on (I was interested in these ones first)
**EXPLOITATION**
I browsed to the desired IP address and it took me to the login page. The login page needs only the password, with no username section, mhmmmm, that sounds good for sure for any hacker. I tried the default password, i.e. admin (I tried this one because network devices normally come with default creds such as admin:admin). My guess was right for sure and I was able to log in.

Finally I logged in as an admin, mhmmmmmm. We can make any changes we want since we are admin, but that was not my aim; I didn't want to mess things around.

We're done with port 80, time for port 21, LOL. Okay, what came into my mind is that I might want to try to log in to telnet, let's see if it works or what.

I fired up my terminal and tried to connect to telnet. If you try to log in with anonymous login, it refuses the login.

I tried to log in with the admin password (admin) and I found myself in.

And if you try to run the command (ps_status), you can see a bunch of stuff running behind.

**NB:** Finally, you can find your way in, hacker.
**Lesson:** What I have learnt here is that most organizations think that once they have an internal network they are secured, so they leave other stuff with default creds, but that's not true. Default creds are something that should be ignored, man. Also, hacking into those computers from a distant place is possible and I could still do the same thing (i.e. pivoting). Keeping things up to date and using complex passwords should be something to be preached all the time.
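
The lesson above from the defender's side, as an added example that is not part of the original write-up: a Python script that reads nmap grepable (`-oG`) output from your own network and lists devices with open cleartext management ports, so their passwords and firmware can be reviewed. The sample scan data and addresses are constructed, and the port list in `CLEARTEXT_PORTS` is an assumed policy.

```python
import re

# Cleartext management services to flag (assumed policy for this example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed sample of `nmap -oG` (grepable) output; the addresses are made up.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 443/closed/tcp//https///
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.30 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s.*?Ports:\s+(.*)$")

def parse_open_ports(grepable_text):
    """Return {host: sorted list of open TCP ports} from nmap -oG text."""
    hosts = {}
    for line in grepable_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports_field = m.groups()
        # Drop any tab-separated fields that follow the Ports list.
        ports_field = ports_field.split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")  # port/state/protocol/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                hosts.setdefault(host, set()).add(int(fields[0]))
    return {h: sorted(p) for h, p in hosts.items()}

def cleartext_findings(grepable_text):
    """Return [(host, port, service)] for open cleartext management ports."""
    findings = []
    for host, ports in sorted(parse_open_ports(grepable_text).items()):
        for port in ports:
            if port in CLEARTEXT_PORTS:
                findings.append((host, port, CLEARTEXT_PORTS[port]))
    return findings

if __name__ == "__main__":
    for host, port, service in cleartext_findings(SAMPLE_SCAN):
        print(f"{host}: {service} on {port}/tcp is open; "
              "review its password and firmware version")
```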