How can I obtain domain administrator permissions through VOIP Intranet evaluation?

How can I obtain domain administrator permissions through VOIP Intranet evaluation?

Through the internal VOIP evaluation, we scanned port 5060 and port 5061 to find the IP phone that has been started. Then we found a range and started to connect to the web page with port 80 enabled for each phone.

Check the status message of the VOIP Phone. We found that the phone file was not updated, for example:

SEPDC ***** 90. cnf. xml. sgn

Tip: All VOIP phones download the latest configuration from the TFTP server of the Call Management Center.

Now we can find the call management TFTP server, which can be easily found from the phone settings menu.

Then we connect TFTP to call management and download the SEPDC ***** 90. cnf. xml. sgn file.

In the downloaded file, I found more files stored on the TFTP server, for example, SPDefault. cnf. xml.

Download the SPDefault. cnf. xml file from TFTP. We found that the LDAP server credential is connected to '*** mmunicatio.

Use the creden we found to successfully connect to the domain name control and enumerate all users on the domain name. These users can only request and provide information without RDP.

From all the enumerated users, we try to find all common accounts, such as mcafee ****** n and SQL-***** n. In SQL-*** n, the default credential is successfully entered.

Then we use netscan to find that all super administrators have logged on. Use SQL-*** n user RDP to the box. Fortunately, there is a box in which we use SQL-*** n to connect successfully.

Then follow these steps to RDP to the box, SQL-*** n Credential-> disable anti-virus software-> download Mimikatz-> all passwords in the activity file-> Find all super administrator creden- in the file-> PWNED

Then we use the super administrator creden。-> Add ***-voip user RDP to the domain name control to add the user to the Domain Name Administrator group. The game is over.