HackTheBox – Walkthrough of BEEP BOX

Beep box has a very large list of running services, which can be challenging to find the correct exploit method. The beep box may be a little difficult for some as there are a number of potential attack vectors.

We will use the following tools to pawn the box on a Kali Linux box

  • NMAP
  • Dirbuster
  • Searchsploit
  • Metasploit

Step 1 – Scanning the network

As an initial step, before the machine is exploited, it needs to be scanned and investigated.

This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract maximum informatio.

Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.

Use the following command to get a basic idea of what we are scanning

nmap -sV -sC -A

-sV: Probe open ports to determine service/version info

-sC: Default script sets

-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute IP address of the Beep box

We can see that there are 12 open ports:

Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding.

Port 25. Simple Mail Transfer Protocol (SMTP) used for email routing between mail servers.

Port 80. Hypertext Transfer Protocol (HTTP). Here it’s an Apache httpd 2.2.3.

Port 110. Post Office Protocol, version 3 (POP3).

Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC).

Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server.

Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS).

Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS).

Port 995. Post Office Protocol 3 over TLS/SSL (POP3S).

Port 3306. MySQL database system.

Port 4445. I2P HTTP/S proxy.

Port 10000. Webmin, Web-based Unix/Linux system administration tool (default port).

Nmap finds quite a long list of services. The target will be Apache, on port 80.

Step 2 – Enumeration of Directories.

I now use DirBuster. DirBuster is a multi-threaded java application designed to brute force directories and files names on web/application servers.  

You can launch DirBuster by typing this command on the terminal


Specify the target URL as in the application

I use the directory-list-2.3-medium.txt for this search.

DirBuster finds a huge list of directories with several content management systems and open source applications. There are several vulnerabilities that can lead to shell amongst the results.

Step 3 – Visiting the URL.

Let’s try port 80 and visit

Adding it to the security exception we can visit the address. Elastix login portal opens. Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a Web interface and includes capabilities such as a call center software with predictive dialing.

An IP PBX (“Internet Protocol private branch exchange”) is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business.

Searchsploit, command line tool is used to check the vulnerabilities in Elastix.

The following command is used to get the exploit:

cat user/share/exploitdb/exploits/php/webapps/37937.pl

The LFI exploit is as under:


An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS).

Step 4 – Trying the Elastix LFI exploit

Let’s navigate to the exploit.

We use the source file to comprehend the contents properly.

Now, we find some usernames and passwords and try to SSH into the network using one of these.

We find that other usernames do not work so we try root to SSH with the following command.

ssh root@

Try the password jEhdIekWmdjE and Yep! Got an SSH session.

Step 5 – Looking for the root.txt flag

Following command is used to know our location on the machine.


We are in the root, and by following command


We find the root.txt file.

To read the content of the file the following command is used.

cat root.txt

Step 6 – Looking for the user.txt flag

Now look for flag user.txt

Go to the home directory.

cd home

We found the user.txt file in home>fanis .To read the content of the file following command is used.

type user.txt

Congrats! We found both flags! 😀

Share the Post...

About Cybervie

Cybervie provides best cyber security training program in hyderabad, India.This cyber security course enables you to detect vulnerablities of a system, wardoff attacks and manage emergency situations. Taking a proactive approach to security that can help organisations to protect their data, Cybervie has designed its training module based on the cyber security industry requirements with three levels of training in both offensive and defensive manner, and use real time scenarios which can help our students to understand the market up-to its standard certification which is an add on advantage for our students to stand out of competition in an cyber security interview.

More Info – Click Here

Recent Posts

Follow Us on Youtube

Cyber Security Training Program 2020

Cyber security Course offered by Cybervie prepares students for a path of success in a highly demanding and rapidly growing field of cyber security. The course is completely designed with an adaptable mindset, where the program allows the student to complete the course work at their own pace while being able to complete weekly assignments. Hence, also making it convenient for busy working professionals to pursue the training to help them advance their career in cyber security.

Cybervie has designed the training module based on the cyber security industry requirements in both offensive and defensive manner, using real time scenarios which help our students to understand the market standards.

Sign up for our Newsletter

Interested in Cyber Security Training Program 2020 – Click Here

Open chat
Hello 👋
How can we help you?