HTB - Beep Writeup


Initial Enumeration

1. Nmap Scanning

Starting with a scan of the target IP address:

nmap -sC -sV -oA beep.nmap 10.10.10.7

The nmap scan shows multiple open ports. Let’s open up the web browser and investigate. We are redirected to an HTTPS website running Elastix.

In the meantime, we will run a gobuster scan to find any more directories:

2. Gobuster Scanning

gobuster dir -u https://10.10.10.7/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -k

Let’s load up searchsploit and take a quick look to see if there are any exploits available for Elastix.

Exploitation

3. LFI Exploit

We see multiple exploits; the most interesting one is the LFI and Remote Code Execution, so let’s give that one a shot.

EDB-ID:37637

Reading the exploit, we see the location of the LFI, which is the /vtigercrm directory. That lines up with what we see in our gobuster results too.

So let’s copy it into the browser and see the result…

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

We get content back, but it isn’t rendered, so we can simply view the page source instead.

The file contains several FreePBX usernames and passwords, and we can log in to FreePBX using the admin account.
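From the defender’s side, the request above leaves a very recognisable trace in the web server access log. The following is an added example, not part of the original writeup: it parses constructed Apache combined-format log lines, URL-decodes each request target, and flags traversal sequences, null bytes and references to /etc/ in query parameters. The log lines and function names are my own.

```python
import re
from urllib.parse import unquote, parse_qsl

# Constructed sample access-log lines (not real traffic). Line 1 mirrors the
# vtigercrm graph.php request pattern; line 4 is a URL-encoded variant.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2020:12:00:01 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Mar/2020:12:00:02 +0000] "GET /admin/config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Mar/2020:12:00:03 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Mar/2020:12:00:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 900 "-" "curl/7.68"
"""

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def lfi_indicators(target: str) -> list[str]:
    """Return the LFI indicators present in one request target (path + query)."""
    # Decode twice so double-encoded traversal (%252e%252e%252f) is caught too.
    decoded = unquote(unquote(target))
    found = []
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")
    if "\x00" in decoded:          # %00 null-byte truncation of the appended extension
        found.append("null-byte")
    _, _, query = decoded.partition("?")
    for _, value in parse_qsl(query, keep_blank_values=True):
        if "/etc/" in value:       # parameter pointing at a system config file
            found.append("etc-path")
            break
    return found


def scan_access_log(text: str) -> list[dict]:
    """Parse log lines and return one record per request carrying LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = lfi_indicators(m["target"])
        if indicators:
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": m["target"].split("?", 1)[0],
                "indicators": indicators,
            })
    return hits
```

A 200 status on a flagged request is the case worth escalating, since it means the include most likely succeeded rather than being rejected.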

4. Flag Capture

As noted in the nmap scan, port 22 is open so let’s test the admin account out there.

Using the AMPDBPASS value for the admin account doesn’t seem to work for SSH, but what if the password is reused for root? After trying it as root, we see the password works! Password reuse is a common vulnerability on other boxes as well.

Let’s grab the user flag, which is located in the home folder of the user “fanis” as user.txt.

The root flag is located