Hey everyone! We’re back with another HackTheBox machine, “Beep”. Before we get started, let’s look at the machine’s info.
It’s rated easy and runs Linux, so let’s get started…
Port and Service Enumeration
First we use nmap to find the open ports, the services running on them, the OS version and whatever else it can tell us:
> nmap -A -T4 -oG beep.gnmap 10.10.10.7
-A: service detection, OS detection and default script scan. -T4: timing template 4 (aggressive), which speeds up the scan. -oG: write greppable output to beep.gnmap, which we can later feed to brutespray to brute-force credentials.
The result is
Nmap scan report for 10.10.10.7
Host is up (0.20s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: STLS AUTH-RESP-CODE LOGIN-DELAY(0) IMPLEMENTATION(Cyrus POP3 server v2) USER UIDL RESP-CODES APOP TOP PIPELINING EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: UIDPLUS ANNOTATEMORE ACL IDLE OK THREAD=ORDEREDSUBJECT CATENATE LISTEXT LITERAL+ X-NETSCAPE ATOMIC CONDSTORE LIST-SUBSCRIBED URLAUTHA0001 ID MAILBOX-REFERRALS THREAD=REFERENCES IMAP4 IMAP4rev1 NAMESPACE NO SORT=MODSEQ UNSELECT STARTTLS SORT RENAME RIGHTS=kxte BINARY QUOTA MULTIAPPEND Completed CHILDREN
443/tcp open ssl/https?
|_ssl-date: 2020-12-08T14:07:56+00:00; +3h02m01s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 3h02m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
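Since the scan was saved with -oG for later tooling, here is an added example (not part of the original writeup) of parsing that greppable format ourselves. The sample text below is constructed from the scan result above in -oG layout; it is not the real beep.gnmap file. The parser also lists open ports for which -A produced no version string, which are exactly the ones worth noting for manual review.

```python
import re
from typing import Dict, List

# Constructed nmap -oG (greppable) output built from the scan result above; this is
# not the real beep.gnmap file, just the same ports and versions in -oG layout.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/ and a "/" inside
# a service name is written by nmap as "|" (e.g. ssl|https).
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample) as: nmap -A -T4 -oG beep.gnmap 10.10.10.7\n"
    "Host: 10.10.10.7 ()\tStatus: Up\n"
    "Host: 10.10.10.7 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, "
    "110/open/tcp//pop3//Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4/, "
    "111/open/tcp//rpcbind//2 (RPC #100000)/, "
    "143/open/tcp//imap//Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4/, "
    "443/open/tcp//ssl|https?///, "
    "993/open/tcp//ssl|imap//Cyrus imapd/, "
    "995/open/tcp//pop3//Cyrus pop3d/, "
    "3306/open/tcp//mysql//MySQL (unauthorized)/, "
    "4445/open/tcp//upnotifyp?///, "
    "10000/open/tcp//http//MiniServ 1.570 (Webmin httpd)/"
    "\tIgnored State: closed (988)\n"
    "# Nmap done (constructed sample)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"\tPorts:\s*(.*?)(?:\t|$)")
ENTRY_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Map each host IP to the port records parsed from its Ports: field."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        hm = HOST_RE.match(line)
        if not hm:
            continue  # comment and blank lines
        ip = hm.group(1)
        records = hosts.setdefault(ip, [])
        pm = PORTS_RE.search(line)
        if not pm:
            continue  # "Status: Up" lines carry no port list
        for em in ENTRY_RE.finditer(pm.group(1)):
            port, state, proto, _owner, service, _rpc, version = em.groups()
            records.append({
                "port": int(port),
                "state": state,
                "proto": proto,
                "service": service.replace("|", "/"),  # undo nmap's "/" escaping
                "version": version,
            })
    return hosts


def open_ports(hosts: Dict[str, List[dict]], ip: str) -> List[int]:
    """Sorted list of open ports for one host."""
    return sorted(r["port"] for r in hosts.get(ip, []) if r["state"] == "open")


def unfingerprinted(hosts: Dict[str, List[dict]], ip: str) -> List[int]:
    """Open ports where -A produced no version string: these need a manual look."""
    return sorted(
        r["port"] for r in hosts.get(ip, [])
        if r["state"] == "open" and not r["version"]
    )


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, records in parsed.items():
        print(host, "open:", open_ports(parsed, host))
        print(host, "no version string:", unfingerprinted(parsed, host))
        for r in records:
            print(f"  {r['port']}/{r['proto']} {r['service']} {r['version']}")
```

On the constructed sample the two ports without a version string are 443 and 4445, matching the "ssl/https?" and "upnotifyp?" guesses in the human-readable output above.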
Now we have several open ports, which gives us more than one possible entry point into this machine. We’ll work on just one of them, so take notes on this output and let’s continue…
Website Enumeration
Opening http://10.10.10.7 redirects us to https://10.10.10.7, where we land on a login portal, as you can see here:
Let’s try to find an entry point here, such as a CMS that may be vulnerable. Let’s take a look at the page source.
Now we have two keywords to search for exploits against: elastix and palosanto. Searching for palosanto I didn’t find anything, so let’s search for elastix using searchsploit:
As you can see, there are multiple exploits, but we’ll work on the easiest one, the “LFI”, and see where it leads us. Open the link and you’ll find the exploit code, like this:
Now we have the full LFI link. After accessing it,
we have usernames and passwords, but they’re hard to read, so open the page source and search for “password”. You’ll find this password; keep it, as we’ll need it.
For now, we have the username root and the password we found above.
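From the defender’s side, the LFI request above lands in the Apache access log, where it is easy to spot. The following is an added example (not from the writeup) that runs simple traversal detection over constructed combined-format log lines. The probes in the sample are generic LFI patterns, not the Elastix exploit URL used above; the decoding handles URL-encoded and double-encoded traversal and the trailing null byte such exploits often use.

```python
import re
from typing import List
from urllib.parse import unquote

# Constructed Apache combined-log lines (not taken from the box). Lines 2, 3 and 5
# are generic LFI probes; lines 1 and 4 are ordinary traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Dec/2020:14:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Dec/2020:14:10:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "curl/7.74.0"
10.10.14.5 - - [08/Dec/2020:14:10:09 +0000] "GET /view.php?file=..%2f..%2f..%2fetc%2fshadow%00 HTTP/1.1" 403 310 "-" "curl/7.74.0"
10.10.14.5 - - [08/Dec/2020:14:10:12 +0000] "GET /images/logo.png HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.10.14.5 - - [08/Dec/2020:14:10:15 +0000] "GET /admin/config.php?lang=....//....//etc/hosts HTTP/1.1" 200 150 "-" "python-requests/2.25"
"""

# client, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r"\.\./")
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow|hosts)|/proc/self/", re.IGNORECASE)


def normalize(uri: str) -> str:
    """Decode twice (catches %252e double encoding) and fold backslashes to slashes."""
    return unquote(unquote(uri)).replace("\\", "/")


def classify(uri: str) -> List[str]:
    """Return the reasons a request URI looks like an LFI / traversal attempt."""
    n = normalize(uri)
    reasons: List[str] = []
    if TRAVERSAL_RE.search(n):
        reasons.append("path traversal")
    if "\x00" in n:  # %00 decodes to a NUL byte, used to truncate appended suffixes
        reasons.append("null byte")
    if SENSITIVE_RE.search(n):
        reasons.append("sensitive file path")
    return reasons


def scan_access_log(text: str) -> List[dict]:
    """Flag suspicious requests; a 200 response to a traversal probe is rated high."""
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip
        src, ts, method, uri, status = m.groups()
        reasons = classify(uri)
        if reasons:
            findings.append({
                "line": lineno,
                "src": src,
                "time": ts,
                "method": method,
                "uri": uri,
                "status": int(status),
                "reasons": reasons,
                "severity": "high" if status == "200" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['src']} {f['method']} {f['uri']} "
              f"-> {f['status']} ({', '.join(f['reasons'])})")
```

The severity rule is deliberately simple: a traversal that the server answered with 200 means the file was most likely served, which is the case to triage first; a 403 or 404 still tells you someone is probing.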
If you remember from the nmap scan, SSH is open on port 22, so we’ll try to log in to the server with the credentials we have:
ssh root@10.10.10.7 (or ssh 10.10.10.7). At first I faced a problem with ssh itself, as you can see here, and after some searching I found the solution here.
After resolving the problem, we’re logged in as root over SSH :) let’s search for the flags…
The root flag is in /root and the user flag is in /home/fanis.
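The last step only worked because root was allowed to log in over SSH with a password that was readable from a config file. As an added example (not part of the writeup, and not the box’s real configuration), here is a small audit of the global sshd_config settings that turn a leaked password into a root shell. It assumes the sshd_config(5) rule that the first value set for a keyword wins, treats PasswordAuthentication as defaulting to yes (the OpenSSH default), and deliberately stops at the first Match block, since conditional overrides are out of scope.

```python
import re
from typing import Dict, List

# Constructed sshd_config excerpts (not the box's real file). The first reflects the
# state the writeup relies on: root may authenticate with a password.
WEAK_CONFIG = """\
# constructed example: risky settings
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed example: hardened settings
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def effective_global_settings(text: str) -> Dict[str, str]:
    """Global (pre-Match) settings as sshd applies them.

    Per sshd_config(5) the FIRST value obtained for a keyword is used, so a
    duplicate appended later in the file does not override it. Match blocks are
    conditional and are ignored here: parsing stops at the first Match line
    (an assumption of this example).
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Flag settings that let a leaked or reused password become a root shell."""
    s = effective_global_settings(text)
    findings: List[str] = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin not set: effective value is the build default; set it explicitly")
    elif root == "yes":
        findings.append("PermitRootLogin yes: root can authenticate with a password; use 'no' or 'prohibit-password'")
    # OpenSSH defaults PasswordAuthentication to yes when it is not set
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: a password read from a config file is enough to log in; prefer keys")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or ["no findings"])
```

The first-value-wins rule is the part people get wrong: appending PermitRootLogin no to the end of a file that already says yes changes nothing, which is why the audit parses the file the way sshd does instead of taking the last line.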