HackTheBox - Beep
Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access.
Reconnaissance and Enumeration
We start with full Nmap scan using default scripts (-sC), version detection (-sV), OS detection (-O), and max speed (-T5)
┌──(vq4s㉿kali)-[~/Downloads]
└─$ nmap -sC -sV -O -T5 beep.htb
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.2.3
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://beep.htb/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: IMPLEMENTATION(Cyrus POP3 server v2) UIDL TOP RESP-CODES APOP LOGIN-DELAY(0) STLS USER AUTH-RESP-CODE PIPELINING EXPIRE(NEVER)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 790/udp status
|_ 100024 1 793/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: CONDSTORE Completed OK CATENATE BINARY ACL UNSELECT X-NETSCAPE LITERAL+ LISTEXT NAMESPACE THREAD=REFERENCES ATOMIC MAILBOX-REFERRALS ANNOTATEMORE IDLE THREAD=ORDEREDSUBJECT MULTIAPPEND ID URLAUTHA0001 SORT=MODSEQ SORT UIDPLUS STARTTLS IMAP4 RENAME LIST-SUBSCRIBED QUOTA IMAP4rev1 NO RIGHTS=kxte CHILDREN
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Elastix - Login page
|_ssl-date: 2025-04-02T01:18:56+00:00; 0s from scanner time.
|_http-server-header: Apache/2.2.3 (CentOS)
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2017-04-07T08:22:08
|_Not valid after: 2018-04-07T08:22:08
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Device type: WAP|general purpose|media device|broadband router|PBX
Running (JUST GUESSING): Linux 2.4.X|2.6.X (96%), Sony embedded (95%), Asus embedded (95%), Starbridge Networks embedded (95%), ZyXEL embedded (95%)
OS CPE: cpe:/o:linux:linux_kernel:2.4.30 cpe:/o:linux:linux_kernel:2.6 cpe:/o:sony:smp-n200 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:asus:rt-ac66u cpe:/h:asus:rt-n16 cpe:/h:starbridge_networks:1531 cpe:/h:zyxel:o2_homebox_6641
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (96%), Linux 2.6.9 - 2.6.27 (95%), Sony SMP-N200 media player (95%), Linux 2.6.21 (95%), Linux 2.6.5 (SUSE Enterprise Server 9) (95%), Linux 2.6.18 (95%), Tomato 1.28 (Linux 2.6.22) (95%), Asus RT-AC66U router (Linux 2.6) (95%), Asus RT-N16 WAP (Linux 2.6) (95%), Asus RT-N66U WAP (Linux 2.6) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: beep.localdomain, 127.0.0.1, example.com
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 390.07 seconds
The web service on port 443 redirects to Elastix login page, this is open-source communication server based on FreePBX and Asterisk.
Next we run gobuster to enumerate directories on the web server:
┌──(vq4s㉿kali)-[~/Downloads]
└─$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://beep.htb -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://beep.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 306] [--> https://beep.htb/images/]
/help (Status: 301) [Size: 304] [--> https://beep.htb/help/]
/themes (Status: 301) [Size: 306] [--> https://beep.htb/themes/]
/modules (Status: 301) [Size: 307] [--> https://beep.htb/modules/]
/mail (Status: 301) [Size: 304] [--> https://beep.htb/mail/]
/admin (Status: 301) [Size: 305] [--> https://beep.htb/admin/]
/static (Status: 301) [Size: 306] [--> https://beep.htb/static/]
/lang (Status: 301) [Size: 304] [--> https://beep.htb/lang/]
/var (Status: 301) [Size: 303] [--> https://beep.htb/var/]
/panel (Status: 301) [Size: 305] [--> https://beep.htb/panel/]
/libs (Status: 301) [Size: 304] [--> https://beep.htb/libs/]
/recordings (Status: 301) [Size: 310] [--> https://beep.htb/recordings/]
/configs (Status: 301) [Size: 307] [--> https://beep.htb/configs/]
Progress: 58084 / 220560 (26.33%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 58128 / 220560 (26.35%)
===============================================================
Finished
===============================================================
Vulnerability Discovery
We found some interesting directories during enumeration. At the same time, I ran searchsploit and discovered some potential vulnerabilities related to Elastix.
One of the listed exploits was a Local File Inclusion (LFI) vulnerability.
LFI allows an attacker to include and read local files on the server, typically through a vulnerable parameter in a URL or POST request.
I tested the LFI by passing a known configuration file through the vulnerable URL:
To better view the output, I used browser dev-tools and switched to View Source — this made it easier to extract credentials, usernames, and file structure.
From here, we discover all users. We can try to log in via SSH using the password we found.
Exploitation
Since the SSH server is outdated, we need to specify older algorithms for key exchange and host key:
┌──(vq4s㉿kali)-[~/Downloads]
└─$ ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa root@10.10.10.7
root@10.10.10.7's password:
Last login: Tue Jul 16 11:45:47 2019
Welcome to Elastix
----------------------------------------------------
To access your Elastix System, using a separate workstation (PC/MAC/Linux)
Open the Internet Browser using the following URL:
http://10.10.10.7
We are now logged in as root, which means no further privilege escalation is needed!
[root@beep fanis]# wc user.txt
1 1 33 user.txt
[root@beep fanis]# wc /root/root.txt
1 1 33 /root/root.txt
Beep is a great example of how multiple outdated services combined with poor security practices (like default credentials and known LFI vulnerabilities) can result in a full compromise.