Hack The Box — Beep — without Metasploit (TJNull’s list for OSCP)
This is my 7th write-up for Beep, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
In order to hack into a system we need to first gather some information about it. For that, we use Nmap to scan the ports of the target machine to find out what services are running; services that we can target.
nmap -sC -sV -O -A -T4 -Pn 10.129.68.60
- -sC is used to run the default NSE scripts to enumerate the services further.
- -sV is used for version enumeration of the services.
- -O is used for OS enumeration. (not usually needed if you use -A. But who cares)
- -A is used for an aggressive scan: it enables OS detection, version detection, script scanning and traceroute (not usually recommended in a real environment).
- -T4 is used to set the timing template, which controls how aggressively Nmap paces and parallelises its probes.
- -Pn is used to skip host discovery and scan even if the machine does not respond to ICMP (ping) packets.
There are many ports open, but let’s start with ports 80 and 10000, since they are HTTP services.
Navigating to port 80 tells us that Elastix is installed on the server.
Doing a quick search on exploit-db, we can find the LFI exploit.
https://www.exploit-db.com/exploits/37637
By reading the exploit I found the LFI payload for the current_language parameter in /vtigercrm/graph.php
/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
By simply sending this payload via the URL, we are able to read the amportal.conf file.
But reading it is quite difficult. Let’s right click and view-source to make it readable.
We can see that a password is being repeated. What if this password is also being used in other places?
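A detection-side counterpart to the LFI above, as an added example that is not from the original write-up or from the Elastix/vTiger project: a small Python scanner over Apache combined-format access logs that flags the indicators this payload carries (directory traversal, a null-byte terminator and a reference to a sensitive config file such as amportal.conf). The log lines and the source IPs in them are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jan/2024:10:01:02 +0000] "GET /vtigercrm/index.php?module=Accounts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2024:10:01:07 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2024:10:02:11 +0000] "GET /vtigercrm/graph.php?current_language=en_us&module=Accounts HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2024:10:02:40 +0000] "GET /vtigercrm/graph.php?current_language=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 3300 "-" "curl/7.68"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators: traversal sequences and sensitive files worth alerting on.
TRAVERSAL = re.compile(r'\.\.[/\\]')
SENSITIVE = ('amportal.conf', '/etc/passwd', '/etc/shadow')


def inspect_request(path):
    """Return the reasons a request path looks like an LFI attempt ([] if clean)."""
    reasons = []
    query = urlsplit(path).query
    # parse_qs decodes one layer of percent-encoding; unquote again so a
    # double-encoded payload (..%252F) is inspected in its final form.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            value = unquote(raw)
            if TRAVERSAL.search(value):
                reasons.append(f"{name}: directory traversal")
            if "\x00" in value:
                reasons.append(f"{name}: null byte")
            if any(s in value for s in SENSITIVE):
                reasons.append(f"{name}: sensitive file reference")
    return reasons


def scan_log(text):
    """Return (ip, status, path, reasons) for every line that trips an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = inspect_request(m.group("path"))
        if reasons:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), reasons))
    return hits
```

A 200 status on a flagged request is the case to triage first, since it means the include most likely succeeded.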
Exploitation
Since SSH is enabled, let’s try this password against root user for SSH.
Unable to SSH because of a key exchange method incompatibility. Let’s explicitly enable the legacy key exchange and host key algorithms the server supports and give the password that we found in the config.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss root@10.129.68.60
It was really unexpected, but we got a root shell.
It was way too simple and easy :)