Hackthebox Walkthrough — Beep
I have been taking the PWK course and preparing for the OSCP exam recently. I got a lot of inspiration from many Hackthebox machines besides the PWK labs, so I decided to start writing walkthroughs of retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec's YouTube videos, etc. Thanks for all of these amazing penetration testing materials!)
Target: 10.10.10.7
Local IP: 10.10.14.2
Nmap Enumeration:
Run nmap to see which ports are open and what services are running behind them.
There are multiple ports and services running.
Since ports 80 and 443 are open, we know it is running a web server. Let's browse the victim's web page.
This redirects us to the 'elastix' page.
Use dirsearch to fuzz the web directories.
We did not find any interesting directories.
Let's use dirb this time with a 'big' wordlist,
and we found the /vtigercrm directory.
Browse to it on the web server.
Try the arbitrary file upload exploit.
And we got a meterpreter session open.
We got a user shell and grabbed our first flag, user.txt!
Run Local Exploit Suggester for privilege escalation suggestions
use post/multi/recon/local_exploit_suggester
No suggestions available, so we decide to play around with Elastix (the version is relatively old).
Cat that file and we see there's an LFI exploit.
And we got a bunch of mess on that page. Use view-source to make the page cleaner.
These seem to be passwords. Let's take those potential passwords and put them in a passfile on our machine.
Change the file to /etc/passwd so that we can get a list of usernames for an SSH bruteforce.
Save it to a file on our machine and delete the nologin entries with the command :g/nologin/d
Also delete the entries that do not use /bin/bash and other unnecessary things.
We got a list of users.
Something is blocking us from bruteforcing SSH.
We found that the password "jEhdIekWmdjE" appears more than once on the page. Guess it might be the root password.
Let's log in with ssh and use the password: jEhdIekWmdjE
Luckily we made a correct guess!
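A defender-side view of the SSH step above, as an added example that is not part of the original walkthrough: it parses sshd lines in the syslog-style format and flags a source that burns through many usernames in a short window, noting when a login is accepted right after the burst (the password-reuse guess). The log lines are constructed and the thresholds are assumptions.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the syslog format used by /var/log/secure (no year field).
SAMPLE_LOG = """\
Mar  3 10:15:01 beep sshd[2101]: Failed password for invalid user alice from 10.10.14.2 port 51002 ssh2
Mar  3 10:15:02 beep sshd[2103]: Failed password for root from 10.10.14.2 port 51004 ssh2
Mar  3 10:15:02 beep sshd[2105]: Failed password for invalid user bob from 10.10.14.2 port 51006 ssh2
Mar  3 10:15:03 beep sshd[2107]: Failed password for invalid user svc_backup from 10.10.14.2 port 51008 ssh2
Mar  3 10:15:06 beep sshd[2111]: Accepted password for root from 10.10.14.2 port 51012 ssh2
Mar  3 10:40:00 beep sshd[2201]: Failed password for root from 192.168.1.50 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse_events(log_text):
    """Yield (timestamp, result, user, ip) for each sshd password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, or sshd lines that are not password auth
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def detect_spray(log_text, max_failures=4, window_seconds=60):
    """Flag source IPs with >= max_failures failures inside window_seconds."""
    failures = defaultdict(list)  # ip -> failure timestamps (sorted below)
    users = defaultdict(set)      # ip -> usernames tried (spray = many distinct users)
    success_after = {}            # ip -> user that got in after earlier failures
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        elif failures[ip]:  # "Accepted" after failures from the same source: a guess that worked
            success_after[ip] = user
    alerts, window = {}, timedelta(seconds=window_seconds)
    for ip, stamps in failures.items():
        stamps.sort()
        for i, t in enumerate(stamps):
            if bisect_right(stamps, t + window) - i >= max_failures:  # failures in [t, t+window]
                alerts[ip] = {"failures": len(stamps), "distinct_users": len(users[ip]),
                              "success_as": success_after.get(ip)}
                break
    return alerts
```

Run it over a real auth log and the source from the walkthrough would show four distinct usernames failing within a few seconds followed by an accepted root login, which is the pattern worth alerting on even when a lockout tool already slows the attempts.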
Grab the root.txt flag!