Beep | HTB | Write-up

Beep is a retired box on HackTheBox. It is mentioned in TJ_Null’s list of OSCP-like VMs.
It is perhaps one of the easiest boxes you will see on the platform. With that said, let us get started.
SCANNING :

A quick nmap scan reveals ports 22, 25, 80, 110, 111, 143, 443, 993, 995, 3306, 4445 and 10000 are open. That’s quite a lot =|
Let us do a service scan for version detection.

The service scan detects software versions for only some of the services: OpenSSH 4.3 (on port 22), Apache httpd 2.2.3 (on port 80), rpcbind version 2 (on port 111) and MiniServ 1.570 (on port 10000).
ENUMERATION :
Since HTTP has a large attack surface, let us go with that first.
When I open the IP in my browser, I am redirected to https://<IP>.

It seems Elastix is installed on the box.
EXPLOITATION :
After a Google search, I found that Elastix version 2.2.0 suffers from a local file inclusion (LFI) vulnerability, as it fails to sanitise user input properly. The vulnerable parameter is current_language, in the request: /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action.
With LFI, I can read sensitive files on the system.
Let us check if this version of Elastix is vulnerable to LFI.

It is indeed vulnerable.
Here, I have opened /etc/amportal.conf. This is the configuration file for Elastix. Most of the contents are useless, except for the part below:

Here, I can see the admin credentials for Elastix.
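From the defender's side, a request like the one above stands out in the web server's access log. The following is an added example (not part of the original write-up) that flags query parameters containing a traversal sequence or a null byte after decoding; the log lines are constructed samples and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit, unquote

# Request portion of an Apache common/combined access-log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # "../" or "..\"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so encoded forms are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return (ip, status, parameter, reasons) for each suspicious parameter."""
    m = REQUEST_RE.match(line)
    if not m:
        return []  # not a parsable request line
    findings = []
    query = urlsplit(m.group("uri")).query
    # Split on the raw separators first, then decode each value ourselves.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        reasons = []
        if TRAVERSAL_RE.search(value):
            reasons.append("path-traversal")
        if "\x00" in value:
            reasons.append("null-byte")
        if reasons:
            findings.append((m.group("ip"), int(m.group("status")), name, reasons))
    return findings

def scan(lines):
    return [finding for line in lines for finding in inspect_line(line)]

# Constructed sample lines: a normal request, the request shape from this
# write-up, and a harmless value with consecutive dots (must not be flagged).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /vtigercrm/index.php?module=Accounts&action=index HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 13542',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /vtigercrm/index.php?module=Documents&file=report..final.pdf HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, param, reasons in scan(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} reasons={','.join(reasons)}")
```

A flagged request that returned status 200 deserves priority in triage, since the server answered it rather than rejecting it.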
Since Elastix deals with network-related activities such as communication via video calls, live chats, etc., there is a high probability that it was installed by the root user of the system.
Since SSH is open, I can try to log in as root with the admin password.

And I am in!!
Since I am already root, I do not need privilege escalation.
Easy, isn't it? (Told ya so)
So, that was the Beep box from HackTheBox. Hope you liked it =)
Thank you for reading it. See you in the next one. Peace.