Beep HackTheBox WalkThrough
This is the Beep HackTheBox machine walkthrough. In this writeup, I have demonstrated step by step how I rooted the Beep HTB box. Before starting, let us know something about this box. It is a Linux box with IP address 10.10.10.7 and difficulty easy, as assigned by its maker. This box is currently retired, so you will need a VIP subscription to access it. Before starting, connect your PC to the VPN and check your connectivity by pinging the IP 10.10.10.7. If you have a connectivity problem, make sure the Beep machine is running in the lab. If all is correct, it is time to start hacking.
As usual, I started by scanning the box. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it helps in vulnerability scanning as well.
Nmap (a port scanner) gave the following result:
$ nmap -sC -sV -oN beep_scan 10.10.10.7
Many ports are open. However, the ports we generally have to focus on are 22, 25, 80, 111, 443, 3306 and 10000.
SSH server is running on port 22,
SMTP server on port 25,
Apache2 web server on port 80 and its SSL version on port 443,
POP3 on port 110 and its SSL version on port 995,
rpcbind on port 111,
IMAP on port 143 and its SSL version on port 993,
MySQL on port 3306,
upnotifyp on port 4445 and
Webmin server on port 10000.
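To turn a scan like the one above into something a defender can act on, here is an added example (not part of the original writeup) that parses nmap's -oN "normal" output into a service inventory and reviews it for exposure: admin, database and RPC services that should never be reachable from every client that can reach the web front end, and cleartext mail protocols that have a TLS twin already listening. The sample scan text below is constructed from the port list in this walkthrough; the VERSION column holds placeholders, not real banners from the box.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap -oN ("normal") output covering the ports the
# walkthrough lists. The VERSION column is a placeholder, not real banners.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sC -sV -oN beep_scan 10.10.10.7
Nmap scan report for 10.10.10.7
Host is up (0.040s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        (constructed banner)
25/tcp    open  smtp       (constructed banner)
80/tcp    open  http       (constructed banner)
110/tcp   open  pop3       (constructed banner)
111/tcp   open  rpcbind
143/tcp   open  imap       (constructed banner)
443/tcp   open  ssl/https  (constructed banner)
993/tcp   open  ssl/imap   (constructed banner)
995/tcp   open  ssl/pop3   (constructed banner)
3306/tcp  open  mysql      (constructed banner)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ (Webmin httpd)
"""

# One port line: "<port>/<proto>  <state>  <service>  [version...]".
# The header line ("PORT STATE ...") does not match because it has no number.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text):
    """Return one Service per port line of nmap -oN output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        # nmap appends "?" to a service name it could not confirm; drop it.
        services.append(Service(int(m["port"]), m["proto"], m["state"],
                                m["service"].rstrip("?"),
                                (m["version"] or "").strip()))
    return services


# Services that belong on a management network, not the same exposure as the
# public web front end (hypothetical policy for this example).
RESTRICTED = {
    "ssh": "admin shell: restrict source IPs, keys only, no root password login",
    "mysql": "database: bind to localhost or firewall to application hosts",
    "rpcbind": "RPC portmapper: rarely needed externally",
    "upnotifyp": "unidentified service: identify the process and firewall it",
}


def review_exposure(services):
    """Map port -> remediation note for open services that should be restricted."""
    findings = {}
    for s in services:
        if s.state != "open":
            continue
        if s.service in RESTRICTED:
            findings[s.port] = RESTRICTED[s.service]
        elif s.port == 10000 or "webmin" in s.version.lower():
            findings[s.port] = "Webmin admin panel: restrict to management network"
    return findings


# Cleartext mail protocols and the TLS-wrapped service name nmap uses for them.
TLS_TWIN = {"pop3": "ssl/pop3", "imap": "ssl/imap"}


def cleartext_with_tls_twin(services):
    """Ports offering cleartext auth although the TLS variant is also open."""
    open_names = {s.service for s in services if s.state == "open"}
    return sorted(s.port for s in services
                  if s.state == "open" and s.service in TLS_TWIN
                  and TLS_TWIN[s.service] in open_names)


if __name__ == "__main__":
    inventory = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for port, note in sorted(review_exposure(inventory).items()):
        print(f"{port:>5}: {note}")
    print("cleartext with TLS twin:", cleartext_with_tls_twin(inventory))
```

The exposure review is intentionally a policy table rather than a vulnerability lookup: the scan alone does not tell you a service is exploitable, but it does tell you which listeners are reachable without a firewall rule justifying them.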
We have ports 80 and 443 open. Going to the URL http://10.10.10.7 redirected to https://10.10.10.7, which showed a login page for the Elastix software. Checked the page source with CTRL+U for any version information on this software but could not find any. Just checked using searchsploit for any public exploit of Elastix. Many are present, but I did not know which would work because at this time we did not know the installed version of this software.
$ searchsploit elastix
The XSS exploit is of no use here, so I tried the remaining exploits and could easily confirm that the PHP Code Injection and Local File Inclusion exploits listed by searchsploit worked. Mirrored the exploit to my local machine using the -m switch of searchsploit so that I could see the content of the exploit and its usage details.
$ searchsploit -m exploits/php/webapps/37637.pl
According to this exploit, Elastix 2.2.0 is vulnerable to an LFI vulnerability. Let us confirm it using the PoC given in the exploit. Followed the same steps as mentioned in the exploit and confirmed that the installed version of Elastix is vulnerable to LFI. This URL can confirm it.
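The LFI confirmed above is the classic case of a request parameter being joined into a filesystem path. As an added example (not the Elastix code and not part of the original writeup), the block below shows that vulnerable pattern next to a hardened form that normalises the path and refuses anything that leaves the template root, and then runs a detector over constructed Apache access-log lines that catches traversal attempts whether they are sent plain, percent-encoded with a trailing NUL, or double-encoded. TEMPLATE_ROOT, the parameter name page and the log lines are all assumptions made for the example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed application directory for the example (not an Elastix path).
TEMPLATE_ROOT = "/var/www/app/templates"


def include_unsafe(page):
    """Vulnerable pattern: the request parameter is joined straight into the
    path, so '../' sequences or an absolute path walk out of TEMPLATE_ROOT."""
    return os.path.join(TEMPLATE_ROOT, page)


def include_safe(page):
    """Hardened form: reject NUL bytes, normalise the candidate path and
    require it to remain inside TEMPLATE_ROOT after normalisation."""
    if "\x00" in page:
        raise ValueError("NUL byte in requested page")
    candidate = os.path.normpath(os.path.join(TEMPLATE_ROOT, page))
    if os.path.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        raise ValueError("requested page escapes the template root")
    return candidate


def is_safe_page(page):
    """True when include_safe() accepts the value, False when it rejects it."""
    try:
        include_safe(page)
        return True
    except ValueError:
        return False


# Constructed Apache access-log lines (combined format, trailing fields cut).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2020:10:15:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1403
10.0.0.9 - - [10/Mar/2020:10:15:09 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fhosts%00 HTTP/1.1" 200 220
10.0.0.9 - - [10/Mar/2020:10:15:12 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 500 0
"""

# Access-log prefix: client, ident, user, [timestamp], "method target proto", status
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3})"
)
# Traversal indicators, checked after percent-decoding: dot-dot followed by
# either slash, an embedded NUL byte, or a reference to /etc/.
TRAVERSAL = re.compile(r"\.\.[/\\]|\x00|/etc/", re.IGNORECASE)


def find_lfi_attempts(log_text):
    """Return (ip, param, decoded value, status) for each query parameter in
    the log that looks like a file-inclusion attempt."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes one layer; the extra unquote catches double encoding.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote(value)
                if TRAVERSAL.search(decoded):
                    hits.append((m["ip"], param, decoded, m["status"]))
    return hits


if __name__ == "__main__":
    for ip, param, value, status in find_lfi_attempts(SAMPLE_ACCESS_LOG):
        print(f"{ip} param={param} status={status} value={value!r}")
```

In the detector, a traversal request answered with status 200 is the one to escalate first: it indicates the include actually served a file outside the web root, which is exactly what the walkthrough relied on to read amportal.conf.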
According to the above configuration page, amportal.conf, we have many potential users and passwords. Added all of them to separate username and password files so that I could brute force the SSH login using hydra. As I started brute forcing, I was
This is probably because there is some script which prevents brute forcing. Unfortunately, I had to check each username and password manually for SSH login. According to the passwd file obtained by LFI, we have potential users
fanis. And potential passwords
passw0rd. So we have a total of 24 combinations.
After three attempts got an SSH credential
jEhdIekWmdjE. There may be others, but I did not try because it is the root user credential and
root in Linux is GOD.
$ ssh root@10.10.10.7
We have logged in successfully to Beep, and even with root user privileges. Therefore, we do not have to escalate privileges to root.
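The "script which prevents brute forcing" the author ran into, and the fact that the box accepted a root password over SSH at all, are both things a defender can check for directly. As an added example (not part of the original writeup), the block below implements a fail2ban-style sliding-window counter over constructed sshd auth-log lines, flags successful logins from a source that had already tripped the threshold, flags any root login by password, and checks an sshd_config fragment for the two settings that would have stopped the final step of this walkthrough. The log lines, hostname, IPs and config fragments are all constructed for the example; the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines: a burst of failures from one source,
# then a password login as root from that same source.
SAMPLE_AUTH_LOG = """\
Mar 10 10:20:01 beep sshd[2311]: Failed password for root from 10.0.0.9 port 50111 ssh2
Mar 10 10:20:02 beep sshd[2312]: Failed password for invalid user admin from 10.0.0.9 port 50112 ssh2
Mar 10 10:20:03 beep sshd[2313]: Failed password for root from 10.0.0.9 port 50113 ssh2
Mar 10 10:20:04 beep sshd[2314]: Failed password for fanis from 10.0.0.9 port 50114 ssh2
Mar 10 10:20:05 beep sshd[2315]: Failed password for root from 10.0.0.9 port 50115 ssh2
Mar 10 10:20:06 beep sshd[2316]: Failed password for root from 10.0.0.9 port 50116 ssh2
Mar 10 10:20:09 beep sshd[2320]: Accepted password for root from 10.0.0.9 port 50118 ssh2
Mar 10 10:35:40 beep sshd[2350]: Failed password for fanis from 10.0.0.30 port 50200 ssh2
Mar 10 11:00:00 beep sshd[2400]: Accepted publickey for fanis from 10.0.0.20 port 51000 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, result, method, user, ip) tuples; syslog timestamps
    carry no year, so strptime fills in 1900, which is fine for windowing."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map ip -> time it first reached `threshold` failures within `window`
    (the sliding-window logic a fail2ban jail applies before banning)."""
    recent = defaultdict(deque)
    tripped = {}
    for ts, result, _method, _user, ip in events:
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


def successes_after_trip(events, tripped):
    """Logins accepted from a source after it tripped the threshold: the
    signal that a guessing campaign succeeded rather than just being noisy."""
    return [(user, ip) for ts, result, _m, user, ip in events
            if result == "Accepted" and ip in tripped and ts >= tripped[ip]]


def risky_root_logins(events):
    """Password logins as root; sshd should refuse these (PermitRootLogin no)."""
    return [(ts, ip) for ts, result, method, user, ip in events
            if result == "Accepted" and method == "password" and user == "root"]


# Constructed sshd_config fragments: the weak setting beside the corrected one.
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"


def check_sshd_config(text):
    """Return a list of findings for the two settings this walkthrough hinges on.
    An absent directive is treated as the permissive value (assumption: older
    OpenSSH defaulted PermitRootLogin to yes)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip().lower()
    findings = []
    if settings.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use keys)")
    return findings


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    trips = brute_force_sources(evts)
    print("tripped:", {ip: t.strftime("%H:%M:%S") for ip, t in trips.items()})
    print("logins after trip:", successes_after_trip(evts, trips))
    print("root by password:", [(t.strftime("%H:%M:%S"), ip) for t, ip in risky_root_logins(evts)])
    print("weak config:", check_sshd_config(WEAK_SSHD_CONFIG))
```

Note that the author's manual attempts, at only 24 combinations, would never trip a five-failures-per-minute jail; the login that matters is caught by successes_after_trip only when the guessing was noisy, whereas risky_root_logins catches the accepted root password regardless of how many attempts preceded it. Credentials written in clear text into a config file that a web application can read, as amportal.conf was here, should be unique to that service and never shared with a root or SSH account.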
Capture User Flag
$ cat /home/fanis/user.txt
Capture Root Flag
$ cat root.txt
This is how I rooted the Beep HackTheBox machine. I learnt a lot from hunting this box. Hope you guys have also learnt something new from this box walkthrough. Thanks for reading this writeup. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
The next retired machine walkthrough is Optimum.