Beep
Last updated
This is a rather chaotic box with a lot of services running.
I spent a lot of time scanning for http but got nothing, and I didn't know the versions of the services running on the server.
After using feroxbuster, I got a bunch of directories:
- https://10.10.10.7/help/
- https://10.10.10.7/var/
- https://10.10.10.7/recordings/
- https://10.10.10.7/admin/
- https://10.10.10.7/configs/
- https://10.10.10.7/index.php
- https://10.10.10.7/lang/
- https://10.10.10.7/mail/
- https://10.10.10.7/panel/
- https://10.10.10.7/static/
- https://10.10.10.7/themes/
- https://10.10.10.7/libs/
- https://10.10.10.7/modules/
- https://10.10.10.7/cgi-bin/
- https://10.10.10.7/images/
Service versions can be confusing, as some files on the server belong to an obsolete version of the package, e.g.:
This shows v1, but it is actually 2.2.0.
Looked at the walkthrough for hints and realised I should have tried the different Elastix exploits listed by searchsploit:
- Elastix 2.2.0 - 'graph.php' Local File Inclus | php/webapps/37637.pl (works) ==this stood out==
- Elastix < 2.5 - PHP Code Injection | php/webapps/38091.php
- FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code | php/webapps/18650.py (NOPE)
- Elastix 2.x - Blind SQL Injection | php/webapps/36305.txt
I tried with etc/passwd. Found that the restricted file cannot be accessed, and was a bit lost.
But on a second glance at the exploit, and with hints from the walkthrough, I realised it is trying to access a file named amportal.conf with %00. The null byte can bypass the check on PHP < 5.4. Read more about it in [[Use of Null Byte]].
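As an added example (not part of the original notes), here is a small Python detector a defender could run over Apache access logs to flag the null-byte and directory-traversal pattern this LFI relies on; the sample log lines and the `file` parameter name are constructed, not taken from the box.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log format: client, identd, user, time, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
# ".." as a whole path segment, including directly after "=" inside a query value.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=])\.\.(?:[/\\]|$)')

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %2500 is caught as well."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target: str) -> list:
    """Return the reasons a request target looks like a file-inclusion attempt."""
    decoded = decode_target(target)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null-byte")   # truncates the path on PHP builds with the null-byte bug
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    return reasons

def scan_log(lines) -> list:
    """Parse access-log lines and return only the suspicious ones with their reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                  # not in the expected format: skip rather than crash
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return hits

# Constructed sample lines (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Aug/2022:14:20:27 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Aug/2022:14:21:03 +0000] "GET /graph.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 301',
    '203.0.113.9 - - [09/Aug/2022:14:21:10 +0000] "GET /graph.php?file=../../../../etc/amportal.conf%00 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [09/Aug/2022:14:21:15 +0000] "GET /graph.php?file=%252e%252e%2Fetc%2Fpasswd%2500 HTTP/1.1" 200 301',
]
```

`scan_log(SAMPLE_LOG)` returns the three suspicious requests with their reasons; a 200 status on such a request is the signal worth alerting on, since the include actually succeeded.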
Found clear-text passwords, but didn't know how to use them; tried SSH with hydra but no luck.
Found the complete package versions: ![[Pasted image 20220809142027.png]]
Tried uploading a backdoor module, but was unsuccessful.
Then, from the walkthrough hints, I realised SSH with the root account reuses this admin password. Got root easily.
#not_finished
More accurate scanning! Got it in one! Maybe use a better wordlist.
Remember to scan https!!!!!!! I scanned http over and over again so many times omg 😰
Test password reuse for SSH.
The exploit itself didn't work, but the PoC works: