
Hack The Box: Beep

Difficulty: Easy

Machine Creator: ch4p

Tools Used:
NMAP

Network Enumeration
Let’s start with an NMAP scan of the server to see what ports are open.


The initial scan reveals 15 open ports. I like to start with the common exploitable ports and work out from there. I know SSH typically is not the target exploit, so the first common exploit port that I see is 80 (HTTP). Let’s see what is running.


It appears that port 80 auto redirects to port 443 (HTTPS) and it is running an Elastix PBX system.


A quick search on Exploit-DB reveals there are multiple exploits, so let’s try the Local File Inclusion (LFI) exploit.


The LFI exploit takes us to what looks like a configuration page. We can see a lot of users and passwords, so let’s see if we can build a password list out of this. I copied all the text from the config page and put it into a text file. Then I ran a bash command to read the contents of the config file and put all the individual unique words into another word list. This step is not necessary, but I like to have a clear view of any hidden usernames or passwords.

cat list.txt | tr " " "\n" | sort | uniq > list2.txt

Looking at the list created, I see some lines that have “pass” in their name. Let’s see if any of those are subject to a password reuse attack on the server.


After a couple of tries, I was able to ssh into this machine as root.
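
From the defender's side, the weakness here is one secret shared between application settings and the root account. The following is an added example, not part of the original write-up: it audits a KEY=VALUE config file for password-like keys that share a value. The key names and values are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: report password-like settings that reuse one secret.

# find_reused_secrets [FILE...]   (reads stdin when no file is given)
# Prints "N keys share one value: KEY1,KEY2,..." for each reused secret.
# The secret itself is never printed, so the report is safe to log.
find_reused_secrets() {
  awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    index($0, "=") == 0 { next }              # skip lines without KEY=VALUE
    {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)                # keeps "=" inside values intact
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) !~ /pass|secret|pwd/) next   # password-like keys only
      if (val == "") next                     # ignore empty settings
      count[val]++
      keys[val] = (count[val] > 1) ? (keys[val] "," key) : key
    }
    END {
      for (v in count)
        if (count[v] > 1)
          printf "%d keys share one value: %s\n", count[v], keys[v]
    }
  ' "$@" | sort
}

# Constructed sample config (hypothetical key names and values).
sample_config() {
  cat <<'EOF'
# database and manager settings
DBUSER=appuser
DBPASS=Example-Pass-1
MGRUSER=admin
MGRPASS=Example-Pass-1
WEBADMIN_PASSWORD = Example-Pass-1
PANEL_PASSWD=Different-Pass-2
EOF
}

# Demo run on the constructed sample.
sample_config | find_reused_secrets
```

Any finding means a single disclosure of that file exposes every account or service behind the listed keys, so each should get its own secret, and none should match an OS account password.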


From here we can quickly grab the root.txt key.


Next, I was able to grab the user.txt from the user “franis” home folder.