Close
Writeup – HTB – Beep

Writeup – HTB – Beep

This box got me going for a little bit, until I remembered my basics and focused. Beep is a good box for demonstrating the most common vulnerability of all – users. With that said, let’s get to it! The initial AutoRecon scan shows a lot of open ports.

This is a box that requires patience!

As you can see, we have a lot to work with here. SSH, SMTP, HTTP (on Port 80, 443, and 10000), a POP3 Server, an IMAP Server, and numerous others (HylaFax anyone?).

With there not being a lot of common ports here, probably the best place to start is by looking at the HTTP ports. Port 80 has nothing, and quickly redirects over to Port 443. Port 10000 has a Webmin portal up, which may be accessible.

The best thing here is to slow down, get all of your services down, and RESEARCH! Look up vulnerabilties on each port related to the services, and if possible, the versions of the software (if you can find them). This is the only good way to stop you from going down rabbit holes.

Eventually, on the HTTPS server on port 443, you’ll see the Elastix login. Looking up vulnerabilities for this takes you to https://www.exploit-db.com/exploits/37637, which describes the ability to perform some local file inclusion. If you read through the comments, you can find the Proof of Concept here:

Trying this out by pasting it in our browser window works! You’ll be able to pull up a configuration file for the Asterisk Management Portal. Right-clicking and selecting View-Source will probably make it look a little better for you, like this:

Scrolling through here we can see a bunch of passwords, including some that are re-used. That is the key to this lesson – password re-use. Maybe one of these is re-used for other logins. We have some passwords, let’s use the LFI vulnerability to get our users list.

Modifying the LFI to browse to the /etc/passwd file works, and we can see the standard root user has logon, as well as the user on the bottom, fanis.

Trying both of these user names against our passwords from our configuration file over SSH quickly gains us access. I’ve included a screenshot of an error I’ve received trying to SSH in here as well as the fix, for future reference. This is because of the age of this box, but it still could be applicable in future pentesting.

Once here, it’s a trivial matter again to browse to the two flags. No extra privilege escalation needed!