Wednesday, January 9, 2019



- Layout for this exercise:


- The goal for this exercise is to develop a hacking process for the vulnerable machine Beep, what is a retired machine from the Hack The Box pentesting platform:


Beep's IP is

- Scanning with Nmap:

- When connecting to the web server at port 80 HTTP there is a redirection to port 443 HTTPS, where an Elastix application is running:

- Dirbusting the web server with wordlist big.txt:

- Trying to use Elastix basic credentials like admin:admin, admin:password, etc ... an Authentication Required form is prompted to the user when connecting to folder /admin:

- Also, from folder /admin we learn that Beep runs FreePBX 

- Going to folder /vtigercrm we learn that Beep runs vtiger CRM 5:

- Checking port 10000, where webamin is running:

- The authentication form reveals session_login.cgi:


- Let's use two ways to exploit the vulnerable machine Beep:

3.1 - WEBMIN

- We can try to get a reverse shell by using this bash script:

- Setting a Netcat  listener at port 1234:

- curl helps to execute remotely the bash script, using options -k (for insecure connections) and -H (extra header):

- As a result, a successful remote reverse root shell is achieved:


- Elastix 2.2.0 is vulnerable to several exploits, for instance this one:

- Reading the instructions, it seems that graph.php?current_language allows a Local File Inclusion:

- Following the instructions:

- Viewing the source, the file is now readable:

- There are some interesting lines what must be noticed, for instance:

- Also, we can use the LFI to get /etc/passwd:

- Unfortunately access to /etc/shadow is restricted:

- In the same way let's have a look to /etc/asterisk/manager.conf:

- Now, it's time to bruteforce the SSH service.

- Let's create one file for users (picking up the most relevants from previous lists) and another one for passwords:

- Medusa does the work for us:

- Finally, it is easy to get a remote root shell just connecting with SSH by using credentials root:jEhdIekWmdjE


- Reading the 1st flag user.txt:

- Decrypting the 1st flag:

- Reading the 2nd flag root.txt:

- Decrypting the 2nd flag: