Hack The Box: Beep

What will you learn? Beep is a retired, easy-rated Linux machine. It has a large list of running services, which can make it confusing to pick an entry method. There are about 4 different ways to gain root access. The way I went about it was leveraging the Local File Inclusion (LFI) vulnerability for directory traversal, finding clear text passwords to test against accounts, and succeeding against the root user manually due to deprecated algorithms required by SSH.

Let’s begin enumerating the box:

We have a lot of services open: web ports, email servers, RPC (which may be fruitful), SQL, and other more ambiguous stuff. We are going to find the shortest path first and go towards the web exploitation.

The web page only offers a deprecated TLS version, so to visit it you will need to use this resource to set your Firefox browser to accept a minimum TLS version of 1.0: https://support.mozilla.org/en-US/questions/1101896 and then you can reach the following:

We notice the back end here is PHP and it’s an Apache web server. The target OS is CentOS. The version of Elastix is probably old, mentioning 2006-2024. Running a quick searchsploit query may show us some options for later. I did the same with GitHub to see potential vectors as well. I am seeing a lot of duplicative entries.

I started looking for potential default passwords for this website. I also started fuzzing in the background to find potential subdirectories; it would be wise to look for subdomains as well.

My directory busting yielded some results and I went to the /admin page that popped up. After I failed to authenticate and closed the popup window, it redirected me to a page that showed me awesome information. We see FreePBX 2.8.1.4 on the host IP.

I am going to attempt to use the LFI exploit listed earlier, the one mentioning graph in the name.

When we open this file and view the proof of concept, it mentions where the #LFI exploit is, and we see a path where we can start injecting terms like /etc/passwd to obtain a list of users.

Copying and pasting the path that is suggested here will give us a page that has many passwords on it. We should compile a list of passwords from that.

We can attempt to grab /etc/passwd now for a list of users, and we find a fanis user account. We can construct a list of users with /bin/bash or other shells that may be valid, as we’re attempting to spray / log in through SSH, which is open on the box.
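From the defending side, the traversal requests described above are visible in the web server's access log. The following is an added example, not part of the original write-up: a small Python scanner that normalises percent-encoding and flags query strings carrying traversal sequences or sensitive file paths, then lists the clients that were actually served a response. The log lines, paths and parameter names are constructed, and the watch list is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Assumed watch list of files a traversal usually reaches for; extend per host.
SENSITIVE = ("/etc/passwd", "/etc/shadow")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(line):
    """Return (client, status, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    query = fully_decode(urlsplit(target).query).replace("\\", "/")
    reasons = []
    if "../" in query:
        reasons.append("traversal")
    if any(path in query for path in SENSITIVE):
        reasons.append("sensitive-file")
    return (client, int(status), reasons) if reasons else None

def served_hits(lines):
    """Clients whose suspicious request got a 200: treat the file as disclosed."""
    hits = filter(None, map(inspect, lines))
    return sorted({client for client, status, _ in hits if status == 200})

# Constructed sample lines; the paths and parameter names are hypothetical.
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 1785 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/view.php?page=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"',
    '10.0.0.12 - - [01/Jan/2024:10:00:07 +0000] "GET /app/view.php?page=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 199 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=etc+passwd+format HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect(line))
    print("disclosed to:", served_hits(SAMPLE))
```

A flagged request that returned 200 means any credentials stored in the disclosed file should be treated as exposed and rotated.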

When we attempt the passwords against the SSH service, we’re able to succeed with jEhdIekWmdjE and become the root user, while supplying some deprecated algorithm settings to be able to connect to the target, as it’s a lot older.

There are other ways to complete this; this is just the way I went about it.
