Beep HackTheBox WalkThrough

Beep HackTheBox WalkThrough

This is Beep HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted to Beep HTB box. Before starting let us know something about this box. It is a Linux box with IP address 10.10.10.7 and difficulty easy assigned by it’s maker.

This box is currently retired so you will need VIP subscription to access this box. Before starting, connect your PC with VPN and make sure your connectivity by pinging the IP 10.10.10.7. If you are getting connectivity problem then make sure beep machine in running on the lab. If all correct then it is time to start hacking.

As usual I started by scanning the box. Scanning give us an idea how we have to proceed further. Like, it helps in banner grabbing the services running over different ports and sometimes it helps in vulnerability scanning also. Nmap (a port scanner) gave the following result:-

Scanning

$ nmap -sC -sV -oN beep_scan 10.10.10.7

Port Scanning in Beep HackTheBox WalkThrough using nmap

Many numbers of ports are open. However, the port generally we have to focus on is 22, 25, 80, 111, 443, 3306, and 10000. SSH server is running on port 22, SMTP server on port 25, Apache2 web server on port 80 and it’s SSL version at port 443, POP3 on port 110 & it’s SSL version at port 995, rpcbind on port 111, IMAP on port 143 & it’s SSL version on port 993, mysql on port 3306, upnotifyp on port 4445 and Webmin server on port 10000 are running.

We have port 80 & 443 open. Ongoing to URL http://10.10.10.7 directed to https://10.10.10.7. Got a login page of Elastix software. Checked page source by CTRL+U for any version information of this software but could not find any information related to version.

elastix login panel of beep hackthebox machine

Just checked using $searchsploit for any public exploit of elastix. Lots are present but did not know which will work because at this time we did not know the installed version of this software.

$ searchsploit elastix

Searching for public exploit of elastix machine during Beep HackTheBox WalkThrough

XSS exploit is useless so tried remaining exploits and could easily confirmed that PHP Code Injection and Local File Inclusion exploits that is listed by searchsploit worked. Mirrored the exploit on my local machine using -m switch of Searchsploit so that I could see the content of the exploit and its usage details.

$ searchsploit -m exploits/php/webapps/37637.pl

Mirroring the LFI exploit from the exploit-db using searchsploit tool

According to this exploit the Elastix version 2.2.0 is vulnerable to LFI vulnerability. Let us confirm it using the PoC given in the exploit.

LFI PoC for beef hackthebox machine from the prewritten PoC

Followed the same steps as mentioned in the exploit and confirmed that the installed version of Elastix is vulnerable to LFI. This URL can confirm it.

View-source:https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
LFI PoC 2 for elastix during Beep HackTheBox WalkThrough

According to above configuration page amportal.conf we have many numbers of potential users and passwords. Added all of them in separate username and password file so that I could brute force using hydra for SSH login. As started brute forcing, I was blocked.

This is probably because there is some script, which prevents from brute forcing. Unfortunately, have to check each username and password manually for SSH login. According to passwd file obtained by LFI we have potential users root, mysql, asterisk, cyrus, spamfilter & fanis. And potential passwords amp109, amp111, jEhdIekWmdjE & passw0rd. So we have total of 24 combination.

LFI PoC 3 for elastix software during Beep HackTheBox WalkThrough

After three attempts got an SSH credential root: jEhdIekWmdjE. There may be other but did not tried because it is root user credential and root in Linux is GOD.

Getting Shell

$ ssh [email protected]

                  or

$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1 [email protected] # if you are getting key error. I have found it from a question posted on https://stackoverflow.com.

Login into beep htb machine using SSH

We have logged in successfully into beep and even with the root user privilege. Therefore, we do not have to escalate privilege to root.

Capture User Flag

$ cat /home/fanis/user.txt

Beef Hackthebox machine user flag

Capture Root Flag

$ cat root.txt

Beef hackthrbox machine root flag

This is how I rooted Beep HackTheBox machine. Learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box walkthrough. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to write us at [email protected].

Next retired machine walkthrough is Optimum.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/